Privacy Policy

Last updated: February 22, 2026

1. Who We Are

Encrypted Notes is operated by Cloud Surfers GmbH, registered at [ADRESSE] ("we", "us", "our"). We are the data controller for the purposes of applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

2. Our Zero-Knowledge Architecture

Encrypted Notes is designed with a zero-knowledge architecture. This means:

• All note content, todos, and file attachments are encrypted in your browser using AES-GCM 256-bit encryption before being transmitted to our servers
• Your password never leaves your browser — encryption keys are derived locally using PBKDF2 with 600,000 SHA-256 iterations
• We cannot read, access, or recover your encrypted content
• Even in the event of a server breach, your data remains encrypted and unreadable

3. Data We Collect

3.1 Account Data

When you create an account, we store your username and an authentication key derived from your password. We do not store your password.

3.2 Encrypted Content

Your notes, todos, and file attachments are stored on our servers in encrypted form only. We have no ability to decrypt this data.

3.3 Technical Data

When you access the Service, our web server may collect standard server logs including IP addresses, browser type, and access timestamps. These logs are used solely for security monitoring and are automatically deleted after 30 days.

4. How We Use Your Data

We use the collected data to:

• Provide and maintain the Service
• Authenticate your identity when you sign in
• Monitor and protect the security of our infrastructure
• Comply with legal obligations

5. Legal Basis for Processing (GDPR)

We process your personal data based on:

• Contract performance (Art. 6(1)(b) GDPR): To provide the Service and manage your account
• Legitimate interests (Art. 6(1)(f) GDPR): For security monitoring and fraud prevention
• Legal obligation (Art. 6(1)(c) GDPR): To comply with applicable laws and regulations

6. Data Sharing

We do not sell your personal data. We share data only with:

• Infrastructure providers: For hosting the Service (servers located in the EU)
• Law enforcement: Only when required by law; note that encrypted content cannot be decrypted by us

7. Cookies

Encrypted Notes uses only essential cookies required for authentication and session management. We do not use tracking cookies, analytics, or third-party advertising cookies.

8. Data Retention

Your encrypted data is retained for as long as your account is active. If you delete your account, all associated data (including encrypted content) will be permanently removed from our servers. Server logs are automatically deleted after 30 days.

9. Your Rights (GDPR)

Under the GDPR, you have the right to:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Data portability: Export your data (available via the JSON export feature)
• Restriction: Request restriction of processing
• Objection: Object to processing based on legitimate interests
• Lodge a complaint: File a complaint with your local data protection authority

To exercise these rights, contact us at [E-MAIL].

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including end-to-end encryption, strict Content Security Policy (CSP), and regular security monitoring. However, no method of electronic transmission or storage is 100% secure.

11. International Data Transfers

Our servers are located in the European Union. If data is transferred outside the EU, we ensure appropriate safeguards are in place in accordance with GDPR requirements.

12. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of the Service after changes constitutes acceptance of the revised policy.

14. Contact

For privacy-related inquiries, please contact us at:
Cloud Surfers GmbH
[ADRESSE]
Email: [E-MAIL]