Privacy Policy
Last updated: May 2, 2026 · Version 2026-05-02
1. About this Policy
This Privacy Policy (“Policy”) describes how Mazurka Labs LLC, a New York limited liability company (“WaiverDrop,” “we,” “us”; “WaiverDrop” is a product brand of Mazurka Labs LLC) collects, uses, shares, and protects personal information in connection with the waiverdrop.com website and related marketing sites, the WaiverDrop application and customer dashboard, the embeddable waiver signing experience used by Signers, and our APIs and integrations (collectively, the “Service”).
This Policy is incorporated into the WaiverDrop Terms of Service. Defined terms not defined here have the meaning given in the Terms of Service.
2. Our Two Roles
WaiverDrop plays two different roles depending on whose information is at issue.
(a) Controller — for Account Holder information. When you create a WaiverDrop account or use our Service as a business customer or Authorized User, we collect and process your information as a controller. This Policy applies directly to that processing.
(b) Processor — for Signer information. When a Signer signs a Waiver through the Service, we collect and process the Signer’s information on behalf of the business Customer that configured the Waiver. That Customer is the controller of the Signer’s information, and our processing is governed by our agreement with that Customer (including the Data Processing Agreement where applicable). Signers with questions about the handling of their information should contact the business that asked them to sign the Waiver. Where required by law, we will assist that business in responding to a Signer’s rights request.
3. Information We Collect
3.1 Information You Provide to Us (Account Holders).
- Account information: name, email address, password hash, business name, role or title.
- Billing information: billing name, address, last four digits of payment card (card details are collected and stored by Stripe; we do not see or store full card numbers).
- Team information: names and email addresses of Authorized Users Customer invites to the account.
- Communications: the contents of messages you send us through support channels.
- Marketing inputs: information you submit via forms on our marketing website.
3.2 Information Collected from Signers (Processed on Behalf of Customers). When a Signer signs a Waiver on a Customer’s behalf, we collect and process, as instructed by the Customer:
- Signer identity: name, email address, phone number, date of birth (where configured), emergency contact, and other fields the Customer configures in its Waiver template.
- Signature data: drawn signature image, IP address, timestamp, browser user agent, device information.
- Photograph where the Customer’s template enables it.
- Minor information where the Waiver involves a minor: the guardian’s identity and relationship, and the minor’s name and date of birth, provided by the signing guardian.
- Waiver content the Customer created, together with the PDF record generated at signing.
Signers should contact the Customer that requested the signature for questions about this information.
3.3 Information Collected Automatically. When you interact with the Service, we collect:
- Device and connection data: IP address, browser type and version, operating system, referring URL, language preference, screen size.
- Usage data: pages viewed, features used, actions performed, errors encountered, timestamps.
- Cookies and similar technologies as described in Section 7.
3.4 Information from Third Parties.
- Payment processor (Stripe): subscription status, last four digits of card, billing country, and related metadata.
- Authentication providers: for Enterprise SSO or SAML, where enabled, identifiers returned by the identity provider you choose to federate with.
4. How We Use Information
We use personal information for the following purposes:
(a) Service delivery. To create and maintain accounts, deliver features, generate PDF waiver records, deliver confirmation emails, process payments, provide customer support, and enforce plan limits.
(b) Security and fraud prevention. To detect, investigate, and prevent fraud, unauthorized access, and abuse; to secure our systems; and to enforce the Terms of Service.
(c) Legal and compliance. To comply with applicable law, respond to lawful requests from authorities, retain e-signature evidence as required by ESIGN and UETA, and establish, exercise, or defend legal claims.
(d) Product analytics and improvement. To understand how the Service is used, measure performance, debug, and improve features. We use Aggregated Anonymous Data that does not identify any individual for benchmarking and research.
(e) Communications. To send transactional messages such as account notices, receipts, and signed waiver confirmations, and, where permitted, occasional product announcements and marketing messages you can opt out of.
(f) As directed by the Customer. For Signer information, only for the purposes instructed by the Customer controller.
Legal Bases (EU, UK, and Swiss Data Subjects). Where the EU or UK GDPR or the Swiss FADP applies to our processing as a controller, we rely on the following legal bases:
- Performance of a contract to deliver the Service to Account Holders under the Terms.
- Legitimate interests for security, fraud prevention, product analytics, direct marketing to existing business contacts, and enforcing our Terms.
- Legal obligation to comply with applicable law.
- Consent where we rely on consent, which you can withdraw at any time.
