Privacy Policy
Last updated: 24 June 2026
This Privacy Policy describes how NotesFlowAI ("we", "us", "our") collects, uses, and protects information when you use our mobile application and web services (the "Service").
1. Information We Collect
- Account information: name, email address, mobile number, and authentication identifiers (e.g., Google Sign-In ID).
- Study content: note images you upload, AI-generated summaries, flashcards, quizzes, and chat transcripts.
- Usage data: feature usage counts, daily AI request volumes, streaks, quiz attempts.
- Device and diagnostics: device model, OS version, approximate location derived from IP address, crash reports, and performance traces.
- Payment metadata: subscription plan, billing dates, and payment identifiers returned by Razorpay. We do not store full card numbers or CVV values.
2. How We Use Your Information
- To operate, maintain, and improve the Service.
- To authenticate you and protect your account from abuse.
- To process subscription payments and enforce plan limits.
- To send service notifications, OTP codes, and (with your consent) product updates.
- To generate AI summaries, flashcards, quizzes, and chat responses based on content you upload.
- To monitor errors and crashes via Sentry for the purpose of improving stability.
3. AI Processing and Third-Party Providers
Text extracted from your uploaded images is sent to large-language-model providers (currently OpenAI and, where configured, OpenRouter / NVIDIA NIM) strictly to fulfil the feature you triggered. We do not authorise these providers to train models on your inputs and we route requests through our own server-side gateway so that your raw account identifiers are never exposed to them.
4. Data Storage and Security
All data is stored in Supabase Postgres and Supabase Storage in the AWS Mumbai region, protected by row-level security policies that ensure only you (and explicit folder collaborators you authorise) can read your content. Passwords are hashed by Supabase Auth; we never see them in plaintext. Signed download URLs expire after 10 minutes.
5. Sharing With Third Parties
We do not sell your personal information. We share data only with:
- Supabase — database, authentication, file storage.
- OpenAI / OpenRouter / NVIDIA NIM — AI processing.
- Razorpay — payment processing.
- Sentry — crash and error monitoring.
- Firebase Cloud Messaging — push notification delivery.
- Law-enforcement agencies — only when required by a valid legal order.
6. Your Rights
You may at any time:
- Access or export your uploaded notes from within the app.
- Delete individual notes, folders, or your entire account; deletion removes the underlying files from storage and the associated database rows.
- Request a data export or full erasure by emailing notesflowai@gmail.com; we respond within 30 days.
- Withdraw consent for non-essential push notifications via the in-app Settings screen.
7. Children
NotesFlowAI is intended for users aged 13 and above. If you believe a child under 13 has provided personal information, contact us and we will delete it.
8. Data Retention
We retain your data for as long as your account is active. After account deletion, we purge personal data within 30 days, except where retention is required by law (e.g., tax records for payment receipts).
9. International Transfers
Some processors (OpenAI, Sentry) operate servers outside India. By using the Service you consent to your data being processed in the United States and European Union under standard contractual clauses.
10. Compliance
We process personal data in accordance with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and, where applicable, the EU General Data Protection Regulation (GDPR).
11. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced via in-app notification at least 7 days before they take effect.
12. Contact
For privacy questions, grievances, or to exercise any right above, contact our Grievance Officer at notesflowai@gmail.com.