Understanding Privacy: What It Really Means Online

Published on Mon Nov 17 2025

Privacy policies seem designed to confuse us. Legal terms and technical jargon can hide shortcuts, loopholes, and compromises behind a facade of trust.

The Free Dictionary defines privacy as “the quality or condition of being secluded from the presence or view of others.” At its core, privacy is about the right to act without being watched. Understanding how this applies online helps you choose tools and services that genuinely respect it.

This guide is for anyone who wants to understand what privacy really means, how it affects your digital life, and how to make informed choices about the apps and services you use.

Compliance is not the same as privacy

Compliance means meeting legal or regulatory standards. Regulations such as GDPR, and certifications like SOC 2 or ISO 27001, show that a company follows specific rules for data security and handling. Compliance creates a baseline of accountability, but it does not guarantee privacy. A company can meet every legal requirement yet still collect, analyze, or share your data in ways you may not expect.

Privacy is a principle, not a checklist. It is about giving people control over their data and obtaining informed consent for how it is used. A service may be fully compliant but respect privacy only minimally, while another service may prioritize privacy without holding every certification. Most companies fall somewhere in between, balancing compliance, cost, and how much they truly value user privacy.

The distinction matters. Compliance protects companies from lawsuits. Privacy protects you from surveillance.

Key privacy concepts explained

Privacy discussions are full of terms that sound technical but can be simplified. Here’s what some common terms mean in plain language.

Roles and responsibilities

  • Data controller: the organization deciding why and how your data is used.
    • Analogy: Think of it as the chef choosing the recipe.
    • Example: In an e-signature platform, the company sending a contract is the controller. They decide who signs and what information is collected.
  • Data processor: a third party handling data on behalf of a controller.
    • Analogy: A sous-chef following the recipe but not owning it.
    • Example: The cloud service storing the signed documents is a processor. They follow the rules set by the controller but don’t decide how the data is used.

Technical protections

  • Encryption: encoding information so only authorized people can read it.
    • Analogy: Sealing a letter in an envelope.
    • Example: When signing a contract digitally, encryption ensures that nobody intercepting the file can read it.
  • Encryption at rest: protecting data while it’s stored.
    • Analogy: The sealed envelope sitting in a locked filing cabinet.
    • Example: Your signed contracts stored on a server are encrypted so that anyone accessing the storage directly cannot read them.
  • Encryption in transit: protecting data while it moves between locations.
    • Analogy: The sealed envelope being carried by the postal service.
    • Example: When you upload a document to sign, encryption in transit protects it from being intercepted while traveling to the server.
  • Confidential computing: processing data in a hardware-isolated secure enclave that the provider cannot access.
    • Analogy: A sealed vault inside the postal service facility. Documents are briefly opened inside the vault for processing, but neither the provider nor anyone else can enter the vault or see what’s inside.
    • Example: A contract sent digitally is encrypted and only decrypted in a protected environment for signing before being re-encrypted, so that not even the provider can preview the signature or document. Only the people signing can decrypt and view it.
  • End-to-end encryption: only the sender and recipient can access the content; no one in the middle can read it.
    • Analogy: A sealed envelope that only you and the recipient have keys to open. The messenger carries it but has no way to peek inside, and it never needs to be opened in transit.
    • Example: Messages that are encrypted on your device and only decrypted on the recipient’s device, with no intermediate processing.

Data practices

  • Consent: clear, informed agreement to share your data.
    • Analogy: A handshake where both parties agree clearly and willingly.
    • Example: A pop-up asking if the app can store your signature for reuse, with a simple yes/no choice.
  • Data minimization: collecting only what is necessary.
    • Analogy: A restaurant asking only for your table size, not your full medical history.
    • Example: Asking only for your email address to create an account, not your phone number, home address, or date of birth, unless needed.
  • Data transfer: moving data across locations or countries.
    • Analogy: Shipping documents internationally and following customs rules.
    • Example: Sending a contract from a French company to a cloud server in Germany. Regional rules apply.
  • Retention policy: how long your data is stored before deletion.
    • Analogy: A best-before date.
    • Example: A platform might keep signed contracts for seven years for compliance, then automatically delete them.
  • Anonymization: removing identifiers so data cannot be traced back to a person.
    • Analogy: Sharing statistics instead of stories.
    • Example: Aggregating usage data for analytics without including names or email addresses.
  • Pseudonymization: replacing identifiers with codes while keeping a key.
    • Analogy: A coded list that could be decoded later.
    • Example: Replacing user email addresses with internal IDs for tracking usage while keeping the actual email addresses separate.
  • Privacy by design: building products so privacy is automatic, not optional.
    • Analogy: Building a house with locks on every door and window before you move in, rather than adding them after a break-in.
    • Example: An e-signature service that encrypts documents end-to-end and never stores a copy it can read.
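The difference between pseudonymization and anonymization above comes down to whether a key exists that can undo the mapping. The following Go program is an added example, not code from the original post or from Subnoto: it pseudonymizes a constructed feed of signing events with HMAC-SHA256 under a secret key, shows that only the key custodian can relink a token to an email address, and then anonymizes the same feed into per-month counts with small groups suppressed. The key, the sample events and the group threshold are all constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Event is a constructed usage record: which account signed in which month.
type Event struct {
	Email string
	Month string
}

// Pseudonymizer replaces identifiers with stable tokens computed as
// HMAC-SHA256 under a secret key. The key is the "coded list" from the text:
// whoever holds it can relink tokens; whoever lacks it cannot.
type Pseudonymizer struct {
	key []byte
}

// Token derives the pseudonym for one identifier (first 16 hex chars kept).
func (p Pseudonymizer) Token(email string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(email))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// Pseudonymize rewrites a feed so that analytics sees tokens, not emails.
func (p Pseudonymizer) Pseudonymize(events []Event) []Event {
	out := make([]Event, len(events))
	for i, e := range events {
		out[i] = Event{Email: p.Token(e.Email), Month: e.Month}
	}
	return out
}

// Relink is what the key custodian can do and nobody else: given a token and
// the identifiers it already knows (e.g. the account table), recover the email.
func (p Pseudonymizer) Relink(token string, known []string) (string, bool) {
	for _, e := range known {
		if hmac.Equal([]byte(p.Token(e)), []byte(token)) {
			return e, true
		}
	}
	return "", false
}

// Anonymize turns a (pseudonymized) feed into statistics: distinct signers per
// month, dropping any month with fewer than minGroup signers so that no
// published row describes a small, re-identifiable set of people.
func Anonymize(events []Event, minGroup int) map[string]int {
	perMonth := map[string]map[string]bool{}
	for _, e := range events {
		if perMonth[e.Month] == nil {
			perMonth[e.Month] = map[string]bool{}
		}
		perMonth[e.Month][e.Email] = true
	}
	out := map[string]int{}
	for month, signers := range perMonth {
		if len(signers) >= minGroup {
			out[month] = len(signers)
		}
	}
	return out
}

func main() {
	// Constructed key and sample data; a real deployment keeps the key in a
	// KMS, separate from the analytics store that receives the tokens.
	p := Pseudonymizer{key: []byte("constructed-demo-key-not-for-production")}
	events := []Event{
		{"alice@example.com", "2025-09"}, {"bob@example.com", "2025-09"},
		{"carol@example.com", "2025-09"}, {"alice@example.com", "2025-09"},
		{"dave@example.com", "2025-10"},
	}
	feed := p.Pseudonymize(events)
	fmt.Println("pseudonymized feed:", feed)

	who, ok := p.Relink(feed[1].Email, []string{"alice@example.com", "bob@example.com"})
	fmt.Println("key custodian relinks feed[1] to:", who, ok)

	stats := Anonymize(feed, 3)
	months := make([]string, 0, len(stats))
	for m := range stats {
		months = append(months, m)
	}
	sort.Strings(months)
	for _, m := range months {
		fmt.Printf("%s: %d distinct signers\n", m, stats[m])
	}
}
```

Note that a plain, unkeyed hash of an email address would not be pseudonymization in this sense: anyone can recompute it from a known address, so there is no key to keep separate. The keyed construction is what lets a service hand the feed to an analytics team while the ability to relink stays with whoever guards the key.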

The critical gap most services won’t tell you about

Most services encrypt data in transit and at rest, but the server holds the keys and decrypts the data to process it, for example while a document is being signed electronically. This means the provider can read everything, your documents, messages, and files, even if it promises not to.

It’s like hiring a locksmith to install your safe, but they keep a copy of the combination “just in case.”

Advanced services use confidential computing—processing data in hardware-isolated secure enclaves that even the provider cannot access. This enables functionality that end-to-end encryption can’t support. For example, e-signatures require server-side processing to coordinate multiple signers, validate documents, and manage workflows. Confidential computing makes this processing possible while keeping your data protected in a sealed vault that’s impenetrable to everyone, including the service operator.

End-to-end encryption provides the strongest protection where data is only decrypted on devices you control, never on any server. However, this prevents many types of processing—you can’t search encrypted emails on the server, coordinate multi-party workflows, or apply business logic without decrypting locally first. For use cases requiring server-side processing, confidential computing offers the best balance of privacy and functionality.

Without these protections, every provider is a potential data breach, government subpoena, or insider threat away from exposing your information.
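The "critical gap" is a question of key custody, and it is easiest to see with both models side by side. The following Go program is an added example, not code from the original post or from Subnoto: a hypothetical `Provider` stores documents either after receiving them in plaintext and sealing them with its own key (encryption at rest), or as envelopes the signer already sealed on their own device (end-to-end encryption). `OperatorRead` models what an insider, a server breach or a subpoena can recover using every key the provider holds. The document text and all keys are constructed for the demonstration; AES-256-GCM from the Go standard library does the sealing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is a document sealed with AES-256-GCM: a fresh nonce plus the
// ciphertext with its authentication tag appended.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 256-bit key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext under key.
func Seal(key, plaintext []byte) (Envelope, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open reverses Seal. GCM authenticates the ciphertext, so a party holding the
// wrong key gets an error instead of garbage plaintext.
func Open(key []byte, env Envelope) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Provider is the server side of a hypothetical document service: a blob
// store plus the one key the operator controls (think of a cloud KMS key).
type Provider struct {
	kmsKey []byte
	blobs  map[string]Envelope
}

func NewProvider() (*Provider, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	return &Provider{kmsKey: key, blobs: map[string]Envelope{}}, nil
}

// UploadPlaintext models "encrypted in transit, encrypted at rest": TLS has
// terminated, the server sees the plaintext, then seals it with its own key.
func (p *Provider) UploadPlaintext(id string, doc []byte) error {
	env, err := Seal(p.kmsKey, doc)
	if err != nil {
		return err
	}
	p.blobs[id] = env
	return nil
}

// UploadSealed models end-to-end encryption: the signer sealed the document
// with a key that never left their device, so the server only stores ciphertext.
func (p *Provider) UploadSealed(id string, env Envelope) {
	p.blobs[id] = env
}

// OperatorRead is what an insider, a breach of the server or a subpoena can
// recover: the stored ciphertext decrypted with every key the provider holds.
func (p *Provider) OperatorRead(id string) ([]byte, error) {
	env, ok := p.blobs[id]
	if !ok {
		return nil, errors.New("no such document")
	}
	return Open(p.kmsKey, env)
}

func main() {
	p, err := NewProvider()
	if err != nil {
		panic(err)
	}
	doc := []byte("Constructed sample: Alice agrees to the terms of contract 42.")

	// Model 1: the provider encrypts at rest with a key it controls.
	_ = p.UploadPlaintext("contract-at-rest", doc)
	got, err := p.OperatorRead("contract-at-rest")
	fmt.Printf("at-rest model, operator reads: %q (err=%v)\n", got, err)

	// Model 2: the signer encrypts on their own device before uploading.
	clientKey, _ := NewKey()
	env, _ := Seal(clientKey, doc)
	p.UploadSealed("contract-e2ee", env)
	_, err = p.OperatorRead("contract-e2ee")
	fmt.Printf("e2ee model, operator reads: err=%v\n", err)
	back, _ := Open(clientKey, env)
	fmt.Printf("e2ee model, signer reads: %q\n", back)
}
```

Both models produce ciphertext on disk, and both would satisfy a checklist item that says "data is encrypted at rest". The difference that matters for the threats listed above is only visible in `OperatorRead`: in the first model it returns the contract, in the second it fails, because the key was never in the provider's hands. Confidential computing sits between the two: the server still processes plaintext, but inside an enclave whose keys the operator cannot reach, which is why the text presents it as the option for workflows that need server-side coordination.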


Understanding privacy concepts is the first step. The next is recognizing them in practice. In an upcoming post, we’ll show you how to evaluate any service’s privacy claims and spot the red flags that reveal privacy theater.

Privacy-first e-signatures

Want to see what privacy by design looks like in practice?

Try Subnoto e-signatures.

