Back to Notez

Privacy Policy

Last updated: 28 February 2026

Overview

Notez is a collaborative note-taking application. We collect minimal analytics data to improve the product. This policy explains what we collect, why, and your rights regarding that data.

Region-Based Tracking

Notez uses two tracking tiers based on your geographic region, detected server-side from your connection. No consent banner is shown because EU users are tracked in a fully cookieless, anonymous mode that stores nothing on your device.

EU / EEA Users

  • Cookieless mode — no cookies, localStorage, or sessionStorage are used for analytics
  • No IP collection — your IP address is not stored by our analytics provider
  • No session recording — screen recordings are disabled
  • No personal identification — we do not call identify functions; you are counted via a server-side privacy-preserving hash with a daily-rotating salt that is deleted after processing
  • Anonymised event tracking — product usage events are captured without any link to your identity

Non-EU Users

  • Standard analytics cookies — PostHog sets cookies to track sessions and returning users
  • User identification — your user ID, display name, and email are sent to PostHog to associate events with your account
  • Session recording — your screen interactions may be recorded to help us diagnose issues and improve the user experience. Recordings capture UI interactions but not keystrokes in password fields.
  • IP address — may be collected per PostHog default settings

What We Collect

Product Usage Events (All Regions)

We track the following events to understand how the product is used:

  • Node operations — created, deleted, renamed, pinned, unpinned, visibility changed
  • AI interactions — chat sidebar opened, AI prompts submitted
  • Import — vault import started and completed
  • Other — settings opened, user onboarded, image uploaded

Error Tracking (All Regions)

Automatic exception capture is enabled to help us identify and fix bugs. This may include stack traces and error messages.

Personal Information (Non-EU Only)

For non-EU users, we associate analytics data with your user ID, display name, and email address.

Legal Basis for Processing

We process data under the following legal bases depending on your region:

  • Legitimate interest (GDPR Article 6(1)(f), UK GDPR) — analytics and error tracking to maintain and improve the service. We have assessed that our minimal, largely anonymised collection does not override your rights and freedoms.
  • Contract performance (GDPR Article 6(1)(b)) — processing necessary to provide the Notez service (e.g. authentication, storing your notes).

Why We Collect This Data

  • Product improvement — understanding which features are used helps us prioritise development
  • Bug fixing — error tracking and session recordings help us diagnose and resolve issues
  • Usage analytics — aggregate statistics help us understand growth and user behaviour

How Data Is Processed

Analytics data is processed by PostHog Inc., hosted in the United States. PostHog is our sole third-party analytics provider.

Your note content is stored in Cloudflare Durable Objects and is not sent to any analytics service.

International Data Transfers

Regardless of where you access Notez, analytics data is processed by PostHog in the United States. For EU/EEA and UK users, this constitutes an international transfer. We rely on PostHog's Standard Contractual Clauses (SCCs) and their Data Processing Agreement as the transfer mechanism.

For EU users, the risk of this transfer is further mitigated by the fact that all data sent is fully anonymised — no personal data as defined by the GDPR leaves the EU in identifiable form.

Cookies & Local Storage

EU/EEA and UK users: No cookies or local storage are set for analytics purposes. Only strictly necessary cookies (e.g. session authentication) are used.

All other users: PostHog may set first-party cookies and use localStorage to identify returning users and track sessions. These are analytics cookies — not used for advertising. No third-party advertising or tracking cookies are set.

Data Retention

Analytics event data is retained according to PostHog's default retention settings. Session recordings, where enabled, are retained for 30 days. We may update these periods and will reflect changes in this policy.

Sale of Personal Information

We do not sell, rent, or share your personal information with third parties for monetary or other valuable consideration. We do not share personal information for cross-context behavioural advertising. This applies to all users regardless of region.

Children's Privacy

Notez is not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Your Rights

Depending on your location, you may have the following rights regarding your data:

EU / EEA & UK (GDPR / UK GDPR)

  • Access — request a copy of the data we hold about you (Article 15)
  • Rectification — request correction of inaccurate data (Article 16)
  • Erasure — request deletion of your data (Article 17)
  • Portability — request your data in a machine-readable format (Article 20)
  • Object — object to processing based on legitimate interest (Article 21)
  • Restrict processing — request limitation of processing (Article 18)
  • Complain — lodge a complaint with your local Data Protection Authority

California (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know — request disclosure of the categories and specific pieces of personal information we have collected
  • Delete — request deletion of your personal information
  • Opt out of sale/sharing — we do not sell or share your personal information, so there is nothing to opt out of
  • Non-discrimination — we will not discriminate against you for exercising your privacy rights

Categories of personal information we may collect from California residents: identifiers (user ID, email, display name), internet activity (usage events, session recordings), and geolocation data (region derived from IP, not precise location).

Brazil (LGPD)

Brazilian users have rights similar to those listed under the GDPR, including access, correction, deletion, portability, and the right to information about sharing. Our legal basis for processing is legitimate interest.

Canada (PIPEDA)

Canadian users have the right to access and challenge the accuracy of their personal information held by us, and to withdraw consent for its collection and use.

Australia (Privacy Act)

Australian users have the right to access and correct personal information we hold, and to complain to the Office of the Australian Information Commissioner if unsatisfied with our handling of their data.

We will respond to all data rights requests within 30 days (or sooner where required by law).

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via a notice within the application. The “last updated” date at the top of this page reflects the most recent revision.

Contact

To exercise any of your rights or ask questions about this policy, email us at privacy@notez.app.