Privacy Policy
Last updated: July 10, 2026 · Effective: July 10, 2026
LCBridge is an independent, third-party integration. DocuSign and HighLevel (GoHighLevel / LeadConnector) are trademarks of their respective owners; LCBridge is not affiliated with, endorsed by, sponsored by, or operated by them.
On this page
- Introduction & scope
- Our roles: controller & processor
- Information we process
- How we use information
- AI & automated processing
- Sub-processors & sharing
- DocuSign & CRM API data use
- Data retention & deletion
- Security
- International data transfers
- U.S. state privacy rights (CCPA)
- GDPR / UK rights
- Exercising your rights
- Data Processing Addendum
- Children's privacy
- Changes to this policy
- Contact us
1. Introduction & scope
LCBridge — a trading name of GoCSM Innovations Private Limited — provides the DocuSign Integration (also referred to as "SignBridge," the "Service"), an integration that runs inside the HighLevel (GoHighLevel / LeadConnector) CRM and connects your DocuSign account to your CRM so you can send agreements for signature, keep signing status current on your contacts, chase stalled signatures, and file completed documents automatically.
This Privacy Policy explains what personal information the Service processes, the roles we play, how we use and share it, how long we keep it, how we secure it, and the choices and rights you have. It applies to your use of the Service as installed within HighLevel and connected to your DocuSign account. It does not cover the independent practices of DocuSign or HighLevel, which are governed by their own privacy policies.
In this policy, "you" means the LCBridge customer (typically a HighLevel agency or sub-account business) and its authorized users. "Signers" and "contacts" means the individuals whose information flows through your CRM and the agreements you send.
2. Our roles: controller & processor
We handle personal information in two distinct roles, and your rights and our obligations differ depending on which applies:
- As a processor (and sub-processor). For the personal information of your contacts and signers that we process to send and track agreements on your behalf, you are the controller and LCBridge acts as a processor — or a sub-processor where you are yourself a processor acting for your own clients. We process that data only on your documented instructions, which are your configuration and use of the Service.
- As a controller. For information about your account, your connection, and your use of the Service — such as your DocuSign and HighLevel account identifiers, connection credentials, settings, and operational logs — LCBridge acts as the controller.
3. Information we process
The Service processes only the information needed to send agreements, keep their status current in your CRM, follow up on stalled agreements, and operate securely. It does not require, and we do not ask for, more than that.
a. Contact & agreement data (we act as processor)
- CRM contact & opportunity data accessed from HighLevel — such as names, email addresses, phone numbers, business/location names, and deal/opportunity details — used to populate, address, and send agreements and to link signing activity back to the right record.
- Recipient & envelope data — the names, email addresses, and signing status of each agreement recipient; envelope subject lines and template names; and event timestamps (sent, delivered, signed, declined, including a decline reason where DocuSign provides one).
- Follow-up message content — the body of the reminder ("nudge") messages that are sent to signers through your connected HighLevel account, retained as an audit record of what was sent.
- Matching data — the recipient email/name we use to match a signer to a CRM contact, and the candidate contact records considered for that match.
Signed documents are not stored by us. The Service does not store the contents of your agreements or signed PDFs in our database. When an agreement completes, the combined signed PDF and certificate of completion are retrieved from DocuSign and filed into your HighLevel media library; we retain only a link or reference to that document, together with envelope status and metadata. We never receive document contents through the DocuSign webhook — that payload is limited to recipient and status data.
b. Account, connection & operational data (we act as controller)
- DocuSign account information — your DocuSign account identifier, account base URI, user id, environment (demo/production), authorized scopes, and plan/capability information, used to call DocuSign on your behalf.
- Connection credentials — the OAuth access and refresh tokens issued when you connect your DocuSign and HighLevel accounts, and the DocuSign Connect signing-key secrets used to verify webhooks. These are stored encrypted and are used only to authenticate API calls and validate events.
- Settings & configuration — your field mappings, templates, automation preferences, and similar configuration.
- Usage & log data — operational logs and diagnostic information generated as the Service runs, used to operate, secure, monitor, and troubleshoot the Service.
