Privacy Policy
Effective date: 10 May 2025
Noteeli ("we", "our", "us") is a Markdown workspace application. This policy explains what data we collect and how we use it.
1. Who we are
Noteeli is an open-source application developed and operated by Noteeli. The hosted product is split between noteeli.com (account, billing) and app.noteeli.com (the workspace). You can also self-host the application on your own infrastructure — in that case this policy applies only to the hosted Service.
Contact: contact@noteeli.com
2. What data we collect
2a. Account data
If you sign in with Google OAuth, we receive and store:
- Your Google account e-mail address (used as your account identifier)
- Your Google
subID (stable identifier used to recognise you across sessions) - Your display name (used for greetings and the admin user list)
We do not store your Google password.
2b. Subscription data
When you subscribe via Paddle we store:
- A reference to your Paddle customer ID
- Your subscription status (active / canceled / past_due / trialing) and renewal date
Payment instruments (card numbers, billing address, tax IDs) are stored by Paddle, not by us. See §6 for Paddle's role.
2c. Audit log
We maintain a minimal per-user audit log of security and billing events to help with customer support and abuse detection: logins (with IP and user-agent), subscription state changes, and billing-portal access. Entries are auto-pruned to a maximum of 200 events per user or 90 days, whichever is shorter.
2d. Google Drive integration (optional)
If you choose Google Drive as your storage backend, we request the OAuth scope https://www.googleapis.com/auth/drive to read and write your notes. We store an OAuth refresh token in our database scoped to your account. The token is used solely to read and write your own notes on your behalf and can be revoked at any time at Google Account Permissions.
2e. Server logs
Server access logs (IP address, request path, timestamp, response status) are retained for up to 30 days for security, debugging, and abuse prevention.
2f. Notes content
Your notes and files are stored in your storage backend — either an SFTP server you control, or your Google Drive. We do not copy, mirror, analyse, or share your note content. We process it transiently to render it in your browser when you open a file.
3. How we use your data
| Data | Purpose |
|---|---|
| E-mail / Google ID | Authenticate your session; identify your account |
| Display name | Show your name in the UI and admin views |
| Subscription status | Determine whether you can access the workspace |
| Audit log | Customer support, abuse detection, security |
| Server logs | Diagnose errors; detect abuse |
| GDrive token | Access your Drive files when you open them |
We do not sell, rent, or share your personal data with third parties, except as required by law or to the processors listed in §6.
4. Cookies and sessions
We use a single server-side session cookie named noteeli_session, scoped to .noteeli.com so the same session works across the portal and the app. It is a Secure, HttpOnly, SameSite=Lax cookie signed with a server-side secret. We do not set any third-party tracking cookies and do not use analytics or advertising cookies. The Paddle checkout overlay and customer portal may set their own cookies on their own domain (governed by Paddle's privacy policy).
5. Data retention
- Session data: deleted when you log out or after 30 days of inactivity.
- Server logs: deleted after 30 days.
- Audit log: capped at 200 events per user or 90 days per event, whichever is shorter.
- Account record: kept while the account exists. If you delete your account (by contacting us), we remove all associated data within 7 days. Paddle's records of past transactions are retained per Paddle's policy and applicable tax law (typically 7 years).
6. Sub-processors
We use a small number of trusted third parties to deliver the Service:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Paddle (paddle.com) | Merchant of Record — payments, invoices, VAT, refunds | E-mail, billing address you enter, payment instrument |
| Google (google.com) | Sign-in via OAuth + (optionally) Drive storage | E-mail, name, profile picture, Drive contents you open |
| Cloudflare | DDoS protection, DNS, edge proxy | IP address, request metadata |
| Hetzner | Server hosting (Germany / EU) | All server-side data |
Each of these processors operates under their own privacy policy. We do not share your data with anyone else.
7. Your rights (GDPR / CCPA)
You have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Export your account record (data portability)
- Withdraw consent for Google Drive access at any time via Google Account Permissions
- Object to processing or lodge a complaint with your local data protection authority
To exercise these rights, contact us at contact@noteeli.com. We respond within 30 days.
For Paddle-held data (billing records, invoices), contact Paddle's privacy team.
8. Children
Noteeli is not directed at children under 13. We do not knowingly collect data from children.
9. Changes to this policy
We will update this page if our practices change. The effective date at the top reflects the last revision. Material changes will be notified via the e-mail you signed up with. Continued use of the hosted Service after changes constitutes acceptance of the updated policy.
10. Contact
Questions? E-mail contact@noteeli.com.