Skip to main content

Privacy Policy

Last updated: March 19, 2026

1. Information We Collect

We collect the following types of information when you use NoteFlow:

  • Account information: name, email address, and password (hashed) when you register
  • Content: notes, bookmarks, whiteboards, todos, sticky notes, tags, and file attachments you create
  • Usage data: activity logs, feature usage, and session information for improving the Service
  • Payment information: billing details processed securely through Stripe (we do not store card numbers)

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and secure your account
  • Process payments and manage subscriptions
  • Send transactional emails (password resets, account notifications)
  • Provide AI-powered features when you choose to use them
  • Monitor and prevent abuse of the Service

3. Data Security

We take the security of your data seriously:

  • Note content is encrypted at rest using AES-256 encryption
  • Passwords are hashed using industry-standard algorithms
  • All connections are encrypted in transit via TLS/SSL
  • Sessions are stored securely with HttpOnly and Secure cookie flags
  • Two-factor authentication (TOTP and WebAuthn) is available for additional account protection

4. Third-Party Services

We use the following third-party services to operate NoteFlow:

  • Stripe: payment processing. Stripe's privacy policy governs payment data handling.
  • AI providers (OpenAI, Anthropic): when you use AI features, relevant content is sent to these providers for processing. This only occurs when you explicitly use an AI feature.
  • Postmark: transactional email delivery.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

5. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data and content within 30 days, except where we are required by law to retain it.

Activity logs and usage data are subject to automated retention policies and are periodically cleaned up.

6. Your Rights

You have the right to:

  • Access: view and download your data using the backup feature
  • Correct: update your account information through Settings
  • Delete: request deletion of your account and associated data
  • Export: export your data at any time via the backup and restore feature

7. Cookies and Sessions

NoteFlow uses essential cookies for authentication and session management. We do not use tracking cookies or third-party analytics cookies. Session cookies are set with Secure, HttpOnly, and SameSite attributes for your protection.

8. Browser Extension

The NoteFlow Bookmarks Chrome extension allows you to save and access bookmarks from your browser. When you use the extension:

  • Authentication: Your email and password are sent to your NoteFlow server during sign-in to generate an API token. Credentials are not stored by the extension — only the token is kept in local browser storage.
  • Tab information: When you open the extension popup, it reads the current tab's URL and page title to auto-fill the bookmark form. This data is only sent to your NoteFlow server if you choose to save the bookmark.
  • Bookmark check: When you navigate to a page, the extension may send the page URL to your NoteFlow server to check if it is already bookmarked. This is used solely to display a badge indicator.
  • Data storage: The extension stores only your NoteFlow server URL, API token, and display name in local browser storage. No bookmark content, browsing history, or personal data is stored in the extension.
  • Data transmission: All data is sent exclusively to your NoteFlow server. The extension does not send data to any third-party services, analytics providers, or external servers.

You can revoke the extension's access at any time from your NoteFlow account settings or by signing out of the extension.

9. Children's Privacy

NoteFlow is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service. The "Last updated" date at the top of this page indicates when this policy was last revised.

11. Contact

If you have questions about this Privacy Policy or how we handle your data, please contact us.