Privacy Policy v2.1

Last updated: February 22, 2026 · Effective: February 22, 2026

About Us
About This Policy
Your Content — What Stays Local and What Does Not
What Personal Data We Collect
AI-Powered Features
What Data NoteBee Stores Locally
What NoteBee Does NOT Collect
How We Use Your Data
Third-Party Service Providers
Cookies and Tracking Technologies
International Data Transfers
Data Retention
Subscription and Payments
Diagnostic Logs
System Permissions (macOS)
Data Security
Your Rights Under GDPR
Your Rights Under US State Privacy Laws
Children's Privacy
Accessibility
Changes to This Policy
Contact Us

1. About Us

NoteBee is operated by Nikita Havrylenko, operating as NoteBee, based in Poland.

Privacy inquiries: privacy@notebee.cloud
General support: support@notebee.cloud

No Data Protection Officer (DPO) is designated, as this is not required under GDPR Article 37 given the nature and scale of our data processing.

2. About This Policy

This Privacy Policy covers:

The NoteBee macOS application (distributed as a direct download from notebee.cloud)
The notebee.cloud website

NoteBee is a local-first application. Your notes, templates, snippets, and categories are stored on your Mac and are never synced to cloud servers. However, certain features — specifically AI text processing and translation — require transmitting selected content to third-party services to function. These are clearly identified in this policy.

Revenue Model

NoteBee generates revenue exclusively through paid subscriptions. We do not sell, rent, or monetize your personal data or user content. We do not serve advertisements, engage in ad-based tracking, or share your data with advertising networks. Our business model is simple: you pay for the product, not with your data.

Compliance

This policy complies with:

The General Data Protection Regulation (GDPR) (EU) 2016/679
The Polish Act of 10 May 2018 on the Protection of Personal Data
The California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Applicable US state privacy laws (see Section 18)

3. Your Content — What Stays Local and What Does Not

Stored locally on your Mac (never transmitted)

All notes, templates, snippets, and categories
Template categories and folder structure
Version history
Preferences and settings
Diagnostic logs

Transmitted to third parties only when you use specific features

Feature	Data Transmitted	Recipient	When
AI features (rewrite, summarize, grammar fix, expand, simplify, change tone, continue writing, custom instruction)	Selected text content	Google (Vertex AI / Gemini)	Only when you invoke an AI feature
AI translation	Selected text content + target language	Google (Vertex AI / Gemini)	Only when you choose AI translation mode
Basic translation	Selected text content + target language	Apple (Translation framework)	Only when you use basic translation

Important:

AI features require your explicit consent before first use. A one-time notice explains that your content will be sent to Google for processing. You can decline and continue using NoteBee without AI features.
Content sent for AI processing is not stored by NoteBee after the response is received. Only aggregate usage metadata (token counts and credit cost) is recorded.
Basic translation uses Apple's on-device Translation framework. Depending on language model availability, translation may occur on-device or on Apple's servers.
No internet connection is required for creating, editing, or organizing your templates.

Processed by service providers (account and service data)

Data	Service Provider	Purpose
Email address	Google (Firebase Auth)	Authentication
Display name	Google (Firebase Auth)	Profile
Password	Google (Firebase Auth)	Authentication (hashed server-side)
User profile	Google (Cloud Firestore)	Account persistence
Subscription status	RevenueCat, Stripe	Payment processing
AI usage quota	Google (Cloud Firestore)	Credit tracking

4. What Personal Data We Collect

Account Data

Data	Legal Basis (GDPR)	Retention
Email address	Performance of contract (Art. 6.1.b)	Until account deletion
Display name	Performance of contract (Art. 6.1.b)	Until account deletion
Password (hashed by Firebase)	Performance of contract (Art. 6.1.b)	Until account deletion
Avatar URL	Performance of contract (Art. 6.1.b)	Until account deletion

Automatically Collected by Firebase Authentication

Data	Legal Basis (GDPR)	Retention
IP address	Legitimate interest (Art. 6.1.f) — security	Managed by Google per Firebase terms
User agent string	Legitimate interest (Art. 6.1.f) — security	Managed by Google per Firebase terms
Sign-in timestamps	Legitimate interest (Art. 6.1.f) — security	Managed by Google per Firebase terms

Third-Party Sign-In

If you sign in with Apple or Google, we receive your email address, display name, and avatar URL via OAuth 2.0. We do not receive or store your Apple or Google password.

AI Usage Data

Data	Legal Basis (GDPR)	Retention
AI credits used per billing period	Performance of contract (Art. 6.1.b)	Until account deletion
Per-request metadata: feature used, token counts (input/output), credit cost, timestamp	Legitimate interest (Art. 6.1.f) — service operation and abuse prevention	Rolling 90 days, then automatically deleted

AI usage data does not include the content of your text. Only aggregate token counts and the name of the feature used are recorded.

