Privacy Policy

1. Introduction

XNote, Inc. (“XNote”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal data. This Privacy Policy describes how we collect, use, disclose, and otherwise process personal data in connection with our applications, websites, and related services (collectively, the “Services”). 

For the purposes of applicable data protection laws, including the General Data Protection Regulation (“GDPR”), XNote acts as a data controller with respect to personal data processed through the Services.

Where XNote processes personal data on behalf of its customers, XNote acts as a data processor and such processing is governed by applicable Data Processing Agreements (DPA). 

Where required under applicable law, XNote has appointed EU and UK representatives in accordance with Article 27 GDPR.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

We collect personal data that you provide directly to us, data generated through your use of the Services, and data obtained through integrations with third-party services.

We collect and process personal data only to the extent necessary for the purposes described in this Privacy Policy and in accordance with applicable data protection laws.

XNote does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals within the meaning of applicable data protection laws.

This may include the following categories of data:

Account and Profile Information

• Name, email address, profile details, and account preferences
  
  

Technical and Usage Data

• Device type, operating system, application version

• IP address and technical identifiers

• Usage logs, interaction data, and system activity
  
  

User-Generated Content

• Notes, handwritten inputs, structured data, and associated metadata

• Audio and video recordings, where applicable

• Transcripts, including timestamps and speaker attribution
  
  

AI-Generated and Derived Data

• Summaries, structured outputs, semantic embeddings

• Insights generated through AI-based processing of user content
  
  

Integration Data

• Data obtained through connected third-party services

• Examples may include calendar events or synchronized content
  
  

Billing and Subscription Data

• Subscription status and transaction-related information

• Payment processing is handled by third-party providers, and XNote does not store full payment card details
  
  

Communications and Support Data

• Support requests, feedback, and other communications submitted to us
  
  

We may also collect personal data from third-party sources where users choose to enable integrations or where such data is necessary for the functionality of the Services.

Users are responsible for ensuring that the personal data they provide is accurate and up to date.

3. Purposes of Processing

We process personal data for the purposes of providing, maintaining, and improving the Services, including enabling core functionality, authenticating users, processing content, and delivering AI-powered features.

We also process personal data to monitor system performance, ensure security, provide customer support, and comply with applicable legal obligations.

Processing is carried out on the basis of contractual necessity, our legitimate interests in operating, securing, and improving the Services, and, where applicable, compliance with legal obligations or user consent.

Where required, we rely on user consent for specific processing activities such as certain analytics, cookies, or integrations.

4. AI Processing

The Services incorporate artificial intelligence technologies that enable features such as speech-to-text transcription, content analysis, summarization, and structured data extraction.

In order to provide these features, relevant user data, including audio recordings, text, and images, may be processed by third-party AI service providers acting on our behalf.

Such providers act as sub-processors and are contractually bound to process data only in accordance with XNote’s instructions.

XNote does not use customer data submitted through the Services to train or improve general-purpose AI models.

XNote does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.

AI-based features are designed to support user productivity and do not replace human judgment or decision-making.

AI processing is limited to providing the requested functionality and does not involve independent reuse of customer data by such providers.

5. Disclosure of Personal Data

We may disclose personal data to third-party service providers that support the operation of the Services, including infrastructure providers, AI processing providers, analytics and monitoring services, payment processors, and integration partners.

Such disclosures are made only where necessary and are subject to contractual obligations requiring appropriate data protection and security measures. XNote does not sell or commercially exploit personal data.

XNote engages a limited number of trusted third-party vendors acting as sub-processors to support the delivery of the Services. These may include, for example:

• Cloud infrastructure and hosting providers (e.g., Hetzner)

• Backend, database, and storage providers (e.g., Supabase)

• AI and data processing providers (e.g., Microsoft Azure OpenAI, AssemblyAI)

• Analytics and monitoring tools (e.g., PostHog, Mixpanel, Sentry)

• Payment and subscription providers (e.g., Apple, Google, Shopify, Adapty)

All sub-processors are carefully selected and are contractually bound to process personal data only on behalf of XNote and in accordance with applicable data protection laws.

An up-to-date list of sub-processors may be made available upon request, and XNote will take reasonable steps to notify customers of material changes where required.

6. International Data Transfers

Personal data may be transferred to and processed in jurisdictions outside of your country of residence, including the United States. 

Where required under applicable law, we implement appropriate safeguards, including Standard Contractual Clauses (SCCs), to ensure that personal data transferred outside the European Economic Area is subject to an adequate level of protection.

7. Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes described in this Privacy Policy, including the provision, maintenance, and improvement of the Services, as well as compliance with applicable legal obligations.

User-generated content, including notes, audio recordings, and transcripts, is retained for the duration of the user’s account and remains available until deleted by the user. Upon user-initiated deletion of specific content, such data is removed without undue delay from active systems.

Where a user requests deletion of their account, personal data associated with the account is permanently deleted within a reasonable period, and no later than 14 days following the deletion request, subject to limited retention where required for legal or technical purposes.