We do not knowingly collect government-identifiers, financial account numbers, or special-category (sensitive) personal data through the Service, and we ask that you do not send such data in agreement fields or contact records where it is not needed.
4. How we use information
We use the information above only to deliver and maintain the Service. Specifically, to:
- Send agreements for signature from your CRM through your connected DocuSign account.
- Sync envelope status back into the CRM so signing progress stays current on the contact.
- Surface stalled or follow-up agreements and help you send reminder messages.
- File completed documents into your HighLevel media library and, where you have enabled it, advance the linked opportunity's pipeline stage.
- Operate, secure, monitor, debug, and improve the Service, and provide support.
- Comply with law and enforce our Terms.
We do not use your data or your contacts' data for advertising, and we do not sell or share it (as those terms are defined under U.S. state privacy laws). We do not use the personal data we process on your behalf to train general-purpose AI models.
5. AI & automated processing
Optional AI assistance (nudge drafts). If your administrator enables it, the Service can use a third-party AI model (Google Gemini) to draft a suggested follow-up message for a stalled agreement. Only limited context is sent to the model — a signer's first name, the document subject/type, the sending agent and business name, days elapsed, and status. Full email addresses and phone numbers are not sent to the AI. Drafts are always suggestions you can edit; a human sends the message. If AI assistance is not enabled, no data is sent to the AI provider and the Service uses fixed message templates instead.
The Service also performs limited rules-based automation on your CRM data at your configuration: automatically matching a signer's email to a CRM contact, writing status notes/tags to the contact timeline, filing completed documents, and — where enabled — advancing a linked opportunity to a "Won" pipeline stage when an agreement completes. These are routine operational actions you control in Settings, not decisions that produce legal or similarly significant effects about an individual within the meaning of GDPR Article 22.
6. Sub-processors & sharing
We share data only with the sub-processors necessary to deliver the Service. We do not sell personal data and do not share it for cross-context behavioral advertising. Our current sub-processors are:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| DocuSign (DocuSign, Inc.) | Create and send envelopes; receive signing status; retrieve completed documents (e-signature). | Recipient name & email, document subject/template, envelope status. |
| HighLevel / LeadConnector (HighLevel) | The host CRM the Service runs inside; source of contact/opportunity data and destination for status, notes, media, and reminder messages. | Contact/opportunity data, envelope status, documents filed to your media library, reminder message content. |
| Railway (cloud hosting, United States) | Hosts the Service and provides its managed PostgreSQL database and Redis queue. All data we store resides here. | All stored data described in Section 3(b) and the metadata in 3(a). |
| Google (Gemini) optional — only if AI assistance is enabled | Generate suggested follow-up message drafts. | Limited context only: signer first name, document subject/type, agent & business name, status. No full emails/phones. |
We use hosting in the United States. We may engage new sub-processors as the Service evolves; when we do, we will update this list. If you have a Data Processing Addendum with us (see Section 14), we will provide advance notice of new sub-processors and a means to object as described there.
We may also disclose information where required by law, to comply with legal process, or to protect the rights, safety, property, and security of our users, the public, or the Service. If we are involved in a merger, acquisition, or sale of assets, we will require the successor to honor this policy.
7. DocuSign & CRM API data use
We access DocuSign and HighLevel data solely to provide the integration to you, on an individual, transactional basis. We do not extract, aggregate, resell, or repurpose DocuSign or CRM data beyond what is necessary to support the Service, and we do not use it for advertising or to build independent profiles. This commitment reflects the data-use requirements of the platforms we integrate with, including DocuSign's developer terms.
8. Data retention & deletion
- Connection credentials. Your DocuSign and HighLevel OAuth tokens are usable only while the integration is connected. When you disconnect or uninstall, the Service can no longer act on your behalf.
- Tenant data. When you uninstall the Service (or a sub-account is uninstalled), we deactivate the connection immediately and then permanently delete all associated data — envelope records, recipient data, matching records, follow-up message records, settings, and credentials — within 30 days. Reconnecting before the purge restores your workspace.
