GDPR Compliant

Privacy Policy

Effective: January 2026 | Last updated: April 2026

Notedrop is built with a strong focus on privacy and data minimization. This policy explains what data is collected, why it is collected, and how it is handled in compliance with the General Data Protection Regulation (GDPR).

TL;DR

  • We collect only what is necessary to provide the service
  • No tracking, no analytics, no ads
  • Your notes are private by design — private notes are end-to-end encrypted and we cannot access their content
  • AI features run locally in your browser (no data leaves your device)
  • You can export or delete your data at any time
  • Self-hosting means you are fully in control of your data

1. Data Controller

Controller: Bartosz Krawczyk (individual developer, Poland)

Contact:

We do not publicly list a personal home address for privacy reasons. Additional contact details may be provided upon request where legally required.

We are not required to appoint a Data Protection Officer under Article 37 GDPR.

2. What Data We Collect

Data You Provide

  • Account information: email address, password hash, OAuth tokens (if used)
  • Content: notes, attachments, tags, folders
  • Settings: preferences and configuration
  • Communications: emails, support requests, feedback

Data Collected Automatically

We collect only minimal technical data required to operate the service:

  • Server logs: requested route, HTTP status code, and IP address (retained only as long as necessary for security and operational purposes; not used for tracking or profiling)
  • Session data: authentication tokens
  • Error reports: anonymized technical error information

What We Do NOT Collect

  • Tracking or analytics data
  • Behavioral profiles
  • Advertising identifiers
  • Device fingerprinting

3. Why We Process Data (Legal Basis)

Data | Purpose | Legal Basis
Account data | Provide login and account access | Contract (Art. 6(1)(b))
Notes/content | Provide core functionality | Contract (Art. 6(1)(b))
Minimal logs | Ensure stability and security | Legitimate interest (Art. 6(1)(f))
Support emails | Respond to inquiries | Legitimate interest (Art. 6(1)(f))

We may also process personal data where necessary to:

  • Comply with legal obligations (Art. 6(1)(c) GDPR)
  • Establish, exercise, or defend legal claims (Art. 6(1)(f) GDPR)

Legitimate interest justification: We process only minimal technical data strictly necessary to ensure service functionality and security. We have assessed that our legitimate interests are not overridden by your rights and freedoms, given the limited scope of data processing and absence of tracking or profiling.

4. AI Features

Notedrop provides optional AI-powered features that run entirely locally in your browser.

  • All processing happens on your device using client-side models (e.g., via Transformers.js)
  • No note content is sent to our servers for AI processing
  • We do not store, access, or transmit AI inputs or outputs

AI features are activated only when you explicitly use them.

4A. End-to-End Encryption

Notedrop supports optional end-to-end encryption (E2EE) for private notes.

  • When a note is marked as private, it is encrypted on your device before being sent to our servers
  • We store only encrypted data and cannot access the plaintext content of these notes
  • Decryption occurs locally in your browser using your encryption keys

For public notes:

  • Content is not end-to-end encrypted
  • It is protected using standard security measures (encryption in transit and at rest)
  • We may process this content as necessary to provide the Service

For end-to-end encrypted data, we may be unable to provide access to plaintext content in response to data access requests, as we do not possess the decryption keys.

5. Data Sharing

We do not sell or share your data for marketing or advertising.

We only share data with:

  • Infrastructure providers: We use third-party hosting providers to operate the service. A current list of infrastructure providers is maintained at notedrop.app/legal/subprocessors. All subprocessors are contractually bound by Data Processing Agreements and may only process personal data on our documented instructions and in accordance with GDPR.
  • Legal authorities: Only where required by applicable law or valid legal process

6. Data Storage and Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (database-level)
  • End-to-end encryption for private notes (we cannot access plaintext)
  • Encrypted backups
  • Access controls (minimal access principle)

Content is processed automatically by our systems and is not accessed in human-readable form except where strictly necessary, such as for security incidents, abuse prevention, or compliance with legal obligations.

Data is hosted within the European Economic Area (EEA), specifically in data centers located in the Netherlands.

No system is completely secure, but we follow industry best practices to minimize risks.

7. International Data Transfers

We primarily store and process data within the European Economic Area (EEA).

If any processing involves transfers outside the EEA, appropriate safeguards such as Standard Contractual Clauses (SCCs) are used.

8. Data Retention

  • Notes and account data: retained until account deletion
  • Support communications: up to 2 years after last contact
  • Server logs: limited, provider-defined retention
  • Backups: deleted within 90 days

When you delete your account:

  • Active data is deleted within 24 hours
  • Backups are deleted within 90 days

9. Your Rights (GDPR)

You have the right to:

  • Access your data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20) — exports are provided in a structured, commonly used, and machine-readable format
  • Object to processing (Art. 21)

To exercise your rights:

We respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority within the EU. In Poland, this is UODO.

10. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on users within the meaning of Article 22 GDPR.

11. Cookies

We use only strictly necessary cookies:

  • Session cookie (authentication) — deleted when you close your browser
  • CSRF token (security)

These cookies are essential for the operation of the service and do not require consent under applicable EU regulations.

12. Use of Sensitive Data

The Service is not intended for the storage of highly sensitive personal data, such as health information, financial credentials, or other categories of data requiring enhanced protection. Users are responsible for determining the appropriateness of the Service for their specific use cases.

13. Children

Notedrop is intended only for users aged 16 or older.

We do not knowingly collect data from individuals under 16. Age is self-declared at registration. If we identify or are notified that an account belongs to someone under 16, we will delete that account and its associated data promptly. If you believe an underage account exists, please contact [email protected].

14. Self-Hosting

If you self-host Notedrop:

  • You act as the independent data controller for any data processed through your instance
  • This privacy policy applies only to the hosted service at notedrop.app and does not extend to self-hosted deployments
  • You are solely responsible for your own GDPR compliance, including maintaining a privacy policy for your users, handling data subject requests, and managing data security
  • Resources on GDPR obligations for data controllers are available from your national supervisory authority (e.g., UODO for Poland, or the EDPB for general EU guidance)

Because Notedrop is free and open source software, self-hosters retain full access to the codebase and can operate their instances independently of this service.

15. Service Continuity

Notedrop is developed and maintained by an individual developer. In the event that the hosted service at notedrop.app is discontinued:

  • Users will be given advance notice where possible
  • In-app data export tools will remain accessible during any wind-down period to allow you to retrieve your data

Because Notedrop is free and open source software, the codebase remains publicly available for anyone to self-host or fork, ensuring long-term continuity of the project independent of this hosted instance.

16. Data Breaches

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours where required under GDPR
  • Inform affected users without undue delay where there is a high risk to their rights and freedoms

17. Changes to This Policy

  • Material changes: advance notice where possible
  • Minor changes: updated revision date

18. Contact

If you have questions about this policy:

[email protected]