Privacy Policy
Last updated: April 29, 2026
Summary
MyNotes is a rich-text note-taking service. This page explains, in plain language, what we collect, why we collect it, who we share it with, and the choices you have. The short version:
- We store your email, a hashed password, your notes, and — if you subscribe — a billing record returned by our payment processor.
- We never see or store your payment card. That lives with Lemon Squeezy.
- You can request a full .zip export of every note you've written at any time; we build it in the background and email you a one-time download link valid for 24 hours. You can close your account by emailing us.
1. Who we are
MyNotes ("we", "us", "our") is operated by [COMPANY], based in [JURISDICTION]. For the purposes of the EU/UK GDPR, we are the data controller for the personal information described below. You can reach us at privacy@example.com.
2. What we collect and why
We collect only what we need to run the service. Specifically:
| Category | Data | Why | Legal basis (GDPR) |
|---|---|---|---|
| Account | Email address, bcrypt-hashed password | Create and secure your account; send password-reset emails | Contract |
| Profile | Display name, short bio (both optional) | Personalize the UI | Contract |
| Age & consent | Date of birth, timestamp and version of the Terms of Service you accepted at signup | Enforce our minimum age (16) and keep an audit record that you agreed to the Terms | Legal obligation; Contract |
| Notes | Title, filename, rich-text body, and any images embedded in a note | Deliver the core service: store and render the notes you create | Contract |
| Billing | Plan, subscription status, Lemon Squeezy subscription ID, renewal and end dates | Gate paid features, process renewals, honor cancellations | Contract |
| Technical logs | IP address, user agent, request path, timestamps, error traces | Debug the service; rate-limit sign-in, password-reset, and webhook traffic | Legitimate interests |
We do not collect payment card numbers, CVVs, or bank details. Those are entered directly into Lemon Squeezy's hosted checkout and never reach our servers. We do not run web analytics, fingerprinting, or cross-site tracking on signed-in users beyond what is described above.
3. How we use your data
- Operate the service — sign you in, save your notes, render the editor, serve per-note downloads, and build full-account export archives in the background.
- Communicate with you — password resets, account-confirmation messages, billing notices, and the one-time download link emailed to you when a full-account export is ready. We do not send marketing email.
- Bill and renew — process subscription events from Lemon Squeezy when you subscribe, and restore or revoke paid access accordingly.
- Protect the service — throttle abusive traffic, investigate incidents, and enforce our Terms of Service.
We do not sell your personal information. We do not use your notes to train AI models, and we do not share them with third parties for their own purposes.
4. Who we share data with
We share the minimum data needed with a small number of trusted providers:
- Lemon Squeezy (payment processor and merchant of record). Receives your email and billing details when you check out, and sends us back a subscription ID, plan, status, and renewal dates via a signed webhook. See Lemon Squeezy's privacy policy.
- Our hosting and infrastructure providers. Your data is stored on servers operated by our hosting provider; encrypted backups are kept by the same provider. We configure these providers to process data only on our instructions.
- Email delivery. Transactional messages — password resets, account confirmations, billing notices, and the one-time download link for a full-account export — are delivered through a third-party email provider configured in our environment.
- Law enforcement and legal process. We will disclose information only when compelled by a valid legal request, and we will push back on overbroad requests where appropriate.
5. International transfers
Our providers (Lemon Squeezy, hosting and email vendors) may process data outside your country, including in the United States. Where required, we rely on Standard Contractual Clauses or equivalent safeguards published by the European Commission and the UK ICO. Email us for a copy of the current list.
6. Cookies and browser storage
What the browser stores for MyNotes is either strictly necessary to keep you signed in and protect against attacks, or functional — remembering UI preferences you have set. We do not run advertising or analytics scripts.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| _session | Essential cookie | Keeps you signed in | Session |
| CSRF token | Essential (meta + cookie) | Prevents cross-site request forgery | Session |
| remember_user_token | Essential (if you choose "remember me") | Keeps you signed in across browser restarts | Up to 2 weeks |
| app_theme, app_font, app_font_size | Functional cookies | Remember your theme, reading font, and text size | ~20 years (permanent) |
Essential and functional cookies are required for the app to work and are set without separate consent. We do not set any advertising or analytics cookies. You can clear cookies from your browser's site storage at any time; essential cookies will be re-issued the next time you sign in.
7. How long we keep your data
- Account and notes — retained for as long as your account exists. Closing your account deletes your user record, all notes (including rich-text bodies and embedded images), and our local subscription link.
- Billing records — local subscription rows are removed with your account. Transaction records required for tax and accounting are retained by our payment processor, Lemon Squeezy, under their own retention schedule (typically seven years).
- Server logs — retained for up to 30 days for debugging and abuse investigation, then rotated out.
- Backups — encrypted backups are retained for up to 30 days and then overwritten. Deletion requests complete in your live database immediately and propagate out of backups within this window.
8. Your rights
Subject to your jurisdiction's laws (including the EU/UK GDPR and the California CCPA), you can:
- Access the personal data we hold about you.
- Correct your name, bio, or email from your profile, or by contacting us.
- Export every note you have written as a .zip containing .txt, .docx, and .pdf copies — from Options, on any account, at any time, even after a subscription ends.
- Delete your account and all associated notes yourself from the Cancel my account button on your profile edit page. If you'd rather we process the deletion, email privacy@example.com from your account's email address. We complete deletions within 30 days.
- Restrict or object to certain processing (for example, our legitimate-interest log processing).
- Complain to your local data-protection authority — in the EU, your national supervisory authority; in the UK, the Information Commissioner's Office (ico.org.uk).
We will not discriminate against you for exercising any of these rights. We respond to verified requests within 30 days.
9. How we protect your data
For a human-readable summary — encryption posture, authentication, dependency scanning, and how to report a vulnerability — see the Security page. The technical specifics enforced by the application include:
- All traffic to and from the app is served over HTTPS.
- Passwords are stored as bcrypt hashes; we never see or store your plaintext password.
- Sensitive parameters — passwords, tokens, card fields, SSNs, note bodies, bios, and dates of birth — are filtered out of server logs.
- A strict Content Security Policy and CSRF protection are enforced on every page.
- Sign-in, password-reset, and webhook endpoints are rate-limited by IP to slow credential-stuffing and abuse.
- Access to production data is limited to a small number of staff on a need-to-know basis.
No system is perfectly secure. If we ever discover a breach that affects your personal data, we will notify you and, where required, the relevant regulator, without undue delay.
10. Children
MyNotes is not intended for children under 16 (under 13 in the United States). We do not knowingly collect personal data from children, and the signup form rejects any date of birth that would make the applicant under 16. If you believe a child has created an account, contact us at privacy@example.com and we will delete the account and any associated data.
11. Automated decision-making
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.
12. Changes to this policy
We may update this policy as the service evolves. The "Last updated" date at the top of this page always reflects the current version. Material changes — for example, a new category of data or a new third-party processor — will be announced by email or an in-app notice before they take effect.
13. Contact
Privacy and data-subject requests: privacy@example.com.
General support: support@example.com.