Privacy Policy

This policy explains what personal data CoNote collects, why, and what rights you have. It applies to the CoNote application and website. The controller responsible for processing is:

SKAJ Ventures GmbH
Sonnenlandstraße 4, 14471 Potsdam, Germany
hello@conote.io

Full provider details are in our Imprint.

For account, billing, website, and security data we act as the controller and this policy applies. For the content your team puts into its logbook (notes, imports, and integration events), we act as a processor on behalf of your team, which is the controller of that content. That relationship is governed by our Data Processing Agreement.

• Account data: name, email address, and a hashed password when you register.
• Team content: the notes, imports, and integration events your team puts into its logbook, including metadata from connected services (for example commit messages from GitHub or container versions from Google Tag Manager).
• Billing data: handled by Stripe; we store your Stripe customer id and subscription status, never card numbers.
• Technical data: IP address and user agent for active sessions and security logging.

• to provide and operate the Service (Art. 6(1)(b) GDPR, contract performance);
• to send transactional email such as verification, password reset, invitations, and billing notices (Art. 6(1)(b) GDPR);
• to secure the Service through rate limiting, abuse prevention, and session management (Art. 6(1)(f) GDPR, legitimate interest);
• to process payments and meet tax and accounting obligations (Art. 6(1)(b) and Art. 6(1)(c) GDPR);
• to display your company name and logo as a customer reference, and to publish a statement you provide on request (Art. 6(1)(b) and Art. 6(1)(f) GDPR, as agreed in our Terms).

We do not sell personal data and we do not use your team content for advertising.

When you connect an integration, we store only what the integration needs: encrypted credentials (for example an OAuth refresh token with read-only scope) and the events it produces. Disconnecting an integration stops collection; its existing events remain in your logbook until deleted.

We share data only with the processors needed to run the Service:

• Vercel (hosting) and our PostgreSQL database provider (Neon)
• Stripe (payments)
• Resend (transactional email)
• Upstash (rate limiting), where configured

Each processor acts under a data processing agreement and only on our instructions. Public authorities receive data only where we are legally required to disclose it.

Some processors may process data outside the European Economic Area (for example in the United States). Where they do, transfers are safeguarded by the European Commission's Standard Contractual Clauses or an adequacy decision. A copy of the relevant safeguards is available on request.

Account and team data are kept until you delete them. Deleting a team (or the account of its sole owner) permanently removes all team data, including notes, integrations, and credentials, with no soft-delete. Expired verification and reset tokens are purged automatically. Where statutory retention periods apply (for example to invoices), we retain the relevant records for the legally required period before deletion.

Under the GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object to processing based on legitimate interest (Art. 21). You can exercise most of these directly: edit your profile in Settings or delete your account in Settings. For anything else, email us and we will respond within one month.

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). Our lead authority is the State Commissioner for Data Protection and the Right to Inspect Files Brandenburg (Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg).

Passwords are hashed, integration and webhook credentials are encrypted at rest (AES-256-GCM), and all traffic is encrypted in transit. No method of storage is fully secure; we notify affected users and the supervisory authority of any breach as required by law.

The Service is not directed at children under 16, and we do not knowingly collect their data.

We may update this policy; material changes are announced by email or an in-product notice before they take effect.

Privacy questions: hello@conote.io.