Privacy Policy
Effective 2026-05-27. We’ll notify you by email + a banner in the app if anything substantial changes.
Plain-language summary
NoteLace is a Markdown note-taking app. Your notes live on your computer first; cloud sync is optional. We collect the minimum personal data we need to provide the service: your email + subscription state for the account, and anonymous diagnostics so we can keep sync reliable. We don’t sell your data, we don’t profile you, and we don’t read your notes — not on the server, not for analytics, not for training anything. You can export everything as Markdown or delete your account anytime.
1. Who we are (controller)
The data controller for NoteLace is Currentbits, based in the Netherlands. Postal address available on request. For privacy questions: [email protected]. For general support: [email protected]. See our imprint for the full provider disclosure.
2. What stays on your device
Your notes, notebooks, tags, attachments, version-history snapshots, and the local search index live in the desktop app’s local PouchDB. Until you sign in and turn on cloud sync, none of that ever leaves your machine.
3. What we collect when you sign up
- Email address — you provide this to Clerk (our authentication provider). We use it to send you transactional email (renewal reminders, trial expiry, security notices).
- Display name (optional, from Clerk) — shown in Settings; never displayed to anyone else.
- Subscription state (plan, trial end, renewal date) — provided by Lemon Squeezy after a successful checkout.
- Per-user CouchDB credentials — auto-generated when you first turn on sync. The desktop app uses these to push and pull your encrypted-in-transit replication payloads.
Lawful basis: performance of a contract (Art. 6(1)(b) GDPR) — we can’t provide the subscription service without this minimum.
4. What cloud sync sends
Once you turn on sync, the desktop app replicates your notes to your per-user CouchDB database at couch.notelace.app. Data is encrypted in transit (TLS 1.2+) between your device and our servers. We are working on end-to-end encryption (E2EE) so that even we can’t read note content at rest — until E2EE ships, your notes are stored unencrypted at rest on EU-hosted CouchDB instances we operate. We do not read them, but we technically could. If that matters to you, leave sync off until E2EE ships.
5. Anonymous diagnostics (default on)
The desktop app sends anonymous diagnostics so we can detect sync regressions and crashes. This is default-on, with a first-launch notice in the app explaining it. You can turn it off in Settings › Insights › Diagnostics. The diagnostics include:
- Sentry — uncaught errors and stack traces, with file paths scrubbed of usernames. Never the contents of your notes, titles, or filenames.
- PostHog — coarse usage events (sync started, sync finished, settings panel opened). No note content, no titles, no note identifiers. A random per-install ID (regenerated when you uninstall) so we can count distinct devices without a profile.
Both providers process data in the EU: Sentry on ingest.de.sentry.io (Germany), PostHog on eu.i.posthog.com (EU). Lawful basis: legitimate interest (Art. 6(1)(f) GDPR) — product reliability with content-free, anonymous data.
6. Browser clipper extension
The optional NoteLace web clipper is a browser extension that lets you save the page you’re reading into your local NoteLace vault as Markdown. When you click the toolbar icon, the extension reads the active tab’s HTML, runs Mozilla’s Readability + Turndown locally in your browser, and hands the result to the desktop app via a notelace:// URL. The extension talks to no server, sets no cookies, and uses no analytics. Its manifest declares activeTab and scripting permissions only — no host_permissions. Source code lives alongside NoteLace in the same open-source repository.
Lawful basis: the extension only processes data you actively initiate (your click on a specific page) and the processing happens entirely in your browser; no NoteLace server is in the loop.
7. Website analytics
We use Umami for website analytics, self-hosted on our EU infrastructure at analytics.currentbits.net. Umami is cookie-less. It records: page visited, referrer, device type, country (from IP, then the IP is discarded). It does not use cookies, it does not fingerprint you across sessions, and it does not let us identify you. The first time you visit, the site shows a small banner noting this.
Lawful basis: legitimate interest (Art. 6(1)(f) GDPR). We rely on the cookieless-analytics exemption recognised by several EU DPAs. The most cited set of conditions (CNIL, France) is met by our setup: purpose strictly limited to audience measurement for the operator; no cross-site tracking; IP addresses anonymised before storage; retention limited to 12 months; no sharing with third parties; no combining with other personal data. ePrivacy Art. 5(3) is technology-neutral, so we apply the same restraint to the localStorage flag the cookie-notice banner uses — that flag stores only whether the banner has been dismissed.
If your national DPA interprets ePrivacy more strictly, you can block analytics.currentbits.net at the browser or DNS level without breaking the site.