- Logs. Operational and diagnostic logs are kept only for the limited period needed to operate, secure, and troubleshoot the Service, and are then discarded or minimized.
- Legal holds. We may retain limited information for longer where required to comply with legal obligations, resolve disputes, or enforce our agreements.
You can disconnect at any time to revoke the Service's access to your DocuSign account. To request earlier deletion of data we hold, contact us at hello@lcbridge.app.
9. Security
We maintain technical and organizational measures appropriate to the data we handle, including:
- Encryption in transit — traffic to and from the Service and the platforms it integrates with is protected with TLS.
- Encryption at rest for credentials — OAuth tokens and webhook signing secrets are encrypted using AES-256-GCM before they are stored.
- Authenticated webhooks — inbound DocuSign Connect events are verified with HMAC-SHA256 signatures (and HighLevel events with their platform signatures) before processing; unverified events are rejected, and verification "fails closed."
- Access controls & least privilege — we limit who and what can reach stored credentials and data, and we request only the OAuth scopes the Service needs.
- U.S. hosting — the Service and its data are hosted with a U.S. cloud provider.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach affecting your data, we will notify affected customers without undue delay and, where feasible, no later than 72 hours after becoming aware, consistent with applicable law.
10. International data transfers
We are based in, and host the Service in, the United States, and most of our customers are in the United States. If you or your contacts are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States. Where such transfers are subject to GDPR or UK data-protection law, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum), and/or another lawful transfer mechanism, as set out in our Data Processing Addendum (Section 14).
11. U.S. state privacy rights (CCPA/CPRA & others)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you rights over your personal information. Residents of other U.S. states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, and Texas, among others) have comparable rights. Subject to those laws, you may:
- Know / access the categories and specific pieces of personal information we hold about you;
- Delete personal information we hold about you;
- Correct inaccurate personal information;
- Opt out of any "sale" or "sharing" of personal information and of targeted advertising; and
- Not be discriminated against for exercising these rights.
We do not sell or share your personal information, and we have not done so. Where we process your contacts' personal information to provide the Service, we act as a service provider (processor) under a written contract that prohibits us from retaining, using, or disclosing that information for any purpose other than performing the Service. When you exercise a right with respect to information we process on behalf of a customer (controller), we will refer your request to that customer or assist them in responding.
12. GDPR / UK rights & lawful bases
Where the GDPR or UK GDPR applies, our lawful bases for processing the data for which we are a controller are: performance of a contract (to provide the Service you request), our legitimate interests (to secure, operate, and improve the Service, balanced against your rights), and consent where required (for example, enabling optional AI assistance). Subject to applicable law, you have the right to access, rectify, erase, restrict, and object to processing, and to data portability. You also have the right to lodge a complaint with your local supervisory authority. For personal data we process on a customer's behalf, please direct requests to that customer as the controller; we will assist them as their processor.
13. Exercising your rights
To exercise any right, or to disconnect the Service and stop further processing, you can:
- Disconnect / uninstall the integration at any time from within HighLevel to revoke access and begin deletion (see Section 8); or
- Contact us at hello@lcbridge.app. We may need to verify your identity or your relationship to the relevant account before acting, and we will respond within the timeframes required by applicable law. You may use an authorized agent where the law permits.
14. Data Processing Addendum
For customers who require one, we make available a Data Processing Addendum (DPA) that incorporates the EU Standard Contractual Clauses (and the UK Addendum) and describes our processor obligations, sub-processor commitments, security measures, and breach-notification duties. To request our DPA, contact hello@lcbridge.app.
15. Children's privacy
The Service is a business tool and is not directed to individuals under the age of 16, and we do not knowingly collect personal data from them. If you believe a child's data has been provided to us, contact us and we will delete it.
16. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will note them here and update the "Last updated" date above; where required, we will provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
17. Contact us
If you have questions about this Privacy Policy or how we handle your data, contact us at:
GoCSM Innovations Private Limited (trading as "LCBridge")
23–24 Omaxe Greens Extension, Omaxe City-1, Indore, Madhya Pradesh 453771, India
Email: hello@lcbridge.app
Phone: +91 97041 66680