PRIVACY POLICY
Noteastic OG
Effective Date: 21 April 2026
1. Definitions and Interpretation
1.1 In this Privacy Policy, capitalised terms have the meanings set out below:
(a) “Account” means the user account required to access the Application.
(b) “Application” or “Noteastic Application” means the Noteastic software application for Microsoft Windows, distributed through the Microsoft Store.
(c) “Controller” means the natural or legal person which, alone or jointly, determines the purposes and means of the Processing of Personal Data, as defined in Article 4(7) GDPR.
(d) “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
(e) “EEA” means the European Economic Area.
(f) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
(g) “Microsoft Store” means the digital distribution platform operated by Microsoft Corporation.
(h) “Noteastic”, “we”, “us”, or “our” means Noteastic OG, the legal entity identified in Section 2.
(i) “Personal Data” has the meaning given in Article 4(1) GDPR.
(j) “Policy” or “Privacy Policy” means this document.
(k) “Processing” (and cognate expressions) has the meaning given in Article 4(2) GDPR.
(l) “Services” means the Application, the Website, and any related services we provide.
(m) “Sub-Processor” means any Processor engaged by us to Process Personal Data on our behalf.
(n) “Telemetry” means data concerning the performance, stability, and use of the Application, as further described in Section 5.
(o) “User” or “you” means an individual who uses the Services.
(p) “Website” means the website located at noteastic.app and its subdomains.
1.2 Headings are for convenience only and do not affect interpretation. References to legislation include any amendments to or re-enactments of that legislation. The singular includes the plural and vice versa. Where a provision is qualified by “including” or “in particular”, the qualification shall be construed as non-exhaustive.
2. Controller Identity and Contact
2.1 The Controller in respect of the Personal Data described in this Policy is:
Noteastic OG
Anton-Baumgartner-Straße 44
1230 Wien
Republic of Austria
Austrian VAT Number (UID): ATU81638239
Austrian Commercial Register Number (Firmenbuch): FN 644438 d
Partners: Dilan Boskan, Lukas Koinig
2.2 For all matters relating to this Privacy Policy, to the exercise of your rights as a Data Subject, or to data protection matters generally, you may contact us at privacy@noteastic.app.
2.3 We have not appointed a Data Protection Officer within the meaning of Article 37 GDPR, on the basis that the statutory conditions for mandatory designation do not apply to our Processing activities. The contact address in Section 2.2 serves as our designated point of contact for data protection matters.
3. Scope of this Policy
3.1 This Policy applies to Personal Data that we Process in connection with:
(a) your use of the Application;
(b) your visit to the Website;
(c) your creation and use of an Account;
(d) your submission of feedback to us through any channel; and
(e) any other interaction between you and us in your capacity as a User or prospective User.
3.2 This Policy is addressed to Users worldwide. We have elected to apply the standards of the GDPR as a baseline for all Users, irrespective of the jurisdiction in which you are resident.
3.3 This Policy does not apply to Personal Data Processed by third parties operating independent services, including (i) Microsoft Corporation in its operation of the Microsoft Store, (ii) Google LLC or Microsoft Corporation in their operation of identity services, and (iii) operators of social platforms through which you may interact with us. The Processing by those parties is governed by their own privacy documentation.
4. Minimum Age
4.1 The Services are not intended for, and may not be used by, persons under sixteen (16) years of age. You must be at least sixteen (16) years of age to create an Account or otherwise use the Services. By creating an Account you confirm that you meet this age requirement.
4.2 We do not knowingly collect Personal Data from persons under sixteen (16) years of age. If we become aware that we have collected Personal Data from a person below that age, we will delete it without undue delay.
5. Personal Data We Process
5.1 We Process the following categories of Personal Data:
(a) Account Data:
(i) your email address;
(ii) your given name;
(iii) your family name;
(iv) a hashed representation of your authentication credentials, where you authenticate by email and password; and
(v) where you elect to authenticate via a third-party identity provider, the subject identifier issued by that provider, together with the items in (i) to (iii) as transmitted by that provider.
(b) Telemetry and Diagnostic Data:
(i) an anonymous User identifier generated on first launch of the Application;
(ii) application-lifecycle events, including application start and termination;
(iii) feature-usage events;
(iv) crash reports and error diagnostics;
(v) device metadata, including device family, device form factor, and operating-system version;
(vi) coarse location information derived from your network connection;
(vii) the IP address from which Application telemetry is transmitted; and
(viii) the language configured within the Application.
(c) Attribution and Onboarding Data:
(i) your response, where provided, to the question identifying how you came to learn of the Application; and
(ii) your response, where provided, to the question identifying whether you are a student and, if so, your field of study.
