Privacy Policy

Information we collect

When you use FreshNDA, we collect the information you provide directly: your name, email address, company name, and the name and email address of your NDA recipient. We collect your IP address for rate limiting and fraud prevention. When an NDA is signed, the signer’s IP address, browser user agent, and an approximate location (city and country derived from that IP) are recorded on the document’s Certificate of Completion as proof of signing.

How we use your information

We use your information to generate, send, and manage NDAs on your behalf. This includes delivering emails, creating signed PDF documents, and providing status updates about your agreements. We do not use your information for marketing or advertising, or to train artificial intelligence or machine-learning models.

Legal bases for processing

For users in the United Kingdom, the European Economic Area, and other regions with similar laws, the legal bases we rely on are: performing our contract with you to provide the service (creating, sending, signing, and storing your NDAs and supporting your account); our legitimate interests in operating, securing, and improving the service and preventing fraud and abuse; complying with legal obligations; and, where it applies, your consent (for example, when you turn on an optional feature). Signing parties provide their information in order to enter into the agreement they are signing.

Cookies

FreshNDA keeps cookies to a minimum and uses no third-party advertising, analytics, or cross-site tracking cookies; no third-party tracker is loaded in your browser. Fonts are self-hosted, so visiting FreshNDA sends no request to Google or any other font provider. The cookies in use are:

• A session cookie set by Clerk, the authentication provider, to keep you signed in.
• A signed cookie that records when a sign-in has passed two-step verification—set only if you turn that feature on.
• When you upgrade or manage billing, you are redirected to the hosted checkout and billing portal of Stripe, where Stripe sets its own payment and fraud-prevention cookies. No Stripe code runs on FreshNDA’s own pages.
• A first-party cookie that records how you arrived—for example, a campaign link or referring site—set only if you reach FreshNDA from such a link, so that a new signup can be attributed to its source. It holds no third-party identifier, is never shared, and is not set for plain direct visits.

The sign-in, two-step, and payment cookies are essential to using the service and cannot be disabled while you continue to use FreshNDA; the attribution cookie is optional and you can clear it at any time. Recipients signing an NDA through a link are not required to sign in and are not given any of these cookies beyond what Stripe or Clerk may set if they later create an account.

Data storage and security

NDA records are stored in a Neon database. Signed PDF documents are stored on Vercel Blob with private access—they are not publicly reachable and can only be retrieved through the unique, secure link in your confirmation email. Data is encrypted in transit via TLS and encrypted at rest by our infrastructure providers. For a fuller breakdown, see our security page.

If you create API keys (Settings → API Keys), they grant programmatic access to your organization’s NDA data through the REST API. Treat them as credentials, keep them secret, and revoke any key you no longer need.

Where your data is processed

FreshNDA is operated from the United States, and your data is processed and stored in the United States. If you access the service from outside the United States, your information is transferred to and processed there. Where required for transfers of personal data out of the United Kingdom or the European Economic Area, we rely on appropriate safeguards, including the Standard Contractual Clauses, which are made available through the Data Processing Addendum described on our security page.

Data breach notification

If a security incident affects your personal information, we will notify affected customers without undue delay and provide the information needed to understand and respond to it, consistent with applicable law. Suspected vulnerabilities and incidents can be reported to security@freshnda.com.

Email delivery

Emails are sent through Resend. We share your name and email address with Resend solely to deliver NDA-related messages. Resend processes this data under their own privacy policy.

Data sharing

We do not sell, rent, or share your personal information with third parties for their marketing purposes. Data is shared only with the service providers (subprocessors) that operate FreshNDA—Vercel, Neon, Clerk, Stripe, Resend, and Sentry—and only as needed to run the service. In addition, if an organization admin connects Google Drive, FreshNDA exports that organization’s own signed NDAs to its Google Drive; this happens only for organizations that turn the integration on, and Google then acts as a customer-elected subprocessor. The complete, current list, with each provider’s role and the data it handles, is on the security page.

Data retention

NDA records and signed PDFs are retained for the life of your account. An organization admin can permanently delete the organization and all of its data at any time. You can also request deletion of your data by emailing privacy@freshnda.com; verified requests are completed within 30 days.

If your organization has connected Google Drive, copies of signed NDAs exported there live in your own Google Drive and are not deleted by FreshNDA. Disconnecting Drive or deleting your organization does not remove copies already exported — manage those in your Google Drive.

Your rights

You may request access to, correction of, or deletion of your personal information by emailing privacy@freshnda.com; verified requests are completed within 30 days. You can also download a portable, machine-readable copy of your account data yourself at any time from your profile (Profile → Your data), which includes every NDA you are a party to. If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what data we collect and the right to opt out of its sale (we do not sell your data).

Changes to this policy

We may update this policy from time to time. If we make material changes, we will update the date at the top of this page.

Contact

FreshNDA is operated by Mornin Labs LLC, the entity responsible for the personal information handled under this policy. Questions about this policy? Email privacy@freshnda.com.