Privacy Policy

At NotepadOne, privacy is our foundation. We built this service because we believe your thoughts belong to you alone. This policy explains exactly how we protect your privacy and what happens to your data.

πŸ”’ Privacy First, Always

By default: Zero data collection β€’ Everything stays in your browser β€’ No tracking, no cookies, no analytics β€’ Optional cloud features clearly marked β€’ We never sell your data, period

This is our promise to you. Read on for the complete details.

Last updated: August 2025 β€’ Effective date: August 2025

πŸ”’ Default Mode: Complete Privacy

When using NotepadOne without an account (default mode):

  • Your notes never leave your browser - everything stays in IndexedDB on your device
  • We cannot access your notes - they're stored locally, not on our servers
  • No tracking or analytics - we don't monitor your usage
  • No cookies - not even for preferences
  • No user identification - you remain completely anonymous
  • Works offline - after initial load, no internet needed

While our web server may create standard access logs like any website, we don't process or analyze them for tracking purposes. Your privacy is guaranteed by our architecture - your notes physically cannot leave your device.

πŸ“Š Information We Collect (Optional Features Only)

We ONLY collect data when you explicitly enable optional features:

Account Registration (Optional)

  • Email address - for authentication only
  • Auth provider data - if using Google/GitHub login
  • Account creation date - for record keeping
  • Subscription status - for premium features

Premium Features (Paid Users)

  • Payment information - processed by Stripe (we never see card numbers)
  • Billing address - for tax compliance
  • Usage metrics - number of notes, storage used (for quotas)
  • Sync metadata - timestamps, device identifiers (for sync)

Note Sharing (When You Share)

  • Shared note content - temporarily stored on our servers
  • Share settings - expiration, password protection
  • View counts - basic analytics (no viewer identification)
  • Images in shared notes - stored in Cloudflare R2

πŸ”§ How We Use Information

We use collected information ONLY for:

  • Providing the services you explicitly requested
  • Processing payments for premium subscriptions
  • Sending service-related emails (account users only)
  • Preventing fraud and abuse
  • Complying with legal obligations
  • Enforcing our Terms of Service

We NEVER use your data for advertising, profiling, or selling to third parties.

πŸ—„οΈ Data Storage & Security

Location & Jurisdiction:
  • Primary servers: United States (Delaware)
  • CDN: Global (Cloudflare for shared images only)
  • Backup: United States
  • Subject to U.S. laws and potential government requests
Security Measures:
  • TLS 1.3 encryption for all data transmission
  • AES-256 encryption for data at rest
  • Regular security audits
  • Access controls and monitoring
  • Incident response procedures

However, NO system is 100% secure. Use at your own risk.

Data Retention:
  • Account data: Until account deletion + 30 days
  • Shared notes: Until expiration or manual deletion
  • Payment records: 7 years (legal requirement)
  • Security logs: 90 days
  • Deleted content: May persist in backups for 90 days

🀝 Third-Party Services & Data Sharing

We share data ONLY with essential service providers:

  • Stripe - Payment processing (PCI compliant)
  • Supabase - Database hosting (SOC 2 compliant)
  • Cloudflare - CDN and image storage
  • Google - OAuth and Drive API (if you connect)
  • Law enforcement - Only with valid legal process

We NEVER sell, rent, or trade your personal information.

Legal Disclosure:

We may disclose your information if required by law, court order, or government request. We will notify you unless prohibited by law.

βœ… Your Rights & Controls

Depending on your location, you may have these rights:

  • Access: Request a copy of your data
  • Correction: Fix inaccurate information
  • Deletion: Delete your account and data
  • Portability: Export data in standard formats
  • Objection: Opt-out of certain processing
  • Restriction: Limit how we use your data
  • Withdrawal: Revoke consent anytime

To exercise rights, email privacy@notepadone.com. Response within 30 days.

🌍 International Data Transfers

By using NotepadOne, you consent to data transfer to the United States. The U.S. may not provide the same level of data protection as your country. We use Standard Contractual Clauses where required.

EU/UK users: We comply with GDPR. Our legal basis is legitimate interest (free tier) or contract performance (premium).

🐻 California Privacy Rights (CCPA/CPRA)

California residents have additional rights:

  • Right to know what personal information we collect
  • Right to delete personal information
  • Right to opt-out of β€œsale” (we don't sell data)
  • Right to non-discrimination for exercising rights
  • Right to correct inaccurate information
  • Right to limit use of sensitive information

Shine the Light: We don't share data for direct marketing.

πŸͺ Cookies & Tracking

We DO NOT use cookies, pixels, or tracking of any kind for:

  • Analytics or usage tracking
  • Advertising or remarketing
  • Social media integration
  • Third-party tracking

Account users: We use essential session tokens (not cookies) for authentication only.

🚨 Data Breach Notification

In the unlikely event of a data breach that may harm you:

  • We will notify affected users within 72 hours
  • Notification via email (account users) or website notice
  • We will describe what happened and steps taken
  • We will provide recommendations for protection

Note: Local-only users are not affected by server breaches.

πŸ›‘ Do Not Track & Privacy Signals

We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals. When detected:

  • No analytics collection (we don't collect any anyway)
  • No third-party integrations loaded
  • Maximum privacy mode enforced

πŸ“ Changes to This Policy

We may update this policy at any time. Changes are effective immediately upon posting. For material changes:

  • 30-day advance notice to account users via email
  • Prominent notice on website for all users
  • Opportunity to delete account before changes take effect

Continued use after changes constitutes acceptance.

πŸ“§ Contact & Data Protection Officer

For privacy concerns, requests, or complaints:

EU residents may also complain to their local supervisory authority.

🚫 Our Permanent Commitments

We make these legally binding commitments:

  • NEVER sell, rent, or monetize your personal data
  • NEVER use your notes to train AI without explicit consent
  • NEVER share data with advertisers or data brokers
  • NEVER track you across websites
  • NEVER require account for basic features
  • NEVER access notes without legal obligation
  • NEVER change privacy retroactively for existing data

Violation of these commitments would constitute breach of contract and fraud.

βš–οΈ Legal Basis for Processing (GDPR)

For EU/UK users, our legal basis for processing:

  • Contract: Premium features, account services
  • Legitimate Interest: Security, fraud prevention, basic service
  • Legal Obligation: Tax records, law enforcement
  • Consent: Marketing emails (if any)

You may object to processing based on legitimate interest.

PRIVACY PROMISE

NotepadOne was built on the principle that your thoughts belong to you alone. Our local-first architecture ensures that by default, we cannot access your data even if we wanted to. Optional cloud features exist only for user convenience and process minimal data necessary for functionality.

Remember: The safest data is data we never see. Use local mode for maximum privacy. This policy is enforceable under contract law. We are legally bound by these commitments.