Privacy Policy

Last updated: 13/07/2026

This policy explains what Nota collects, why, who we share it with, and what you can do about it.

Who we are. The controller of your personal data is Nota. Contact: hello@usenota.co

The short version. We collect the minimum needed to run a synced task app: your email, your tasks and screenshots, and whether your subscription is active. We do not sell your data, we do not advertise, and we do not train AI models on your content. On Macs with Apple Intelligence, your screenshots are summarized on your device and never leave it.

1. What we collect

Account data. Your email address. If you use Google sign-in, the identifier and basic profile information Google returns. We never receive your password: authentication is handled by our provider, and passwords are stored only as hashes.

Your content. The tasks, subtasks and notes you create, the screenshots you capture, and the name of the application a screenshot came from. Stored so that it can sync across your devices.

Subscription data. Whether your trial or subscription is active, your plan, renewal date, and a billing-provider customer reference. We do not collect or store your card number. Card details go directly to Stripe.

Technical and diagnostic data. Minimal server logs (timestamps, IP address, coarse request data, error traces), app version, and macOS version, used to run, debug and secure the Service.

Support correspondence. If you email us, we keep the email.

We do not collect: your browsing history, your keystrokes, your screen contents outside a capture you initiate, contacts, or location.

2. Why we use it, and our legal basis

WhatWhyLegal basis (GDPR) Email, account identifiersCreate and authenticate your account Performance of a contract, Art. 6(1)(b)Tasks, notes, screenshotsStore, sync and display your contentPerformance of a contract, Art. 6(1)(b)Text from a capture, sent for summarization Generate the task title and subtasksPerformance of a contract, Art. 6(1)(b)Subscription status, billing referenceManage the trial, take payment, control accessPerformance of a contract, Art. 6(1)(b); legal obligation for tax records, Art. 6(1)(c)Server logs, rate limits, abuse signalsKeep the service running and secure, prevent trial abuseLegitimate interests, Art. 6(1)(f)Product emails you can opt out ofTell you about relevant changesLegitimate interests, Art. 6(1)(f), or consent where requiredSupport emailsAnswer youLegitimate interests, Art. 6(1)(f)

We do not sell personal data, we do not share it for behavioural advertising, and we do not carry out automated decision-making that produces legal or similarly significant effects.

3. AI summarization: exactly what happens

On Macs that support Apple Intelligence: summarization runs on your device. The screenshot and its text never leave your Mac for this purpose.

On Macs that do not: Nota extracts the text from your capture on your Mac, and sends only that text, through our backend, to Anthropic's Claude API, which returns a title and subtasks. The image is never sent. The text is processed to produce the summary and is not retained by us beyond what is needed to complete the request, and it is not used to train AI models. This fallback works only while you are signed in with an active trial or subscription, and is rate-limited per user per day.

If you click "open in Claude" or "open in ChatGPT": that specific task's text is passed to the assistant you chose, in your browser, at the moment you click. Nothing is sent unless you click. What happens next is governed by that assistant's own privacy policy.

If you do not want any cloud processing, do not use the "open in" action, and use Nota on a Mac with Apple Intelligence enabled.

4. Who we share it with (processors and providers)

ProviderWhat they handleWhereSupabaseDatabase, authentication, screenshot storage[EU (Frankfurt)]StripeSubscription payments and card dataEU / USAnthropicAI summarization fallback, text onlyUSAppleOn-device intelligence; macOS; app distributionOn your deviceGoogleOptional sign-in onlyUS [Email provider] Transactional email (password resets, receipts)[ ]

We share personal data with these providers only so they can perform services for us, under contract, and not for their own purposes. We may also disclose data where we are legally required to, or to establish, exercise or defend legal claims. If the business is sold or merged, data may transfer with it; we will tell you first.

A current list is on our Subprocessors page.

5. International transfers

Some of our providers are in the United States. Where personal data leaves the EEA or the UK, we rely on appropriate safeguards, in particular the European Commission's Standard Contractual Clauses (and the UK Addendum), together with the provider's own certification where available. You can ask us for details at team@routa.io.

Note that for the AI fallback, only extracted text is transferred, never your screenshot image.

6. How long we keep it

  • Your content and account: until you delete it, or until you delete your account.

  • Backups: deleted content persists in encrypted backups for up to [30] days, then is overwritten.

  • Invoices and tax records: [5] years, as required by tax law. We cannot delete these on request.

  • Server logs: up to [90] days.

  • Support email: up to [24] months.

  • Text sent for AI summarization: processed and discarded; not retained as a record by us.

7. Security

Your data lives in our hosted backend. Screenshots are stored in a private bucket, never public. Access is enforced per user, row by row (row-level security), so a signed-in user can only ever read and write their own rows. Data is encrypted in transit (HTTPS/TLS) and at rest by our provider. Subscription entitlement is verified with a signed token, so it cannot be forged on a device. Access to production systems is limited and authenticated.

No system is perfectly secure. If a breach affects your personal data and is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and, where the risk is high, notify you.

8. Your rights

Depending on where you live, you have rights to:

  • access the personal data we hold about you;

  • correct it if it is wrong;

  • delete it (Settings → Profile → Delete account removes your account, tasks, notes and screenshots permanently);

  • export it in a portable format;

  • restrict or object to processing based on legitimate interests;

  • withdraw consent where processing is based on consent, without affecting past processing;

  • complain to a supervisory authority. In Poland this is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa). If you are elsewhere in the EEA or the UK, you may complain to your local authority.

Most of this you can do in the app. For anything else, email team@routa.io and we will respond within one month.

9. Cookies and the website

The Nota app uses no advertising or tracking technology.

The website uses only what is necessary to work and, if enabled, [privacy-friendly, cookieless analytics that does not track you across sites]. We do not use advertising cookies. [If you add any non-essential cookie or pixel, a consent banner becomes mandatory in the EU: see the note below.]

Our billing portal is provided by Stripe and sets cookies necessary for payment and fraud prevention.

10. Children

Nota is for adults. It is not directed at anyone under 18 and we do not knowingly collect data from children. If you believe a child has given us data, email team@routa.io and we will delete it.

11. Changes

We may update this policy. We will change the date above and, for material changes, notify you in the app or by email before they take effect.

12. Contact

hello@usenota.co

NOTE

  • The legal-basis table is the part most indie policies skip and the part a regulator looks for first. Keep it.

  • If Supabase is not in an EU region, change the table and expect a slightly heavier transfer story. Moving to Frankfurt before you have users is a five-minute decision that saves a page of drafting.

  • The moment you add Google Analytics, a Meta pixel, or any marketing pixel to the site, you need a consent banner with reject-as-easy-as-accept, and this section has to be rewritten. Plausible/Fathom style analytics avoids that. Given you have run Meta CAPI work before, this is worth a deliberate decision, not a default.

  • You are almost certainly not required to appoint a DPO or an EU representative (you are established in the EU). Do not claim to have one.