NoteSync

Privacy Policy

Last updated: April 2026

This Privacy Policy describes how NoteSync ("we", "our", "us") collects, uses, and protects your information when you use our service.

1. Information we collect

We collect minimal data needed to provide the service. This includes your email address (for account sign-in), authentication tokens, and metadata about sync events (device IDs, timestamps, sync frequency).

We do not collect or have access to the content of your notes. All notes are encrypted on your device before being sent to our servers using AES-256-GCM with keys derived from your master password.

2. How we use information

The data we collect is used solely to provide the sync service: routing encrypted blobs between your devices, billing, and detecting abuse (e.g., spam sign-ups).

We do not sell, rent, or share your information with advertisers or third-party data brokers.

3. Encryption and zero-knowledge

NoteSync is designed as a zero-knowledge service. Your master password never leaves your device. Note content is encrypted client-side. Our servers store only ciphertext.

If you forget your master password, we cannot recover your notes. This is by design — even if compelled by court order, we have no technical ability to access your content.

4. Data retention

Encrypted note blobs are retained for as long as your account is active. Deleted items are permanently purged within 30 days.

Server logs (IP, request metadata) are retained for 14 days for abuse prevention, then permanently deleted.

5. Subprocessors

We use the following processors to deliver the service:

6. Your rights (GDPR)

If you're in the EU, you have the right to access, rectify, and delete your data, and to data portability. Contact privacy@notesync-stub.invalid to exercise these rights.

7. Changes to this policy

We'll notify you of material changes via email at least 30 days before they take effect.

8. Contact

For privacy questions: privacy@notesync-stub.invalid