Privacy Policy
Effective date: 18 May 2026
This Privacy Policy describes how NotarAI (“we”, “us”, “our”) collects, uses, and stores your personal data when you access notarai.io or use the NotarAI service. NotarAI is operated by Arthur Temmerman (VAT BE1031912625), Belgium. We act as data controller under Regulation (EU) 2016/679 (GDPR). This policy is addressed to business customers and their representatives.
1. Who we are and how to contact us
NotarAI is operated by Arthur Temmerman, a sole trader registered in Belgium (VAT BE1031912625). We act as data controller for personal data processed in connection with the service. For all privacy matters, including data subject requests, email us at privacy@notarai.io. We will acknowledge your request within 72 hours and respond substantively within 30 days (GDPR Art. 12).
As our customer base currently consists of business users and their representatives, the personal data processed primarily relates to business contact persons. Where individual consumers interact with the service (e.g. account holders), full GDPR rights apply as described in section 8.
2. Personal data we collect and why
Account data
When you create an account we collect your email address and, if you provide it, a display name. Authentication is handled by Supabase Auth. Sign-in with email/password or OAuth providers (Google, GitHub) is supported. Legal basis: performance of contract (Art. 6(1)(b)).
Billing and payment data
Subscription and payment processing is handled entirely by Stripe. NotarAI stores only a Stripe customer ID and subscription status. We do not store card numbers, bank account details, or any other payment instrument information. Stripe’s privacy policy governs payment data. Legal basis: performance of contract (Art. 6(1)(b)) and legal obligation for billing record retention (Art. 6(1)(c)).
Uploaded files and signing records
When you scan or sign a file, NotarAI temporarily stores the file in Supabase Storage (EU Frankfurt) to perform the requested operation. For each signing job we create a permanent database record containing: file name, file size, MIME type, SHA-256 fingerprint, the AI declaration you configured, certificate identifier, and status metadata. File objects are deleted per the retention schedule in section 5. The database record and public verification page (/verify/:id) are retained permanently to support independent verification and audit. Legal basis: performance of contract (Art. 6(1)(b)).
Important — uploaded file content: Files you upload may contain embedded personal data (e.g. EXIF metadata, GPS coordinates, author names). We process this data solely to perform the service. We do not read, analyse, or extract personal data from file content for any other purpose. We do not use file content to train machine learning models.
Usage and rate-limit counters
Monthly scan and sign counters and per-minute rate-limit state are stored in Upstash Redis (EU region), keyed to your user or API key identifier. These counters reset on a rolling or monthly basis and do not contain file content. Legal basis: legitimate interests (Art. 6(1)(f)) — enforcing fair-use limits and protecting service availability for all users.
API keys
API keys you generate are stored as one-way hashed values (scrypt). The plaintext key is shown only once at creation and cannot be recovered by us thereafter. Legal basis: performance of contract (Art. 6(1)(b)).
Technical log data
Infrastructure systems log standard request metadata: IP address, timestamp, HTTP method, endpoint path, and HTTP response status code. These logs are used for security monitoring, incident investigation, and debugging. They are not used for profiling, advertising, or any purpose beyond service operations. Logs are retained for the default period set by the respective infrastructure provider. Legal basis: legitimate interests (Art. 6(1)(f)) — security and fraud prevention.
Public demo scan (unauthenticated)
The public demo scan at notarai.io uses your IP address to enforce a daily rate limit (5 scans per 24 hours). The IP-keyed counter is stored in Upstash Redis for 24 hours and then deleted. Uploaded demo files are not stored beyond the duration of the scan request. No account is created and no file is retained. Legal basis: legitimate interests (Art. 6(1)(f)) — preventing abuse of an unauthenticated endpoint.
3. What we do not do with your data
- We do not sell, rent, or broker your personal data to any third party.
- We do not use your data for targeted or behavioural advertising.
- We do not use your file content to train, fine-tune, or evaluate any machine learning model.
- We do not perform automated decision-making with legal or similarly significant effects (GDPR Art. 22).
- We do not share your data with third parties except as described in section 6 (sub-processors) or as required by law.
