Legal

Privacy Policy

Last updated: July 10, 2026  ·  Effective: July 10, 2026

LCBridge is an independent, third-party integration. DocuSign and HighLevel (GoHighLevel / LeadConnector) are trademarks of their respective owners; LCBridge is not affiliated with, endorsed by, sponsored by, or operated by them.

On this page

  1. Introduction & scope
  2. Our roles: controller & processor
  3. Information we process
  4. How we use information
  5. AI & automated processing
  6. Sub-processors & sharing
  7. DocuSign & CRM API data use
  8. Data retention & deletion
  9. Security
  10. International data transfers
  11. U.S. state privacy rights (CCPA)
  12. GDPR / UK rights
  13. Exercising your rights
  14. Data Processing Addendum
  15. Children's privacy
  16. Changes to this policy
  17. Contact us

1. Introduction & scope

LCBridge provides the DocuSign Integration (also referred to as "SignBridge," the "Service"), an integration that runs inside the HighLevel (GoHighLevel / LeadConnector) CRM and connects your DocuSign account to your CRM so you can send agreements for signature, keep signing status current on your contacts, chase stalled signatures, and file completed documents automatically.

This Privacy Policy explains what personal information the Service processes, the roles we play, how we use and share it, how long we keep it, how we secure it, and the choices and rights you have. It applies to your use of the Service as installed within HighLevel and connected to your DocuSign account. It does not cover the independent practices of DocuSign or HighLevel, which are governed by their own privacy policies.

In this policy, "you" means the LCBridge customer (typically a HighLevel agency or sub-account business) and its authorized users. "Signers" and "contacts" means the individuals whose information flows through your CRM and the agreements you send.

2. Our roles: controller & processor

We handle personal information in two distinct roles, and your rights and our obligations differ depending on which applies:

3. Information we process

The Service processes only the information needed to send agreements, keep their status current in your CRM, follow up on stalled agreements, and operate securely. It does not require, and we do not ask for, more than that.

a. Contact & agreement data (we act as processor)

Signed documents are not stored by us. The Service does not store the contents of your agreements or signed PDFs in our database. When an agreement completes, the combined signed PDF and certificate of completion are retrieved from DocuSign and filed into your HighLevel media library; we retain only a link or reference to that document, together with envelope status and metadata. We never receive document contents through the DocuSign webhook — that payload is limited to recipient and status data.

b. Account, connection & operational data (we act as controller)

We do not knowingly collect government-identifiers, financial account numbers, or special-category (sensitive) personal data through the Service, and we ask that you do not send such data in agreement fields or contact records where it is not needed.

4. How we use information

We use the information above only to deliver and maintain the Service. Specifically, to:

We do not use your data or your contacts' data for advertising, and we do not sell or share it (as those terms are defined under U.S. state privacy laws). We do not use the personal data we process on your behalf to train general-purpose AI models.

5. AI & automated processing

Optional AI assistance (nudge drafts). If your administrator enables it, the Service can use a third-party AI model (Google Gemini) to draft a suggested follow-up message for a stalled agreement. Only limited context is sent to the model — a signer's first name, the document subject/type, the sending agent and business name, days elapsed, and status. Full email addresses and phone numbers are not sent to the AI. Drafts are always suggestions you can edit; a human sends the message. If AI assistance is not enabled, no data is sent to the AI provider and the Service uses fixed message templates instead.

The Service also performs limited rules-based automation on your CRM data at your configuration: automatically matching a signer's email to a CRM contact, writing status notes/tags to the contact timeline, filing completed documents, and — where enabled — advancing a linked opportunity to a "Won" pipeline stage when an agreement completes. These are routine operational actions you control in Settings, not decisions that produce legal or similarly significant effects about an individual within the meaning of GDPR Article 22.

