Privacy Policy

Last updated: 2026-04-16

Draft — pending legal review. This document has not been reviewed by legal counsel. It must receive sign-off before Milestone 5 (sync feature) ships.

1. Controller

[PLACEHOLDER] The data controller responsible for your personal data is NoteMD (“we”, “us”, “our”). Contact details will be inserted upon legal review.

2. Data Collected

[PLACEHOLDER] We collect your email address when you register. Note content is stored locally in your browser (IndexedDB) and, if you enable sync, encrypted in our cloud infrastructure. We do not collect analytics or advertising data.

3. Purpose of Processing

[PLACEHOLDER] Your data is processed to provide the NoteMD service: authenticating your account, synchronising notes across devices (if enabled), and processing subscription payments via Stripe.

4. Legal Basis

[PLACEHOLDER] Processing is based on your consent (GDPR Article 6(1)(a)) for optional cloud sync, and on contract performance (Article 6(1)(b)) for account management and billing. Specific legal bases will be confirmed by legal counsel.

5. Retention Period

[PLACEHOLDER] Account data is retained for the duration of your subscription and deleted within 30 days of account deletion. Cloud notes are soft-deleted immediately and purged within 30 days. Retention periods will be finalised upon legal review.

6. Your Rights

[PLACEHOLDER] Under GDPR you have the right to access, rectify, erase, and port your personal data. You may also object to processing or withdraw consent at any time. To exercise these rights, contact us at the address below.

7. Contact

[PLACEHOLDER] For privacy inquiries or to exercise your rights, please contact our Data Protection Officer at: [DPO email — to be inserted upon legal review].