8. Sub-processors
We use the following third parties to operate the service. Each is bound by a Data Processing Agreement. US-based processors operate under the EU–U.S. Data Privacy Framework.
| Provider | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Clerk | Authentication (sign-in, session) | US | EU–U.S. DPF |
| Lemon Squeezy | Payments & subscription billing (also our EU VAT Merchant of Record) | US | EU–U.S. DPF |
| Resend | Transactional email (renewal reminders, trial expiry) | US | EU–U.S. DPF |
| Sentry | Error monitoring | EU (Germany) | No transfer outside EU |
| PostHog | Product analytics (anonymous) | EU | No transfer outside EU |
| Cloudflare | DNS & CDN | Global edge, US-based | EU–U.S. DPF |
| Hetzner Online GmbH | Server hosting for our CouchDB sync, API, and Umami analytics | EU (Germany) | No transfer outside EU |
DPF certifications are verified at the time this policy is published. If a sub-processor’s DPF status changes (DPF, like its predecessor Privacy Shield, can be invalidated or withdrawn), transfers fall back to Standard Contractual Clauses — see §11.
9. How long we keep your data
- Active account data — for as long as your account exists, plus a 30-day grace period after deletion to reverse accidental requests.
- Invoices & subscription records — retained for 7 years to satisfy Dutch tax obligations (Algemene wet inzake rijksbelastingen).
- Server logs — rotated after 90 days. Logs are scrubbed of note content; they may include IP addresses, user IDs, and request paths for security and debugging.
- Backups — rolling 30-day window. Deleted accounts roll off backups within 30 days of deletion.
- Diagnostics (Sentry/PostHog) — 90 days at the provider, then deleted automatically.
- Umami analytics — aggregated, retained 12 months.
10. Your rights
You have the following rights under the GDPR:
- Access (Art. 15) — request a copy of the personal data we hold about you. Email us at [email protected].
- Rectification (Art. 16) — correct inaccurate data via your account settings or email us.
- Erasure (Art. 17) — delete your account on /account. Your data (account row, CouchDB sync database, all linked records) is purged within 30 days; the 30-day window exists so that accidental requests can be reversed. Tax records that we’re legally required to retain are the exception.
- Portability (Art. 20) — export your whole vault as Markdown anytime from Settings › Insights › Vault › Export. Account data (email, subscription) is available on request.
- Restriction (Art. 18) — request we limit processing while a dispute is resolved.
- Objection (Art. 21) — opt out of telemetry in Settings › Insights › Diagnostics. Block Umami at the browser/DNS level if you don’t want website analytics.
- Withdraw consent — where processing relies on consent, you can withdraw it without affecting prior lawful processing.
- Lodge a complaint — the Dutch supervisory authority is the Autoriteit Persoonsgegevens. You can also complain to your local DPA if you’re elsewhere in the EU.
We aim to respond within 30 days. Requests are free; we may charge or refuse only for manifestly unfounded or excessive requests, as Art. 12 allows.
11. International transfers
Most processing happens inside the EU. Where data is transferred to US sub-processors (Clerk, Lemon Squeezy, Resend, Cloudflare), the transfer relies on the EU–U.S. Data Privacy Framework. Where DPF is insufficient or unavailable, we use Standard Contractual Clauses.
12. Children
NoteLace is not directed at children under 16. We don’t knowingly collect data from anyone under 16. If you believe a child has signed up, email us and we’ll delete the account.
13. Security
Transport encryption (TLS 1.2+) for all traffic. Per-user CouchDB passwords are stored encrypted at rest in our database using libsodium secretbox. The secretbox encryption key is held in an environment variable on hardened API hosts and is accessible only to the running API process. Authentication is delegated to Clerk. Per-user CouchDB databases are isolated by user id. Source code is version-controlled with signed commits. We monitor for errors and anomalies via Sentry and PostHog (see §5).
A note on what this doesn’t guarantee: until end-to-end encryption ships (see §4), the contents of your synced notes are decryptable by anyone with access to the API host. We don’t read them, but we technically could. If that’s unacceptable for your threat model, leave cloud sync off.
14. Automated decision-making
We do not make decisions about you using automated means. We don’t profile you, score you, or use your data for AI training.
15. Changes to this policy
We’ll update the effective date at the top whenever we change this policy. For substantial changes (new sub-processors, new processing purposes, changes to your rights), we’ll notify you by email + a banner in the desktop app, with at least 30 days’ notice before the change takes effect.
Questions or concerns? Email [email protected]. We answer privacy mail within 5 working days.