1. Who we are
AshNote (“AshNote,” “we,” “us,” or “our”) is a service for sharing encrypted notes, files, and other sensitive information using temporary or controlled access workflows. This Privacy Policy explains what information we collect, how we use it, when we disclose it, how long we retain it, and the choices available to you.
2. Scope of this policy
This Privacy Policy applies to AshNote’s websites, applications, APIs, browser extensions, and related services (collectively, the “Service”).
This Privacy Policy does not apply to third-party websites, applications, or services that may link to or from AshNote.
3. How AshNote works
AshNote is designed so that, in the standard secret-sharing flow, secret content is encrypted in the client before transmission and stored by the Service as encrypted payloads rather than readable plaintext.
Depending on the feature being used, AshNote may process:
- encrypted content payloads,
- operational metadata needed to provide the Service,
- account and authentication data,
- service logs and abuse-prevention data.
In the standard encrypted sharing flow, we do not ordinarily have access to the plaintext content of secrets created through that flow. However, no system can eliminate all risks, and content may still be exposed through compromised devices, insecure passwords, browser compromise, user error, recipient behavior, or other endpoint-level failures.
4. Information we collect
4.1 Account and authentication information
If you register for an account or use an authenticated feature, we may collect and store:
- your email address,
- authentication and session identifiers,
- login and account status information,
- public cryptographic keys associated with your account,
- encrypted private key material where the product architecture requires client-side key recovery or synchronization.
We use this information to authenticate users, operate account features, and provide account-related communications.
4.2 Secret and file content
AshNote may store encrypted payloads containing:
- note text,
- file contents,
- titles or labels,
- other content fields that are encrypted client-side before upload.
In the standard encrypted sharing flow, these payloads are stored in encrypted form rather than as readable plaintext.
4.3 Operational metadata
We collect and store operational metadata necessary to run the Service, which may include:
- creation timestamps,
- expiration timestamps,
- access mode,
- redemption status,
- token hashes,
- pool, workspace, membership, or grant relationships,
- file sizes or content-type hints,
- administrative or configuration settings,
- retention and grace-period settings.
Operational metadata is distinct from encrypted content.
4.4 Pool and workspace information
If you use workspace, team, organization, or pool features, we may collect and store:
- workspace or organization identifiers,
- pool names, settings, and retention rules,
- membership and role information,
- invitation status,
- access control and policy settings,
- access event records where such features are enabled.
4.5 Service logs and security data
Our systems may generate standard technical logs and security records, including:
- IP addresses,
- request timestamps,
- user agent strings,
- device or browser characteristics,
- HTTP status codes,
- abuse-detection or rate-limit events,
- authentication and session events.
We use this information for service operation, troubleshooting, abuse prevention, and security monitoring.
4.6 Cookies, local storage, and similar technologies
We may use:
- session cookies,
- local storage,
- secure browser storage,
- similar technologies required to provide authentication, session continuity, feature preferences, or application functionality.
We do not use third-party advertising cookies or cross-site advertising pixels.
4.7 Payments and billing
If you purchase a paid plan, billing and payment processing may be handled by a third-party payment processor. We may receive limited billing-related information such as:
- customer identifiers,
- subscription status,
- billing contact details,
- transaction status,
- invoice and plan data.
We do not store full payment card information unless explicitly stated otherwise.
5. How we use information
We use information we collect to:
- provide, operate, and maintain the Service,
- create, store, transmit, redeem, expire, and delete encrypted content,
- authenticate users and manage sessions,
- administer pools, workspaces, and sharing permissions,
- enforce burn-after-reading, windowed access, retention, grace-period, and deletion policies,
- detect and prevent abuse, fraud, malware distribution, unauthorized access, and other misuse,
- troubleshoot errors and improve reliability and security,
- communicate with users about accounts, billing, policy changes, or important service notices,
- comply with legal obligations and protect our rights, users, and the public.
We do not sell personal information or share personal information with third parties for cross-context behavioral advertising.
6. When we disclose information
We may disclose information in the following circumstances:
6.1 Service providers
We may disclose information to vendors and service providers that help us operate the Service, such as:
- hosting and infrastructure providers,
- cloud storage or delivery providers,
- email delivery providers,
- payment processors,
- security, logging, or operations vendors,
- customer support providers.
These providers may process information on our behalf subject to contractual and legal restrictions.
6.2 Legal process and lawful requests
We may disclose information if we determine that disclosure is required by applicable law, regulation, subpoena, court order, warrant, or other valid legal process.
Depending on the request and the feature used, this may include:
- account information,
- billing information,
- operational metadata,
- logs,
- encrypted payloads,
- workspace and membership records.
Where legally permitted, we may review requests for validity, seek to narrow overly broad requests, or notify affected users before disclosure. We cannot guarantee advance notice in all circumstances.
