Effective date: 2026-06-25. Last reviewed: 2026-06-25. Owner: Goliath Dynamics, Inc.

This notice explains how DocPost handles the personal information of individuals in Canada in the e-signature signing transaction, under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). It is the Canadian-handling counterpart to the GDPR Article 6(1)(f) legitimate-interest notice published in §5 of the DocPost E-Sign Act & Data-Processing Disclosure at /esign-disclosure.

DocPost is operated by Goliath Dynamics, Inc., a Florida corporation with its principal place of business at 7901 4th St N, STE 300, St. Petersburg, FL 33702, United States.

1. Roles

DocPost has two categories of users, and the PIPEDA roles differ between them:

(a) Account holders — people who sign in to an organization workspace on DocPost. Goliath Dynamics is the organization that determines the purposes and means of processing account-holder personal information and is the PIPEDA-accountable organization for that information.

(b) Signers — people who receive a signing link and complete an electronic signature inside a sender’s signing flow. For signer personal information processed inside a specific signing transaction, the sender (the organization that initiated the signing request) determines the purpose of the collection and is the PIPEDA-accountable organization for that information. DocPost processes the information on the sender’s behalf under written instructions and is accountable for the safeguarding obligations that apply to a service provider.

This notice addresses the signer flow. Account-holder handling is addressed in the DocPost Privacy Policy at /privacy.

2. Personal information collected in the signing transaction

To deliver the e-signature service and produce a legally admissible audit trail, DocPost processes the following personal information on behalf of the sender:

• Your name and email address as supplied to the sender.
• Your IP address.
• A device fingerprint — a probabilistic identifier derived from your browser configuration.
• Your user-agent string.
• The time you opened the signing link.
• The time you completed each action in the signing flow.
• The content of every field you complete.
• The image of the signature you draw or upload.
• Your ESIGN / UETA / ESA consent affirmation and your intent-to-sign affirmation.
• Any decline or consent-withdrawal events.
• Tamper-evidence material derived from the above — a SHA-256 hash of the final document, a hash-chained audit log in which every event carries the SHA-256 of the previous event so any later tampering is detectable, and an RFC-3161 timestamp from a trusted timestamp authority.

The same processing is described in §5 of the published E-Sign Act & Data-Processing Disclosure (the disclosure surfaced to you in the signing flow itself).

3. Purposes — PIPEDA appropriate purposes and business necessity

PIPEDA Principle 4.2 (Identifying Purposes), Principle 4.4 (Limiting Collection), and Principle 4.5 (Limiting Use, Disclosure, and Retention), read together with subsection 5(3) of the Act, require the purposes for which personal information is collected, used, and disclosed to be ones that a reasonable person would consider appropriate in the circumstances, and limit the collection to what is necessary for those purposes.

The purposes for which DocPost handles signer personal information in the signing transaction are:

(a) Producing tamper-evident evidence of the signing event — name, email address, IP address, device fingerprint, user-agent, event timestamps, field content, signature image, consent affirmations, document hash, hash-chained audit log, and RFC-3161 timestamp — so that the resulting contract is enforceable by either party against the other. This is appropriate-purpose handling in the meaning of subsection 5(3): the participants to a commercial e-signature transaction reasonably expect that the act of signing produces evidence of who signed, when, from where, and on what device.

(b) Detecting and preventing fraud, impersonation, link-sharing, and replay attacks against the signing flow — IP address, device fingerprint, user-agent, and event timestamps are used to bind the signer to the signing event and to detect anomalous signing behaviour. This handling is reasonable in the circumstances of a transaction that produces a legally enforceable contract.

Both purposes parallel the legitimate-interest framing in the GDPR notice in §5 of the E-Sign Act & Data-Processing Disclosure. The lawful gateway under PIPEDA is appropriate-purposes and business necessity (subsection 5(3) read with Principles 4.2, 4.4, and 4.5); the lawful gateway under GDPR is legitimate interests (Article 6(1)(f)). The purposes themselves — evidentiary integrity and anti-fraud — are the same.

We do not use signer personal information collected in the signing transaction for any purpose other than the two purposes set out in this section, and we do not use it to identify trends, profile individuals for marketing, or train AI or machine-learning models. The no-AI-training position is recorded at /privacy §10 and at /security §6(i) / §10.

4. Consent

Consent for the signing-transaction handling is captured at signing time as part of the ESIGN / UETA / ESA consent affirmation surfaced by the E-Sign Act & Data-Processing Disclosure. The disclosure names the personal information collected (§5), the purposes (§5), the lawful basis (§5), the retention rule (§5), and the rights available to you (§§3–5 and below). The affirmation is recorded with a SHA-256 hash of the disclosure text so the version you agreed to remains provable.

PIPEDA Principle 4.3 contemplates that consent may be express or implied depending on the sensitivity of the information and the reasonable expectations of the individual. The signing-transaction information described in §2 is collected in the act of signing a contract that you have chosen to enter, and the consent affirmation surfaced by the disclosure is express. You may withdraw consent at any time before completing your signature by clicking the “Withdraw consent” link on the signing page; withdrawal voids your signature slot in this request, the sender is notified, and you will be invited to arrange an alternative signing method. Withdrawal does not affect the validity of any signature you previously completed in this or any other request.

