Legal

Privacy Policy

We built Nota on a single promise: your notes belong to you. This policy explains exactly what data we collect (very little), how we use it, and how we protect it.

🚫

No personal data collected

We don't collect names, emails, or any identifying information when you use the app.

🧠

AI runs on your device

Every AI feature processes your notes locally via WebAssembly. Nothing is sent to our servers.

🔐

End-to-end encrypted sync

If you use Google Drive sync, your notes are AES-256 encrypted before upload. We hold no keys.

Last updated: 1 June 2025 · Effective date: 1 June 2025

Contents

  1. Who we are
  2. Data we collect
  3. Local data storage
  4. On-device AI processing
  5. Google Drive integration
  6. Third-party services
  7. Cookies and tracking
  8. Children's privacy
  9. Your rights
  10. Data security
  11. Changes to this policy
  12. Contact us

1. Who we are

Nota ("we", "our", "us") is an independent software project. The app is available as a web application, an Android app on Google Play, and a Windows app on the Microsoft Store. Our contact email is rushi.programmer@gmail.com.

2. Data we collect

The short answer: When you use the Nota app itself (web, Android, or Windows), we collect no personal data whatsoever. Your notes, AI usage, and settings never leave your device or browser unless you explicitly choose to sync to Google Drive.

The only time we may receive any data is if you:

  • Contact us via email or the contact form — we receive your name, email address, and message content. We use this solely to respond to you and never share it with third parties.
  • Sign up for product update emails — we store your email address for the sole purpose of sending those updates. You can unsubscribe at any time.

We do not collect: device identifiers, IP addresses, usage analytics, crash reports, advertising identifiers, or any behavioural data.

3. Local data storage

Nota stores all your notes, settings, flashcards, and preferences in your browser's localStorage (web app) or the equivalent on-device database (Android/Windows). This data:

  • Never leaves your device unless you use the Google Drive sync feature
  • Is not accessible to us or any third party
  • Is cleared if you clear your browser data or uninstall the app
  • Is not backed up by us — Drive sync is the only backup mechanism

We strongly recommend using the Google Drive sync or the export features regularly to back up your notes.

4. On-device AI processing

Nota includes AI features powered by Transformers.js and Tesseract.js, which run entirely within your browser or device using WebAssembly. This means:

  • Your note content is never sent to any AI API or server
  • No OpenAI, Google AI, Anthropic, or other external AI service receives your data
  • AI models are downloaded once from the Hugging Face CDN (see Third-Party Services below) and cached locally
  • All inference — summarisation, keyword extraction, embedding generation, OCR — happens on your processor

The model download itself reveals your IP address to the Hugging Face CDN, as is standard for any web request. The content you process with those models is never transmitted.

5. Google Drive integration

The Google Drive sync feature is entirely optional. If you choose to use it:

  • You authenticate directly with Google using the Google Identity Services (GIS) OAuth 2.0 flow
  • We never see your Google credentials or access token
  • Before any data is uploaded, Nota encrypts it with AES-256 using a password you provide
  • The encryption happens entirely in your browser — the encrypted blob is what gets sent to Google Drive
  • We cannot decrypt your notes, even theoretically — we do not hold the encryption key
  • Google's own privacy policy governs how they store the encrypted file on their infrastructure
Important: Do not lose your encryption password. We have no way to recover it or decrypt your notes on your behalf. Store it in a secure password manager.

Google Calendar access (used for linking meeting notes to calendar events) requires the calendar.readonly scope. We read upcoming events on-demand when you request them; we do not store calendar data.

6. Third-party services

Nota uses the following third-party services. In each case the listed data exposure is the minimum inherent to fetching a resource from a CDN:

  • Google Fonts (fonts.googleapis.com) — loads the Fraunces and DM Sans typefaces. Google receives your IP address and browser user-agent. See Google's Privacy Policy.
  • Hugging Face CDN (cdn.jsdelivr.net / huggingface.co) — delivers AI model files on first use. Your IP is logged by CDN providers. The content you process with those models is not transmitted. See Hugging Face Privacy.
  • Google APIs (apis.google.com, accounts.google.com) — the Google Drive and Google Sign-In libraries. Only loaded if you use Drive sync. See Google's Privacy Policy.
  • cdnjs.cloudflare.com / cdn.jsdelivr.net — delivers CryptoJS, FlexSearch, D3.js, and Tesseract.js. Standard CDN IP logging applies.

We do not embed advertising networks, social tracking pixels, analytics scripts, or affiliate trackers of any kind.

7. Cookies and tracking

The Nota app itself uses no cookies and performs no tracking. We do not use:

  • Analytics cookies (no Google Analytics, Mixpanel, Amplitude, etc.)
  • Advertising or retargeting cookies
  • Session cookies from our servers (we have no application server)
  • Fingerprinting or device identification techniques

This website (notaapp.io) is a static site hosted on a CDN. Server logs may capture IP addresses and user-agents as a standard part of HTTP. These logs are not used for profiling and are rotated regularly.

8. Children's privacy

Nota is suitable for all ages and does not knowingly collect personal data from anyone, including children under 13 (COPPA) or children under 16 (GDPR). Since we collect no personal data through the app itself, there is no age-based restriction on using it.

If you believe a child has submitted personal data to us via the contact form and you wish for it to be deleted, please email rushi.programmer@gmail.com.

9. Your rights

Under GDPR, CCPA, and similar regulations you have the following rights with respect to any personal data we hold about you:

  • Right of access — you can request a copy of any data we hold about you
  • Right to rectification — you can ask us to correct inaccurate data
  • Right to erasure — you can ask us to delete your data
  • Right to object — you can object to processing of your data
  • Right to data portability — you can request your data in a portable format

Because we hold minimal data (only contact form submissions and optional newsletter signups), exercising any of these rights is simple. Email rushi.programmer@gmail.com and we will respond within 30 days.

For data stored locally on your device (your notes, settings, flashcards), you are the sole controller and can delete it at any time by clearing your browser data or uninstalling the app.

10. Data security

We take security seriously:

  • All communications with our website and CDNs use TLS encryption
  • Google Drive sync uses AES-256 client-side encryption before any upload
  • We do not store passwords or encryption keys
  • Contact form submissions are received via encrypted email
  • We conduct periodic reviews of third-party dependencies for known vulnerabilities

No system is perfectly secure. If you discover a security vulnerability in Nota, please disclose it responsibly by emailing security@notaapp.io. We will acknowledge your report within 48 hours.

11. Changes to this policy

We will update this Privacy Policy if our practices change materially. When we do, we will:

  • Update the "Last updated" date at the top of this page
  • Post a notice in the app on next launch for significant changes
  • Email newsletter subscribers if the changes affect them

Continued use of Nota after changes are posted constitutes acceptance of the updated policy.

12. Contact us

For any privacy-related questions, requests, or concerns: