NoteTag — Privacy Policy
Effective date: 21.03.2026
Version: 1.0
This Privacy Policy explains how Caspari e.U ("we", "us", "our"), an individual operating as a sole trader (Einzelunternehmer) under Austrian law, trading under the name NoteTag, collects, uses, stores, and protects your personal data when you use the NoteTag mobile application and related services (the "Service").
We act as the data controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Datenschutzgesetz (DSG).
If you have questions or wish to exercise your rights, contact us at: contact@notetag.app
1. Data Controller
Caspari e.U
Einzelunternehmer
Manuel Caspari
Millergasse 19/20
1060 Vienna
Austria
Email: contact@notetag.app
2. Data We Collect
2.1 Account Data
When you sign in with Google or Apple, we receive and store:
| Data field | Source | Purpose |
|---|---|---|
| Email address | Google / Apple sign-in | Account identification, service communications |
| Display name | Google / Apple sign-in | Shown in Space membership lists |
| Firebase UID | Firebase Authentication | Internal user identifier |
| Account creation timestamp | Generated by us | Account management |
2.2 Subscription Data
We store subscription state data received from our payment processor:
| Data field | Source | Purpose |
|---|---|---|
| Subscription tier and product ID | RevenueCat (from Apple/Google) | Enforcing tier limits |
| Subscription expiry date | RevenueCat | Subscription management |
| Purchase timestamp | RevenueCat | Subscription management |
| Upgrade history | Generated by us | Audit trail |
We do not receive, process, or store payment card numbers or billing addresses. All payment data is handled exclusively by Apple or Google.
2.3 Content Data
- Notes (rich text) and images you create or upload.
- Space membership information: your user ID, role (admin/editor/viewer), and join date within each Space.
2.4 Consent and Service Records
- Terms of Service and Privacy Policy acceptance: version number and timestamp.
- Analytics and crash reporting consent: current flag and timestamp of last change.
- Account deletion request: flag and timestamp.
2.5 Moderation Data
If a Note is reported by another user, we retain a snapshot of that Note's content for moderation and legal purposes. See Section 8 for retention periods.
2.6 What We Do Not Collect
- We do not collect location data.
- We do not collect device identifiers directly (Firebase and RevenueCat may collect them on our behalf — see Section 5).
- The app is designed to strip EXIF metadata from images on your device before upload. Absent a technical defect, no image metadata is stored on our servers.
- Notes in shared Spaces carry no author attribution. We do not link individual contributions to specific user accounts.
- We do not display advertising and do not collect data for advertising purposes.
3. Legal Basis for Processing (GDPR Article 6)
| Processing activity | Legal basis |
|---|---|
| Account creation and management | Art. 6(1)(b) — performance of contract |
| Hosting Notes and Spaces | Art. 6(1)(b) — performance of contract |
| Subscription management | Art. 6(1)(b) — performance of contract |
| Firebase Analytics (opt-in only) | Art. 6(1)(a) — consent |
| Firebase Crashlytics (opt-in only) | Art. 6(1)(a) — consent |
| Logging Terms/Privacy Policy acceptance | Art. 6(1)(c) — legal obligation |
| Moderation of reported content | Art. 6(1)(f) — legitimate interests (platform safety) |
| Sending transactional emails (report outcomes, service notices) | Art. 6(1)(b) — performance of contract |
| Retention of legally preserved reports | Art. 6(1)(f) + Art. 17(3)(e) — defence of legal claims |
| Compliance with law enforcement obligations | Art. 6(1)(c) — legal obligation |
4. How We Use Your Data
We use your personal data solely to:
- create and maintain your account;
- provide, operate, and improve the Service;
- enforce subscription tier limits;
- send you Service-related communications (e.g., policy update notifications, account notices, content report status updates);
- review reports of prohibited content and enforce our Terms of Service;
- comply with our legal obligations.
We do not sell your personal data. We do not use your data for targeted advertising or profiling.
5. Third-Party Data Processors
We share data with the following processors under written Data Processing Agreements (DPAs). Each processor is contractually bound to process data only on our instructions and in accordance with GDPR.
| Processor | Country | Purpose | Data shared |
|---|---|---|---|
| Google LLC (Firebase Auth) | USA | Authentication | Email, display name, Firebase UID |
| Google LLC (Firebase Analytics) | USA | App analytics (opt-in) | Anonymous usage events |
| Google LLC (Firebase Crashlytics) | USA | Crash reporting (opt-in) | Crash traces, device model, OS version |
| Google LLC (Cloud hosting) | Belgium (eu-west1) | Data storage and API hosting | All account and content data |
| RevenueCat, Inc. | USA | Subscription management | Firebase UID |
| Cloudflare, Inc. | USA / global CDN | API protection, image storage | Images (EXIF-stripped), transient IP addresses |
| Apple Inc. | USA | App distribution, payment | Per Apple's own privacy policy |
| Google LLC (Play Store) | USA | App distribution, payment | Per Google's own privacy policy |
5.1 Data Storage Location
Your account data and Notes are stored in Google Cloud Firestore, Belgium region (eu-west1). Images are stored in Cloudflare R2 within the European Union. Your data is never used for any purpose other than operating the Service.
6. International Data Transfers
Several of our processors are based in the United States. These transfers are lawful under GDPR through:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), which are incorporated into our DPAs with Google LLC, RevenueCat, Inc., and Cloudflare, Inc.; and
- Google's participation in the EU-U.S. Data Privacy Framework for applicable services.
You may request a copy of the applicable SCCs by contacting us at contact@notetag.app.
7. Analytics and Crash Reporting
Firebase Analytics and Firebase Crashlytics are disabled by default.
During onboarding and at any time in the app Settings, you are given the option to enable:
- Analytics: If enabled, we transmit anonymous usage events to Firebase Analytics (login method used; logout event). Your user ID is not transmitted to Firebase Analytics.
- Crash reporting: If enabled, crash data is held locally on your device. The next time you open the app after a crash, you are prompted to review and send the crash report or delete it. No crash data is transmitted without this explicit confirmation.
You may change your preferences at any time in Settings. Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal.
8. Data Retention
| Data category | Retention period |
|---|---|
| Account data (email, display name, UID) | Deleted within 90 days of account deletion request |
| Notes and images in private Spaces | Deleted within 90 days of account deletion request |
| Notes in shared Spaces | Retained (not individually attributable; cannot be isolated for deletion) |
| Subscription history | Deleted within 90 days of account deletion request |
| Consent records | Deleted within 90 days of account deletion request |
| Moderation reports (standard) | Retained for 90 days after resolution, then deleted |
| Legally preserved reports (PreservedForLegal flag) | Retained for up to 3 years from the date of account deletion or last action on the report, whichever is later |
| CSAM-related evidence | Retained for as long as required by law enforcement or active legal proceedings |
| Analytics and crash data (if opted in) | Subject to Google Firebase's own retention settings |
We use a soft-deletion system. When you delete your account, data is flagged for deletion immediately and physically purged within 90 days. Your account cannot be recovered during this window.
9. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate personal data |
| Erasure (Art. 17) | Request deletion of your personal data |
| Restriction (Art. 18) | Request that we limit processing in certain circumstances |
| Portability (Art. 20) | Receive your personal data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interests |
| Withdraw consent (Art. 7(3)) | Withdraw analytics or crash reporting consent at any time in Settings |
To exercise any right, contact us at contact@notetag.app. We will respond within one month (extendable by a further two months for complex requests, with prior notice of the extension, in accordance with Art. 12(3) GDPR).
Limitations: The right to erasure does not apply to data retained for legal defence purposes (see Section 8). Notes contributed to shared Spaces are not individually attributable to you after account deletion, so their removal is not technically feasible — this is a privacy-by-design feature, not a limitation on your rights.
10. Account Deletion
You may delete your account at any time from the in-app Settings. Upon deletion:
- Your account is immediately deactivated.
- Your private Spaces and all Notes and images within them are scheduled for permanent deletion.
- Shared Spaces you own are transferred to another active member. If no other member exists, the Space is deleted.
- Physical deletion of your data occurs within 90 days of the deletion request.
- Data subject to a legal hold (e.g., active CSAM reports) is retained as described in Section 8.
Account deletion does not cancel your Apple App Store or Google Play subscription. You must cancel your subscription separately before or after deleting your account to avoid further charges.
11. Children's Privacy
11.1 Minimum Age
We require users to be at least 14 years of age to create an account, in accordance with Article 8 GDPR as implemented by the Austrian Datenschutzgesetz. This is confirmed by a self-declaration during onboarding.
11.2 Parental Consent for Children Under 14
For children under 14, use of the Service requires parental or guardian consent under Article 8 GDPR. During onboarding, every user must affirmatively confirm that they are at least 14 years of age before an account can be created. A parent or legal guardian who wishes a child under 14 to use the Service must create and manage the account themselves, or actively supervise the child's account creation and use. By doing so, the parent or guardian provides consent under Article 8 GDPR and accepts responsibility for the child's use of the Service.
We consider this age-gate, combined with the requirement for parental involvement, to constitute reasonable efforts to verify that consent has been given or authorised by the holder of parental responsibility, taking into account available technology and the nature of the Service (Recital 38 GDPR).
11.3 Family Use
NoteTag is designed to support family use cases, including shared Spaces accessible to family members of all ages. Children may access Spaces shared by a parent or guardian on a parent-managed device or with a parent's knowledge. Parents and guardians are responsible for ensuring that content in such Spaces is appropriate for their children.
11.4 Discovery and Deletion of Under-Age Accounts
If we discover that a child under 14 has created an account without parental consent, we will delete that account and all associated data promptly.
12. Security
We implement appropriate technical and organisational measures to protect your personal data:
- All data is transmitted over HTTPS/TLS.
- The API is protected by Cloudflare.
- Firebase Authentication handles identity management.
- Signed URLs for image access expire after 5 minutes.
- Access to production infrastructure is restricted to authorised personnel only.
No method of electronic storage or transmission is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security against all threats.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Austrian Data Protection Authority (Datenschutzbehörde) within 72 hours of becoming aware of the breach, and will inform affected users without undue delay where required by law.
13. The NoteTag Website (notetag.app)
The NoteTag website at notetag.app is a static marketing and information site. It:
- sets no cookies;
- uses no analytics or tracking scripts;
- contains no contact forms or newsletter sign-ups;
- collects no personal data directly.
Visitors' IP addresses are processed transiently by Cloudflare as part of its CDN and DDoS-protection service. We do not retain IP address logs. Cloudflare's privacy practices are described at cloudflare.com/privacypolicy.
14. Additional Information for Users Outside the EU/EEA
We apply the GDPR as our baseline data protection standard for all users worldwide. The following supplementary disclosures address the requirements of specific jurisdictions.
14.1 United Kingdom
If you are located in the United Kingdom, references to the GDPR in this Privacy Policy include the UK General Data Protection Regulation (UK GDPR) as retained under the Data Protection Act 2018. Your supervisory authority is the Information Commissioner's Office (ICO), ico.org.uk.
14.2 United States (California)
If you are a California resident, the California Consumer Privacy Act (CCPA/CPRA) provides you with additional rights regarding your personal information:
- Right to know: You may request the categories and specific pieces of personal information we have collected. See Section 2 for a full description.
- Right to delete: You may request deletion of your personal information. See Section 10.
- Right to opt out of sale or sharing: We do not sell your personal information and do not share it for cross-context behavioural advertising. No opt-out is necessary.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at contact@notetag.app.
14.3 Brazil
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with rights substantially similar to those listed in Section 9. You may exercise those rights by contacting us at contact@notetag.app. The competent authority is the Autoridade Nacional de Proteção de Dados (ANPD).
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the Service, our data practices, or applicable law. When we make a material change, we will notify you via an in-app screen and require you to acknowledge the updated policy before continuing to use the Service. The "Effective date" at the top of this document reflects the date of the most recent revision.
If you do not accept an updated Privacy Policy, you may delete your account at any time through the in-app Settings.
16. Contact and Supervisory Authority
Data Subject Requests and Privacy Enquiries
Caspari e.U
Manuel Caspari
Millergasse 19/20
1060 Vienna
Austria
Email: contact@notetag.app
We will respond to all requests within one month.
Austrian Supervisory Authority
You have the right to lodge a complaint with the Austrian Data Protection Authority if you believe we have processed your personal data in violation of applicable data protection law:
Datenschutzbehörde (DSB)
Barichgasse 40-42
1030 Wien
Austria
E-Mail: dsb@dsb.gv.at
Website: dsb.gv.at
We would appreciate the opportunity to address your concerns directly before you contact the supervisory authority.