Operational data, including system logs and security-related records, is retained for a limited period necessary to ensure the security, integrity, and performance of the Services. 

Backup data is maintained for the purpose of ensuring system resilience and recovery. Backup retention periods are limited and typically do not exceed 7 days. Backup data is securely stored and is automatically overwritten or deleted following the expiration of the applicable retention period. Operational data, including system logs and security-related records, is generally retained for up to 14 days.

Certain data processed by third-party service providers (such as analytics or infrastructure providers) may be retained in accordance with their respective retention policies. XNote takes reasonable steps to ensure that such retention is aligned with applicable data protection requirements.

At the end of the applicable retention period, personal data is securely deleted, anonymized, or otherwise rendered inaccessible, unless continued retention is required by law.

8. Data Subject Rights

Where applicable under data protection law, including the GDPR, individuals may have the right to access, correct, delete, or restrict the processing of their personal data, as well as the right to data portability and to object to certain processing activities.

We may take reasonable steps to verify the identity of the requester before processing such requests.

Requests to exercise these rights may be submitted to: privacy@xnote.ai 

We will respond to such requests within applicable legal timeframes.

9. Data Security

XNote maintains technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction.

We implement security measures aligned with industry standards and continuously review and improve our security posture.

These measures include, but are not limited to:

• Encryption of data in transit (e.g., TLS) and at rest where applicable

• Access controls based on the principle of least privilege and role-based access management

• Authentication mechanisms, including secure credential management

• Secure infrastructure configurations and network protections

• System monitoring, logging, and anomaly detection mechanisms

• Regular security assessments and internal reviews of security practices

• Use of trusted service providers that maintain appropriate security standards

• Employee confidentiality obligations and access restrictions
  
  

Access to personal data is limited to authorized personnel with a legitimate business need and is subject to appropriate safeguards.

While we take commercially reasonable steps to protect personal data, no system can be guaranteed to be completely secure. In the event of a data breach, XNote will take appropriate steps to investigate, mitigate, and notify affected parties and authorities where required under applicable law.

10. Sensitive Data

The Services are not specifically designed for the processing of sensitive personal data, including health-related information, biometric data, or other special categories of data under applicable laws.

Users are advised not to submit such data unless explicitly agreed in a separate contractual arrangement with appropriate safeguards.

Where sensitive personal data is processed based on a specific agreement, XNote implements additional technical and organizational safeguards appropriate to the nature and risk of such data.

XNote does not intentionally collect or process sensitive personal data unless explicitly required for a defined and lawful purpose.

Where required, additional contractual safeguards such as Data Processing Agreements or Business Associate Agreements may apply.

11. Children’s Data

The Services are not intended for use by children.

XNote does not knowingly collect personal data from individuals under the age required by applicable law. If we become aware that such data has been collected without appropriate authorization, we will take steps to delete it.

If you believe that a child has provided personal data through the Services, please contact us so that appropriate action can be taken.

12. Cookies and Analytics

We use analytics and monitoring tools to understand usage patterns and improve the functionality and performance of the Services.

Such tools may collect pseudonymized or aggregated information, including device identifiers, usage data, and interaction metrics.

Depending on your location, we may rely on consent mechanisms for the use of cookies or similar technologies, particularly for analytics and tracking purposes.

Users may control or disable cookies through their browser or device settings, although some features of the Services may be affected. 

13. California Privacy Notice

If you are a resident of California, you may have rights under the California Consumer Privacy Act (CCPA), including:

• The right to request access to personal data we collect about you

• The right to request deletion of such data

• The right to receive information about how your personal data is collected, used, and disclosed

XNote does not sell personal data.

We do not discriminate against users for exercising their privacy rights.

Requests may be submitted to: privacy@xnote.ai

14. Changes to This Policy

We may update this Privacy Policy from time to time. Any updates will be made available through the Services with an updated effective date.

Where changes are material, we will take reasonable steps to notify users through appropriate channels.

Continued use of the Services after such updates constitutes acknowledgment of the updated Policy.

15. EU and UK Representatives 

In accordance with Article 27 of the General Data Protection Regulation (GDPR) and the UK GDPR, XNote has appointed the following representatives:

EU Representative  

Prighter EU Rep GmbH  

Schellinggasse 3/10  

1010 Vienna  

Austria  

UK Representative  

Prighter Ltd  

20 Mortlake Mortlake High Street  

London, SW14 8JN  

United Kingdom  

For privacy-related inquiries, data subject requests, or communications with supervisory authorities, you may also contact our representatives via:  

https://app.prighter.com  

Please include the following reference in all correspondence:  

ID-17555557034

16. Contact Information

For data protection-related inquiries, you may contact our privacy team at: privacy@xnote.ai

XNote, Inc.
320 Cobble Creek, Suite 212
Newark, DE 19702
privacy@xnote.ai