6.3 Protection of rights and safety
We may disclose information where reasonably necessary to:
- detect, investigate, or prevent abuse or fraud,
- enforce our Terms or policies,
- protect the security of the Service,
- respond to threats to users, customers, or the public,
- protect AshNote’s rights, property, or safety.
6.4 Business transfers
If AshNote is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, information may be disclosed or transferred as part of that transaction, subject to applicable law.
7. Data retention
AshNote is designed around bounded retention where possible.
We retain different categories of information for different periods depending on the feature used and the purpose of processing.
7.1 Burn-mode encrypted payloads
Burn-mode encrypted payloads are deleted after successful redemption, subject to limited backup, recovery, or cleanup delays.
7.2 Window-mode encrypted payloads
Window-mode encrypted payloads are deleted when the configured access window or expiration period ends, subject to limited backup, recovery, or cleanup delays.
7.3 Unredeemed secrets
Secrets that are never redeemed are deleted when their expiration time is reached, subject to limited backup, recovery, or cleanup delays.
7.4 Pool and workspace content
Pool or workspace content is deleted when the applicable retention period ends, when the content is deleted by an authorized user, when the pool or workspace is deleted, or when any configured grace period has elapsed, subject to limited backup, recovery, or cleanup delays.
7.5 Account data
Account data is generally retained for as long as the account remains active and thereafter for a limited period as necessary for legal compliance, dispute resolution, fraud prevention, backup retention, or enforcement of our agreements.
7.6 Logs and security records
Logs and security-related records are retained for a limited period consistent with operational, abuse-prevention, legal, and security needs. Unless a longer retention period is required, such data is typically retained for no longer than 90 days.
7.7 Backup and residual copies
Deleted data may persist for a limited period in encrypted backups, log systems, caches, or disaster recovery systems before being overwritten or removed in the ordinary course.
8. Security
We use administrative, technical, and organizational safeguards designed to protect the information in our custody.
These measures may include:
- client-side encryption in supported flows,
- encryption in transit,
- encrypted storage of content payloads,
- rate limiting and abuse detection,
- authentication controls,
- role-based access control,
- operational monitoring,
- deletion and retention controls.
No security measure is perfect, and no system can guarantee absolute security. Users remain responsible for endpoint security, password strength, recipient selection, and safe handling of sensitive material.
9. Important limitations
AshNote is designed to reduce server-side exposure of secret content, but the Service cannot protect against every risk.
Secret content may still be exposed through:
- compromised devices,
- malicious browser extensions,
- insecure or reused passwords,
- phishing,
- malware,
- screenshots or copying by recipients,
- user error,
- browser or operating-system compromise,
- configuration choices made by administrators or users.
Where the Service offers different modes or features, the exact privacy and retention characteristics may vary by feature.
10. Your rights and choices
Depending on your location, you may have rights regarding your personal information, including the right to:
- request access to personal information we hold about you,
- request correction of inaccurate information,
- request deletion of personal information,
- request portability of certain information,
- object to or request restriction of certain processing,
- withdraw consent where processing is based on consent.
You may also be able to delete your account or modify certain information directly through the Service.
To exercise your rights, contact us using the contact information below. We may need to verify your identity before responding.
Because AshNote is designed to store encrypted payloads rather than readable plaintext in standard encrypted flows, our ability to access or produce the plaintext content of your secrets may be limited or nonexistent.
11. International data transfers
Your information may be processed and stored in countries other than the country in which you live. Where required, we take steps intended to ensure that such transfers comply with applicable data protection laws.
12. Children’s privacy
AshNote is not directed to children under 16 or under the applicable minimum age in the relevant jurisdiction. We do not knowingly collect personal information from children in violation of applicable law. If we learn that we have done so, we will take reasonable steps to delete the information.
13. Abuse, acceptable use, and enforcement
AshNote is intended for lawful use.
You must not use the Service to transmit, store, or distribute:
- illegal content,
- malware,
- unauthorized personal data,
- content that infringes the rights of others,
- material that violates our Terms.
We may use logs, account information, operational metadata, abuse reports, and other service records to investigate suspected abuse, fraud, malware distribution, or other policy violations. We may suspend, restrict, or terminate access where appropriate and may cooperate with lawful investigations as required.
14. Do Not Track
AshNote does not currently respond differently to browser “Do Not Track” signals unless and until such signals are standardized and broadly supported in a way we can operationally implement.
15. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice as required by applicable law, which may include email notice, in-product notice, or publication of an updated policy on the Service.
Your continued use of the Service after the effective date of an updated Privacy Policy is subject to the revised policy.
16. Contact
If you have questions about this Privacy Policy or want to exercise your privacy rights, contact: