Privacy Policy
Cimanote | cimanote.com
Last updated: 2026-04-17
Introduction
Cimanote is a web-based note-taking application operated by Broderick LLC, a South Dakota limited liability company doing business as Cimanote ("we," "us," or "our"). This Privacy Policy explains what personal information we collect when you use Cimanote, why we collect it, how we use and protect it, and what choices you have over your data.
We aim to be straightforward and transparent. If something in this document is unclear, please contact us through our contact form.
By using Cimanote (including cimanote.com, app.cimanote.com, and the Cimanote Chrome extension), you agree to the practices described in this policy. If you do not agree, please do not use the service.
1. Who We Are
Cimanote is built and operated by Broderick LLC, a South Dakota limited liability company. For privacy-related inquiries, contact us through our contact form.
2. Information We Collect
2.1 Account Information (via Google Sign-In)
Cimanote uses Google OAuth as its only authentication method. We do not offer username/password registration. When you sign in with Google, we receive the following from your Google account:
- Your email address
- Your display name
- Your profile photo URL
We use this information solely to create and identify your Cimanote account.
2.2 Content You Create
When you use Cimanote, we store the content you create on our servers, including:
- Notes - the text content of your notes, stored as structured JSON
- Notebooks - organisational groupings you create
- Tags - labels you apply to notes
- Attachments - files you upload, such as images, PDFs, and other documents (up to 25 MB per file)
This content belongs to you. We store it so the service works as intended.
2.3 AI-Processed Content (Knowledge Engine)
If you use Cimanote Pro, the Knowledge Engine feature processes the content of your notes to generate entity pages, cross-notebook synthesis, and knowledge summaries. This processing is performed by a third-party large language model (LLM) provider on a per-request basis. Your note content is sent to the LLM provider solely to generate your personal knowledge pages and is not retained by the provider for training or any other purpose. You can opt out of Knowledge Engine processing on a per-notebook or per-note basis in your settings.
2.4 Usage and Technical Metadata
We collect certain technical information to keep the service running and to improve it:
- Timestamps (when notes are created, modified, or synced)
- Sync event logs
- Subscription status (Free or Pro tier)
- Referral codes and referral relationships (if you use our referral program)
- In-app notification history
2.5 Payment Information
If you subscribe to Cimanote Pro, payments are processed by Stripe. We do not store your full payment card details. Stripe provides us with a payment confirmation, your subscription status, and billing timestamps. See Section 4 for more on Stripe.
2.6 Web Clipper (Chrome Extension)
The Cimanote Chrome extension allows you to save content from web pages directly to your account. When you clip a page, the extension sends the following to Cimanote:
- The page URL
- The page title
- The clip timestamp
- The page content (full page, article extract, or your selected text, depending on your chosen clip mode)
This data is stored in your Cimanote account alongside your other notes. You are responsible for ensuring you have the right to save and store third-party content. We do not verify the copyright status of clipped material.
2.7 Analytics Data
We use Google Analytics 4 (GA4) with Consent Mode v2 to understand how visitors use our marketing website (cimanote.com) and our web application (app.cimanote.com). Analytics data collection is subject to your cookie consent preferences:
- If you accept analytics cookies, GA4 collects anonymised usage data including page views, session duration, and general interaction patterns.
- If you decline analytics cookies, no analytics data is collected.
- GA4 does not have access to the content of your notes.
2.8 Error and Diagnostic Data
We use Sentry to monitor application errors. Sentry may collect anonymised stack traces, error messages, and associated user identifiers (such as your internal user ID) when the application encounters a problem. This data is used only to diagnose and fix bugs. Sentry session replays are configured with all text masked and all media blocked, so the content of your notes is never captured in error reports.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Cimanote service (storing and syncing your notes) | Performance of a contract |
| Authenticating your identity via Google OAuth | Performance of a contract |
| Processing Pro subscription payments | Performance of a contract |
| Generating Knowledge Engine pages from your notes (Pro) | Performance of a contract |
| Diagnosing errors and improving reliability | Legitimate interest |
| Analysing website usage via Google Analytics (with consent) | Consent |
| Communicating service updates, security notices | Legitimate interest / contract |
| Administering the referral program | Legitimate interest |
| Complying with legal obligations | Legal obligation |
We do not:
- Sell your personal data or note content to any third party
- Use your note content to train AI or machine learning models
- Display advertising of any kind
- Share your data with third parties except as described in Section 4
4. Third-Party Services and Data Processors
To operate Cimanote, we rely on the following third-party service providers. Each processes data only as necessary to provide their respective service to us. We maintain data processing agreements with our key sub-processors as required by applicable data protection law.
4.1 Supabase
Role: Database, file storage, and authentication relay.
Data processed: All user data, including account information, note content, and attachments.
Server location: United States.
More info: supabase.com/privacy
4.2 Stripe
Role: Payment processing for Cimanote Pro subscriptions.
Data processed: Billing information, payment confirmation, subscription status. Stripe retains billing records as required by law (typically 7 years).
More info: stripe.com/privacy
4.3 Vercel
Role: Frontend hosting and content delivery network (CDN).
Data processed: Web request logs (IP addresses, browser information) as part of standard CDN operation.
Server location: United States (primary).
More info: vercel.com/legal/privacy-policy
4.4 Fly.io
Role: Real-time collaboration server hosting.
Data processed: Note content during active real-time collaboration sessions. Data is processed in memory during the session and is not persistently stored by Fly.io.
Server location: United States.
More info: fly.io/legal/privacy-policy
4.5 Resend
Role: Transactional email delivery.
