Notah Privacy Policy

Last updated: October 9, 2025

Brainbox LLC ("we", "us", "our") operates Notah, a note-taking and transcription application available as a web app and browser extension. We are committed to protecting your privacy and handling your data ethically and transparently.

This Privacy Policy explains what we collect, how we use it, your rights, and how to contact us. If you do not agree with this Policy, please do not use the Services.

Summary at a Glance

  • We collect account data, note content you create, optional audio you record for transcription, and basic device/use information needed to run the app.
  • We do not sell your personal information or use advertising trackers.
  • We store some data locally on your device (localStorage and IndexedDB) to support offline use.
  • We use trusted service providers (e.g., Google Cloud for uploads via signed URLs, Sentry for error reporting).
  • You have rights to access, correct, delete, and export your data, subject to applicable law.

1) Who We Are and Scope

  • Controller: Brainbox LLC
  • Services: Notah web application and browser extension (collectively, the "Services")
  • Contact: privacy@notah.ai
  • This Policy applies to all users of the Services worldwide.

2) Information We Collect

Account Data

  • Name, email, credentials (e.g., hashed passwords on our servers), authentication tokens set by our API.
  • Secondary emails you add, avatar image you upload.

Authentication Tokens and Identifiers

  • Access/refresh tokens used to authenticate API requests. In the web/extension app, these are stored in your browser's local storage.
  • Your user ID to connect real-time features.

User Content

  • Notes (title, content, metadata such as created/updated time, pin/open state).
  • Optional audio you choose to record and upload for transcription.
  • Feedback you submit in-app.

Device and Usage Information

  • Basic device/OS indicators to support keyboard shortcuts and UI ergonomics.
  • Network connectivity status for syncing.
  • We may receive IP address and standard HTTP metadata when you connect to our API.

Real-time Notifications Data

  • Server-Sent Events (SSE) used to notify you when transcription is complete (event metadata, not marketing).

App Preferences (Stored on Your Device)

  • Theme, font family, font size, sidebar state, and other UI preferences saved to localStorage.
  • Local caches of notes and queued uploads saved in IndexedDB for offline functionality.

We do not use third-party advertising trackers. As of today, we do not run marketing analytics in the app.

3) How We Use Information

  • Provide and improve the Services: Authenticate users, load and sync notes, deliver real-time notifications, and process audio you choose to upload for transcription.
  • Operate offline-first functionality: Cache notes and certain operations on your device to keep Notah usable without network connectivity.
  • Security and reliability: Detect and fix bugs; investigate service disruptions and errors; protect the Services against abuse.
  • User support and communication: Respond to support requests; send important service or policy updates.
  • Research and development: Improve features and quality. When feasible, we use de-identified or aggregated data.

4) Legal Bases (EEA/UK/Switzerland)

Where applicable under EU/UK/Swiss law:

  • Performance of contract: To provide you with the Services you request (e.g., create/save notes, process audio).
  • Legitimate interests: To secure and improve the Services (e.g., error reporting), provided these interests are not overridden by your rights.
  • Consent: For optional features like microphone access and certain notifications.
  • Legal obligations: To comply with applicable law.

5) Sharing of Information

We do not sell your personal information.

We share data only with:

Service Providers (Processors)

  • Cloud storage and compute (e.g., Google Cloud Storage for signed uploads of audio you choose to send; our API hosting).
  • Error monitoring (Sentry) to detect and fix issues.
  • These providers are bound by confidentiality and data processing obligations.

OAuth Providers (Controllers)

If you sign in using Google or Microsoft, those providers process your data under their own policies during authentication.

Legal and Safety

If required by law or to protect rights, safety, or property.

Business Transfers

In a merger, acquisition, or asset sale, your information may be transferred with appropriate safeguards.

With Your Consent

When you ask us to share or integrate with a third party.

6) Cookies and Local Storage

  • The web/extension app primarily uses bearer tokens and localStorage (not cookies) for session state.
  • We store preferences and local caches in localStorage and IndexedDB to support offline use.
  • We do not use advertising cookies. If our website uses essential cookies, they are limited to functionality and security.

7) Data Retention

  • Account data: Kept for the life of your account and a reasonable period thereafter (e.g., for fraud prevention or legal obligations).
  • Notes: Retained until you delete them or your account is deleted. Local copies on your device persist until you clear them.
  • Audio uploads for transcription: Designed to be retained only as long as needed to process and deliver results, then removed according to our operational policies and cloud provider lifecycles.
  • Local device storage (localStorage/IndexedDB): Persists until you clear it (e.g., via app sign-out flows where applicable, browser storage settings, or uninstalling the extension).

8) Security

  • Encryption in transit (HTTPS).
  • Cloud providers encrypt data at rest by default.
  • Least-privilege access and monitoring.
  • No method is 100% secure. If we learn of a breach, we will notify you and regulators as required.

9) Your Rights and Choices

Depending on your location, you may have:

  • Access, correction, deletion, and portability rights.
  • The right to object or restrict processing.
  • The right to withdraw consent where processing is based on consent.
  • Appeal rights (in certain US states).
  • CCPA/CPRA (California): right to know, delete, correct, and opt out of sharing for cross-context behavioral advertising. We do not sell personal information.

How to exercise:

  • Email privacy@notah.ai with your request. We may require verification.
  • You can update/delete notes in-app and manage certain preferences directly.
  • To clear local device storage, use your browser's storage settings or remove the extension.

10) Children's Privacy

The Services are not directed to children under 13 (or 16 where applicable). We do not knowingly collect personal data from children. If you believe a child has provided data, contact us to delete it.

11) International Data Transfers

Your information may be processed in the United States or other countries where we or our processors operate. We use appropriate safeguards (e.g., DPAs, SCCs) as required by law.

12) Do Not Track and Global Privacy Control (GPC)

We do not use advertising trackers. While industry standards for DNT/GPC handling continue to evolve, we honor applicable opt-out rights under relevant laws.

13) Changes to this Policy

We will update this Policy from time to time. Material changes will be highlighted in the app or on our website. Continued use after changes take effect means you accept the updated Policy.

14) Contact

  • Brainbox LLC
  • Email: privacy@notah.ai
  • If you are in the EEA/UK/Switzerland and believe we have not resolved your concern, you may contact your local supervisory authority.

Region-Specific Disclosures

  • EEA/UK/Switzerland: You have GDPR/UK GDPR rights. We rely on contract, legitimate interests, consent, and legal obligation bases as described above. International transfers use appropriate safeguards.
  • California (CCPA/CPRA): We do not sell personal information or share it for cross-context behavioral advertising. You may request access/deletion/correction via privacy@notah.ai.

Future Updates

We may update this Privacy Policy as our services evolve. When we introduce new features like payment processing, we will update this policy with relevant information about how those features handle your data.