Subscription Data

Data	Legal Basis (GDPR)	Retention
Subscription tier (free/pro)	Performance of contract (Art. 6.1.b)	Until account deletion
Billing interval, expiration date	Performance of contract (Art. 6.1.b)	Until account deletion
Payment transaction data	Performance of contract (Art. 6.1.b)	Managed by Stripe per their terms

5. AI-Powered Features

NoteBee offers optional AI features powered by Google Vertex AI (Gemini). These features process your selected text content on Google's servers and return the result to your device.

How it works

You select text and choose an AI action (e.g., "Rewrite," "Summarize")
The selected text is sent to Google Vertex AI via Firebase AI Logic
Google's Gemini model processes the text and returns the result
The result is displayed in NoteBee on your device

What is sent to Google

The text you select for AI processing
A template identifier (which AI action you chose)
Input parameters (e.g., desired tone, target language)

What is NOT sent to Google

Your entire template library
Templates you did not select for AI processing
Your account information (email, name, password)
Any local data or preferences

Your consent

Before using AI features for the first time, NoteBee displays a notice explaining that your content will be sent to Google for processing. You must acknowledge this before AI features are enabled. You may decline and continue using NoteBee without AI features.

Google's data handling

Google processes content under their Cloud Data Processing Addendum and Vertex AI terms. Google is contractually prohibited from using customer data submitted via Vertex AI to train its models. NoteBee has verified this restriction and monitors compliance through Google's published terms and data processing commitments.

6. What Data NoteBee Stores Locally

All template content is stored in a local SQLite database at:

~/Library/Application Support/NoteBee/notebee.store

This data is never transmitted to any server.

Local database contents

User profile (local copy): Firebase user ID, email, display name, avatar URL
Template data: titles, body text (plain + rich text), annotations, snippet keywords, categories, version history, translations
Usage metadata: usage count per template, last used date, word/character counts, creation/modification dates

UserDefaults (preferences)

Quick paste behavior setting
Snippet expansion toggle and mode
Subscription status cache (for offline display)
AI quota cache (for offline display)
Daily activity counters (templates used, edits made)
AI consent acknowledgement flag

macOS Keychain

No encryption keys are stored in the Keychain in this version (encryption features are not active).

7. What NoteBee Does NOT Collect

NoteBee does not collect, transmit, or process:

Analytics or telemetry data
Crash reports
Advertising identifiers or tracking IDs
Location data
Camera or microphone data
Contacts, calendars, or photos
Browsing history
Device identifiers (beyond standard Firebase SDK metadata)
Keystroke logging — the snippet expansion feature uses a 32-character in-memory buffer for keyword matching only; this buffer is never stored, logged, or transmitted

8. How We Use Your Data

Purpose	Data Used	Legal Basis
Account management	Email, display name, password	Contract (Art. 6.1.b)
Authentication	Email, sign-in metadata, third-party tokens	Contract (Art. 6.1.b)
AI text processing	Selected text content (only when you invoke AI)	Consent (Art. 6.1.a)
Basic translation	Selected text content (only when you invoke translation)	Contract (Art. 6.1.b)
AI usage tracking	Token counts, credits consumed	Legitimate interest (Art. 6.1.f)
Subscription management	Subscription tier, billing data	Contract (Art. 6.1.b)
Security	IP address, sign-in metadata	Legitimate interest (Art. 6.1.f)
Software updates	App version, macOS version, architecture	Legitimate interest (Art. 6.1.f)

We do NOT use your data for:

Advertising, marketing profiling, or behavioral targeting
Selling, renting, sharing, or trading personal data
Training machine learning or AI models
Behavioral tracking or analytics
Building or enriching user profiles for any purpose beyond providing the core service
Cross-context behavioral advertising

9. Third-Party Service Providers

Google Firebase Authentication (Google LLC, USA/EU)

Data processed: Email, hashed password, IP address, user agent, sign-in metadata
Purpose: User authentication and account management
Data region: EU (europe-west)

Google Cloud Firestore (Google LLC, USA/EU)

Data processed: User profile, subscription status, AI usage quota, AI transaction logs
Purpose: Account data persistence and usage tracking
Data region: EU (europe-west)

Google Vertex AI / Gemini (Google LLC, USA/EU)

Data processed: User-selected text content (only when AI features are invoked)
Purpose: AI-powered text generation
Data handling: Google is contractually prohibited from using Vertex AI customer data to train its models.

