Privacy Policy
Jonathan Sims (“we,” “us,” or “our”) operates Notanem, a local-first writing application available as a desktop application and mobile application (collectively, the “App”). This Privacy Policy explains how we collect, use, and protect your information when you use the App.
Our Privacy Philosophy
Notanem is built on a local-first principle. Your creative work — manuscripts, notes, plot elements, annotations, and all other writing content — originates and is stored on your device. When you choose to use sync, sharing, or mobile capture features, portions of your content may be temporarily relayed through our servers for delivery, but are never permanently stored. We only collect the minimum information necessary to provide account authentication, subscription management, and optional sharing and sync features.
Information We Collect
Account Information (Authenticated Users)
When you create an account, we collect:
- Email address — used for login, password resets, and account identification
- Name — used for display within the App and when sharing work with others
- Authentication credentials — passwords are hashed and stored securely by our authentication provider; we never have access to your plain-text password
- Subscription and account tier — your current subscription status and tier (e.g., beta, founder, subscriber) are stored on our servers to manage feature access
If you sign in using Google or Apple, we receive basic profile information (email and name) as authorized by you through those services. We do not receive or store your Google or Apple passwords.
If you subscribe to a paid plan, payment is processed by Stripe. We store only a Stripe customer identifier on our servers — we never receive, see, or store your credit card number, bank details, or other payment credentials. Stripe’s handling of your payment data is governed by Stripe’s Privacy Policy.
Local-Only Mode
You may choose to use Notanem without creating an account (“Use locally without an account”). In this mode:
- No personal information is collected
- No data is sent to any server
- All features that require an account (sharing, contacts) are unavailable
- The App makes no network requests to our services
Data Stored on Your Device
All of your creative work originates on and is stored on your device. The following data never leaves your device under any circumstances:
- Plot elements (beats, threads, arcs)
- Collections and their organization
- Writing session activity (start time, word counts)
- User preferences and settings
- Navigation state
The following data is stored on your device by default and is only transmitted to our servers when you explicitly use sync, sharing, or mobile capture features:
- Manuscript sections — section prose content may be transmitted when you share sections with a reader or sync a section between your desktop and mobile devices
- Notes and ideas — notes captured on your mobile device are temporarily relayed through our servers when syncing to your desktop
- Annotations — annotations and quoted text may be transmitted when a reader returns feedback or when you sync annotated sections between devices
In all cases, this content is stored on our servers only temporarily for delivery and is automatically deleted on a defined schedule (see Data Retention below). We do not permanently store your creative content on our servers.
Data Transmitted to Our Servers (Authenticated Users Only)
When you are signed in and use sharing, sync, or mobile features, the following data may be transmitted:
- Share packages — when you explicitly choose to share sections of your manuscript with a reader, the selected section content and associated metadata are temporarily stored on our servers for delivery
- Feedback — when a reader returns feedback on shared work, including their annotations, quoted text, and comments, it is temporarily stored for delivery to you
- Section checkouts — when syncing a section between your desktop and mobile devices, the section content (and any annotations added on mobile) is temporarily relayed through our servers
- Stream entries — notes, ideas, and text captured on your mobile device are temporarily stored on our servers while being synced to your desktop, and deleted once you file them or after 30 days
- Contact information — if you add other users as contacts for sharing, we store the association between accounts along with display names
- Contact requests — invitations sent to other users, including any optional message you include
- Privacy settings — your sharing permission preferences (e.g., who can send you shares)
- Device tokens — if you enable push notifications, a platform-specific notification token, device identifier, and platform type are stored on our servers to deliver notifications to your devices
Automatic Updates
The desktop App checks for software updates via GitHub’s public API. This check:
- Occurs on startup and periodically while the App is running
- Does not transmit any personal information
- Only retrieves publicly available release metadata
How We Use Your Information
We use the information we collect to:
- Authenticate your account and maintain your session
- Deliver share packages and feedback between you and your readers
- Manage your contacts list and sharing permissions
- Relay section content and notes between your devices
- Deliver push notifications to your devices
- Manage your subscription status and feature access
- Send password reset emails when requested
- Check for and deliver App updates
What We Do Not Do
We do not:
- Sell your personal information to third parties
- Use your data for advertising or marketing purposes
- Analyze, read, or process your writing content or creative work
- Build user profiles for any purpose beyond the App’s core functionality
Analytics and Telemetry
As of the date of this policy, Notanem does not use any analytics, telemetry, crash reporting, or behavioral tracking tools. We do not collect usage statistics, measure feature engagement, or track how you navigate the App.
