Privacy Policy

The Digital Gallery.

Transparency over legalese.

This Privacy Policy explains how note.md (“note.md”, “we”, “us”, or “our”) collects, uses, stores, and protects information when you use our website, web app, and related services. note.md is a local-first note-taking and research app. Our core privacy principle is simple: your notes, PDFs, citations, journals, and research files should remain under your control.

This Privacy Policy applies to:

  • the public website available at www.arsoftware.tech;
  • the note.md application;
  • related pages, features, and communications that link to this Privacy Policy.

This Privacy Policy does not apply to third-party websites, services, extensions, platforms, or integrations that we do not control.

1. Controller

The controller responsible for the processing of personal data under this Privacy Policy is:

ARSoftware UG (haftungsbeschränkt)
Johannisweg 3
84030 Ergolding, Germany
Email: contact@arsoftware.tech

If we are required to appoint a data protection officer or EU representative in the future, their contact details will be added here.

2. Summary

In plain language:

  • note.md is designed to work locally on your device.
  • We do not read, inspect, sell, or upload the contents of your notes, PDFs, journals, citations, or research files.
  • We use limited technical service providers to operate our website and improve the product.
  • The public website uses privacy-friendly Vercel Web Analytics (no cookies, no cross-site tracking).
  • The note.md app can optionally send anonymous usage analytics via Firebase Analytics (Google Analytics 4). This is off by default; you choose whether to enable it during onboarding or at any time in Settings → Privacy.
  • Any non-essential analytics is gated behind an explicit opt-in.
  • We do not sell your personal data for money.
  • We do not use your note content for advertising, profiling, AI training, or resale.
  • You can contact us to exercise your privacy rights.

3. Information We Process

3.1 Information You Provide Directly

We may process information you voluntarily provide to us, such as:

  • your name;
  • your email address;
  • messages you send to us;
  • support requests;
  • feedback, bug reports, or feature requests;
  • business or partnership inquiries.

We use this information only to respond to you, provide support, improve note.md, maintain records, and comply with legal obligations.

3.2 Local App Content

The note.md app is designed to be local-first. This means that your core app content is intended to remain on your device unless you choose otherwise.

Local app content may include:

  • notes;
  • journals;
  • PDFs;
  • highlights;
  • annotations;
  • citations;
  • references;
  • imported files;
  • research material;
  • local settings;
  • local app data.

We do not intentionally collect, upload, inspect, sell, or analyze this local app content. You are responsible for any data you choose to export, share, upload, sync, publish, or transfer outside your device.

3.3 Technical and Usage Information

When you visit our website or use online parts of note.md, we or our service providers may process limited technical information, such as:

  • IP address or truncated/anonymized IP-derived information;
  • browser type and version;
  • device type;
  • operating system;
  • referring page;
  • pages visited;
  • approximate location, such as country or region;
  • timestamps;
  • interaction events;
  • error logs;
  • diagnostic information;
  • cookie or consent status;
  • similar technical information needed to operate, secure, and improve the website.

We do not use this information to inspect your local notes, PDFs, citations, journals, or research files.

4. How We Use Information

We process information for the following purposes:

  • to provide and operate the website and app;
  • to maintain, debug, and improve note.md;
  • to respond to support requests and messages;
  • to understand how visitors use our public website;
  • to measure the effectiveness and usability of website pages;
  • to protect the website, app, users, and infrastructure from abuse or security risks;
  • to comply with legal obligations;
  • to establish, exercise, or defend legal claims.

We do not use your local note content for advertising, profiling, resale, or training AI systems.

5. Legal Basis for Processing

Where the General Data Protection Regulation (“GDPR”) or similar laws apply, we rely on the following legal bases:

5.1 Contractual Necessity

We process data where necessary to provide requested services, features, support, or communications.

5.2 Legitimate Interests

We may process limited technical, operational, and security information based on our legitimate interests, including:

  • operating and securing the website;
  • preventing abuse;
  • improving usability;
  • responding to user requests;
  • maintaining basic business records.

We only rely on legitimate interests where we believe our interests are not overridden by your rights and freedoms.

5.3 Consent

We rely on consent where required by law. In the note.md application, anonymous usage analytics (Firebase Analytics / Google Analytics 4) are off by defaultand only activated after you opt in — either via the dedicated prompt shown at the end of onboarding, or at any time from Settings → Privacy. You can withdraw your consent at any time from the same Settings panel. Withdrawal takes effect immediately and does not affect the lawfulness of processing carried out before withdrawal.

5.4 Legal Obligation

We may process information where required to comply with applicable legal obligations.

