
Privacy Policy

Last updated: March 2026

1. Data We Collect

Account Data (registered users only)

  • Email address: provided during sign-in (Google or magic link)
  • Google profile: name and email, if you sign in with Google OAuth
  • Device identifiers: platform and app version, for device management (max 5 devices per account)

Cloud Plan Data (subscribers only)

  • Notes and content: stored in Google Cloud SQL (PostgreSQL) for sync
  • Embeddings: vector representations of your notes for AI search
  • Attachments: stored in Google Cloud Storage

Free Tier (no account required)

  • Browser fingerprint hash: used solely to enforce the 100K-token demo AI limit; stored as a one-way hash, not linked to any personal data
  • IP address: used for rate limiting of the demo AI proxy (not stored long-term)

Usage Analytics

  • Basic error tracking via Sentry (crash reports, stack traces, no note content)
  • No behavioral tracking, no advertising, no third-party analytics

2. How We Use Your Data

  • Authentication and account management
  • Cloud sync and AI features for subscribers
  • Payment processing via Polar.sh (Merchant of Record)
  • Demo AI rate limiting (free tier)
  • Error monitoring and service improvement

We do not use your data for AI training, advertising, or profiling.

3. AI Data Processing

Cloud AI (NoteBrain AI / Demo Proxy)

When you use NoteBrain AI or the free demo proxy, your query and relevant note context are sent to Google Vertex AI (Gemini models) for processing. Google does not store or use this data for training under our Vertex AI terms. Queries are not logged on our servers beyond rate-limiting counters.

End-to-end encryption and AI: if you enable end-to-end encryption (see section 4), your notes are unreadable to us at rest. However, when you actively use Cloud AI on an encrypted note, the relevant excerpts are decrypted on your device and transmitted to the model provider at query time so the AI can answer. We show a warning before this happens. To keep AI fully private, use Ollama or your own API keys.

Your Own API Keys

When you use your own API keys (Gemini, OpenAI, Claude), data is sent directly from your device to the respective provider. It never passes through NoteBrain AI servers. Refer to each provider's privacy policy for their data handling practices.

Local AI (Ollama)

When using Ollama, all AI processing happens entirely on your device. No data leaves your machine. This is the most private option.

4. Data Storage and Security

  • Cloud data is stored in Google Cloud SQL and Google Cloud Storage (US region)
  • All data is encrypted at rest (Google-managed encryption) and in transit (TLS)
  • Authentication via magic link or Google OAuth (no passwords stored)
  • Sessions use secure HTTP-only cookies

Optional End-to-End Encryption (Cloud plans)

Cloud plan subscribers can turn on end-to-end encryption (E2E). When enabled:

  • Your note titles, content, and attachments are encrypted on your device with keys derived from a passphrase you choose. NoteBrain never receives your passphrase, your recovery key, or the encryption key — we cannot read your encrypted notes.
  • Encryption is "zero-knowledge": if you lose both your passphrase and your recovery key, your encrypted data is permanently unrecoverable — not even NoteBrain support can restore it.
  • Note sharing and real-time collaboration are disabled while E2E is on, because our servers cannot read encrypted content to serve it to others.
  • Keyword and semantic search continue to work locally on your device.

5. Third-Party Services

Service | Purpose | Data Shared
Polar.sh | Payment processing (Merchant of Record) | Email, billing details
Google Vertex AI | AI chat | Queries and note context (not stored)
Google Cloud | Hosting and storage | Cloud plan notes and attachments
Sentry | Error tracking | Error reports (no user content)
Cloudflare | CDN, DDoS protection, Turnstile CAPTCHA | IP address, request metadata

6. Cookies

We use a single session cookie for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

7. Browser Fingerprinting

For free-tier demo AI rate limiting only, we generate a browser fingerprint hash. This hash is:

  • A one-way hash - the original fingerprint cannot be reconstructed
  • Used only to count demo AI queries (max 50 per fingerprint)
  • Not linked to any account or personal information
  • Not shared with any third party

8. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate personal data
  • Erasure: delete your account and all associated data
  • Data portability: export your notes via the built-in export feature (JSON, Markdown)
  • Restriction: restrict processing of your data
  • Objection: object to processing of your data

To exercise these rights, use the account dashboard or contact us at [email protected].

9. Data Retention

  • Active accounts: data retained while the account is active
  • Account deletion: all data permanently deleted immediately
  • Cancelled subscriptions: cloud data retained for 30 days after the billing period ends, then permanently deleted
  • Free tier: fingerprint hashes are not associated with any personal data and are purged periodically
  • End-to-end encrypted data: stored only as ciphertext we cannot decrypt; if you lose your passphrase and recovery key, support cannot recover it

10. Children's Privacy

NoteBrain AI is not intended for users under 16 years of age, in accordance with GDPR. We do not knowingly collect data from children under 16.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days in advance. The "Last updated" date at the top reflects when the policy was last revised.

12. Contact

For privacy questions or GDPR requests, contact us at [email protected].

© 2026 NoteBrain AI. All rights reserved. v-0.1.56 (2026-06-14)