Privacy Policy
Last updated: April 8, 2026
Overview
Sidenote is operated by PF Creative Ltd. This policy explains what data we collect, how we use it, and your rights. We collect the minimum data necessary to provide the Service and do not sell or share your information with third parties for advertising purposes.
What We Collect
Account holders (uploaders): When you sign in with Google, we receive and store your email address, display name, and profile photo. We use this to identify you within the Service.
Reviewers: When you access a shared document, we store the display name you provide for attribution on comments. We do not require an account or collect additional personal data from reviewers.
Document content: We store the HTML documents you upload, version history, annotations, and associated metadata. This content is stored solely to provide the Service.
Usage data: We collect anonymised product analytics (page views, feature usage, session events) to understand how the Service is used and improve it. We also collect basic server logs (IP addresses, request timestamps, user agents) for security and debugging purposes. We do not use advertising pixels or fingerprinting.
How We Use Your Data
Your data is used to provide and improve the Service: authenticating your account, storing and serving your documents, delivering annotations, and processing billing. We do not use your content to train machine learning models, to serve advertisements, or for any purpose unrelated to delivering the Service.
Third-Party Services
Supabase — database and authentication infrastructure. Your account data, documents, and annotations are stored in Supabase. Their privacy policy applies to data they process on our behalf.
Paddle — payment processing and merchant of record. When you subscribe to a paid plan, Paddle processes your payment and handles tax compliance. We do not store your payment card details. Paddle's privacy policy governs payment data.
PostHog — product analytics. We use PostHog to collect anonymised usage data (page views, feature interactions, session events). PostHog is configured in cookieless mode — no tracking cookies are set and IP addresses are anonymised. Data is processed in the EU. Our legal basis for this processing is legitimate interest in improving the Service.
Vercel — hosting infrastructure. The Service is deployed on Vercel's platform. Vercel processes server logs in accordance with their privacy policy.
Cookies
We use only essential cookies required for authentication (session tokens). Our analytics provider (PostHog) is configured in cookieless mode and does not set any tracking cookies. We do not use third-party cookies, advertising cookies, or analytics cookies. No cookie consent banner is required.
Data Retention
Your documents and account data are retained as long as your account is active. If you delete your account, all associated data (documents, versions, annotations, and account information) will be permanently deleted within 30 days. Server logs are retained for up to 90 days.
Your Rights
You have the right to access, correct, or delete your personal data at any time. You can export your documents and annotations via the Service's export features. To request account deletion or a copy of your data, contact us at the address below. If you are located in the UK or EU, you have additional rights under GDPR including the right to data portability and the right to lodge a complaint with a supervisory authority.
Data Security
We use industry-standard measures to protect your data, including encryption in transit (TLS) and at rest. Access to production systems is restricted to authorised personnel. While we take reasonable steps to protect your data, no system is completely secure.
Children
The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes
We may update this policy from time to time. Material changes will be communicated via the email address associated with your account. The “last updated” date at the top reflects when the policy was most recently revised.
Contact
For privacy-related questions or data requests, email hello@sidenote.ink.