If we introduce any form of anonymized, aggregate diagnostic data collection in the future (such as crash reports or anonymous feature usage counts), we will update this Privacy Policy before doing so and notify you through the App. Any such collection would be limited to anonymous, non-identifiable technical data — we will never analyze your creative content, track your writing behavior, or build individual behavioral profiles.
Data Retention
Server-Stored Data
Creative content on our servers is transient — it exists only for delivery and is automatically deleted on a defined schedule:
| Data | Retention |
|---|---|
| Undelivered share packages | 30 days, then auto-deleted |
| Delivered share packages | 7 days after delivery, then auto-deleted |
| Undelivered feedback | 30 days, then auto-deleted |
| Delivered feedback | 7 days after delivery, then auto-deleted |
| Expired contact requests | 14 days to accept, then auto-expired; deleted after 90 days |
| Section checkouts | Deleted on receipt confirmation, or after 30 days |
| Stream entries (mobile notes) | Deleted once filed on desktop, or after 30 days |
| Device tokens | Retained while your account is active; deleted on logout or account deletion |
Your account profile (email, name, subscription status, and Stripe customer identifier) is retained until you delete your account.
Locally Stored Data
Data on your device is retained until you choose to delete it. You may export your data at any time using the App’s built-in export feature.
Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication, data relay for sharing and sync features | Email, name, share/feedback/checkout/stream content (transient), device tokens, subscription status |
| Stripe | Payment processing for subscriptions | Payment details are provided directly to Stripe; we receive only a customer identifier and subscription status |
| Google (OAuth) | Optional sign-in method | Authentication is handled by Supabase; we receive your email and name |
| Apple (OAuth) | Optional sign-in method | Authentication is handled by Supabase; we receive your email and name |
| Apple Push Notification service | Push notifications to macOS and iOS devices | Device token and notification payload (no creative content) |
| GitHub | App update distribution | No personal data; public API polling only |
As noted above, we do not currently use any analytics, crash reporting, advertising, or behavioral tracking services.
Data Security
We take reasonable measures to protect your information:
- Authentication tokens are encrypted using your operating system’s secure storage (OS keychain)
- Passwords are hashed by our authentication provider and never stored in plain text
- OAuth authentication uses the PKCE flow for enhanced security
- Server-side data access is controlled by row-level security policies
- Transient data is automatically deleted on a defined schedule
Your Rights
You have the right to:
- Access your data — your creative work is stored on your device and is always accessible to you
- Export your data — the App provides built-in export functionality
- Delete your account — contact us to request account deletion, which will remove your profile and all associated server-stored data
- Use the App without an account — local-only mode provides full writing functionality without any data collection
- Opt out of sharing features — you can use the App for writing without ever using sharing, contacts, or cross-device features
For EU/EEA Residents (GDPR)
If you are located in the European Union or European Economic Area, you have additional rights including the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data. To exercise these rights, contact us using the information below.
For California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect, request deletion of your personal information, and opt out of the sale of your personal information. We do not sell personal information.
Children’s Privacy
Notanem is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us so we can promptly delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the “Last Updated” date at the top of this policy and, where appropriate, through the App. Your continued use of the App after changes are posted constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights regarding your data, please contact:
Jonathan Sims
Email: write@notanem.com