Privacy Policy

Privacy
Policy

Your notes and passwords are encrypted with AES-256 on your device before they ever reach our servers. We cannot read your content — not even our team.

Effective May 13, 2026 Last updated May 13, 2026 App version 1.0
Never sold
No advertisers, no data brokers, no exceptions.
AES-256 client-side
Content encrypted on your device before it reaches us.
No AI training
Your notes are never used to train models. Ever.
Yours to take
Export or delete on request. No questions asked.
TL;DR

The 30-second version.

  • Notes, to-dos, and folder passwords are encrypted with AES-256 on your device — we store ciphertext and cannot read your content.
  • We collect your name, email, and date of birth to run your account. Preferences stay on your device.
  • We use Supabase (GDPR-compliant, AWS-hosted) for storage. Google Sign-In and Google Play are the only third-party integrations.
  • You can view, export, correct, or delete your data at any time. Account deletion is processed within 1–3 business days.
01
Overview

This Privacy Policy describes how Notly ("we", "our", or "us") collects, uses, and protects your personal information when you use our mobile application and related services.

By creating an account or using Notly, you agree to the practices described in this policy. If you do not agree, please discontinue use of the app.

🔒 Privacy-first design

All your notes, to-dos, and folder passwords are encrypted using AES-256 on your device before being stored or transmitted. We cannot read your content — not even our own team.

02
Data We Collect

We collect only the minimum data needed to provide the Notly service. Here is a complete breakdown:

Data type Details Encrypted? Required?
Name Display name you register with No Yes
Email address Used for login and account recovery No Yes
Date of birth Optional — used to personalise experience No No
Notes & titles All note content and titles AES-256
To-dos & titles All to-do items and list titles AES-256
Folder names Names of folders you create AES-256
Folder passwords Passwords set on locked folders AES-256
Avatar selection Your chosen profile avatar style No
Widget configuration Home screen widget layout preferences No
Notification preferences Reminder and streak notification settings No
Plan / subscription Free, Pro, or Pro+ plan identifier No
✅ What we do NOT collect

We do not collect device identifiers, location data, contacts, browsing history, advertising IDs, or any data from other apps. Payment information is handled entirely by Google Play and is never seen or stored by us.

03
Encryption & Security

Security is built into the foundation of Notly, not added as an afterthought.

Client-side AES-256 encryption

All note content, to-do content, and folder names are encrypted on your device using AES-256 before being sent to our servers. The data stored in our database is unreadable ciphertext — we cannot see, read, or access your content under any circumstances.

Folder password encryption

Passwords you set on locked folders are also encrypted with AES-256 before storage. We store only the encrypted form — it is impossible for us (or anyone who gains database access) to recover your folder password in plaintext.

Encryption keys

Your personal encryption key is derived from your unique account identifier and stored securely on your device using the platform's secure storage (Android Keystore / iOS Secure Enclave). The key never leaves your device in plain form.

Transport security

All communication between the app and our servers uses HTTPS with TLS 1.2 or higher, providing an additional encryption layer in transit on top of the content-level AES-256 encryption described above.

⚠️ Important: loss of encryption key

Because your content is encrypted client-side, if your account data is cleared from the device and you cannot restore it, the encrypted content on our servers may become unreadable. We strongly recommend keeping your login credentials safe.

04
How We Use Your Data

We use your data strictly to provide and improve the Notly service:

  • To create and manage your account
  • To sync your encrypted notes, to-dos, and folders securely across sessions
  • To display your profile name and avatar within the app
  • To send you notifications you have opted into (streaks, due date reminders)
  • To manage your subscription plan and apply the correct feature limits
  • To process account deletion requests when submitted
  • To troubleshoot technical issues (using anonymised error logs only)

We do not sell your data, use it for advertising, share it with data brokers, or use it for any purpose not listed above.

05
Third-Party Services

Notly uses a small number of carefully selected third-party services:

Supabase (database & authentication)

We use Supabase to store account information and encrypted user data. Supabase is GDPR-compliant and hosted on Amazon Web Services (AWS). Supabase enforces Row Level Security (RLS), meaning only you can access your rows. Only encrypted ciphertext is stored — Supabase cannot read your notes or to-dos. Supabase Privacy Policy →

Google Sign-In (OAuth)

If you choose to sign in with Google, we receive your Google account name and email address to create your Notly profile. We do not receive your Google password or any other Google account data. Google Privacy Policy →

Google Play (payments)

Subscription payments are processed entirely by Google Play. We never receive, see, or store your payment card details or billing information. Refunds and billing disputes are handled directly through Google Play. Google Play Terms →

We do not integrate any advertising SDKs, analytics platforms (e.g. Firebase Analytics, Mixpanel), or data brokers.

06
Push Notifications

Notly may send push notifications to your device for the following purposes:

  • Daily streak reminders — a daily reminder to keep your note-taking streak alive (opt-in, time configurable)
  • Due date alerts — reminders for notes or to-dos that have a due date set (1 day, 1 hour, 30 min, and 5 min before)

You can disable all notifications at any time through the app's Profile → Notification Settings screen, or via your device's system notification settings. Disabling notifications does not affect any other functionality.

We do not use notifications to send marketing messages, advertisements, or promotional content.

07
Biometric Authentication
✅ Processed entirely on your device

Biometric data (fingerprint or face recognition) used to unlock Notly is processed exclusively by your device's operating system. Notly never accesses, stores, or transmits your biometric data in any form. We simply receive a pass/fail result from the device.

Biometric lock is an optional feature. If you choose not to use it, or if your device does not support it, standard session-based authentication is used instead.

08
Account Deletion

You have the right to request deletion of your account and all associated data at any time.

How to request deletion

In the app: go to Profile → Settings → Delete Account. Type DELETE ACCOUNT to confirm. Your account will be immediately suspended and a deletion request will be sent to our team.

Processing time

Account deletion is completed within 1–3 business days. During this period your account is suspended — you cannot log in or access your data. Once complete, all your data (account record, encrypted notes, encrypted to-dos, folders) is permanently removed from our systems.

Re-registration

After your account has been fully deleted, you may register again with the same email address if you wish.

You may also request deletion by emailing us directly at hi@notly.co.

09
Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right to access — request a copy of the personal data we hold about you
  • Right to correction — request correction of inaccurate personal data (update in Account Info within the app)
  • Right to erasure — request deletion of your account and all associated data (see Section 8)
  • Right to portability — export your notes and to-dos using the in-app Export feature (Pro and Pro+ plans)
  • Right to object — object to processing of your personal data in certain circumstances
  • Right to withdraw consent — withdraw consent for optional data processing (e.g. notifications) at any time

If you are located in the European Economic Area (EEA), you also have rights under the GDPR, including the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at hi@notly.co. We will respond within 30 days.

10
Children's Privacy

Notly is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hi@notly.co and we will promptly delete the information.

11
Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the app, our practices, or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you via an in-app notification or email for significant changes

Your continued use of Notly after any changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

12
Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please get in touch:

Notly Support

Email: hi@notly.co
Website: notly.co

We aim to respond to all privacy-related inquiries within 5 business days.

Questions about your privacy?

We aim to respond to all privacy-related requests within 5 business days.

hi@notly.co