Google Firebase Remote Config (Google LLC, USA/EU)

Data processed: Standard SDK device metadata
Purpose: Deliver application configuration

Google Firebase App Check (Google LLC + Apple Inc.)

Data processed: Device attestation token
Purpose: Verify app authenticity and prevent abuse

Apple Inc. (USA)

Sign In with Apple: Email, display name
Translation framework: User-selected text content for basic translation
App Attest: Device attestation for Firebase App Check

Google LLC (USA)

Google Sign-In: Google account token

RevenueCat Inc. (USA)

Data processed: Firebase user ID, subscription status, purchase transactions
Purpose: Subscription management

Stripe Inc. (USA)

Data processed: Payment information, Firebase user ID
Purpose: Payment processing for subscriptions

NoteBee never sees or stores your payment card details.

Sparkle (Open Source)

Data processed: App version, macOS version, device architecture
Purpose: Checking for application updates

10. Cookies and Tracking Technologies

NoteBee macOS Application

The app does not use cookies, tracking pixels, advertising identifiers, or any form of analytics or telemetry.

notebee.cloud Website

Only essential session cookies and TLS/HTTPS. No analytics, no advertising cookies, no social media tracking.

11. International Data Transfers

NoteBee is operated from Poland (EU). Primary data storage is in EU (europe-west). Safeguards for US transfers include:

EU Standard Contractual Clauses
EU-US Data Privacy Framework
TLS encryption
Regular security audits

12. Data Retention

Data	Retention Period	Deletion Method
Account data	Until account deletion	Account deletion in Settings
Local templates and content	Until deletion or app uninstall	Manual or app removal
AI usage quota	Until account deletion	Account deletion
AI transaction logs	Rolling 90 days	Automatic
Subscription data	Until account deletion	Account deletion
Payment data (Stripe)	Per Stripe's retention policy	Contact Stripe
Diagnostic logs	Managed by macOS	Automatic rotation

13. Subscription and Payments

Free tier: Full editing, basic translation, 50 AI credits/month.

Pro subscription: 1,000 AI credits/month, processed via Stripe through RevenueCat.

NoteBee never sees or stores your payment card details. All payment processing is handled by Stripe. Subscription management (status, billing interval, expiration) is handled by RevenueCat.

14. Diagnostic Logs

NoteBee uses macOS unified logging (OS Log). Logs are stored locally on your device and are never transmitted to any server. Sensitive values (such as email addresses) are masked in log output.

15. System Permissions (macOS)

NoteBee may request the following macOS permissions:

Clipboard access — for paste operations
Accessibility — for auto-paste and global hotkey functionality
Input Monitoring — for snippet expansion (uses a 32-character in-memory buffer; never stored or transmitted)
Internet access — for authentication, AI features, translation, subscription verification, and update checks

NoteBee does not request access to your camera, microphone, location, contacts, calendar, photos, screen recording, or full disk.

16. Data Security

Local data protected by macOS file permissions and FileVault
All network traffic uses HTTPS/TLS
Firebase App Check validates app authenticity
Data breach notification within 72 hours per GDPR Article 33

If you are in the EU/EEA, you have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate personal data
Erasure — request deletion of your personal data
Restrict processing — limit how we use your data
Data portability — receive your data in a portable format
Object — object to processing based on legitimate interest
Withdraw consent — for processing based on consent (e.g., AI features)

Contact privacy@notebee.cloud to exercise your rights. We will respond within 30 days.

Supervisory authority: UODO (Urząd Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland — uodo.gov.pl

18. Your Rights Under US State Privacy Laws

NoteBee respects privacy rights under state laws in California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, Minnesota, Maryland, Nebraska, New Hampshire, and New Jersey.

NoteBee does not:

Sell personal data
Engage in targeted advertising
Profile users for automated decision-making

To exercise your rights, contact privacy@notebee.cloud.

19. Children's Privacy

NoteBee is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact privacy@notebee.cloud.

20. Accessibility

This policy is written in plain language with clear headings to improve readability. If you need this policy in an alternative format, contact support@notebee.cloud.

21. Changes to This Policy

Version	Date	Changes
1.0	February 19, 2026	Initial policy (local-only)
2.0	February 22, 2026	Added AI features, Firestore, subscriptions, translation, Remote Config, App Check
2.1	February 22, 2026	Added cookies section, expanded US state coverage to 17 states, data breach procedures, revenue model transparency, Do Not Track, CCPA notice-at-collection, accessibility section

22. Contact Us

Email: privacy@notebee.cloud
Support: support@notebee.cloud
Supervisory Authority: UODO, ul. Stawki 2, 00-193 Warsaw, Poland — https://uodo.gov.pl