Tersign Privacy Notice
v1.0 — effective 14 July 2026 (professional counsel review pending; material changes on 30 days’ notice per Section 22) Kevin Zhang, trading as Tersign, Hong Kong ("Tersign", "we"). Contact: legal@tersign.ai. Effective: 14 July 2026.
1. What this notice covers
This notice covers personal data for which Tersign decides the purposes and means — as a "data user" under the Hong Kong Personal Data (Privacy) Ordinance (PDPO) and, where the GDPR applies, a controller. That is: visitors to tersign.ai, account holders and their personnel, billing contacts, and support correspondents.
It does not cover the content of Records our customers submit to the ledger. For that content we act on the customer's behalf as a processor under our Data Processing Addendum (https://tersign.ai/legal/dpa). If your personal data appears in a customer's Records, that customer is responsible for it — please contact them; we will redirect any request we receive to them.
Tersign is a business-to-business service. We do not offer services to consumers or children and do not knowingly collect their data.
2. What we collect
- Account data: business name, your name and role, email, jurisdiction, authentication data.
- Billing data: subscription and invoice history. Card payments are processed by Stripe; we do not store card numbers. For crypto payments we record the paying wallet address and on-chain transaction reference.
- Usage and log data: IP address, user agent, API request metadata, and security logs, kept to run and defend the service.
- Support and correspondence: what you send us.
We do not run third-party advertising trackers on tersign.ai.
3. Why we use it (and legal bases where GDPR applies)
- Provide and operate the Services; manage accounts and billing (performance of a contract).
- Secure the Services: abuse prevention, rate-limit enforcement, sanctions screening (legitimate interests; legal obligation).
- Improve the Services, including service telemetry (legitimate interests).
- Communicate service, security, and legal-change notices (performance of a contract; legal obligation).
- Limited B2B marketing about our own services, with opt-out (legitimate interests).
- Comply with law, including tax and record-keeping duties (legal obligation).
4. Sharing
We share personal data only with: Cloudflare (infrastructure hosting, global); Stripe (payment processing); professional advisers (lawyers, accountants) under confidentiality; and authorities where the law requires. We do not sell personal data.
Business transfers: if Tersign is involved in incorporation of its current sole-proprietor business, financing, merger, acquisition, reorganization, or a sale of assets, personal data and other business data may be transferred as part of that transaction, subject to this notice's commitments.
5. International transfers
We operate from Hong Kong on Cloudflare's global infrastructure, so data may be processed outside your jurisdiction. Where the GDPR applies to a transfer, we rely on the EU Standard Contractual Clauses or another lawful transfer mechanism.
6. Retention
Account and billing records: for the life of the account and then as required by Hong Kong law (generally seven years for business records). Security and usage logs: shorter operational periods. We delete or anonymize data when it is no longer needed.
7. Your rights
Under the PDPO you may request access to and correction of your personal data. Where the GDPR applies, you may also request erasure, restriction, portability, and object to processing based on legitimate interests, and you may complain to your supervisory authority (in Hong Kong, the PCPD). Write to legal@tersign.ai; we respond within the timeframes the law sets.
8. Security
Encryption in transit and at rest, least-privilege access with multi-factor authentication, OS-keystore secret management, and logging. No system is perfectly secure; we will notify you of breaches as the law requires.
9. Changes
We will post changes here with a new version date and, for material changes, notify account holders by email or dashboard at least 30 days in advance where practicable.