Summary
- Notaiis local-first — your notes stay on your device unless you sync.
- We do not sell your personal data and do not use your notes to train AI.
- You can export everything or delete your account anytime from Settings → Account.
- Data is hosted in the European Union. Sub-processors are listed below.
1. Who is the data controller?
The data controller for the personal data described in this policy is Vlăduțescu Dragoș Cătălin (persoană fizică), Romania. Contact: privacy@notai.ro. For data protection matters specifically: dpo@notai.ro.
2. What we collect and why
| Category | What | Why (lawful basis) | Retention |
|---|---|---|---|
| Account | Email, name, profile picture from Google sign-in. | Contract performance (Art. 6(1)(b) GDPR). | Until account deletion + 30-day backup retention. |
| Notes & attachments | Content you sync to the cloud, version history, sticky notes. | Contract performance. | Until you delete; trash purges after 30 days. |
| Billing | Stripe customer ID, country, last4 card, subscription status. Card numbers and CVV never reach our servers. | Contract performance + legal obligation (tax law). | 10 years for invoices (Romanian fiscal code). |
| Operational logs | IP addresses, user agent, request URL, timing, error traces. | Legitimate interest (Art. 6(1)(f)) — security, debugging. | 30 days, then aggregated. |
| Analytics (optional) | Page views, anonymous usage stats. | Consent (Art. 6(1)(a)). | 14 months. |
| Support tickets | Anything you send through the contact / support form. | Consent + legitimate interest. | 3 years from last reply. |
3. Sub-processors
We use the following third parties to deliver the service. Each is bound by a written data-processing agreement (DPA) with appropriate safeguards.
- Vercel Inc.— web hosting (EU/US, EU data residency where configured).
- Google Cloud— managed PostgreSQL and supporting services (europe-west region).
- Cloudflare R2— object storage for attachments (EU jurisdiction).
- Stripe Payments Europe Ltd.— payment processing.
- Resend— transactional email delivery.
- Sentry— error monitoring (PII scrubbed).
- Auth.js + Google— authentication.
- OpenAI / Anthropic— AI features. Prompts are sent on-demand only and are governed by their respective DPAs; no training on your data.
4. International transfers
Where a sub-processor stores or processes personal data outside the EU/EEA (e.g. some Stripe or AI sub-processing), transfers rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914) and additional safeguards required by GDPR.
5. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data (“right to be forgotten”).
- Restrict or object to specific processing.
- Data portability — export in a structured, machine-readable format.
- Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint with the Romanian data-protection authority Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) or your local supervisory authority.
To exercise any right, email privacy@notai.ro. We respond within 30 days. We may need to verify your identity to prevent unauthorised disclosure.
6. Children
Notai is not directed at children under 16. We do not knowingly collect personal data from children under that age. If you believe a child has provided us with personal data, contact us and we will delete it.
7. Cookies
See our cookie policy for the full list and the consent controls.
8. Security
We use industry-standard measures: TLS 1.2+ for data in transit, encryption at rest for the managed database and object storage, role-based access control for our team, audit logging of admin actions, and regular dependency & vulnerability scanning. No system is absolutely secure — if you discover a vulnerability, please report it to abuse@notai.ro.
9. Data breach notification
In the event of a personal data breach affecting your rights and freedoms, we will notify the supervisory authority within 72 hours and inform affected users without undue delay when required by GDPR Art. 33 & 34.
10. Changes
We may update this policy. Material changes are announced in-app and by email. The “Last updated” date at the top reflects the current version.
11. Contact
Privacy questions: privacy@notai.ro. DPO: dpo@notai.ro.