For Signer data, the Customer controller is responsible for identifying the legal basis for the underlying waiver collection.
5. How We Share Information
We do not sell personal information. We share information in the following limited circumstances.
(a) With the Customer. Signer information is made available to the Customer that configured the Waiver.
(b) Subprocessors and service providers. We share information with vetted third parties that provide hosting, edge CDN, payment processing, and email delivery under contracts that require appropriate confidentiality and security. See our full subprocessor list at waiverdrop.com/subprocessors.
- Hetzner (Hetzner Online GmbH, Germany) — application hosting, database, encrypted backups in a United States data center. Also hosts our self-hosted analytics (GoatCounter) and error tracking (GlitchTip).
- Cloudflare (Cloudflare, Inc., United States) — CDN, DDoS protection, WAF, DNS, TLS termination, bot mitigation, and R2 object storage for signatures, PDF waiver records, and optional photographs.
- Stripe (Stripe, Inc., United States) — payment processing for subscription billing. Stripe handles full card data under PCI DSS.
- Resend (Resend, Inc., United States) — transactional email delivery for waiver confirmations and password resets.
We run our product analytics (GoatCounter) and error tracking (GlitchTip) on our own Hetzner infrastructure rather than sending data to a third-party analytics or observability vendor. Because these tools are self-hosted, they are not separate subprocessors.
(c) Professional advisors. Auditors, lawyers, accountants, and other advisors under confidentiality obligations.
(d) Corporate transactions. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to standard confidentiality and continuing obligations under this Policy.
(e) Legal obligations and protection. To comply with law, legal process, or enforceable governmental requests; to enforce our Terms; and to protect the rights, property, or safety of WaiverDrop, our users, or others.
(f) With your consent. For any other purpose disclosed at the time and with your consent.
6. International Data Transfers
WaiverDrop is based in the United States and stores Service data on infrastructure located in the United States. When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to the United States or other jurisdictions that have not been deemed to provide an adequate level of protection, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented as needed. Details are set out in the Data Processing Agreement at waiverdrop.com/dpa.
7. Cookies and Similar Technologies
We use a minimal set of cookies:
- Strictly necessary cookies required for authentication, session management, CSRF protection, and core functionality. These cannot be disabled without breaking the Service.
- Preference cookies to remember settings like theme and locale.
- No analytics cookies. We use GoatCounter, a self-hosted privacy-friendly analytics tool that counts page views without setting tracking cookies, using fingerprinting, or collecting personal data.
We do not use advertising or cross-site tracking cookies. We do not use third-party social media tracking pixels or interest-based advertising on the Service. Where required by law, we display a cookie banner allowing you to accept or reject non-essential cookies.
Do Not Track and Global Privacy Control. We treat a Global Privacy Control signal as a valid opt-out of any sale or sharing for the purposes of California law. We do not respond to Do Not Track browser signals beyond what is described in this Policy.
8. Data Retention
We retain personal information for as long as necessary to provide the Service and to satisfy legal, accounting, or reporting obligations.
- Export window. Following account closure, Customer has thirty (30) days to export its Customer Data through the Service.
- Account Holder data is retained during the subscription and deleted or anonymized within a commercially reasonable time after the 30-day export window closes, except where tax and financial records must be retained for 7 years under applicable law.
- Signer Waiver Records are retained during the subscription plus a default of up to 7 years following the end of the 30-day post-termination export window (the 7-year clock begins 30 days after account closure), to support the Customer’s potential need to produce signed waivers in legal proceedings. The Customer that collected the Waiver may request earlier deletion in writing, subject to its own legal obligations.
- Backups. Older data may persist in encrypted backups for up to 30 days after deletion from production systems before being overwritten.
- Marketing and support records are retained for up to 2 years after last interaction.
The terms of the Data Processing Agreement are read consistently with this Section 8. Where the DPA references a default 30-day return-or-deletion period, that period is subject to the Waiver-Record retention described above and does not require WaiverDrop to delete Waiver Records ahead of the default retention period unless Customer expressly so directs in writing.
Customer responsibility for Waiver retention. The 7-year default for Signer waiver records is a reasonable baseline for most U.S. adult-signer use cases. The Customer that collected the Waiver, not WaiverDrop, is responsible for ensuring this default meets the Customer’s legal obligations. In particular, waivers signed by or on behalf of minors may require substantially longer retention in jurisdictions where the applicable statute of limitations tolls until the minor reaches the age of majority and may then run for an additional limitations period.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including:
- Encryption in transit using TLS 1.3 for all connections to the Service.
