Privacy Policy
Version 2.2 • Last updated: April 4, 2026 • Luxembourg, EU
1. Data Controller
For the purposes of the General Data Protection Regulation (GDPR), the data controller is:
PrivateNote.ai is not intended for users under the age of 16. We do not knowingly collect personal data from children.
2. Optional AI (On-Device)
PrivateNote.ai may offer optional AI-assisted drafting or editing in your browser (for example via a local model runtime). Please read this carefully:
- Processing location: For these features, note content you send into the assistant is processed on your device. It is not sent to PrivateNote.ai servers for AI inference. End-to-end encryption of the stored note is unchanged; plaintext exists in your browser only for as long as you use the feature.
- Network activity: Your browser may still contact third-party hosts to download model assets or dependencies (for example a CDN or model registry). Those requests are governed by those operators' policies and your browser settings.
If you do not use AI features, you can create standard notes that stay client-side encrypted for storage and are not processed by the on-device assistant.
Legal basis split: Text processed by optional on-device AI features relies on your consent (Art. 6(1)(a) GDPR) when you actively use those features. Security metadata for anti-abuse and service protection relies on legitimate interests (Art. 6(1)(f) GDPR).
3. What Data We Collect & Why
Encrypted Notes (Stored Data)
Notes are stored in an encrypted format that we cannot read. Notes are deleted automatically upon expiration or consumption, depending on the settings you choose.
Technical Metadata (Traffic Data)
IP addresses, device and request metadata may be processed by our infrastructure providers (e.g., Cloudflare) for security, DDoS protection, abuse prevention, and rate limiting (Art. 6(1)(f) GDPR).
Security-related metadata is retained only for as long as necessary to ensure service security and abuse prevention, typically for a limited period of days to weeks, after which it is automatically deleted or anonymized.
First-Party Rate-Limit Cookie (pn_client_id)
Our API may set a small first-party, HttpOnly cookie named pn_client_id. It holds a random identifier used only to separate abuse-prevention and rate-limit buckets, especially on networks where many people share one public IP (for example schools or offices). When your IP is available to our infrastructure, we combine the IP and this cookie for counting; we do not use it for advertising, profiling, or analytics. The cookie is renewed with a lifetime of approximately 30 days; you can remove it at any time via your browser (you may get a new ID on the next visit). Legal basis: Art. 6(1)(f) GDPR (legitimate interests in running a secure, abuse-resistant service).
Support Communications (If You Contact Us)
If you email our support or legal contacts, we will process the information you provide solely to respond to your request (Art. 6(1)(b) and/or Art. 6(1)(f) GDPR).
Lawful Basis by Processing Purpose
- Optional on-device AI text processing: Art. 6(1)(a) GDPR (consent).
- Security, abuse prevention, rate limiting, and network protection metadata: Art. 6(1)(f) GDPR (legitimate interests).
- Support/legal correspondence initiated by you: Art. 6(1)(b) and/or Art. 6(1)(f) GDPR.
Retention Windows (Data Minimization)
- Encrypted note payload: retained until expiry/one-time read settings trigger deletion.
- Security metadata (IP/request-level anti-abuse logs): retained up to 30 days, then deleted or anonymized.
- Rate-limit cookie (pn_client_id): approximately 30 days from last renewal.
- Support/legal emails: retained for up to 24 months after resolution unless a longer legal retention period is required.
4. International Data Transfers
As a Luxembourg-based service, we prioritize EU-based processing. However, depending on your location and infrastructure routing, certain technical data may be processed outside the EU:
- Cloudflare: used for global content delivery and security. Data may be processed in Cloudflare's global network.
- On-device AI: if you use optional in-browser AI, model files may be loaded from globally distributed CDNs or hosts outside the EU, depending on how your browser fetches them.
Where required for transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or other appropriate safeguards to ensure a high level of data protection.
Processors and Roles
We use infrastructure processors to operate and secure the service. Their role depends on the processing context.
- Cloudflare: processor for hosting, CDN delivery, and edge security; may process technical request metadata.
- Model/CDN providers used by your browser: independent providers contacted only when optional on-device AI assets are fetched.
We maintain data processing agreements with processors where required and apply SCC-based safeguards when cross-border transfers are involved.
5. Your GDPR Rights
Under the GDPR, you have rights including access, rectification, erasure, restriction, portability, and the right to object.
We respond to verified GDPR requests within one month (Art. 12(3) GDPR). For complex requests, this may be extended by up to two additional months with notice. To prevent unauthorized disclosure, we may ask for verification details (for example, the relevant note URL and contextual metadata you provided to us).
To exercise these rights, contact [email protected]. Because we do not use user accounts, we may require the specific note URL (or other information you provide) to identify any data related to your request.
You have the right to lodge a complaint with the Luxembourgish data protection authority (CNPD, Commission Nationale pour la Protection des Données).
6. Security Limitations
We use modern cryptography (e.g., AES-GCM) and security controls (e.g., strict Content Security Policy headers) to protect the service. However, no system is 100% secure. Optional on-device AI runs in your browser and may pull assets from third-party networks; users requiring maximum confidentiality can rely on standard client-side encrypted note creation without using AI features.
[email protected]