Contents
01. Who We Are
02. Data We Collect
03. AI Processing
04. Subprocessors
05. How We Use Data
06. Data Sharing
07. International Transfers
08. Data Retention
09. Security
10. Your Rights
11. California (CCPA)
12. Children
13. Cookies
14. Policy Changes
15. Contact

Privacy Policy

NoteX: AI Note Taker — operated by SotaLabs

Effective: 1 Sep 2024 · Last revised: 10 Feb 2026 · Version 2.0 · GDPR · CCPA Compliant

Our Core Privacy Commitments

We never use your data or content to train AI models
We never sell your personal data to third parties
All AI subprocessors are contractually prohibited from training use
You can export, correct, or delete your data at any time
We process only what is necessary for the features you use
01

Who We Are

Sotalabs Technology JSC ("Sotalabs", "we", "us", or "our") is the data controller for personal data collected through the NoteX: AI Note Taker application (the "App"), available on Google Play, the App Store, and at notexapp.com.

By using NoteX, you agree to the collection and use of your data as described in this Privacy Policy. Please read it carefully. If you do not agree, please discontinue use of the App.

Data Protection Contact
For privacy-related questions, requests, or complaints: hello@notexapp.com
02

Data We Collect

Data You Provide Directly
  • Account information: name, email address, username, password (stored as a secure hash)
  • Profile settings and in-app preferences
  • Content you create: meeting transcripts, notes, summaries, flashcards, quizzes
  • Communications with us: support tickets, feedback, survey responses
  • Payment details — processed directly by our payment providers; we do not store card numbers
Data Collected Automatically
  • Device identifiers, operating system, app version
  • Usage events and feature interactions (anonymized where possible)
  • Crash reports and performance diagnostics (anonymized)
  • Session duration and log timestamps
Audio, Video & Meeting Content

When you record a meeting or upload audio/video content, NoteX processes this data to generate transcripts, summaries, and AI-powered outputs. This content is:

  • Transmitted securely over TLS 1.2+ to our AI processing pipeline
  • Processed transiently — AI subprocessors do not store it after processing completes
  • Stored in your account only — you control deletion at any time
  • Never used to train, fine-tune, or improve any AI or ML model
Google Calendar Integration

When you connect Google Calendar, NoteX reads event metadata (title, time, attendee names) to associate meetings with your notes. We do not store, share, or use Google Calendar data beyond the active session, and we fully comply with Google's Limited Use Policy for Workspace API data.

03

AI Processing & No-Training Commitment

Important — AI Processing Notice
NoteX uses third-party AI models (Google Gemini, OpenAI, and Anthropic Claude) to power transcription, summarization, and intelligent features. These models process your content as instructed by us, under strict contractual controls.

Our AI pipeline operates under the following principles:

  • No training use: We contractually prohibit all AI subprocessors from using your data to train, fine-tune, retrain, or benchmark any AI or ML model — for any purpose, ever.
  • Data minimization: Only the content required for a specific feature is sent for AI processing.
  • Purpose limitation: Content is processed only for the feature you invoke, not for other purposes.
  • Transient processing: AI providers process and immediately discard your content — no retention after the request completes.
  • Contractual controls: All AI subprocessors are contractually prohibited from using your data for training.
  • Your control: AI-powered features are opt-in and can be disabled in Settings at any time.
What this means in practice
  • Your meeting recordings are NOT used to improve Google Gemini, GPT, or Claude
  • Your notes and transcripts are NOT stored by AI providers after processing
  • Your data is NOT shared with AI providers for any purpose beyond your active request
04

Subprocessors

We use a limited, audited set of subprocessors to operate NoteX.

