PRIVACY POLICY
Last updated: April 25, 2026
NoteSam ("we", "us", "our") operates the NoteSam mobile application and web service (the "Service"). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service.
1. DATA WE COLLECT
1.1 Account Data
When you create an account, we collect your email address and display name. Your password is hashed using bcrypt and never stored in plain text.
1.2 Note Data
Your handwritten notes, strokes, and attachments are stored locally on your device. If you enable sync, your data is encrypted end-to-end (AES-256-GCM) before leaving your device. We cannot read your notes.
1.3 Sync Data
If you use NoteSam Cloud Sync (Pro), encrypted blobs are stored on Cloudflare R2. We store sync metadata (notebook IDs, version numbers, timestamps) but never the content of your notes.
If you use third-party sync (WebDAV, Google Drive), your data goes directly to your chosen provider. We do not have access to it.
1.4 Usage Analytics
A small set of conversion and engagement events — sign-up, login, purchase, subscription start, notebook created, template downloaded, PDF imported, EPUB imported, paywall viewed, sync completed (counts only) — are sent to Firebase Analytics. These events carry your NoteSam user ID for attribution and an `is_premium` flag, but contain no notebook content, no PDF text and no audio. See Section 6 for how your advertising identifier is handled for rewarded ads. We also collect anonymous crash reports to improve the app — no personal data or note content is included.
2. HOW WE USE YOUR DATA
- To provide and maintain the Service
- To sync your notes across devices (only if you opt in)
- To process payments for Pro subscriptions
- To send important service updates (never marketing)
3. END-TO-END ENCRYPTION
When sync is enabled, all note data is encrypted on your device using AES-256-GCM with a key derived from your password via Argon2id. The encryption key never leaves your device. We cannot decrypt your data even if compelled to.
4. DATA STORAGE
- Local data: stored on your device only
- Cloud sync: Cloudflare R2 (encrypted), EU/US regions
- Account data: PostgreSQL on EU servers (Hetzner, Germany)
- Payment data: processed by Apple/Google; we never see card details
5. THIRD-PARTY SERVICES
- Apple App Store / Google Play Store (payments)
- Cloudflare (CDN, API hosting, blob storage)
- Google ML Kit (on-device handwriting recognition - no data sent to Google)
- Google AdMob (rewarded video ads - see Section 6)
- Anthropic Claude API (AI features - only if you explicitly use them, text sent for processing)
6. ADVERTISING
NoteSam displays rewarded video advertisements, served by Google AdMob, to free users who choose to unlock premium cosmetic content (specific templates, cover colors, sticker packs) by watching a short ad.
- Opt-in only: we never play ads automatically. You must tap "Watch ad to unlock" to start one.
- Format: rewarded video only. No banner ads, no interstitial popups, no in-content advertising.
- Advertising partner: Google LLC (AdMob). Their privacy policy applies: https://policies.google.com/privacy
- Advertising identifier: if you are in the EU/UK/California and consent to personalized ads, your device's advertising ID (Android Advertising ID or iOS IDFA) is shared with AdMob so relevant ads can be shown. Without consent, only non-personalized ads are served.
- Reset or disable your advertising ID at any time: iOS Settings > Privacy & Security > Tracking; Android Settings > Privacy > Ads.
- Pro subscribers see no ads of any kind. All premium cosmetic content is included with a Pro subscription.
- Consent: on first use of an ad-gated feature in the EU/UK/California, a consent form is presented (Google's User Messaging Platform, IAB TCF v2 compliant). Choices can be changed in Settings > Privacy.
- Ad revenue supports the free tier so core note-taking stays available at no cost.
7. YOUR RIGHTS (GDPR / KVKK)
You have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and all associated data
- Export your data (via .nbk backup)
- Withdraw consent for data processing
- Lodge a complaint with a supervisory authority
8. DATA RETENTION
- Account data: retained until you delete your account
- Sync data: deleted within 30 days of account deletion
- Local data: remains on your device until you delete it
- Analytics: anonymized, retained for 12 months
9. CHILDREN'S PRIVACY
NoteSam does not knowingly collect data from children under 13 (or 16 in the EU). If we learn that we have collected such data, we will delete it promptly.
10. CHANGES TO THIS POLICY
We will notify you of any material changes via the app or email. Continued use after changes constitutes acceptance.
11. CONTACT
Cryptosam LLC
7901 4th N, STE 300, St. Petersburg, FL 33702, USA
Email: [email protected]