(d) Feedback Data:
(i) the content of feedback you voluntarily submit through the Application; and
(ii) where you elect to provide it, a contact email address at which we may respond.
(e) Website Data:
(i) the IP address from which you access the Website, used as further described in Section 11;
(ii) where you have accepted the Website analytics banner, a persistent anonymous identifier stored in a first-party cookie as described in Section 11.3; where you have not accepted, a daily-rotating server-side hash computed by our analytics Sub-Processor from your IP address, User-Agent, and related connection metadata, as described in Section 11.4;
(iii) pageview events and associated technical metadata, including the referring URL and the User-Agent string transmitted by your browser; and
(iv) any UTM parameters contained in the URL by which you reached the Website, being source, medium, campaign, and owner.
(f) Correspondence Data: where you contact us, or where we receive publicly-posted content that references us through any channel described in Section 14, the content of the communication together with any identifier by which the communication is attributed to you (email address, platform username, or public display name) and the date of the communication.
5.2 We do not Process special categories of Personal Data within the meaning of Article 9 GDPR, nor Personal Data relating to criminal convictions and offences within the meaning of Article 10 GDPR. Should you voluntarily include information of that nature in a Feedback submission or other correspondence, we will not use it for any purpose other than to respond to your communication and will delete it as soon as it is no longer needed.
5.3 Personal identifiers used in Telemetry are hashed prior to transmission where technically feasible. Because hashing does not necessarily preclude reidentification, we treat hashed identifiers as Personal Data under this Policy.
5.4 Notes, drawings, and other content you create using the Application are stored locally on your device. We do not transmit that content to, store that content on, or Process that content through any service operated by us or by any Sub-Processor.
6. Purposes and Legal Bases for Processing
6.1 We Process Personal Data for the purposes and on the legal bases set out in the table below.
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Creation, authentication, and maintenance of your Account | Account Data (§5.1(a)) | Art. 6(1)(b) GDPR – performance of a contract |
| Provision of the Application to you | Account Data; Telemetry (§5.1(a), §5.1(b)) | Art. 6(1)(b) GDPR – performance of a contract |
| Verification of your email address | Account Data (§5.1(a)(i)) | Art. 6(1)(b) GDPR – performance of a contract |
| Sending transactional communications (account verification, welcome) | Account Data (§5.1(a)) | Art. 6(1)(b) GDPR – performance of a contract |
| Diagnosis and resolution of errors and defects in the Application | Telemetry (§5.1(b)) | Art. 6(1)(f) GDPR – legitimate interests (maintaining a reliable service) |
| Statistical evaluation of feature usage for product improvement | Telemetry (§5.1(b)); Attribution (§5.1(c)) | Art. 6(1)(f) GDPR – legitimate interests (improving the Application) |
| Statistical evaluation of Website usage and acquisition channels where you have accepted the Website analytics banner | Website Data (§5.1(e)) | Art. 6(1)(a) GDPR – consent |
| Aggregate statistical evaluation of Website usage where you have not accepted, using the cookieless server-hash mechanism described in Section 11.4 | Website Data (§5.1(e)(i), (iii), (iv)) in transit | Art. 6(1)(f) GDPR – legitimate interests (understanding aggregate Website usage) |
| Evaluation of in-Application attribution responses | Attribution (§5.1(c)); Telemetry (§5.1(b)) | Art. 6(1)(f) GDPR – legitimate interests (understanding how Users discover the Application) |
| Consideration and implementation of user-submitted feedback | Feedback Data (§5.1(d)); Correspondence Data (§5.1(f)) | Art. 6(1)(f) GDPR – legitimate interests (improving the Application) |
| Sending beta-programme update notifications to users who have subscribed | Account Data (§5.1(a)(i)) | Art. 6(1)(a) GDPR – consent |
| Compliance with our legal obligations | As required by the applicable obligation | Art. 6(1)(c) GDPR – legal obligation |
| Establishment, exercise, or defence of legal claims | As necessary for the relevant claim | Art. 6(1)(f) GDPR – legitimate interests |
6.2 Where we rely on Article 6(1)(f) GDPR (legitimate interests), we have conducted a balancing assessment weighing our interests against your interests and fundamental rights and freedoms. You may object to such Processing at any time in accordance with Section 10.
6.3 Where we rely on Article 6(1)(a) GDPR (consent), you may withdraw that consent at any time, without affecting the lawfulness of Processing carried out before the withdrawal.
7. Recipients and Sub-Processors
7.1 We disclose Personal Data only to Sub-Processors who Process Personal Data on our behalf under a written agreement meeting the requirements of Article 28 GDPR, and to third parties who act as independent Controllers in the limited circumstances set out in Section 7.3.
7.2 Sub-Processors. The following Sub-Processors Process Personal Data on our behalf:
| Sub-Processor | Role | Data Processed | Location of Processing |
|---|---|---|---|
| Microsoft Ireland Operations Ltd (Azure App Service) | Hosting of the Noteastic back-end API | Account Data, Correspondence Data, Telemetry in transit | EEA (Ireland) |
| Microsoft Ireland Operations Ltd (Azure Database for PostgreSQL) | Primary database of the Noteastic back-end | Account Data | EEA (Ireland) |
| Microsoft Ireland Operations Ltd (Azure Monitor and Application Insights) | Telemetry collection, diagnostic logging, and error reporting | Telemetry | EEA (Ireland) |
| Microsoft Ireland Operations Ltd (Azure Communication Services) | Sending of transactional emails | Account Data (email address, given name) | EEA (Europe region) |
| Microsoft Ireland Operations Ltd (Azure Key Vault, Entra ID, Static Web Apps, Azure DNS) | Supporting infrastructure (secrets management, administrator identity, Website hosting, DNS) | Limited incidental exposure; no substantive Processing of User Personal Data | EEA (Ireland) |
| PostHog Inc. (accessed via a first-party reverse proxy at anal.noteastic.app) | Website analytics | Website Data (§5.1(e)) | EEA (PostHog Cloud EU, Frankfurt, Germany) |
| Grafana Labs, Inc. | Observability and log aggregation | Telemetry | EEA (EU Cloud stack) |
| Google LLC (Google Workspace / Gmail) | Receipt and storage of inbound email at our published contact addresses | Correspondence Data for email communications | EEA (with Google Workspace EU data-residency applicable to storage at rest) |
7.3 Independent Controllers. The following third parties receive Personal Data in connection with the Services but act as independent Controllers in respect of the Processing concerned:
(a) Microsoft Corporation, in its operation of the Microsoft Store and of Microsoft Partner Center, in respect of your installation of the Application, submission of reviews, and related activities on the Store;
(b) Google LLC or Microsoft Corporation, where you elect to authenticate to the Services using their identity services, in respect of the authentication interaction itself.
7.4 The list of Sub-Processors in Section 7.2 reflects our arrangements as at the effective date of this Policy and is subject to change. Where a change materially affects your rights or the location of Processing, we will update this Policy in accordance with Section 17.
8. International Transfers
8.1 Under our current architecture, Personal Data Processed by us is stored and Processed within the European Economic Area. We do not carry out routine transfers of Personal Data outside the EEA.
8.2 Where a Sub-Processor is ultimately controlled by a parent company established outside the EEA (in particular, PostHog Inc. and Grafana Labs, Inc., both established in the United States of America), the possibility exists that Personal Data may be accessed from outside the EEA in the context of parent-entity support activities or in response to legal process in the parent’s jurisdiction. We have in place with each such Sub-Processor contractual safeguards appropriate to address this residual risk, including Standard Contractual Clauses approved by the European Commission under Article 46(2)(c) GDPR where applicable.
8.3 You may request a copy of the relevant safeguards by writing to us at the address in Section 2.2.
9. Retention Periods
9.1 We retain Personal Data only for as long as is necessary for the purposes for which it was collected, or as otherwise required by applicable law.
9.2 Specific retention periods are as follows:
| Category | Retention |
|---|---|
| Account Data | For the duration of the Account, and deleted upon termination of the Account in accordance with Section 9.3 |
| Telemetry and Diagnostic Data | 365 days from collection |
| Website analytics data held by our analytics Sub-Processor | 1 year from collection |
| Feedback archives drawn from Reddit, Microsoft Store reviews, and other external channels described in Section 14 | 3 years from the date of the underlying communication |
| Email correspondence received at our published contact addresses | 3 years from the date of receipt |
| Data we are required to retain by law (e.g., accounting or tax records, where applicable) | For the period prescribed by the applicable law |
9.3 Where you terminate your Account, we perform an immediate deletion of your Account Data. We do not operate a grace period or a soft-delete mechanism. Telemetry records that can no longer be linked to you may continue to be held for the period specified in Section 9.2.
10. Your Rights as a Data Subject
10.1 Subject to the conditions and exceptions set out in the GDPR, you have the following rights in respect of your Personal Data:
(a) the right of access, pursuant to Article 15 GDPR;
(b) the right to rectification, pursuant to Article 16 GDPR;
(c) the right to erasure (“the right to be forgotten”), pursuant to Article 17 GDPR;
(d) the right to restriction of Processing, pursuant to Article 18 GDPR;
(e) the right to data portability, pursuant to Article 20 GDPR;
(f) the right to object to Processing based on legitimate interests or direct marketing, pursuant to Article 21 GDPR;
(g) the right to withdraw consent at any time, pursuant to Article 7(3) GDPR, without affecting the lawfulness of Processing carried out before the withdrawal; and
(h) the right to lodge a complaint with a supervisory authority, as further described in Section 19.
10.2 To exercise any of these rights, please contact us at privacy@noteastic.app. We will respond within the time limits set by Article 12(3) GDPR. We may request information reasonably necessary to confirm your identity before responding.
10.3 We do not charge a fee for the exercise of Data Subject rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request in accordance with Article 12(5) GDPR.
11. Cookies and Similar Technologies
11.1 This Section describes the use of cookies and equivalent tracking technologies on the Website. Our use of such technologies is subject to Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC, as amended, and as transposed into applicable national law), which requires your prior consent for any storage of or access to information on your terminal equipment save where that activity is strictly necessary for the provision of a service you have requested.
11.2 Consent banner. On your first visit to the Website, a consent banner is displayed. Until you interact with the banner, no analytics cookie or other persistent storage mechanism is written to your browser; the default position is that consent has not been given. The banner presents an “Accept” action and a “Reject” action of equal prominence, together with a link to this Policy. Your consent decision is stored locally on your own device and remains in effect until you clear your browser storage for the Website or otherwise reset the decision, at which point the banner will be displayed again on your next visit.
11.3 Where you accept. If you accept via the consent banner, we enable anonymous Website analytics through our Sub-Processor PostHog Inc. (see Section 7.2). For this purpose, one or more first-party cookies are set under the noteastic.app domain. The principal cookie is named ph_phc_HO6DnH2BGvgT9LhE3YUn3wc8YeAZ35EAGTmhSFVQ4kh_posthog and stores a persistent anonymous identifier together with session-level metadata for up to 365 days. The analytics library captures pageview events, interactions with page elements (including clicks and form submissions, excluding the content typed into form fields), web-vitals performance metrics, and JavaScript errors. We do not use third-party cookies, advertising pixels, or retargeting technologies on the Website.
11.4 Where you do not accept. If you reject via the consent banner, or before you interact with the banner, no cookies or other persistent storage mechanisms are written to your browser. Notwithstanding that position, when your browser requests a page from the Website we inevitably receive, in the network traffic, your IP address, User-Agent string, and the metadata of pageviews you generate. For the purpose of aggregate Website analytics in this state, PostHog Inc. computes on its servers a daily-rotating hash of your IP address, User-Agent, and related request metadata, together with a random salt that is generated for that calendar day and irreversibly deleted at the end of that day. The resulting hash cannot be reversed and cannot be linked to you across days. No persistent identifier linkable to you is retained. The legal basis for this Processing is our legitimate interest, pursuant to Article 6(1)(f) GDPR, in understanding the aggregate usage of the Website.
11.5 Withdrawal and change of consent. You may at any time withdraw, change, or re-assert your consent by clearing your browser’s storage for this Website or by using any consent-management control made available by your browser, after which the consent banner will be displayed again on your next visit.
11.6 Strictly-necessary storage. The Website does not set cookies or equivalent storage for any purpose other than the analytics use described in this Section.
11.7 The Application. The Application does not use cookies. Telemetry within the Application uses a persistent anonymous identifier stored on your device in accordance with Section 5.1(b)(i).
12. Automated Decision-Making and Profiling
12.1 We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
13. Security
13.1 We implement technical and organisational measures appropriate to the risk of the Processing, in accordance with Article 32 GDPR. These measures include:
(a) restriction of access to production systems to authorised personnel, protected by multi-factor authentication;
(b) identity-based authentication to systems storing Personal Data;
(c) encryption of Personal Data in transit using current industry-standard transport-layer security;
(d) network-level isolation of systems storing Personal Data;
(e) logging and review of privileged access;
(f) geo-redundant backup of the primary database with appropriate protection of backup media;
(g) confidentiality obligations binding on all personnel with access to Personal Data; and
(h) a documented procedure for the assessment, containment, and notification of personal-data breaches.
13.2 Security incidents may be reported to us at privacy@noteastic.app. Personal-data breaches are assessed by the Controller and, where a risk to the rights and freedoms of Data Subjects is identified, notified to the Austrian Datenschutzbehörde within seventy-two (72) hours in accordance with Article 33 GDPR, and communicated to affected Data Subjects in accordance with Article 34 GDPR where applicable.
