Version 2026-05-16 · effective May 16, 2026
Privacy Policy
Exactly what we collect, where it goes, and how long we keep it.
1. Overview
This Privacy Policy describes what information Noto (the “Service”) collects when you use it, why we collect it, how it’s stored, and the rights you have over it. It applies to everyone who creates an account or browses the public pages of the Service.
2. Data we collect
2.1 Account data
- Email address — required to sign in and to send transactional messages such as 2FA email codes and account-recovery emails.
- Password — stored only as a salted bcrypt hash. The plaintext is never written to disk.
- Display name — optional, shown only to you.
- 2FA secret (if you enable TOTP) — stored to verify codes generated by your authenticator app.
- 2FA email-OTP hash (if you use email 2FA) — stored only as a salted bcrypt hash with a short expiry.
- Consent record — the version of these legal documents that you accepted and the timestamp of acceptance.
2.2 Content data
- Notebooks and notes — titles, body content (see password-protected notes below), sort order, and per-note presentation metadata (paper template and background).
- Version history (optional) — for notes that are not password-protected, we may keep up to thirty prior copies of the note body as automatic checkpoints (about every five minutes while you edit) and as manual checkpoints you name yourself. These are stored in our database alongside the current note and are deleted when the note or your account is removed. Password-protected notes do not get server-side version history while locked.
- Password-protected notes (optional) — if you set a note passphrase, your browser encrypts that note’s body before it is sent for storage. We keep the ciphertext, salt, and initialization vector; we never receive or store your passphrase, and we cannot recover the body if you forget it. The note title stays readable so lists and navigation still work. Embedded attachments (images, PDFs in object storage) are not encrypted by this feature — only the note body stored in the database is.
- Note attachments — images, PDFs, and similar files you embed in notes via the editor toolbar. The bytes are stored in our hosting provider’s object-storage service (see “Third parties”); a small index row in the database records the file name, type, and size so we can authorise reads and clean up when a note or your account is deleted.
- Dashboard preferences — your widget layout, timezone choice, weather location, scratch-pad contents, roadmap entries, RSS feed URL.
2.3 Operational data
- Server logs — IP address, user-agent string, request path, and timestamps for failed login attempts, security warnings, and runtime errors. Retained for up to 30 days for abuse prevention and debugging.
- Session cookie — a signed JWT issued by NextAuth on successful login. Used only to identify your session. No third-party analytics cookies are set.
3. Geolocation
The dashboard’s Weather widget can use your browser’s geolocation to pick a nearby weather station. This requires your explicit one-time browser permission. If granted, the latitude and longitude are stored in your account preferences so the widget can keep working without re-asking. They are sent to the weather provider (see “Third parties” below) but not to any other party. You can clear them anytime in Settings.
4. Third parties
Noto sends data to a small number of third parties strictly to deliver the features you use:
- Hosting (Railway, which operates on AWS infrastructure) — stores the database, runs the app servers, and keeps automated encrypted backups. Railway has access to the database in the same way any hosting provider has access to the systems it runs.
- Object storage (Railway Buckets, an S3-compatible service operated by Railway) — stores the raw bytes of files you upload via the editor (images, PDFs). Bucket objects are private; reads are always brokered by Noto and gated on you being signed in as the owner.
- Open-Meteo (open-meteo.com) — receives your latitude and longitude when the Weather widget fetches a forecast. No identifier is sent.
- RSS feed origins — when you add an RSS feed, Noto fetches the feed URL from its server. The feed’s host sees a request from the Noto server (not from your browser).
- SMTP provider (if 2FA email is configured) — receives the recipient email address and the OTP code, only for delivery of that single message.
Noto does not currently use third-party analytics, ad networks, tracking pixels, or AI providers. If any of these change, you will see a new version of this policy at the top of this page and be prompted to re-consent.
5. Encryption
All traffic between your browser and Noto is encrypted with HTTPS (TLS 1.2 or later). All traffic between Noto’s servers, the database, and the object-storage service is encrypted with TLS. Database files, backups, and bucket objects are encrypted at rest by the hosting platform (AES-256 with provider-managed keys). By default, note bodies are stored as plaintext inside the database, and attachment bytes are stored unencrypted in the bucket — this matches the model used by Notion, Evernote, and most hosted note services and allows server-side features such as backups and consistent rendering. If you enable password protection on a note, that note’s body is stored as ciphertext derived in your browser; titles and attachments are handled as described in “Data we collect.” If you need guarantees we do not offer, please don’t store that material in Noto.
6. How long we keep data
- Account and content data — for as long as your account exists.
- Note attachments — for as long as the note (or your account) exists; deleting either removes the corresponding bucket objects on the same schedule as the database row.
- After account deletion — your row in the active database is deleted immediately, and the bucket objects under your user prefix are deleted on the same pass. Backup snapshots that contain historical copies of your data are rotated out within 30 days.
- Server logs — up to 30 days.
- 2FA email codes — until used or until 10 minutes have passed, whichever comes first.
7. Your rights
You have the right to access, correct, export, and delete your personal data, and to object to its processing. You can exercise most of these directly inside the Service:
- Access and correction — Settings page.
- Export — use the per-note Export action (or contact us for a full account export).
- Deletion — Settings → Delete account.
Under the EU/UK GDPR you also have the right to lodge a complaint with your local data-protection authority.
8. Cookies
Noto uses one cookie: a signed session cookie set after you log in. It is essential for the Service to function (without it you would have to re-authenticate on every request) and therefore does not require a separate cookie banner under the e-Privacy Directive. No analytics, advertising, or cross-site tracking cookies are used.
9. Children
Noto is not directed at children under 16. If you believe a child has created an account, please contact us so the account can be removed.
10. Changes to this policy
We may update this policy from time to time. Material changes are signalled by a new version label at the top of this page, and you will be asked to re-accept on your next visit.
11. Contact
For questions about this policy, data-access requests, or security disclosures, write to info@trynoto.app.