Cloud Infrastructure
Subprocessor | Service | Data Processed | Location
Google Cloud Platform | Primary cloud infrastructure, compute, storage, networking | All app data (encrypted at rest) | USA / EU
Amazon Web Services (AWS) | Backup storage, CDN, regional redundancy | Encrypted backups, static assets | USA / EU
AI Models (No Training Use)
Subprocessor | Models Used | Data Processed | Location
Google (Gemini) | Gemini Pro / Flash | Audio, transcripts, text — transiently | USA
OpenAI | GPT-4o / Whisper | Audio, transcripts, text — transiently | USA
Anthropic | Claude 3.x | Text, summaries — transiently | USA
Analytics, Payments & Notifications
Subprocessor | Service | Data Processed | Location
Google Analytics & Firebase | Product analytics, push notifications, A/B testing, crash reporting | Anonymized usage events, device tokens, crash logs | USA
RevenueCat | In-app subscription management (iOS & Android) | Purchase tokens, subscription status (no card data) | USA
LemonSqueezy | Web payment processing & billing | Billing info, email — card data handled by LemonSqueezy directly | USA

To request a copy of any subprocessor's DPA or to object to a new subprocessor, contact hello@notexapp.com.

05

How We Use Your Data

Legal Bases (GDPR Article 6)
  • Contract: Art. 6(1)(b) — Providing the NoteX service, processing transactions, managing your account, delivering AI-powered features.
  • Legitimate Interest: Art. 6(1)(f) — Security monitoring, fraud prevention, anonymized product analytics, and improving service quality where our interest does not override your rights.
  • Legal Obligation: Art. 6(1)(c) — Compliance with applicable laws, tax obligations, and regulatory orders.
  • Consent: Art. 6(1)(a) — Marketing emails, optional personalization, Google Calendar integration. You may withdraw consent at any time in Settings.
What We Never Do
  • Sell your personal data to any third party
  • Use your content to train, fine-tune, or benchmark AI models
  • Share your meeting content with advertisers
  • Make fully automated decisions with legal or significant effects without human oversight
  • Use sensitive personal data incidentally captured in meetings for secondary purposes
06

Data Sharing

We do not sell, rent, or broker your personal data. We share data only in these limited circumstances:

  • With subprocessors listed in Section 4, solely to operate the service
  • With Sotalabs affiliates, subject to equivalent data protection standards
  • In connection with a merger, acquisition, or asset sale — we will notify you in advance and ensure equivalent privacy obligations apply
  • When required by law, court order, or regulatory authority — we will notify you where legally permitted to do so
  • To protect the rights, safety, or property of Sotalabs, our users, or the public in cases of confirmed fraud or security incidents

We may share aggregated, de-identified data that cannot reasonably identify you for research or benchmarking purposes.

07

International Data Transfers

NoteX is operated from Vietnam. Our subprocessors may process data in the United States and European Union. For transfers outside the EEA, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements incorporating GDPR-compliant transfer mechanisms
  • Encryption in transit (TLS 1.2+) and at rest (AES-256) for all transferred data
  • Subprocessor assessment for SOC 2 Type II or equivalent security certification
08

Data Retention

We retain your data only as long as necessary for the purposes described here or as required by law.

Data Category | Retention Period | Reason
Account data | Account lifetime + 30 days post-deletion | Service provision
Meeting transcripts & notes | Until deleted by user or account closed | User-controlled
Billing records | 7 years | Legal / tax
Usage analytics (anonymized) | 24 months | Product improvement
Support tickets | 3 years | Legal defence
Security & audit logs | 12 months | Security monitoring
Deleted content | Purged within 30 days of deletion request | GDPR Art. 17

Upon account deletion, data purge begins within 30 days. Billing records are retained for 7 years as required by Vietnamese and international tax law.

09

Security

We implement industry-standard technical and organizational security measures:

  • Encryption in transit: TLS 1.2+ for all data transmissions between your device and our servers
  • Encryption at rest: AES-256 for all stored data and backups
  • Access controls: Role-based access, least-privilege principles, mandatory MFA for all administrative access
  • Security monitoring: Continuous threat detection, intrusion detection systems, and incident response procedures
  • Vendor assessments: Subprocessors are evaluated for SOC 2 Type II or equivalent compliance
  • Regular testing: Annual penetration testing and quarterly vulnerability assessments

In the event of a personal data breach that is likely to affect your rights, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR.

