Privacy Policy

Effective May 19, 2026

1. Who We Are

NoteSmith is operated by VARO Industries. We are committed to protecting your personal data and respecting your privacy. This policy explains what information we collect, how we use it, and your rights regarding it.

2. Information We Collect

We collect the following types of information:

  • Account information: Name, email address, and hashed password when you register.
  • Content: Documents, chat messages, and comments you create within the Service.
  • Usage data: Pages visited, features used, and session timestamps for product improvement.
  • Security data: Two-factor authentication secrets (encrypted at rest), login timestamps, IP addresses for fraud prevention.

3. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To authenticate you and keep your account secure
  • To send transactional emails (email verification, invite emails, security alerts)
  • To respond to your support requests
  • To comply with legal obligations

We do not sell your personal data. We do not use your content for advertising.

4. Data Storage & Security

Your data is stored on servers in the European Union (Hetzner, Germany). We use industry-standard security practices including encrypted connections (TLS), hashed passwords (bcrypt), and isolated database access. Two-factor secrets are stored encrypted. No security measure is 100% foolproof — if you discover a vulnerability, please contact us at [email protected].

5. Third-Party Services

We use the following sub-processors:

  • Hetzner — server hosting (EU)
  • Resend — transactional email delivery

Each sub-processor is contractually bound to protect your data and process it only as instructed.

6. Cookies

We use essential cookies only: a session cookie to keep you logged in, and an optional 2FA verification cookie. We do not use tracking or advertising cookies.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Object to or restrict processing of your data
  • Data portability

To exercise any of these rights, contact us at [email protected].

8. Data Retention

We retain your account data for as long as your account is active. You may request deletion at any time. Backups may retain data for up to 30 days after deletion.

9. Changes to This Policy

We may update this policy. We will notify you of material changes via email or an in-app notice. Continued use of the Service after changes constitutes acceptance.

10. Contact

Privacy questions? Contact [email protected] or VARO Industries via varo.industries.