Privacy Policy

Effective date: April 22, 2026 · Last updated: April 22, 2026

Plain-English summary: We handle sensitive documents like birth certificates, passports, and powers of attorney on your behalf. We only use your data to do what you hired us to do, we never sell it, we encrypt everything, and we log every time someone accesses your documents. You can request a copy or deletion at any time by emailing privacy@lurodocs.com.

1. Who we are

LuroDocs is an apostille, certified-translation, and notary coordination service based in Florida, USA. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use www.lurodocs.com or our related services (collectively, the “Service”).

Controller / Business contact:
LuroDocs
Florida, United States
Email: hello@lurodocs.com
Privacy inquiries: privacy@lurodocs.com

2. Information we collect

We collect the following categories of information about you:

A. Information you provide directly

  • Account information: email address, full name, password (hashed), and for business accounts, your company name.
  • Case intake information: document type, destination country, issuing state, purpose of the authentication, and any situation description you provide.
  • Documents you upload: scans, photographs, or PDFs of the documents you need authenticated (e.g. birth certificates, marriage certificates, passports, corporate documents, powers of attorney).
  • Contact details: phone number, shipping address, and email for case updates and document return.
  • Payment information: processed by our payment vendor (e.g. Stripe). We do not store full card numbers on our servers.
  • Communications: messages you send us by email, chat, or phone.

B. Information collected automatically

  • Log data: IP address, browser type, device type, pages viewed, and referring URL.
  • Usage data: actions you take within your dashboard (uploads, downloads, case events).
  • Cookies and similar technologies: session cookies to keep you signed in; we do not use third-party advertising cookies.

C. Information from third parties

  • Identity providers: if you sign in with Google OAuth, we receive your name, email, and profile picture.
  • Service providers: notaries, translators, and courier services may share status updates and confirmations with us.
  • Government agencies: the Florida Secretary of State, U.S. Department of State, foreign consulates, and other authorities that process your document may provide confirmations, rejection notices, or apostille certificates.

Sensitive personal information. Some of the documents you upload contain sensitive data — social security numbers, dates of birth, biometric markers, medical details, financial records, or government-issued ID numbers. We treat all document uploads as sensitive and apply the heightened safeguards described in Section 7.

3. Why we use your information

We use your information only to deliver the services you hired us for. Specifically:

  • To provide the Service: coordinate notarization, apostille, legalization, translation, and delivery of your documents; process payments; send case status updates.
  • To verify your identity: confirm you are the person authorized to submit a document for authentication, prevent fraud, and comply with notary and legal requirements.
  • To operate and improve the Service: debug, secure, audit, and improve the platform (we use aggregated and anonymized data for this where possible).
  • To communicate with you: respond to support requests; send transactional emails (case updates, receipts); send occasional service announcements.
  • To comply with legal obligations: respond to lawful requests from regulators, courts, or law enforcement; meet record-keeping requirements of notary and apostille law.

Lawful basis (GDPR). For users in the European Union or United Kingdom, our lawful bases are: (a) performance of a contract (delivering the Service you requested); (b) compliance with legal obligations; (c) legitimate interests (securing our platform, preventing fraud); and (d) consent (for optional marketing emails, which you can withdraw at any time).

4. How we share information

We share personal information only with:

  • Service providers that help us operate: hosting (Supabase, Vercel), email delivery (Resend), payment processing (Stripe), AI document-quality checks (Anthropic). These providers are contractually bound by Data Processing Agreements to use your data only on our instructions.
  • Fulfillment partners: Florida-commissioned notaries, certified translators, courier services, and other vendors required to complete your case. They receive only the information needed to do their specific step.
  • Government agencies: the Florida Secretary of State, U.S. Department of State, and any embassy or consulate required for your destination country. You authorize these disclosures when you sign our Letter of Authorization.
  • Legal compliance: regulators, courts, or law enforcement when we have a good-faith belief disclosure is legally required.
  • Corporate transactions: if we merge with, are acquired by, or sell assets to another company, we may transfer your information under equivalent or stricter privacy protections.

