Privacy Policy — AstraTsign

This privacy policy explains how AstraTsign collects, uses, stores, and shares personal data in connection with our authentication and document approval services. It is written from a technical and operational perspective to clarify the categories of data involved, the purposes for processing, the legal bases relied upon, and the measures we implement to protect data. We aim for clear, actionable information so customers and users can make informed choices about their use of AstraTsign.

08-05-2026 AstraTsign, Jalan Telipot, 15150 Kota Bharu, Kelantan, Malaysia; Phone: +60129590250; Business ID: 189755634037; [email protected]

Definitions

This section defines the principal terms used throughout the privacy policy to ensure consistent interpretation.

Personal data: Any information relating to an identified or identifiable natural person, such as names, contact details, identification numbers, and other identifiers used for authentication and document processing.
Processing: Any operation performed on personal data including collection, storage, use, disclosure, deletion, and transfer.
User: An individual who interacts with AstraTsign services, including account holders, signatories, approvers, and administrators.
Service: The authentication, electronic signing, document approval, and related services provided by AstraTsign via AstraTsign.best.
Cookies: Small data files placed on devices to enable session management, preferences storage, analytics, and related technical functions necessary for the Service.

Data collection

We collect personal data necessary to provide and secure the Service, to comply with legal obligations, and to improve performance and reliability. Data sources include information supplied by users, data generated by system processes, and data obtained from trusted third parties.

Data provided directly by users

When users register, submit documents, or interact with workflows, AstraTsign collects the following categories of user-provided data:

  • Identity details: full name, national ID or passport number when required for verification, and job title.
  • Contact information: email addresses, business phone numbers, and mailing address for account and communication purposes.
  • Uploaded documents: contracts, forms, identification scans, and any files submitted for signature or approval.
  • Authentication data: username, hashed passwords, multi-factor authentication vouchers, and encrypted certificate metadata necessary for secure login and signing.
  • Company and account data: organization name, registration number, billing details and administrative contacts.
  • Consent and preferences: marketing preferences, communication consents, and settings related to how the Service is used.

Automatically collected data

The Service also collects technical data automatically to operate, secure, and improve AstraTsign:

  • Usage data and logs: timestamps, actions performed in the system, and event logs tied to authentication and document approval activities.
  • Device and browser information: device type, operating system, browser version, and user agent strings.
  • Network data: IP addresses, approximate geo-location derived from IP, and connection metadata used for security monitoring.
  • Cookies and local storage identifiers used to maintain sessions and preferences.
  • Performance and diagnostic data to troubleshoot errors and improve reliability.
  • Signature metadata: encrypted signature hashes, timestamps, and certificate identifiers required to validate signed documents.

Data received from third parties

AstraTsign may receive information from verified third-party providers to support identity verification, payments, or integrations with enterprise systems.

  • Identity verification providers supplying validation results and limited identity attributes.
  • Payment processors providing payment confirmations and billing metadata when customers use paid services.
  • Integration partners and identity providers (e.g., SAML, OIDC) that supply authentication assertions and group membership attributes.

Purposes of processing

We process personal data for specific, legitimate operational reasons. Processing is limited to what is necessary to achieve these purposes.

  • Account creation, authentication, and access control to enable authorized use of AstraTsign.
  • Document handling and approval workflows including signing, storage, and retrieval.
  • Identity verification and validation where higher assurance is required for a given transaction.
  • Billing, invoicing, and subscription management for paid services.
  • Security, fraud detection, and incident response to protect users and the platform.
  • Service analytics and product improvement using aggregated, de-identified metrics where possible.
  • Regulatory and legal compliance, including fulfilling lawful requests from competent authorities.
  • Communications regarding account status, feature updates, and operational notifications necessary for service functionality.

Legal bases for processing

Processing is based on one or more of the legal bases applicable to the jurisdiction in which the data subject is located, including contractual necessity, consent, legal obligation, and legitimate interests.

  • Contract: processing necessary to perform the service agreement and fulfill customer requests.
  • Consent: where optional features or marketing communications require explicit consent.
  • Legal obligation: processing required to comply with laws, regulations, or valid government requests.
  • Legitimate interests: for platform security, fraud prevention, business continuity, and service improvements, subject to balancing tests.

GDPR and data subject rights

Where EU data protection law applies, AstraTsign observes data subject rights and provides mechanisms to exercise those rights in line with regulatory requirements.

  • Right of access: individuals may request confirmation of whether we process their data and obtain a copy.
  • Right to rectification: correction of inaccurate or incomplete personal data.
  • Right to erasure: requests to delete personal data where legal grounds permit.
  • Right to restriction: request limitation of processing under certain conditions.
  • Right to data portability: receive personal data in a structured, machine-readable format where applicable.
  • Right to object: object to processing based on legitimate interests or for direct marketing purposes.

Cookies and similar technologies

AstraTsign uses cookies and similar technologies to enable core functionality, remember preferences, and collect analytics data necessary to operate and improve the Service.