4. Legal basis summary (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Art. 6(1)(b) — contract |
| Scan, sign, and certificate generation | Art. 6(1)(b) — contract |
| Permanent verification records (/verify/:id) | Art. 6(1)(b) — contract / Art. 6(1)(f) — legitimate interest (audit integrity) |
| Billing and subscription management | Art. 6(1)(b) — contract |
| Retention of billing records | Art. 6(1)(c) — legal obligation (Belgian accounting law) |
| Security logging and fraud prevention | Art. 6(1)(f) — legitimate interest |
| Rate-limit enforcement | Art. 6(1)(f) — legitimate interest |
| Transactional email (account, billing) | Art. 6(1)(b) — contract |
5. Retention periods
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law. Specific retention windows:
| Data | Retention |
|---|---|
| Original uploaded files (post-signing) | ~15 minutes after successful signing |
| Abandoned / error job files | ~72 hours after creation |
| Signed output files and certificate PDFs | 7 days (Starter) · 21 days (Business) · 45 days (Enterprise) |
| Signing database records, certificate IDs, declarations, fingerprints | Permanent (required for public verification) |
| Account data (email, display name) | Until account deletion request, plus 30 days |
| Billing records (Stripe customer ID, invoices) | 7 years (Belgian accounting law obligation) |
| Security and infrastructure logs | Up to 90 days (infrastructure provider defaults) |
| Rate-limit counters | 24 hours (demo) · monthly rolling window (authenticated) |
File deletion is executed by a scheduled hourly maintenance job. Removal occurs shortly after the retention deadline, not at the exact second. Public verification pages (/verify/:id) remain accessible permanently because they contain only a certificate ID, the AI declaration, and a SHA-256 fingerprint — no file binaries are retained beyond the windows above.
6. Sub-processors and international transfers
We engage the following data processors. Each is bound by a data processing agreement (DPA) and appropriate transfer mechanisms where data leaves the EEA.
| Processor | Purpose | Region / Transfer basis |
|---|---|---|
| Supabase (Supabase Inc.) | Database, file storage, authentication | EU — Frankfurt (EEA, no transfer) |
| Stripe (Stripe Inc.) | Payment processing, subscription management | USA — EU-U.S. Data Privacy Framework (DPF) / SCCs as fallback |
| Upstash (Upstash Inc.) | Rate-limit and usage counters (Redis) | EU region (EEA, no transfer) |
| Resend (Resend Inc.) | Transactional email delivery | USA — SCCs |
| Vercel (Vercel Inc.) | Application hosting, serverless edge, aggregate cookieless analytics | USA / EU CDN — EU-U.S. Data Privacy Framework (DPF) / SCCs as fallback |
| Sentry (Functional Software Inc.) | Error monitoring and diagnostics | USA — SCCs |
For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914). File content (uploaded images, videos, documents) is stored and processed exclusively in Supabase’s EU Frankfurt region and is never transferred outside the EEA.
7. Data security
We apply appropriate technical and organisational measures (TOMs) proportionate to the risks:
- All data in transit is encrypted with TLS 1.2 or higher.
- Data at rest in Supabase (storage and database) is encrypted using AES-256 at the infrastructure level.
- API keys are stored as one-way scrypt hashes; plaintext is never persisted.
- Production database access is restricted to application service accounts with least-privilege roles.
- Signed file storage paths include unpredictable identifiers; files are not enumerable.
- Error monitoring (Sentry) is configured to scrub sensitive fields before transmission.
No security measure can guarantee absolute protection. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay where required (Art. 34).
8. Your GDPR rights
You have the following rights under GDPR. To exercise any right, email privacy@notarai.io. We will respond within 30 days; where requests are complex or numerous, this period may be extended by a further two months with notice (Art. 12(3)).
- Access (Art. 15) — obtain a copy of the personal data we hold about you and information on how it is processed.
- Rectification (Art. 16) — request correction of inaccurate or incomplete personal data.
- Erasure (Art. 17) — request deletion of your personal data where no overriding legal basis exists. Note: billing records are retained for 7 years under Belgian law and cannot be deleted earlier; permanent verification records contain only non-personal metadata (fingerprint, declaration, certificate ID).
- Restriction (Art. 18) — request that we restrict processing of your data in specified circumstances.
- Portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format (applies to data processed by automated means under contract or consent).
- Objection (Art. 21) — object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Withdraw consent — where any processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint — if you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données, dataprotectionauthority.be) or your local supervisory authority within the EEA.
9. Cookies and tracking
NotarAI uses strictly necessary session cookies and browser local storage solely for authentication state and user interface preferences. We do not use:
- Advertising or retargeting cookies.
- Third-party analytics that profile individual users across sites (no Google Analytics, no Meta Pixel).
- Fingerprinting or other non-cookie tracking technologies.
We do use Vercel Analytics, a cookieless, aggregate-only page-view counter built into our hosting provider. It sets no cookies, writes nothing to local storage, and cannot identify individual users or track them across sites. Because no personal data is processed for this purpose, no consent is required under ePrivacy Directive Art. 5(3).
Because we use only strictly necessary cookies, no cookie consent banner is required under ePrivacy Directive Art. 5(3). If we introduce non-essential cookies in the future, we will implement a consent mechanism and update this policy.
10. Minors
NotarAI is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has created an account without appropriate consent, contact us at privacy@notarai.io and we will delete the account and associated data promptly.
11. Changes to this policy
We may update this Privacy Policy to reflect changes in the service, applicable law, or data-handling practices. Material changes will be notified by email or by a prominent in-product notice at least 14 days before they take effect. The effective date at the top of this page will always reflect the latest version.
12. Contact
Data controller: Arthur Temmerman (VAT BE1031912625), Belgium.
Privacy and data subject requests: privacy@notarai.io
General enquiries: contact@notarai.io