NotaryLog Privacy Policy

1. Introduction

ClearStack Apps ("we", "us", "our") operates the NotaryLog mobile application — a digital journal that lets notaries record each notarial act they perform. Because a notary journal contains sensitive information about third parties (the signers), this policy is deliberately specific about what NotaryLog stores, where it is stored, how it is protected, and how it is deleted.

Short version: Every journal entry — including signer names, ID details, on-screen signatures, optional thumbprint photos, and optional GPS location — is stored only on your device, in an AES-256 encrypted database. None of it is ever uploaded to ClearStack Apps or any third party. The only data that leaves your device is anonymous crash and app-usage telemetry sent to Google, and (on the free tier) advertising data — never the contents of your journal.

2. Information You Enter — Stored On Your Device Only

The following is created by you and kept on your device. It is never transmitted to us:

• Signer details — full name, address, and phone number
• Identification — ID type, ID number, issuing authority, and expiration date
• Notarial act — document type, document date, fee charged, and payment method
• Signature — the signer's signature captured on the screen
• Thumbprint — an optional thumbprint photo, only if you choose to capture one
• Location — optional GPS coordinates and a reverse-geocoded address of the signing (see Section 4)
• Entry metadata — notes, void status, and timestamps
• Your notary profile and app settings

3. How Your Data Is Encrypted (Storage & Security)

NotaryLog protects signer data with on-device encryption — not just file-system defaults:

• Encrypted database: Journal entries and your notary profile are stored in Hive boxes encrypted with AES-256 (HiveAesCipher). The data on disk is ciphertext.
• Key storage: The 256-bit encryption key is generated on first launch with a cryptographically secure random generator and stored in flutter_secure_storage, which on Android is backed by the Android Keystore (EncryptedSharedPreferences) and on iOS by the Keychain. The key never leaves the device and is not bundled in the app.
• App lock: Premium adds an optional PIN + biometric lock (fingerprint / face) on launch. PIN values are stored only as a hash in secure storage, never in plain text.
• Signature & thumbprint files are stored in the app's private storage directory and are removed when you delete or wipe the corresponding entry.

Note: this is strong, practical at-rest protection for a mobile device. It is not a claim of certified or tamper-proof security, and it does not replace your own professional obligation to safeguard your journal.

4. Location

GPS tagging is optional and off until you enable it and grant location permission. When enabled, NotaryLog records the coordinates and a reverse-geocoded address for an entry so mobile notaries can note where a signing took place. This location is stored only on your device alongside the entry and is never sent to a server. You can toggle it off at any time, per entry or globally, in the app and in your device settings.

5. Information Sent To Google (Telemetry & Ads)

The only data that leaves your device is anonymous and operational. It never includes the contents of your journal:

• Firebase Crashlytics: crash logs, stack traces, device model, OS version, and app version — used to find and fix bugs.
• Firebase Analytics: anonymous app-usage events (e.g. "export tapped"), device model, OS, app version, and approximate location derived from IP address — used to understand how the app is used. Entry contents are never logged.
• Google AdMob (free tier only): on the free tier a single banner ad appears on the journal list screen. AdMob receives the Advertising ID, device model, OS, approximate location, and ad-interaction events — never journal data. Any premium purchase removes ads, and AdMob is not initialised for premium users.

In the EU, UK, and EEA, NotaryLog shows a Google-certified consent form (UMP) on first launch where you choose whether ads are personalised. You can change that choice later in settings.

6. Exports (PDF & CSV)

Premium lets you export a date range of your journal as a PDF (entries with signatures and thumbprints) or your fee history as CSV. Exporting creates a file and hands it to your device's standard share sheet. The exported file leaves the app only when you choose where to send it (email, cloud drive, printer, etc.). Once you share or save an export, it is governed by the destination you chose, not by NotaryLog. We never receive a copy.

7. Purchases

NotaryLog is free to download (up to a fixed number of lifetime entries) with optional premium upgrades: notarylog_premium_monthly ($3.99/mo), notarylog_premium_yearly ($19.99/yr), and notarylog_premium_lifetime ($19.99 one-time). Purchases are verified by Google Play Billing. NotaryLog stores only the active product identifier and status on your device. We do not collect, store, or have access to your payment-card details.

8. Backups — Read This

NotaryLog does not back up your journal to any ClearStack or cloud server. There is no automatic cloud copy. This is intentional for confidentiality, but it means:

• If you uninstall the app, switch phones, or wipe app data, your journal is gone and we cannot recover it.
• To keep an external copy, use PDF / CSV export (Section 6) and store the file somewhere you control.
• Your device's own system backup may or may not include the app's encrypted data depending on your device and settings; do not rely on it for a legal record.

9. Deleting Your Data

You are in full control of deletion. To be precise about what can be deleted and by whom:

• Delete a single entry — removes the entry and its signature/thumbprint files from your device.
• Void an entry — keeps it for audit integrity but marks it void (your choice instead of deletion).
• Wipe all entries — Settings → "Wipe all entries" permanently erases the entire journal.
• Reset the app — the Recovery screen can erase all data and the encryption key.
• Uninstall — removes the encrypted database and the secure-storage key; nothing readable remains.

About the Play Store "data can't be deleted" note: all of the on-device journal data above can be deleted by you at any time. What ClearStack cannot delete on your behalf is the anonymous Crashlytics, Analytics, and Advertising ID data that Google holds — because we never receive identifiable data and cannot map it back to you. To delete that anonymous telemetry, use Google's data-deletion process through your Google Account.

10. Permissions

• Camera — optional, to capture a thumbprint or signer photo for an entry.
• Location — optional, to GPS-tag entries (Section 4).
• Photos / Storage — to save or import a thumbprint image and to write PDF/CSV exports.
• Biometric — optional, for the premium app lock.
• Internet — used only for crash reporting, analytics, ads, and purchase verification.

11. Not Legal or Compliance Advice

NotaryLog is a personal recordkeeping tool, not a compliance product. It does not interpret your jurisdiction's notary laws, enforce fee caps, or generate state-approved submissions. Notary journal requirements differ by state and country — you are responsible for verifying your own jurisdiction's rules with your commissioning authority (e.g. your Secretary of State). See the FAQ on the NotaryLog page for more on jurisdictional acceptance.

12. Children's Privacy

NotaryLog is intended for professional users aged 18 and over. We do not knowingly collect data from children. If you believe a child has used the app, contact support@clearstackapps.com.

13. Third Parties

• Google LLC — Firebase (Crashlytics, Analytics) and AdMob. Google Privacy Policy.
• Google Play Billing — in-app purchase processing. Google Payments Privacy Notice.

14. Your Rights (GDPR / UK GDPR / CCPA)

If you reside in the EU, UK, or California, you have the right to:

• Access the personal data we hold about you — for NotaryLog, none on our servers; Google holds anonymous device-level telemetry per its policies.
• Delete your data — see Section 9.
• Object to ad personalisation — use the in-app consent form (UMP) or upgrade to remove ads.
• Withdraw consent — change consent in settings and/or uninstall the app.

Note on signer data: the signers whose details you record are third parties. As the notary, you are the controller of your own journal and responsible for handling signer information in line with your jurisdiction's rules; ClearStack only provides the on-device tool and never receives that data.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be noted in app release notes.

16. Contact

Questions about this Privacy Policy? Email support@clearstackapps.com.

Data Controller (app & telemetry): ClearStack Apps, 124 City Road, London EC1V 2NX, United Kingdom.