User Data Deletion

You are entitled to request that we delete your Personal Information, except in the following circumstances:

  1. your account has been identified as committing illegal activities;
  2. there are completed or ongoing transactions of copyright licensing in your account;
  3. your account has outstanding debts or unresolved disputes;
  4. NoteX is requested to keep your Personal Information according to relevant laws and regulations or the requirements of judicial or administrative authorities.

You can delete your personal information by contacting hello@notexapp.com. You understand that we shall delete your personal information within the period prescribed by applicable laws after verifying your identity.

10

Your Privacy Rights

Depending on your jurisdiction, you have the following rights. Contact hello@notexapp.com to exercise any of them. We respond within 30 days (GDPR) or 45 days (CCPA).

Access

Request a copy of all personal data we hold about you in a structured, readable format.

Rectification

Correct inaccurate or incomplete personal data. You can update most data directly in the app.

Erasure

Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.

Restriction

Ask us to pause processing of your data in certain circumstances while you contest its accuracy or use.

Portability

Receive your personal data in a machine-readable format (JSON or CSV) to transfer to another provider.

Object

Object to processing based on legitimate interest or for direct marketing — unconditional for marketing.

Withdraw Consent

Revoke consent at any time in Settings without affecting the lawfulness of prior processing.

Lodge a Complaint

Contact your local data protection authority (e.g., your EU supervisory authority or the ICO in the UK).

Account & Data Deletion

To delete your account and personal data, go to Settings → Account → Delete Account in the app, or email hello@notexapp.com. We will process verified deletion requests within 30 days.

We may decline requests that would compromise account security (e.g., outstanding legal proceedings, unresolved disputes, or legal retention obligations). We will explain any such limitation in writing.

11

California Residents (CCPA / CPRA)

In addition to the rights in Section 10, California residents have the following rights under the CCPA as amended by the CPRA:

  • Right to Know: What personal information we collect, use, disclose, and sell (we do not sell)
  • Right to Delete: Request deletion of your personal information held by us and our service providers
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale / Sharing: We do not sell or share personal information for cross-context behavioral advertising; no opt-out is required
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
  • Right to Limit Sensitive PI Use: We do not use sensitive personal information for inferential or secondary purposes

To submit a CCPA request: hello@notexapp.com or via in-app Settings. Authorized agents may submit requests on your behalf with documented authorization.

12

Children's Privacy

NoteX is not directed to children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children.

If you believe a child has provided personal data through our App, please contact hello@notexapp.com immediately and we will delete it promptly.

13

Cookies & Tracking Technologies

The NoteX web application (notexapp.com) uses cookies and similar technologies for authentication, security, and analytics.

Cookie Type | Purpose | Can Opt-Out?
Strictly Necessary | Authentication, session security, CSRF protection | No — required for the service to function
Analytics (Firebase / Google Analytics) | Understanding feature usage and performance (anonymized) | Yes — via in-app Settings
Marketing / Attribution | Ad performance measurement on third-party platforms | Yes — requires explicit consent

We do not use cross-site tracking, browser fingerprinting, or persistent user profiling for advertising.

14

Changes to This Policy

We may update this Privacy Policy periodically. For material changes that affect your rights or how we process your data, we will:

  • Post the updated policy at notexapp.com/privacy with an updated Effective Date
  • Send an in-app notification and/or email at least 30 days before changes take effect
  • Require renewed consent where the applicable legal basis requires it

Continued use of NoteX after the effective date of non-material changes constitutes acceptance of the updated policy.

15

Contact Us

For questions, requests, or complaints regarding this Privacy Policy or our data practices:

Privacy & Data Requests: hello@notexapp.com
General Support: hello@notexapp.com
Company: Sotalabs Technology JSC, Vietnam
Policy Page: notexapp.com/privacy

EU residents may also contact their national data protection supervisory authority if they believe their rights have not been respected.