At NotepadOne, privacy is our foundation. We built this service because we believe your thoughts belong to you alone. This policy explains exactly how we protect your privacy and what happens to your data.
π Privacy First, Always
By default: Zero data collection β’ Everything stays in your browser β’ No tracking, no cookies, no analytics β’ Optional cloud features clearly marked β’ We never sell your data, period
This is our promise to you. Read on for the complete details.
Last updated: August 2025 β’ Effective date: August 2025
π Default Mode: Complete Privacy
When using NotepadOne without an account (default mode):
- Your notes never leave your browser - everything stays in IndexedDB on your device
- We cannot access your notes - they're stored locally, not on our servers
- No tracking or analytics - we don't monitor your usage
- No cookies - not even for preferences
- No user identification - you remain completely anonymous
- Works offline - after initial load, no internet needed
While our web server may create standard access logs like any website, we don't process or analyze them for tracking purposes. Your privacy is guaranteed by our architecture - your notes physically cannot leave your device.
π Information We Collect (Optional Features Only)
We ONLY collect data when you explicitly enable optional features:
Account Registration (Optional)
- Email address - for authentication only
- Auth provider data - if using Google/GitHub login
- Account creation date - for record keeping
- Subscription status - for premium features
Premium Features (Paid Users)
- Payment information - processed by Stripe (we never see card numbers)
- Billing address - for tax compliance
- Usage metrics - number of notes, storage used (for quotas)
- Sync metadata - timestamps, device identifiers (for sync)
Note Sharing (When You Share)
- Shared note content - temporarily stored on our servers
- Share settings - expiration, password protection
- View counts - basic analytics (no viewer identification)
- Images in shared notes - stored in Cloudflare R2
π§ How We Use Information
We use collected information ONLY for:
- Providing the services you explicitly requested
- Processing payments for premium subscriptions
- Sending service-related emails (account users only)
- Preventing fraud and abuse
- Complying with legal obligations
- Enforcing our Terms of Service
We NEVER use your data for advertising, profiling, or selling to third parties.
ποΈ Data Storage & Security
Location & Jurisdiction:- Primary servers: United States (Delaware)
- CDN: Global (Cloudflare for shared images only)
- Backup: United States
- Subject to U.S. laws and potential government requests
Security Measures:- TLS 1.3 encryption for all data transmission
- AES-256 encryption for data at rest
- Regular security audits
- Access controls and monitoring
- Incident response procedures
However, NO system is 100% secure. Use at your own risk.
Data Retention:- Account data: Until account deletion + 30 days
- Shared notes: Until expiration or manual deletion
- Payment records: 7 years (legal requirement)
- Security logs: 90 days
- Deleted content: May persist in backups for 90 days
π€ Third-Party Services & Data Sharing
We share data ONLY with essential service providers:
- Stripe - Payment processing (PCI compliant)
- Supabase - Database hosting (SOC 2 compliant)
- Cloudflare - CDN and image storage
- Google - OAuth and Drive API (if you connect)
- Law enforcement - Only with valid legal process
We NEVER sell, rent, or trade your personal information.
Legal Disclosure:We may disclose your information if required by law, court order, or government request. We will notify you unless prohibited by law.
β
Your Rights & Controls
Depending on your location, you may have these rights:
- Access: Request a copy of your data
- Correction: Fix inaccurate information
- Deletion: Delete your account and data
- Portability: Export data in standard formats
- Objection: Opt-out of certain processing
- Restriction: Limit how we use your data
- Withdrawal: Revoke consent anytime
To exercise rights, email privacy@notepadone.com. Response within 30 days.
π International Data Transfers
By using NotepadOne, you consent to data transfer to the United States. The U.S. may not provide the same level of data protection as your country. We use Standard Contractual Clauses where required.
EU/UK users: We comply with GDPR. Our legal basis is legitimate interest (free tier) or contract performance (premium).
π» California Privacy Rights (CCPA/CPRA)
California residents have additional rights:
- Right to know what personal information we collect
- Right to delete personal information
- Right to opt-out of βsaleβ (we don't sell data)
- Right to non-discrimination for exercising rights
- Right to correct inaccurate information
- Right to limit use of sensitive information
Shine the Light: We don't share data for direct marketing.
πͺ Cookies & Tracking
We DO NOT use cookies, pixels, or tracking of any kind for:
- Analytics or usage tracking
- Advertising or remarketing
- Social media integration
- Third-party tracking
Account users: We use essential session tokens (not cookies) for authentication only.
π¨ Data Breach Notification
In the unlikely event of a data breach that may harm you:
- We will notify affected users within 72 hours
- Notification via email (account users) or website notice
- We will describe what happened and steps taken
- We will provide recommendations for protection
Note: Local-only users are not affected by server breaches.
π Do Not Track & Privacy Signals
We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals. When detected:
- No analytics collection (we don't collect any anyway)
- No third-party integrations loaded
- Maximum privacy mode enforced
π Changes to This Policy
We may update this policy at any time. Changes are effective immediately upon posting. For material changes:
- 30-day advance notice to account users via email
- Prominent notice on website for all users
- Opportunity to delete account before changes take effect
Continued use after changes constitutes acceptance.
π§ Contact & Data Protection Officer
For privacy concerns, requests, or complaints:
EU residents may also complain to their local supervisory authority.
π« Our Permanent Commitments
We make these legally binding commitments:
- NEVER sell, rent, or monetize your personal data
- NEVER use your notes to train AI without explicit consent
- NEVER share data with advertisers or data brokers
- NEVER track you across websites
- NEVER require account for basic features
- NEVER access notes without legal obligation
- NEVER change privacy retroactively for existing data
Violation of these commitments would constitute breach of contract and fraud.
βοΈ Legal Basis for Processing (GDPR)
For EU/UK users, our legal basis for processing:
- Contract: Premium features, account services
- Legitimate Interest: Security, fraud prevention, basic service
- Legal Obligation: Tax records, law enforcement
- Consent: Marketing emails (if any)
You may object to processing based on legitimate interest.
PRIVACY PROMISE
NotepadOne was built on the principle that your thoughts belong to you alone. Our local-first architecture ensures that by default, we cannot access your data even if we wanted to. Optional cloud features exist only for user convenience and process minimal data necessary for functionality.
Remember: The safest data is data we never see. Use local mode for maximum privacy. This policy is enforceable under contract law. We are legally bound by these commitments.