Privacy Policy

BitNotes is committed to protecting your privacy. This policy explains how we collect, use, and protect your information in compliance with GDPR and other privacy regulations.

Last updated: November 17, 2025

Effective date: November 17, 2025

1. Overview

🔒 Zero-Knowledge Commitment

BitNotes is built on a zero-knowledge architecture. This means we cannot access, read, or share your notes even if we wanted to. Your privacy is not just a policy—it's built into our technology.

This Privacy Policy describes how BitNotes ("we," "our," or "us") collects, uses, and protects information when you use our note-taking application and related services (collectively, the "Service").

We are committed to complying with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws. This policy explains your rights and our obligations regarding your personal data.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Service.

2. Data Controller

For the purposes of GDPR and other data protection laws, the data controller is:

BitNotes
A product of KurdBits.com
Email: privacy@bitnotes.app
DPO Email: dpo@bitnotes.app

We are responsible for deciding how and why your personal data is processed in connection with our Service.

3. Information We Collect

✅ What We DON'T Collect

  • Content of your notes (encrypted locally before transmission)
  • Personal identifiers that can be linked to your notes
  • Behavioral analytics or tracking data
  • Location data
  • Contacts or address book information

3.1 Information You Provide

  • Account Information: Email address, username, and encrypted password hash
  • Profile Information: Optional display name and profile settings
  • Support Communications: Messages you send to our support team
  • Payment Information: Processed by third-party payment processors (we don't store payment details)

3.2 Information Automatically Collected

  • Technical Information: IP address, device type, operating system, app version
  • Usage Information: Feature usage statistics (aggregated and anonymized)
  • Error Information: Crash reports and error logs (containing no personal content)
  • Security Information: Login attempts and security events

3.3 Encrypted Data

Your notes and personal content are encrypted using AES-256 encryption on your device before being transmitted to our servers. We store only encrypted data that we cannot decrypt or access.

πŸ” Technical Implementation

All note content is encrypted client-side using your unique encryption key. This key is derived from your password and never transmitted to our servers. Even our employees cannot access your notes.

5. How We Process Your Data

5.1 Service Provision

  • Creating and managing your account
  • Synchronizing encrypted notes across devices
  • Providing customer support
  • Processing payments through third-party processors

5.2 Security and Fraud Prevention

  • Monitoring for suspicious activity
  • Preventing unauthorized access
  • Protecting against spam and abuse
  • Maintaining system security

5.3 Service Improvement

  • Analyzing aggregated usage patterns
  • Identifying and fixing technical issues
  • Developing new features
  • Optimizing performance

⚠️ Important Note

We never process, analyze, or use the content of your notes for any purpose. All note content remains encrypted and inaccessible to us.

6. Data Sharing and Third Parties

✅ Our Commitment

We do not sell, rent, or share your personal data with third parties for marketing purposes. Your encrypted notes are never shared with anyone.

6.1 Service Providers

We may share limited data with trusted service providers who help us operate our Service:

  • Cloud Infrastructure: Hosting and data storage (encrypted data only)
  • Payment Processing: Handling subscription payments
  • Customer Support: Providing user assistance
  • Security Services: Monitoring and protection

6.2 Legal Requirements

We may disclose information when required by law or to:

  • Comply with legal obligations and court orders
  • Respond to lawful government requests
  • Protect our rights and property
  • Ensure user and public safety

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and ensure continued protection of your data.

7. Data Retention

7.1 Active Accounts

We retain your data while your account is active and for as long as needed to provide our services.

7.2 Account Deletion

  • Immediate: Encrypted notes and personal content
  • 30 days: Account information and metadata
  • 90 days: Backup copies and logs
  • Legal requirements: Some data may be retained longer if required by law

7.3 Inactive Accounts

Accounts inactive for more than 2 years may be subject to deletion. We will notify you before any such action via your registered email address.