5. Retention

Audit-trail data is retained for the duration of the signed contract plus any limitation period applicable to claims arising from it. This retention period is necessary to make the evidentiary purpose in §3(a) effective: deletion of audit data after a signature has been affixed may invalidate the legal effect of the signature.

You can request earlier deletion of audit-trail data by contacting the sender. The sender is the organization with the authority to instruct DocPost to delete the audit trail for a particular signing transaction, because the sender is the PIPEDA-accountable organization for the purpose of that collection.

6. Disclosure and transfers

DocPost stores personal information in the United States. Signer personal information described in §2 is shared with the sender and its sub-processors as set out in §5 of the DocPost Privacy Policy at /privacy:

• the sender (the PIPEDA-accountable organization for the signing transaction),
• DocPost’s infrastructure sub-processors (Google Cloud Platform for hosting and storage, Amazon SES for outbound transactional email, the RFC-3161 timestamp authority for trusted timestamps, and a Stripe payment processor for billing — which does not receive signer personal information),
• where the sender connects a third-party storage provider (e.g. Google Drive) and elects to export the executed envelope, that provider.

For transfers of Canadian personal information to the United States and to DocPost’s sub-processors, DocPost relies on contractual protections in its agreements with sub-processors and on the technical and organizational measures described in the Information Security Policy at /security. The Office of the Privacy Commissioner of Canada has issued guidance on accountability for transfers to a third party for processing; the controls described at /security implement that guidance.

7. Safeguards

DocPost protects signer personal information with the safeguards described in the Information Security Policy at /security and, where the signing transaction involves ePHI, with the HIPAA technical safeguards documented at /hipaa-technical-safeguards. The safeguards include encryption in transit (TLS) and at rest (Google Cloud Storage), least-privilege access controls, multi-factor authentication for workforce access, tamper-evident audit logging (the hash-chained audit log and RFC-3161 timestamps described in §2), backup and disaster-recovery procedures, vendor management, vulnerability management, and workforce security training. The breach-response process and breach-notification timelines are codified in the Incident-Response Runbook at /incident-response-runbook §7 (PIPEDA Breach of Security Safeguards Regulations).

8. Your rights under PIPEDA

You have the following rights with respect to your personal information handled in the signing transaction:

• Right of access (PIPEDA Principle 4.9). You may request access to your personal information held in connection with the signing transaction.
• Right of correction (PIPEDA Principle 4.9.5). You may request correction of inaccurate or incomplete personal information.
• Right to challenge compliance (PIPEDA Principle 4.10). You may challenge DocPost’s compliance with this notice or the sender’s compliance with PIPEDA.
• Right to withdraw consent (PIPEDA Principle 4.3.8). You may withdraw consent to processing as described in §4, subject to legal or contractual restrictions that survive withdrawal — in particular, the retention rule in §5.
• Right to receive a paper copy of any record provided to you electronically (also recorded in §3 of the E-Sign Act & Data-Processing Disclosure).

For signing-transaction personal information, direct access, correction, and consent-withdrawal requests to the sender, who is the PIPEDA-accountable organization for that flow. DocPost will assist the sender as required. For DocPost-as-controller account-holder personal information, direct requests to Goliath Dynamics at the address in §10.

9. Complaints

You may file a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) about DocPost’s handling of your personal information, or about the sender’s handling of your personal information in the signing transaction. The OPC can be contacted at 30 Victoria Street, Gatineau, Quebec K1A 1H3, telephone 1-800-282-1376, or at www.priv.gc.ca.

For provincial private-sector privacy laws (Alberta’s Personal Information Protection Act, British Columbia’s Personal Information Protection Act, and Quebec’s Act respecting the protection of personal information in the private sector) that may apply in addition to PIPEDA, you may also file a complaint with the relevant provincial privacy commissioner.

10. Contact

For questions about this notice or DocPost’s handling of your personal information:

Goliath Dynamics, Inc. Attn: Privacy 7901 4th St N, STE 300 St. Petersburg, FL 33702 United States Email: privacy@goliathdynamics.com

For questions about a specific signing transaction, contact the sender — the sender is the PIPEDA-accountable organization for that flow.

11. Cross-references

• DocPost E-Sign Act & Data-Processing Disclosure at /esign-disclosure — the disclosure surfaced to you in the signing flow itself; §5 records the parallel GDPR Article 6(1)(f) legitimate-interest notice for the same processing.
• DocPost Privacy Policy at /privacy — DocPost-as-controller account-holder handling, sub-processor list (§5), retention rule (§6), international-transfer mechanism (§7), and complaint-routing language (§8).
• DocPost Information Security Policy at /security — the safeguards relied on by §7 of this notice.
• DocPost Incident-Response Runbook at /incident-response-runbook — §7 records the PIPEDA Breach of Security Safeguards Regulations notification process and the two-year retention rule for breach records.

---

History

• 2026-06-25 — v1 published.