TavoSign.lt Retention Policy

Effective date: 8 May 2026. MVP policy version: 2026-05-08.

This policy explains how TavoSign.lt stores, retains and deletes account data, uploaded documents, signed PDFs, hashes, audit logs and signing evidence. It is written for the MVP and must be reviewed by legal counsel before large-scale production use.

Controller and scope

TavoSign.lt is operated by astrovno.com for electronic document signing workflows in Lithuania and the EU. The policy applies to registered users, invited signers and documents processed through SES and Smart-ID flows.

Why retention is needed

Electronic signing requires reliable evidence: who signed, when, from which session/IP, the document hash, final signed document hash, consent, OTP verification and Smart-ID session result. This evidence is kept to operate the service, prevent abuse, resolve disputes and support legal claims.

Documents and signed files

Active documents remain available while the account is active or until the user deletes them. When a user deletes a document, it is hidden from the user interface immediately, but the original hash, signed hash, signature records, audit trail and files are retained as legal evidence for up to 10 years unless a shorter period is legally possible.

Audit trail

Audit events are retained together with the document record. Audit logs may include signer email, timestamps, IP address, user agent, document hashes, OTP status, consent status and Smart-ID metadata. Audit logs are not removed by ordinary user deletion because they protect the integrity of the signing record.

Unverified registrations and sessions

Unverified email accounts may be removed after 24 hours. Browser sessions are short-lived and expire after approximately 30 minutes. SMS/OTP challenges are retained only as needed for security and audit evidence.

Backups and security logs

Operational backups and technical logs may retain data for up to 90 days, after which they are rotated or removed unless needed for security investigation, legal obligation or dispute handling.

Billing and accounting

If paid plans or invoices are used, billing records may be retained for up to 10 years where required by Lithuanian accounting and tax rules.

User rights

Users may request access, correction, restriction or deletion of personal data. Deletion requests are assessed against legal retention needs for signed documents, audit evidence, accounting records and security obligations.

Processors and providers

The service may use infrastructure, email, SMS, payment and eID providers. Each processor should be covered by appropriate data processing terms before production use.

Consent before registration

By creating an account, the user confirms that they have read this policy and accepts the retention of signing evidence as described above.

Sources used for structure and benchmark: GDPR storage limitation principle from the European Commission, and public retention/privacy practices from Lithuanian e-signing services such as Dokobit. This page is an MVP operational policy and should be legally reviewed before production launch.