💡 Your Control

You can delete your account and all associated data at any time through the app settings or by contacting us directly.

8. Security Measures

8.1 Technical Safeguards

  • AES-256 Encryption: Industry-standard encryption for all data
  • Zero-Knowledge Architecture: We cannot access your encrypted content
  • Secure Transmission: TLS 1.3 for all data transfers
  • Regular Security Audits: Independent security assessments
  • Secure Infrastructure: Hardened servers and networks

8.2 Organizational Measures

  • Access controls and employee training
  • Regular security awareness programs
  • Incident response procedures
  • Data minimization practices
  • Privacy by design principles

8.3 Data Breach Response

In the unlikely event of a data breach, we will:

  • Notify relevant authorities within 72 hours (GDPR requirement)
  • Inform affected users without undue delay
  • Take immediate steps to contain and remedy the breach
  • Conduct a thorough investigation and implement improvements

9. Your Privacy Rights

Under GDPR and other privacy laws, you have the following rights:

9.1 Right to Access

You can request a copy of the personal data we hold about you.

  • Available through app settings or by request
  • Provided in a structured, commonly used format
  • Response within 30 days

9.2 Right to Rectification

You can correct inaccurate or incomplete personal data.

9.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent and no other legal basis exists
  • The data has been unlawfully processed
  • Erasure is required for legal compliance

9.4 Right to Restrict Processing

You can limit how we process your data in certain circumstances.

9.5 Right to Data Portability

You can receive your data in a portable format or have it transferred to another service.

9.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing.

9.7 Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that significantly affects you.

📧 Exercise Your Rights

To exercise any of these rights, contact us at privacy@bitnotes.app or use the privacy controls in the app. We will respond within 30 days.

10. International Data Transfers

Your data may be processed in countries outside your residence. We ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries with adequate protection as determined by the European Commission
  • Standard Contractual Clauses: EU-approved contracts ensuring GDPR-level protection
  • Certification Programs: Participation in recognized privacy frameworks
  • Technical Safeguards: End-to-end encryption regardless of location

All international transfers comply with applicable laws and maintain the same level of protection as required by GDPR.

11. Cookies and Similar Technologies

11.1 Essential Cookies

We use essential cookies that are necessary for our Service to function:

  • Authentication: Keep you logged in
  • Security: Protect against attacks
  • Preferences: Remember your settings
  • Functionality: Enable core features

11.2 What We Don't Use

  • Advertising cookies
  • Social media cookies
  • Analytics cookies (we use privacy-preserving alternatives)
  • Third-party tracking cookies

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect Service functionality.

12. Children's Privacy

Our Service is not intended for children under 13 years of age (or 16 in the EU). We do not knowingly collect personal information from children.

If we become aware that we have collected personal data from a child without parental consent, we will take steps to remove that information from our servers.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@bitnotes.app.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Sending an email notification to your registered address
  • Displaying a notice in the app
  • Requiring acceptance for significant changes

Changes will be effective immediately upon posting unless otherwise specified. Your continued use of the Service after changes indicates acceptance of the updated policy.

📅 Stay Informed

We recommend reviewing this policy periodically. The "Last Updated" date at the top indicates when changes were made.

14. Contact Information

For any questions about this Privacy Policy or our privacy practices, please contact us:

Privacy Team

Email: privacy@bitnotes.app

Subject Line: "Privacy Policy Inquiry"

General Contact

Email: hello@bitnotes.app

Company

BitNotes - A product of KurdBits.com

We aim to respond to all privacy-related inquiries within 30 days. For urgent matters, please mark your email as "Urgent."

15. Data Protection Officer

You can contact our Data Protection Officer (DPO) for any data protection concerns:

Data Protection Officer

Email: dpo@bitnotes.app

Response Time: Within 30 days

You also have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.

This Privacy Policy demonstrates our commitment to protecting your privacy and complying with applicable data protection laws.

Last Updated: November 17, 2025