Privacy Policy
Effective date: April 24, 2026
1. Who We Are
This Privacy Policy describes how Andrea Fillingane, doing business as Andrea The Notary ("Andrea The Notary," "we," "our," or "us") collects, uses, and protects your personal information when you use our website (andreathenotary.com), client portal (portal.andreathenotary.com), online booking form, or any other services we provide.
We are committed to handling your information responsibly and in compliance with applicable privacy laws, including the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.).
2. Information We Collect
We collect the following categories of personal information:
Information you provide directly
- Identity information: Full name, preferred name
- Contact information: Email address, phone number, mailing address
- Identification information: Government-issued ID type and number (collected at the time of notarization as required by Colorado law for notary journal records)
- Appointment information: Requested service type, document types to be notarized, appointment date and time, location, number of witnesses requested
- Communication preferences: Whether you consent to text messages, preferred contact method
- Electronic signature data: Typed name or drawn signature image captured when you sign service agreements electronically
- Messages: Any information you include in inquiry forms or communications with us
Information collected automatically
- IP address: Recorded at the time you sign a document electronically, as part of the audit trail required for ESIGN Act compliance
- Authentication data: When you access the client portal, we collect a session token managed by our authentication provider (Supabase) to keep you logged in
Payment information
We do not store your full credit card numbers, bank account numbers, or other sensitive payment credentials on our systems. Payment is processed directly by our third-party payment processors (described in Section 4). We receive only a transaction confirmation and the amount paid.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide notary services: Scheduling appointments, performing notarial acts, maintaining required notary journal records, and generating estimates, invoices, and receipts
- To communicate with you: Sending appointment confirmations, estimates, invoices, signed contract copies, and other service-related communications to your email address
- To process payments: Generating secure payment links and verifying payment status
- To maintain legal compliance: Colorado law requires notaries to maintain a tamper-evident journal of all notarial acts for a minimum of ten (10) years (C.R.S. § 24-21-519). Signer identity and document information are retained as part of this legally required record
- To operate the client portal: Allowing you to view your appointments, booking history, open invoices, and pending estimates
- To improve our services: Understanding how clients find us (referral sources) and what services are most commonly requested
We do not sell, rent, or trade your personal information to any third party for marketing purposes. We do not use your information for automated decision-making or profiling.
4. Disclosure of Information to Third Parties
We share your information only as necessary to provide services and as described below. We do not disclose your information to any other third parties without your consent, except as required by law.
Stripe (card payments)
When you pay by credit or debit card, you are directed to a secure payment page hosted by Stripe, Inc. Stripe processes card transactions and is a PCI DSS Level 1 certified payment service provider. The information shared with Stripe includes the payment amount and a session token. We do not transmit your name or email directly to Stripe through our payment flow. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.
Infrastructure providers
Our platform is built on the following infrastructure providers, each of which may process your data as a data processor on our behalf:
- Supabase: Provides our database (PostgreSQL) and authentication services. Your client record, appointment data, journal entries, and signed document records are stored in a Supabase-hosted database.
- Vercel: Hosts and serves our web application. Web requests, including your IP address, pass through Vercel's infrastructure.
- Resend: Delivers transactional emails (such as appointment confirmations and signed document copies) to your email address on our behalf.
- Cloudflare: Provides DNS and network security for our domain. Network-level traffic may pass through Cloudflare's infrastructure.
Legal requirements
We may disclose your information if required to do so by law, court order, or lawful request by a government authority, or if we believe disclosure is necessary to protect our legal rights, protect your safety or the safety of others, or investigate fraud.
5. Security Practices
We take the security of your personal information seriously and have implemented the following safeguards:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). Payment pages are served directly by Stripe over their own TLS-secured connections.
- Encryption at rest: Your data is stored in a Supabase-managed PostgreSQL database with encryption at rest provided by the underlying cloud infrastructure.
- Row-Level Security (RLS): Our database enforces row-level security policies so that data is accessible only to authorized users and our application's service role. Client portal users can only access their own records.
- Tamper-evident journal: Each entry in our electronic notary journal is cryptographically linked to the previous entry using a SHA-256 hash chain, making unauthorized modification detectable.
- Authentication: Access to the admin dashboard requires credentials and is protected by Supabase Auth. Client portal access uses magic link (one-time email link) authentication — no passwords are stored. Two-factor authentication (2FA) via authenticator app is available and strongly recommended for all portal users.
- Access controls: Administrative access to client data is restricted to Andrea Fillingane. No third-party staff have access to your personal data.
- Payment data: We never store full payment card numbers or bank account numbers. Payment processing is fully delegated to Stripe, a PCI DSS Level 1 certified payment processor.
While we implement reasonable security measures, no system is completely secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you as required by applicable law.
6. Data Retention
We retain your personal information for as long as necessary to provide services, fulfill legal obligations, and resolve disputes:
- Notary journal records: Retained for a minimum of ten (10) years as required by C.R.S. § 24-21-519.
- Signed agreements: Retained indefinitely as legal records of consent.
- Invoices and financial records: Retained for a minimum of seven (7) years for tax and accounting purposes.
- Client contact information and appointment history: Retained for the duration of our business relationship. You may request deletion of information not subject to a legal retention obligation at any time.
7. Your Rights (Colorado Privacy Act)
If you are a Colorado resident, you have the following rights under the Colorado Privacy Act (C.R.S. § 6-1-1306):
- Right to know what personal data we hold about you
- Right to correct inaccurate personal data
- Right to delete personal data (subject to legal retention obligations described in Section 6)
- Right to data portability — obtain a copy of your data in a portable format
- Right to opt out of the sale of personal data (we do not sell personal data)
To exercise any of these rights, please contact us at the address below. We will respond within 45 days as required by law.
8. Children's Privacy
Our services are not directed to children under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. Continued use of our services after the effective date constitutes acceptance of the updated policy.
10. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy, please contact us:
