1. Information We Collect

Account information: Name, email address, phone, company, and password when you register. Passwords are salted and hashed — we never store them in plain text.

Case data: Cases, notes, resolutions, clients, contacts, tasks, journal entries, and file attachments you create within the Service.

Usage data: Login timestamps, session duration, last active time, and IP addresses. This data is recorded in the audit trail for security purposes.

Security data: Two-factor authentication secrets (encrypted at rest), backup codes (hashed), failed login attempt counts, and account lockout status.

Payment information: Processed entirely by Stripe (PCI DSS Level 1 certified). We store only your Stripe customer and subscription IDs — never your card number, expiry, or CVV.

2. How We Use Your Information

We use your information to:

• Provide and maintain the Service, including case management, search, and AI features
• Process payments and manage your subscription
• Send transactional emails (verification, password reset, task reminders, team invitations)
• Enforce security controls (account lockout, session management, audit logging)
• Respond to support inquiries

We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. AI Features & Data Processing

Pro and Team plans include AI-powered search and task suggestions. When you use these features, your case titles, descriptions, and notes are sent to Google's Gemini API for processing. This data is used solely to generate search results and suggestions — it is not used to train AI models. AI processing occurs on-demand only when you initiate a search or request suggestions.

4. Data Security

We implement multiple layers of security to protect your data:

• Encryption in transit: All connections use TLS 1.3 with HSTS preload
• Encryption at rest: Sensitive fields (2FA secrets) are encrypted using AES field-level encryption
• Password security: PBKDF2-SHA256 hashing with unique salts; password history prevents reuse
• Access controls: Two-factor authentication, account lockout, session timeout, IP allowlisting
• Application security: CSRF protection, Content Security Policy, rate limiting, input validation
• Audit trail: All data mutations logged with timestamp, user, and IP address

For full details, see our Security Practices page.

5. Team Data

If you are part of a team workspace, cases, contacts, and tasks created within that workspace are visible to all active team members. Your personal account data (profile, password, 2FA settings) is never shared with team members. Team administrators can view the team member list, online status, and manage access. Offboarded members are archived and can no longer access team data.

6. Third-Party Services

We use the following third-party services:

• Stripe — Payment processing (PCI DSS Level 1)
• Google Gemini API — AI-powered search and task suggestions (Pro/Team only)
• Cloudflare — CDN, DDoS protection, and Turnstile bot verification
• Purelymail — Transactional email delivery (SMTP over TLS)
• Google Analytics — Anonymous usage analytics on public pages

7. Cookies

We use essential cookies to maintain your login session. Session cookies are secure, HTTP-only, and SameSite=Lax. We use localStorage to remember your theme preference (light/dark mode). We do not use advertising or tracking cookies. Google Analytics uses its own cookies on public pages, which you can block with browser settings or extensions.

8. Data Retention

Your data is retained for as long as your account is active. Audit log entries are retained indefinitely for security and compliance purposes. When you delete your account, all associated data (cases, notes, contacts, tasks, journal entries, attachments, and audit logs) is permanently removed.

9. Your Rights

You have the right to:

• Access your data at any time through the Service
• Export all your data as a ZIP archive from Account Settings
• Correct your personal information through your account profile
• Delete your account and all associated data from Account Settings

These rights are available to all users regardless of subscription tier or jurisdiction.

10. Children's Privacy

NoteUp is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the Service. The "Last updated" date at the top of this page reflects the most recent revision.