6. Website Analytics

We use analytics tools to understand how visitors use our public website, improve the product, and measure whether our pages are useful. Analytics tools may process information such as:

  • page views;
  • referrers;
  • approximate location;
  • browser and device information;
  • interaction events;
  • session information;
  • technical identifiers;
  • cookie or consent status;
  • similar website usage data.

Analytics are used for aggregate product and website improvement. They are not used to read or analyze the contents of your local notes, PDFs, journals, citations, or research files.

6.1 Vercel Web Analytics

We may use Vercel Web Analytics to understand basic website usage and performance. Vercel may process limited technical and usage information on our behalf as a service provider.

6.2 App Analytics — Firebase Analytics (Google Analytics 4)

The note.md macOS application can optionally use Firebase Analytics, which uses Google Analytics 4 (“GA4”) as its backend, to help us understand how features are used and improve the product. The service is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Off by default.Firebase Analytics is disabled when you first install note.md and does not collect any data until you enable it — either in the dedicated prompt shown at the end of onboarding, or at any time in the app’s Settings → Privacy panel. You can disable it again from the same place; the change takes effect immediately, and any locally cached Firebase identifiers are reset.

What is collected when enabled:

  • Default Firebase / GA4 events such as app_open, session_start, screen_view, and first_open.
  • A small number of custom feature events — for example, that an article was created, a Matrix extraction was run, or an import succeeded or failed. We send counts and outcomes only, never the names, contents or contexts of your notes or sources.
  • Aggregate technical information: app version, macOS version, device model, country-level region, and an app instance ID.

What is not collected:the contents of your notes, PDFs, citations, journals, research files, highlights or annotations; your name; your email address; your search queries; selected text or quotes; your IP address (anonymised by Google before storage); identifiers that would let us or Google build a behavioural profile across your devices (“Google Signals” is disabled in our configuration).

International data transfer. Data is transferred to Google LLC in the United States. The transfer relies on the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), under which Google LLC is certified. Where the framework does not apply, we additionally rely on Standard Contractual Clauses as approved by the European Commission.

Processor agreement. We have a data processing agreement under Article 28 GDPR with Google LLC, in place through our acceptance of the Google Analytics Data Processing Terms and the Firebase Data Processing and Security Terms.

Retention.Event-level data is retained on Google’s servers for no more than 2 months before automatic deletion; aggregate, non-identifying reports may be retained for longer.

Legal basis. Article 6(1)(a) GDPR (your consent, via the in-app opt-in described above).

Google explains how it uses information from sites and apps that use its services here: policies.google.com/technologies/partner-sites.

7. Cookies and Similar Technologies

Our website may use cookies, local storage, pixels, scripts, or similar technologies. These technologies may be used for:

  • essential website functionality;
  • security;
  • remembering consent choices;
  • analytics;
  • performance measurement;
  • debugging;
  • service improvement.

7.1 Essential Technologies

Some technologies are necessary for the website to function, remain secure, or remember your privacy choices. These may be used without prior consent where permitted by law.

7.2 Non-Essential Analytics Technologies

Analytics technologies that are not strictly necessary are only used where permitted by law and, where required, after you give consent. You can withdraw or change your consent at any time through the cookie or privacy settings made available on the website. You may also be able to control cookies through your browser settings. Blocking cookies may affect the functionality of some websites.

9. Sale or Sharing of Personal Information

We do not sell your personal data for money. We also do not use your local note content, PDFs, citations, journals, research files, or document contents for targeted advertising, resale, or cross-context behavioral advertising.

We use limited service providers to operate, secure, and improve the website and product. These providers may process technical or usage data on our behalf.

If we ever introduce advertising, remarketing, cross-context behavioral advertising, or any activity that legally qualifies as a “sale” or “sharing” of personal information under applicable law, we will update this Privacy Policy and provide any legally required notices, choices, opt-outs, or consent mechanisms before doing so.

10. Service Providers and Recipients

We may share limited information with service providers that help us operate, secure, analyze, or improve note.md. These may include providers for:

  • hosting;
  • website infrastructure;
  • analytics;
  • error monitoring;
  • email communication;
  • security;
  • customer support;
  • legal or compliance services.
ProviderPurposeData Category
VercelHosting, deployment, website infrastructure, web analyticsTechnical and usage data
Google LLC (Firebase Analytics / GA4)Optional in-app usage analytics; off by default. Opt-in via Settings → Privacy.Anonymised aggregate usage and technical data (app events, app + OS version, country-level region); no document contents
Email providerResponding to inquiries and support requestsContact and message data
Error monitoring provider (if any)Debugging and reliabilityTechnical diagnostic data

We require service providers to process data only for appropriate purposes and in accordance with applicable legal requirements. We may also disclose information if required by law, court order, government request, or to protect rights, safety, users, infrastructure, or legal interests.