14. Feedback from External Channels
14.1 We monitor a limited set of external channels for feedback relating to the Application. Specifically:
(a) Reddit. We collect and archive publicly-posted content on Reddit (including in the subreddit r/Noteastic and elsewhere) that expresses opinions, suggestions, or requests relating to Noteastic, together with the associated Reddit username and the publication date. We also preserve the content of direct messages sent to our Reddit account.
(b) Email. We collect and archive email communications sent to our published contact addresses, together with the sender’s email address and the date of the communication.
(c) Microsoft Store Reviews. We collect and archive reviews posted about the Application on the Microsoft Store, together with the reviewer’s public display name (where shown) and the date of the review.
14.2 The legal basis for this Processing is our legitimate interest in understanding user sentiment and improving the Application, pursuant to Article 6(1)(f) GDPR. We have assessed that our interest is not overridden by the interests or fundamental rights and freedoms of the Data Subjects concerned, having regard in particular to the public or directly-communicative nature of the content Processed and to the limited scope of our archiving activity.
14.3 You may object to this Processing at any time by contacting us at privacy@noteastic.app, identifying the content to which your objection relates.
14.4 We do not link feedback received through any external channel to any Account you may hold with us.
15. Third-Party Authentication
15.1 If you elect to sign in to the Services using a third-party identity provider, being Google or Microsoft, the authentication interaction is governed by that provider’s own privacy documentation. In the authentication interaction, the identity provider acts as an independent Controller.
15.2 Upon successful authentication, we receive from the identity provider a subject identifier together with profile information (ordinarily your email address, given name, and family name). We Process that information as Account Data in accordance with Section 5 and Section 6.
16. Microsoft Store
16.1 The Application is distributed exclusively through the Microsoft Store. Microsoft Corporation operates the Microsoft Store as an independent Controller and Processes Personal Data relating to your installation of the Application, your use of Store-level functionality (including the submission of reviews), and, where applicable, payment for offerings made available on the Store.
16.2 We receive from the Microsoft Store, through the Microsoft Partner Center interface, aggregate performance statistics relating to the Application (including monthly visitors, conversion rates, and installation counts), crash and diagnostic data, and individual reviews submitted by users. Aggregate statistics do not constitute Personal Data in our hands. Where the Microsoft Store makes available to us Personal Data in reviews or otherwise, we Process that data as described in Section 14.
17. Changes to this Privacy Policy
17.1 We may update this Privacy Policy from time to time to reflect changes in our Processing activities, legal requirements, or business practices.
17.2 Where a change is not material, we will publish the updated Policy on the Website and in the Application, and the updated Policy shall take effect from the Effective Date shown at the top of the revised version.
17.3 Where a change is material – including the introduction of a new purpose of Processing, a new category of Personal Data, a new Sub-Processor in a different jurisdiction, or a material change to retention periods or to the means by which Data Subject rights may be exercised – we shall:
(a) provide notice of the change to Users who hold an Account by email and through the Application before the change takes effect; and
(b) where the legal basis for the new Processing is consent, obtain that consent before the new Processing commences.
17.4 The “Effective Date” at the top of this Policy indicates the date on which the current version of the Policy became effective.
18. How to Contact Us
18.1 You may contact us in relation to this Policy, to exercise any right under it, or to request further information, at:
Noteastic OG
Anton-Baumgartner-Straße 44
1230 Wien
Republic of Austria
19. Supervisory Authority
19.1 If you are resident in the European Economic Area, you have the right to lodge a complaint with the data protection supervisory authority in your Member State of residence, your place of work, or the place where the alleged infringement occurred, in accordance with Article 77 GDPR.
19.2 The supervisory authority competent for Noteastic OG as Controller is:
Österreichische Datenschutzbehörde
Barichgasse 40–42
1030 Wien
Republic of Austria
dsb@dsb.gv.at
www.dsb.gv.at
19.3 Users not resident in the European Economic Area may lodge a complaint with the Austrian Datenschutzbehörde as the supervisory authority of the Controller’s establishment.
20. Severability and Governing Law
20.1 If any provision of this Policy is held to be invalid or unenforceable by a court or regulatory authority of competent jurisdiction, the remaining provisions shall continue in full force and effect.
20.2 This Policy shall be governed by and construed in accordance with the laws of the Republic of Austria, without prejudice to mandatory rules of data protection or consumer protection law applicable in your jurisdiction.
End of Privacy Policy.