We do not sell your personal information. We have not sold or shared personal information for cross-context behavioral advertising in the last twelve months.

5. International transfers

Our servers and many of our service providers are located in the United States. If you access LuroDocs from outside the US, your information will be transferred to, stored, and processed in the US. When we transfer data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses approved by the European Commission and on our vendors’ Data Processing Agreements.

Additionally, your document may be transmitted to the destination country’s consulate or embassy in the course of legalization — this is a consequence of the service you requested.

6. How long we keep your information

  • Account information: retained while your account is active, then for up to 3 years after closure for record-keeping and legal defense.
  • Case records and uploaded documents: retained for 1 year after case completion, then automatically deleted unless you request earlier deletion or longer retention.
  • Incomplete intake forms: automatically deleted 90 days after last activity.
  • Audit logs and access logs: retained for 6 years to satisfy applicable record-keeping and security audit requirements.
  • Financial records: retained for 7 years as required by U.S. tax law.

You can request earlier deletion at any time; we will honor the request unless we are legally required to retain specific records.

7. How we protect your information

We use administrative, technical, and physical safeguards to protect your information, including:

  • Encryption in transit (HTTPS/TLS 1.2+) and at rest (AES-256 on Supabase Storage).
  • Email verification (one-time codes) required for every sign-in.
  • Row-level access controls in our database — only you and authorized LuroDocs staff can read your records.
  • Full audit logging of every document upload, view, download, and deletion.
  • Short-lived signed URLs for document access (10 minutes) so links cannot be shared or indexed.
  • Principle of least privilege for LuroDocs staff; access is role-based and reviewed quarterly.
  • Vendor Data Processing Agreements with every subprocessor.
  • Regular security reviews and, on request, a SOC 2 / HIPAA compliance dossier for enterprise clients.

No system is perfectly secure. If we become aware of a security incident that affects your personal information, we will notify you and applicable regulators without undue delay and in any case within 30 days as required by Florida Statute 501.171 (or sooner where the law requires).

8. Your rights

A. If you live in California (CCPA / CPRA)

You have the right to:

  • Know what personal information we have collected about you and how we use and disclose it.
  • Request a copy of the personal information we hold about you (portability).
  • Request deletion of your personal information (subject to legal retention requirements).
  • Correct inaccurate personal information.
  • Opt out of any “sale” or “sharing” of personal information (we do not sell or share for advertising).
  • Limit the use of sensitive personal information.
  • Not be discriminated against for exercising these rights.

B. If you live in the European Economic Area, United Kingdom, or Switzerland (GDPR / UK GDPR)

You have the right to:

  • Access, rectify, or erase your personal information.
  • Restrict or object to processing.
  • Portability of your data.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with your local data protection authority.

C. How to exercise your rights

Email privacy@lurodocs.com from the address on your account. We will verify your identity and respond within 30 days (45 days in some CCPA cases with notice). If we deny a request, we will tell you why and how to appeal.

9. Children

LuroDocs is not directed at children under 13 and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child, contact privacy@lurodocs.com and we will delete it.

If you are submitting a document on behalf of a minor (e.g. a child’s birth certificate for a foreign citizenship application), you represent that you are the minor’s parent or legal guardian authorized to make that submission.

10. Cookies

We use a small number of cookies strictly necessary for the Service to function, including session cookies that keep you signed in. We do not use third-party advertising or tracking cookies. You can control cookies through your browser settings; disabling essential cookies may prevent you from using the Service.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or the law. If we make material changes, we will notify you by email or by prominent notice on the Service before the changes take effect. The “Last updated” date at the top of this policy indicates when it was last revised.

12. Contact us

Questions, requests, or complaints about this Privacy Policy or our data practices:

LuroDocs
Email: privacy@lurodocs.com
General support: hello@lurodocs.com

Legal notice: This Privacy Policy is a good-faith description of LuroDocs’ data practices as of the effective date. It is not legal advice. For individualized legal guidance about your rights under applicable law, consult an attorney in your jurisdiction.