6. Sub-processors & sharing

We share data only with the sub-processors necessary to deliver the Service. We do not sell personal data and do not share it for cross-context behavioral advertising. Our current sub-processors are:

Sub-processorPurposeData involved
DocuSign
(DocuSign, Inc.)
Create and send envelopes; receive signing status; retrieve completed documents (e-signature).Recipient name & email, document subject/template, envelope status.
HighLevel / LeadConnector
(HighLevel)
The host CRM the Service runs inside; source of contact/opportunity data and destination for status, notes, media, and reminder messages.Contact/opportunity data, envelope status, documents filed to your media library, reminder message content.
Railway
(cloud hosting, United States)
Hosts the Service and provides its managed PostgreSQL database and Redis queue. All data we store resides here.All stored data described in Section 3(b) and the metadata in 3(a).
Google (Gemini)
optional — only if AI assistance is enabled
Generate suggested follow-up message drafts.Limited context only: signer first name, document subject/type, agent & business name, status. No full emails/phones.

We use hosting in the United States. We may engage new sub-processors as the Service evolves; when we do, we will update this list. If you have a Data Processing Addendum with us (see Section 14), we will provide advance notice of new sub-processors and a means to object as described there.

We may also disclose information where required by law, to comply with legal process, or to protect the rights, safety, property, and security of our users, the public, or the Service. If we are involved in a merger, acquisition, or sale of assets, we will require the successor to honor this policy.

7. DocuSign & CRM API data use

We access DocuSign and HighLevel data solely to provide the integration to you, on an individual, transactional basis. We do not extract, aggregate, resell, or repurpose DocuSign or CRM data beyond what is necessary to support the Service, and we do not use it for advertising or to build independent profiles. This commitment reflects the data-use requirements of the platforms we integrate with, including DocuSign's developer terms.

8. Data retention & deletion

You can disconnect at any time to revoke the Service's access to your DocuSign account. To request earlier deletion of data we hold, contact us at hello@lcbridge.app.

9. Security

We maintain technical and organizational measures appropriate to the data we handle, including:

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach affecting your data, we will notify affected customers without undue delay and, where feasible, no later than 72 hours after becoming aware, consistent with applicable law.

10. International data transfers

We are based in, and host the Service in, the United States, and most of our customers are in the United States. If you or your contacts are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States. Where such transfers are subject to GDPR or UK data-protection law, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum), and/or another lawful transfer mechanism, as set out in our Data Processing Addendum (Section 14).

11. U.S. state privacy rights (CCPA/CPRA & others)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you rights over your personal information. Residents of other U.S. states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, and Texas, among others) have comparable rights. Subject to those laws, you may:

We do not sell or share your personal information, and we have not done so. Where we process your contacts' personal information to provide the Service, we act as a service provider (processor) under a written contract that prohibits us from retaining, using, or disclosing that information for any purpose other than performing the Service. When you exercise a right with respect to information we process on behalf of a customer (controller), we will refer your request to that customer or assist them in responding.

12. GDPR / UK rights & lawful bases

Where the GDPR or UK GDPR applies, our lawful bases for processing the data for which we are a controller are: performance of a contract (to provide the Service you request), our legitimate interests (to secure, operate, and improve the Service, balanced against your rights), and consent where required (for example, enabling optional AI assistance). Subject to applicable law, you have the right to access, rectify, erase, restrict, and object to processing, and to data portability. You also have the right to lodge a complaint with your local supervisory authority. For personal data we process on a customer's behalf, please direct requests to that customer as the controller; we will assist them as their processor.

13. Exercising your rights

To exercise any right, or to disconnect the Service and stop further processing, you can:

14. Data Processing Addendum

For customers who require one, we make available a Data Processing Addendum (DPA) that incorporates the EU Standard Contractual Clauses (and the UK Addendum) and describes our processor obligations, sub-processor commitments, security measures, and breach-notification duties. To request our DPA, contact hello@lcbridge.app.

15. Children's privacy

The Service is a business tool and is not directed to individuals under the age of 16, and we do not knowingly collect personal data from them. If you believe a child's data has been provided to us, contact us and we will delete it.

16. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will note them here and update the "Last updated" date above; where required, we will provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

17. Contact us

If you have questions about this Privacy Policy or how we handle your data, contact us at:

LCBridge — DocuSign Integration for HighLevel
Email: hello@lcbridge.app