Data processed: Name and email address submitted via the contact form or waitlist on cimanote.com. This data is used solely to deliver emails and is not stored by us beyond what Resend retains as part of its email delivery logs.
Server location: United States.
More info: resend.com/privacy
4.6 Google Analytics
Role: Website and application analytics.
Data processed: Anonymised usage data (page views, session duration, interaction events) collected only when the user has granted analytics consent via the cookie banner. GA4 does not have access to note content.
More info: policies.google.com/privacy
4.7 Sentry
Role: Application error monitoring.
Data processed: Anonymised error reports, stack traces, and user identifiers. Session replays have all text masked and all media blocked.
More info: sentry.io/privacy
4.8 Google OAuth
Role: Identity provider (sign-in only).
Data processed: Google manages your Google account credentials. We receive only your email, display name, and profile photo URL.
More info: policies.google.com/privacy
We require all third-party processors to maintain appropriate security standards and to process data only for the purposes we specify.
5. Data Storage and Security
All Cimanote data is stored in the United States on infrastructure provided by Supabase, Vercel, and Fly.io. If you are located outside the United States, your data will be transferred to and processed in the United States. By using Cimanote, you consent to this transfer.
We take reasonable technical and organisational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Encryption at rest for stored data
- Database-level access controls via Supabase Row Level Security
- Authentication handled through Google OAuth - we never store your password
- Rate limiting on API endpoints
- Input validation on all user-submitted data
No system is completely secure. If you believe your account has been compromised, please contact us immediately through our contact form.
6. Cookies
Cimanote uses a minimal number of cookies:
- Session cookies - set by Supabase to maintain your authenticated session. These are necessary for the service to function. They expire when you sign out or your session ends.
- Analytics cookies - Google Analytics 4 cookies, set only after you grant consent via the cookie banner on your first visit. These help us understand how the service is used. You can decline analytics cookies and still use Cimanote fully.
- Sentry error-tracking cookies - Sentry may set session-scoped cookies to help trace and diagnose application errors.
We do not use advertising cookies, third-party tracking cookies, or any cookies for behavioural profiling.
You can control cookies through your browser settings, but disabling session cookies will prevent you from signing in to Cimanote.
7. Data Retention
| Data type | Retention period |
|---|---|
| Notes, notebooks, tags, attachments | Retained until you delete them or close your account |
| Account information | Retained until account deletion |
| Usage metadata and sync logs | Retained until account deletion |
| Referral and notification records | Retained until account deletion |
| Knowledge Engine generated pages | Retained until you delete them or close your account |
| Stripe billing records | Retained as required by applicable law (typically 7 years) |
| Sentry error logs | Subject to Sentry's retention policy (typically 90 days) |
| Google Analytics data | Subject to Google's retention settings (configured to 14 months) |
On account deletion: Your notes and personal data are deleted within 30 days of your request. Encrypted database backups are purged within 90 days. Stripe billing records are retained separately in accordance with financial regulations.
8. Your Rights and Choices
8.1 All Users
Regardless of where you live, you can:
- Access your data - sign in to Cimanote to view all your notes, notebooks, tags, and account information.
- Export your data - export your notes in Markdown or HTML format from within the app, individually or as ZIP archives.
- Delete individual notes - delete any note or attachment at any time from within the app.
- Delete your account - request full account deletion through our contact form. We will process your request within 30 days.
8.2 GDPR Rights (EEA and UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or the UK GDPR:
- Right of access - request a copy of the personal data we hold about you.
- Right to rectification - request correction of inaccurate personal data.
- Right to erasure - request deletion of your personal data ("right to be forgotten").
- Right to data portability - receive your data in a structured, machine-readable format.
- Right to object - object to processing based on legitimate interests.
- Right to restriction - request that we restrict processing of your data in certain circumstances.
- Right to withdraw consent - where processing is based on consent (such as analytics cookies), withdraw that consent at any time.
To exercise any of these rights, contact us through our contact form. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
Note on legal basis: Our primary legal basis for processing your data is the performance of the contract between you and Cimanote (i.e., providing the service). Where we rely on legitimate interests, we have balanced them against your privacy rights.
Data controller: Broderick LLC, doing business as Cimanote, contactable through our contact form.
8.3 CCPA Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know - request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, and the business purpose for collecting it.
- Right to delete - request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct - request correction of inaccurate personal information.
- Right to opt out of sale or sharing - we do not sell or share your personal information for cross-context behavioural advertising. There is nothing to opt out of.
- Right to non-discrimination - we will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us through our contact form. We will respond within 45 days.
Categories of personal information collected: identifiers (name, email, user ID); internet/network activity (sync logs, error logs); commercial information (subscription status, billing records); and content you create (notes, attachments).
We do not sell personal information. We do not share personal information with third parties for cross-context behavioural advertising.
9. Children's Privacy
Cimanote is not intended for children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has created a Cimanote account, please contact us through our contact form and we will delete the account promptly.
10. Links to Other Websites
Cimanote may display links to external websites (for example, in clipped content). We are not responsible for the privacy practices of those websites. This Privacy Policy applies only to Cimanote.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this document and, where the changes are material, notify you by email or via an in-app notice. Continued use of Cimanote after changes are posted constitutes your acceptance of the revised policy.
12. Governing Law
This Privacy Policy will be governed by the laws of the State of South Dakota. Any action related to or arising out of this policy will be subject to the exclusive jurisdiction of the state or federal courts located in South Dakota.
13. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Broderick LLC (d/b/a Cimanote)
Website: cimanote.com/contact
We aim to respond to all privacy enquiries within 30 days.