Privacy Policy

This Privacy Policy describes how Savvy Signature ("we", "us", or "our") collects, uses, and protects information when you use:

• The Savvy Signature Portal at https://portal.savvysignature.co
• The Savvy Signature Vault Chrome browser extension

Both products are internal tools operated by Savvy Signature for its employees, contractors, and authorised guests. By using either product you agree to the practices described here.

2.1 Portal

• Identity data — your name, work email address, job title, and department, sourced from Microsoft Entra ID (Azure AD) when you sign in via Microsoft SSO.
• Attendance & time data — clock-in/out times, break records, and work-status changes you submit through the portal.
• Leave & HR data — leave requests, approval decisions, payroll-related records entered by HR administrators.
• Vault data — encrypted credential titles, usernames, site URLs, and folder names stored in the password vault. Passwords are stored exclusively as AES-256-GCM ciphertext; the plaintext is never written to disk or logged.
• Audit logs — records of vault entry views, copies, and edits (timestamp + email only; no passwords).
• Usage logs — server-side request logs (IP address, user agent, HTTP method, path, status code) retained for security and debugging.

2.2 Chrome Extension

• Authentication tokens — Microsoft ID/access tokens and refresh tokens stored in chrome.storage.session, which is automatically cleared when you close the browser.
• Guest tokens — time-limited access tokens stored in chrome.storage.session only.
• Active tab URL — read on demand (when you open the extension popup on a page) to suggest matching vault credentials. The URL is never transmitted to our servers nor stored.
• Form field values — when you click "Autofill", the extension writes your username and password into the active page's form fields. These values are fetched once from the portal API and never cached on disk.
• The extension does not collect browsing history, keystrokes, or any data from pages you do not explicitly interact with.

• To authenticate you and enforce role-based access controls within the portal and vault.
• To deliver core HR features — attendance tracking, leave management, onboarding, and recruitment workflows.
• To store and retrieve encrypted vault credentials on your behalf.
• To send Microsoft Teams and email notifications for events you trigger (e.g. leave approvals, clock-in alerts).
• To generate internal reports for HR and management (aggregated, not shared externally).
• To maintain audit trails for security and compliance purposes.
• We do not sell, rent, or share your personal data with any third party for advertising or commercial purposes.

• Vault passwords are encrypted with AES-256-GCM using a per-entry Data Encryption Key (DEK). Each DEK is wrapped with a per-folder Key Encryption Key (KEK) derived via HKDF-SHA256 from a master key held only in the server environment — never in the database.
• Transport — all communication between the extension, portal, and server is over HTTPS/TLS 1.2+.
• Session tokens in the extension are stored in chrome.storage.session (volatile — cleared on browser close) and never written to localStorage or cookies.
• Guest tokens are stored as SHA-256 hashes in the database; the raw token is shown once and never retrievable again.
• CSRF protection — all state-mutating portal API calls require a time-limited HMAC-SHA256 double-submit token.
• Idle lock — the vault extension automatically locks after 15 minutes of inactivity.

We use the following third-party services to operate the portal:

Each provider is bound by its own privacy policy and data processing agreement. We do not share data with any other third parties.

• Active employee data is retained for the duration of employment plus any legally required period thereafter.
• Vault entries are retained until deleted by an authorised user or administrator.
• Audit logs are retained for 12 months.
• Guest tokens expire automatically per the duration set at issuance (maximum 30 days). Expired and revoked tokens are purged after 90 days.
• Server request logs are retained for 30 days.
• Upon termination of employment, personal data is anonymised or deleted within 90 days except where retention is required by law.

Depending on your jurisdiction you may have the right to:

• Access — request a copy of personal data we hold about you.
• Correction — request correction of inaccurate data.
• Deletion — request deletion of your data (subject to legal retention obligations).
• Portability — request your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.

To exercise any of these rights, email us at hello@savvysignature.co. We will respond within 30 days.

The Savvy Signature Vault extension requests the following browser permissions and uses them solely as described:

The extension does not use remote code execution, does not read any page content beyond active-tab form fields during autofill, and does not track your browsing activity.

If you have questions about this Privacy Policy or our data practices, please contact:

We may update this policy from time to time. Material changes will be communicated via email or a notice in the portal. Continued use after changes constitutes acceptance.