At Docshark, protecting privacy is a priority. This Privacy Notice explains how Sharkforce Inc., a corporation incorporated under the laws of Canada (federal) ("Sharkforce," "we," "us," or "our"), collects, uses, stores, and discloses personal information about customers, signers, and other individuals who access or use Docshark websites, applications, APIs, and signing services (the "Services"). By using the Services, you understand that we will handle personal information as described here. If an organization sent you a document to sign, that organization controls most decisions about your envelope; contact them first for signer-specific questions. This Notice is written for users in Canada. It is provided in English. If you require this Notice in French for Quebec operations, contact [email protected]. We recommend reading this Notice in full. You can jump to any section below.
1. Purpose and scope
Docshark helps organizations prepare, send, sign, and prove electronic transactions. Because proving what happened matters, we collect and retain information about who signed, when they signed, and what document version they signed. This Notice applies to Docshark websites, applications, APIs, and signing experiences operated by Sharkforce in Canada. It does not apply to third-party sites you reach through links in Docshark.
2. Who is responsible (controller vs. service provider)
When an organization (your employer, counterparty, or service provider) sends you an envelope, that organization decides why your information is needed and is responsible for most signer-facing privacy obligations. Sharkforce processes envelope content and signer data on that organization’s instructions as a service provider. Sharkforce is responsible for processing described in this Notice where we act on our own behalf, for example account administration, billing, platform security, subprocessors, and product operations.
3. Personal information we collect from you
You may provide: name, email address, phone number (if used for SMS OTP), typed legal name at consent, signature field values, and support messages. Customers may provide information about you when they add you as a signer or administrator. You can choose not to provide some information, but you may not be able to sign without required fields and consent.
4. Transaction and audit information (core to Docshark)
For each envelope we may process: envelope subject and status; document metadata; SHA-256 hashes of source and sealed documents; consent text version and consent timestamp; signing session identifiers; audit event types and chained payload hashes; coarse region derived from network headers (for example Cloudflare country code); hashed IP address and hashed user-agent string (we do not store full raw IP addresses in standard audit fields); OTP verification events; and PAdES sealing metadata including timestamp authority details when enabled.
5. Information collected automatically
When you use Docshark we automatically collect: device and browser type; authentication session data via our identity provider; application logs; and usage events needed to secure and operate the service. We use cookies and similar technologies as described in the Sharkforce Cookie Policy.
6. Information from other sources
We may receive business contact information from your organization’s administrators, from support interactions, or from identity providers when you authenticate. We do not purchase marketing lists for Docshark signing flows.
7. How we use personal information
We use personal information to: provide signing and envelope services; deliver email and SMS authentication codes; generate activity logs and completion certificates; seal PDFs; prevent fraud and abuse; provide customer support; process subscriptions and invoices; comply with law; and improve reliability and security. We do not sell personal information. We do not use completed envelope content to train generalized machine-learning models.
8. Lawful authority under Canadian privacy law
We collect, use, and disclose personal information with meaningful consent where required under the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws, including Alberta’s Personal Information Protection Act and British Columbia’s Personal Information Protection Act. In Quebec, Law 25 may impose additional obligations on Sharkforce and on Customers; Customers are responsible for Quebec notices to signers where required. Where consent is not required, we rely on processing that is necessary to provide the service you request, to secure the platform, or to meet legal obligations.
9. Optional AI-assisted features
Some accounts may use AI-assisted document summaries or clause tools. Those features send only the minimum text required to generate a response and are subject to usage limits configured for the organization. AI outputs are assistive only and are not legal advice. If your organization enables AI features, their use is governed by your organization’s instructions and this Notice.
10. Disclosure of personal information
We disclose personal information to service providers that help us operate Docshark, including providers for identity and accounts, hosting, database and document storage, and transactional email. Our current subprocessor list (provider name, role, and typical processing locations) is published at /legal/docshark/subprocessors and updated when vendors change. We may also disclose information to your organization’s administrators, professional advisers, or authorities when required by law or to protect safety and rights. If Sharkforce undergoes a corporate transaction, information may transfer to a successor with notice where required by law.
11. Cross-border processing
Docshark is operated from Canada, but subprocessors may process personal information in Canada, the United States, or other countries where they host infrastructure. When information is processed outside Canada, we require contractual and organizational safeguards appropriate to the sensitivity of the data, including access controls and confidentiality commitments. See /legal/docshark/subprocessors for the current list and contact [email protected] for questions.
12. Retention
We retain personal information only as long as needed for the purposes described in this Notice, your organization’s instructions, contractual retention settings, legal holds, and legal retention obligations. Completed envelopes and audit evidence may be retained for multi-year periods (commonly up to seven years for commercial records unless your organization configures a different period). When retention ends, we delete or de-identify information where technically feasible.
13. Marketing and cookies
Transactional messages (signing links, OTP codes, completion notices) are sent even if you opt out of marketing. You may opt out of marketing email using the unsubscribe link in those messages. Manage cookies through your browser and the Sharkforce Cookie Policy at /en/legal/cookies.
14. How we protect personal information
We maintain administrative, technical, and organizational safeguards designed to protect personal information, including: • Transport security: Docshark is served over HTTPS (TLS) for data in transit between your browser and our application. • Access controls: Production access is limited to authorized personnel on a need-to-know basis, with authentication through our corporate identity controls. • Audit integrity: Signing events are appended to a hash-chained audit log; document integrity uses SHA-256 hashes at send, consent, and seal stages. • Identity signals: Signer IP and user-agent values are stored as one-way hashes in standard audit fields to reduce raw network identifier retention while preserving evidentiary correlation. • Sealed artifacts: Completed PDFs may be sealed with PAdES and stored in access-controlled object storage. • Monitoring: We log security-relevant events and investigate suspected abuse. No security program is perfect. If you believe your account or envelope has been compromised, contact us immediately.
15. Breach notification
If we become aware of a breach of security safeguards involving personal information under our control, we will notify affected organizations and, where required by PIPEDA or provincial law, affected individuals and regulators without unreasonable delay. Report suspected incidents to [email protected].
16. Your privacy rights in Canada
Subject to applicable law, you may request access to, correction of, or deletion of personal information we control, or withdraw consent where processing is based on consent. We will verify your identity before responding. Signers should usually contact the organization that sent the envelope first; we will assist that organization when we act as their service provider. Submit requests to [email protected]. We respond within timeframes required by PIPEDA and provincial law (generally within 30 days, with permitted extensions where appropriate).
17. Complaints to the Privacy Commissioner
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/en/report-a-concern/. Quebec residents may also contact the Commission d’accès à l’information du Québec where applicable.
18. Children
Docshark is designed for business and organizational use, not for children. We do not knowingly collect personal information from individuals under the age of 16 without appropriate authority. If you believe we have collected such information, contact us and we will take appropriate steps to delete it.
19. Changes to this Notice
We may update this Notice to reflect changes in law, technology, or our processing practices. We will post the revised Notice with an updated date. Material changes will be communicated where required by law.
20. Contact us
Privacy requests and questions: [email protected] Security incidents: [email protected] Sharkforce Inc. (Canada, federal corporation) Attention: Privacy Office