11. International Data Transfers

Some service providers may process data in countries outside your country of residence, including outside the European Economic Area. Where required by law, we rely on appropriate safeguards for international transfers, such as:

  • EU-US Data Privacy Framework— primary basis for transfers to Google LLC (Firebase Analytics / GA4) and Vercel Inc., both of which are DPF-certified. See Commission Implementing Decision (EU) 2023/1795.
  • Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a fallback where the DPF does not apply.
  • data processing agreements under Article 28 GDPR;
  • transfer impact assessments where appropriate;
  • other legally recognised transfer mechanisms.

12. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods depend on the type of data:

Data CategoryTypical Retention
Local app contentStored locally on your device unless you delete, export, sync, or transfer it
Support emails and inquiriesRetained as long as necessary to respond, maintain records, and protect legal interests
Website analytics (Vercel)Retained according to Vercel’s default settings and only as long as reasonably necessary; no cookies are set
App analytics (Firebase / GA4), if opted inEvent-level data: no more than 2 months on Google’s servers; aggregate, non-identifying reports may be retained longer
Consent recordsThe in-app analytics opt-in flag is stored locally on your device until you change it
Security and technical logsRetained for a limited period necessary for security, debugging, and abuse prevention

We may retain limited records where necessary to comply with legal obligations, resolve disputes, prevent abuse, or enforce agreements.

13. Security

We use reasonable technical and organizational measures designed to protect information against unauthorized access, loss, misuse, alteration, or disclosure. However, no website, app, device, or transmission method is completely secure. You are responsible for protecting your own devices, passwords, backups, exports, and files.

Because note.md is local-first, the security of your local content also depends on your device security, operating system, browser, storage, backup configuration, and any third-party tools you use.

14. Your Privacy Rights

Depending on where you live, you may have rights regarding your personal data. These rights may include:

  • the right to access your personal data;
  • the right to correct inaccurate personal data;
  • the right to delete personal data;
  • the right to restrict processing;
  • the right to object to processing;
  • the right to data portability;
  • the right to withdraw consent at any time where processing is based on consent;
  • the right to lodge a complaint with a supervisory authority.

To exercise your rights, contact us at contact@arsoftware.tech. We may need to verify your identity before fulfilling certain requests.

If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection authority. If you are located in Germany, you may contact the competent German state data protection authority.

15. California and Similar U.S. State Privacy Rights

If you are a resident of California or another U.S. state with applicable privacy laws, you may have additional rights, such as:

  • the right to know what personal information is collected;
  • the right to request deletion;
  • the right to correct inaccurate personal information;
  • the right to opt out of sale or sharing of personal information;
  • the right to limit certain uses of sensitive personal information;
  • the right not to be discriminated against for exercising privacy rights.

We do not sell personal data for money. We do not use your local note content, PDFs, citations, journals, research files, or document contents for cross-context behavioral advertising.

If we introduce activities that legally qualify as sale or sharing under applicable privacy laws, we will provide any legally required notice and opt-out mechanism. To exercise applicable rights, contact us at contact@arsoftware.tech.

16. Children’s Privacy

note.md is not directed to children under the age of 16.

We do not knowingly collect personal data from children under 16. If you believe that a child has provided personal data to us, contact us at contact@arsoftware.tech, and we will take appropriate steps to delete the information where required.

17. Third-Party Links and Services

Our website or app may contain links to third-party websites, tools, documentation, services, or integrations. We are not responsible for the privacy practices, security, content, or policies of third parties. You should review the privacy policies of third-party services before using them.

18. User Responsibility for Local Content

Because note.md is designed to be local-first, you are responsible for managing and protecting your local content. This includes:

  • securing your device;
  • managing browser or app storage;
  • maintaining backups;
  • deleting data you no longer need;
  • controlling exports;
  • deciding what to upload, share, sync, publish, or transfer;
  • ensuring that you have the right to process any third-party personal data you store in note.md.

If you use note.md to process personal data about other people, you are responsible for complying with any laws that apply to your use of that data.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our product, analytics setup, service providers, legal requirements, or business practices. The “Last Updated” date at the top of this page shows when this Privacy Policy was last changed.

If we make material changes, we will take reasonable steps to notify users, such as by updating this page, displaying a notice on our website, or requesting consent where required by law. Changes apply from the date they are posted unless a different effective date is stated.

Your continued use of the website or app after a Privacy Policy update means that the updated Privacy Policy applies to your use, subject to any additional consent requirements under applicable law.

20. Contact

For privacy questions, requests, or concerns, contact:

ARSoftware UG (haftungsbeschränkt)
Johannisweg 3
84030 Ergolding, Germany
Email: contact@arsoftware.tech

Respect by Design.

If you have questions about our approach to privacy, or if you find a way we can be even more transparent, our doors are always open.