Types include essential session cookies, persistent preference cookies, security cookies used for fraud prevention, and anonymous analytics cookies.

Categories: essential, performance/analytics, functionality, and optional marketing tools. Essential cookies are required for the Service to function correctly.

Users can manage cookie preferences via their browser settings and in-product controls where provided. Disabling certain cookies may impact functionality.

See the detailed cookie policy at AstraTsign.best/cookies for full descriptions and management options.

Data sharing and disclosures

We share personal data only when necessary to operate the Service or comply with legal obligations, and we vet third parties to ensure appropriate safeguards.

  • Service providers performing hosting, data storage, and backup services under contract and confidentiality obligations.
  • Identity verification and KYC vendors when identity validation is required by the customer.
  • Payment processors for billing and transaction reconciliation.
  • Professional advisors and auditors bound by confidentiality when needed for compliance or audit activities.
  • Competent authorities in response to lawful requests such as court orders or statutory obligations.
  • Integration partners when customers opt to connect third-party platforms to their AstraTsign account.

International data transfers

AstraTsign may transfer and store data outside Malaysia to operate global infrastructure and service providers. Transfers are subject to contractual safeguards and technical measures to maintain an adequate level of protection.

Safeguards include standard contractual clauses where appropriate, vendor security assessments, and encryption in transit and at rest to reduce exposure during transfer.

Data retention

Retention practices balance operational needs, legal obligations, and minimisation principles. We retain different categories of data for periods aligned with these factors.

Account data is retained for the life of the account and for a limited period after account closure to support dispute resolution and legal obligations.

Messages and user communications are retained according to business needs and to comply with regulatory retention requirements; customers may configure retention for document storage where supported.

Security logs and audit trails are retained for a defined period to support incident response and compliance, with retention length determined by risk and regulatory considerations.

When data is no longer required, it is deleted or irreversibly anonymized in accordance with documented retention schedules and customer settings.

Security measures

AstraTsign applies a layered security model combining technical, organizational, and procedural controls to protect personal data. Controls are periodically reviewed and updated in response to evolving threats and industry best practices.

  • Encryption: TLS for data in transit and industry-standard encryption for data at rest, including encrypted protection for signature material.
  • Access controls and role-based permissions, multi-factor authentication for administrative access, and least-privilege principles.
  • Operational controls including logging, monitoring, regular vulnerability scanning, and third-party security assessments.

User rights and choices

Users have rights to access and control their personal data. We provide processes to address requests in a timely manner, subject to verification and applicable exceptions.

  • To exercise rights or make inquiries, contact [email protected] or write to AstraTsign at Jalan Telipot, 15150 Kota Bharu, Kelantan, Malaysia. Include sufficient details to identify the request and the account concerned.
  • Access: You may request a copy of personal data AstraTsign holds about you to verify processing activities and stored information.
  • Rectification: If personal data is inaccurate or incomplete, you may request corrections to ensure records reflect accurate information.
  • Erasure: You may request deletion of personal data where retention is no longer necessary for the original processing purpose, subject to legal and operational limitations.
  • Restriction: You may request limitation of processing while a dispute about accuracy or lawfulness of processing is reviewed.
  • Portability: Where technically feasible, you may request a copy of your personal data in a structured, commonly used, machine-readable format.
  • Objection: You may object to certain types of processing based on legitimate interests or for direct marketing; AstraTsign will assess and respond according to applicable law.
  • Complaints: If you believe your data rights are infringed, you may direct a complaint to AstraTsign or the relevant supervisory authority in Malaysia.

How to exercise your data rights

To exercise any data rights, submit a signed request including proof of identity and a clear description of the requested action. We will confirm receipt and provide guidance if additional information is required to process your request efficiently.

[email protected]

AstraTsign aims to acknowledge requests within 5 business days and complete actions promptly in accordance with applicable law; complex requests may require additional time and we will notify you if an extension is necessary.

Marketing and communications

We use contact details to provide product updates, security notices, and service-related communications. Marketing communications are only sent with your consent or when permitted by local law, and content will be relevant to authentication and document approval services.

You may opt out of marketing messages at any time by following the unsubscribe link in the communication or by contacting AstraTsign support with your preference.

Data concerning minors

AstraTsign does not target or knowingly collect personal information from individuals under the age of majority in Malaysia for account creation. If lawful processing of a minor's data is required, parental or guardian consent and appropriate safeguards will be implemented.

Third-party links

Our site and services may include links to third-party sites or services. AstraTsign is not responsible for third-party privacy practices; review their privacy policies before sharing personal data with them.

Changes to this privacy policy

We periodically review and may update this policy to reflect changes in law, technology, or our services. Material changes will be communicated by posting an updated policy on AstraTsign.best with the effective date and, where appropriate, direct notification to affected users.

Contact for privacy matters

For privacy requests or questions, contact: AstraTsign Privacy Team, Jalan Telipot, 15150 Kota Bharu, Kelantan, Malaysia, Business ID 189755634037, or email [email protected]. Provide your full name, contact details, and a clear description of your request.