- Encryption at rest for database and object storage.
- Access controls limiting personnel access to personal data on a need-to-know basis, with authentication, audit logging, and least-privilege principles.
- Network segregation between production and non-production environments.
- Vendor security reviews before engaging subprocessors.
- Incident response procedures for investigating and notifying in the event of a security incident.
No security program is perfect. You are responsible for maintaining the security of your account credentials. If you suspect unauthorized access, contact [email protected].
10. Your Rights and Choices
Depending on where you live, you may have rights in your personal information. We honor these rights regardless of jurisdiction where reasonably practical.
10.1 Rights Available to Most Users.
- Access a copy of the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your personal information, subject to exceptions.
- Export a portable copy of your account data.
- Unsubscribe from marketing communications at any time using the link in our emails.
- Appeal a denied privacy request.
To exercise a right, email [email protected] or use the in-product controls in account settings. We will verify your identity before acting on requests. We do not discriminate against users for exercising their rights.
10.2 Signers. If you signed a Waiver through the Service, the business that asked you to sign is the controller of your information. Please contact that business directly. We will assist the business in responding to your request.
10.3 California Residents (CCPA and CPRA). Under the California Consumer Privacy Act as amended by the CPRA, California residents have the following rights:
- Right to know categories and specific pieces of personal information collected, sources, purposes, and third parties with whom it is shared.
- Right to delete personal information, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information. WaiverDrop does not sell personal information for monetary or other valuable consideration, and does not share personal information with third parties for cross-context behavioral advertising. Because we do not engage in sale or sharing as defined by the CCPA and CPRA, we do not display a “Do Not Sell or Share My Personal Information” link. If our practices change, we will post an updated notice and provide the link as required.
- Right to limit the use of sensitive personal information where applicable.
- Right to non-discrimination for exercising your rights.
We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA. Categories of personal information we have collected in the preceding 12 months are described in Section 3; purposes are in Section 4; categories of recipients are in Section 5. To exercise a right, email [email protected]. Authorized agents may submit requests on a resident’s behalf with proof of authorization.
10.4 Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, and Other U.S. State Residents. Residents of these states have rights similar to those described in Section 10.3 under their respective state privacy laws. We honor access, correction, deletion, and opt-out rights where applicable. To exercise a right, email [email protected].
10.5 EU, UK, and Swiss Data Subjects (GDPR, UK GDPR, FADP). In addition to the rights above, you have the right to:
- Object to processing based on legitimate interests, including direct marketing.
- Restrict processing in certain circumstances.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with a supervisory authority.
11. Children and Minor Signers
The Service is intended for business use and is not directed to children under 13.
WaiverDrop does not knowingly collect personal information directly from children under 13 (or under 16 where local law requires).
Where a Waiver involves a minor, the minor’s information is submitted to the Service by the signing parent or guardian on behalf of the business Customer who configured the Waiver. In that context, the business Customer is the party that has selected, configured, and presented the Waiver to the signing guardian, and we therefore consider the business Customer to be the “operator” under the U.S. Children’s Online Privacy Protection Act (COPPA) with respect to the child information collected through that Waiver. Accordingly, the business Customer is responsible for posting any required COPPA notice to parents, obtaining any required verifiable parental consent before collecting information from or about the child, complying with any other COPPA obligations applicable to its collection and use of the information, and complying with any comparable state-law children’s privacy obligations.
WaiverDrop acts as a service provider or processor with respect to minor information submitted through the Service and processes that information solely on Customer’s documented instructions. Nothing in the foregoing purports to alter the statutory definition of “operator” as a matter of law; the allocation of responsibilities described above is contractual between WaiverDrop and the Customer and does not bind the Federal Trade Commission or other regulators.
If you believe a child under 13 has provided personal information to us outside of a Customer-configured Waiver flow, please contact [email protected] and we will investigate and delete it where appropriate.
12. Links to Third-Party Sites
The Service may link to or integrate with third-party sites and services such as Stripe checkout, Customer-configured webhook endpoints, and booking platforms. We are not responsible for the privacy practices of those third parties. Review their privacy notices before providing information.
13. Changes to this Policy
We may update this Policy from time to time. If a change is material, we will provide notice, for example by email or in-product, and, where required, obtain your consent. The “Last updated” date indicates when the current version took effect. Continued use of the Service after the effective date constitutes acceptance.
14. Contact Us
Questions, requests, or complaints about this Policy or our privacy practices:
- Email: [email protected]
- Security incidents: [email protected]