Privacy Policy

Effective Date: October 1, 2025
Last Updated: October 1, 2025
Version: 1.0

Table of Contents

1. Introduction
2. Information We Collect
3. How We Use Your Information
4. AI Processing and Data Usage
5. Data Storage and Security
6. Data Sharing and Disclosure
7. Your Rights and Choices
8. Data Retention
9. International Data Transfers
10. Children's Privacy
11. Changes to This Policy
12. Contact Us

1. Introduction

Thoughtmarks ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services (collectively, the "Service").

This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

By using Thoughtmarks, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

We collect information that you voluntarily provide when using our Service:

Account Information

Email address (required for account creation and communication)
Display name (optional, for personalization)
Profile photo (optional)
Password (encrypted and never stored in plain text)

Content You Create

Thoughtmarks (your notes, voice recordings, and captured thoughts)
Tags and labels you assign to your content
Bins and organizational structures you create
Voice recordings (if you use voice capture features)
Search queries within the app

Device and Settings Information

App settings and preferences you configure
Device type, model, and operating system version
Unique device identifiers (for security and fraud prevention)
Language and region preferences

2.2 Information Automatically Collected

Usage Analytics

Feature usage patterns (which features you use and how often)
Session duration and frequency
Navigation paths within the app
Performance metrics (app crashes, load times, errors)

Technical Information

IP address (for security and fraud prevention)
Device information (screen size, device model, OS version)
Network information (carrier, connection type)
Time zone and locale settings

2.3 AI and Machine Learning Data

When you use AI features:

Voice transcriptions (if using voice-to-text features)
AI query inputs (prompts you provide to AI assistants)
AI interaction history (to improve AI responses)
Embedding vectors (mathematical representations of your content for semantic search)

Important: Your AI processing choice (on-device vs. cloud) affects what data leaves your device. See Section 5 for details.

2.4 Information We Do NOT Collect

We do NOT collect:

❌ Biometric data (Face ID/Touch ID authentication happens on-device only)
❌ Contacts or address book
❌ Location data (unless you explicitly enable location-based reminders)
❌ Health data (Apple Watch integration only syncs Thoughtmarks, not health metrics)
❌ Payment information (handled by Apple App Store)

3. How We Use Your Information

3.1 Core Service Operations

We use your information to:

Provide core functionality: Store, organize, and retrieve your Thoughtmarks
Enable synchronization: Sync your data across your devices
Process AI requests: Provide AI-powered features (search, suggestions, transcription)
Maintain security: Authenticate your identity and protect your account
Backup and recovery: Enable data backup and restoration

3.2 Service Improvement

We use anonymized and aggregated data to:

Improve app performance: Identify and fix bugs, crashes, and slow performance
Enhance user experience: Understand which features are most valuable
Develop new features: Inform product development based on usage patterns
Optimize AI models: Improve accuracy and relevance of AI features

Privacy Protection: All analytics data is protected with differential privacy (ε=0.1 Laplace noise) and k-anonymity (k≥5 cohorts). See our Privacy Policy Compliance documentation for technical details.

3.3 Communication

We use your email address to:

Send account notifications: Password resets, security alerts
Deliver service updates: Important changes to our Service
Provide support: Respond to your inquiries and support requests
Send optional updates: New features, tips, and product news (opt-in only)

4. AI Processing and Data Usage

4.1 Processing Modes

You choose how your data is processed for AI features:

🔒 On-Device Processing (Most Private)

Location: AI runs entirely on your device
Privacy: Your data never leaves your device
Speed: Fastest processing (no network latency)
Capabilities: Limited to on-device AI models
Requirements: Modern iPhone/iPad with Neural Engine

🔐 Cloud Encrypted Processing (Balanced)

Location: AI processing on our secure servers
Privacy: Data encrypted in transit and at rest
Speed: Slightly slower (network dependent)
Capabilities: Advanced AI features and larger models
Data retention: Encrypted data cached for 24 hours, then deleted

4.2 AI Training

Your data is NEVER used to train AI models without explicit opt-in.

Default: Your Thoughtmarks and AI queries are not used for training
Opt-in training: You can choose to contribute anonymized data to improve AI (fully optional)
Anonymization: If you opt-in, data is stripped of all identifying information
Control: Opt-out anytime without affecting service quality

For complete details on AI features and data usage, see our AI & Machine Learning Usage Policy.

5. Data Storage and Security

5.1 Storage Locations

On-Device Storage

Local database: Thoughtmarks content, settings, and metadata
Keychain (iOS): Sensitive credentials and encryption keys (hardware-backed)
Secure Enclave (iOS): Biometric authentication data (never leaves device)

Cloud Storage (Optional)

Encrypted backups: Your data encrypted before upload
Cloud sync: Encrypted data synchronized across devices
Server location: EU-based servers (GDPR-compliant infrastructure)

5.2 Security Measures

Encryption

At rest: AES-256 encryption for all stored data
In transit: TLS 1.3 for all network communications
End-to-end: Optional E2EE for cloud-synced data

Access Controls

Multi-factor authentication (optional 2FA)
Biometric authentication (Face ID, Touch ID)
Session management: Auto-logout after inactivity
Device authorization: Control which devices can access your account

Infrastructure Security

Regular security audits: Quarterly penetration testing
Vulnerability scanning: Automated security monitoring
Incident response plan: 24-hour breach notification commitment
Data isolation: Multi-tenant architecture with strict isolation

7. Your Rights and Choices

7.1 Access and Portability

Right to Access: Request a copy of your personal data
Data Export: Download your Thoughtmarks and data in a portable format
Data Portability: Transfer your data to another service

7.2 Correction and Deletion

Right to Correct: Update or correct inaccurate information
Right to Delete: Request deletion of your personal data
Account Deletion: Permanently delete your account and all associated data

Learn about Account Deletion

7.3 Control and Consent

Opt-Out of Marketing: Unsubscribe from promotional emails
Analytics Opt-Out: Disable usage analytics and telemetry
AI Features: Control which AI features can access your data
Withdraw Consent: Revoke previously granted permissions

7.4 GDPR Rights (European Users)

If you are located in the European Economic Area, you have additional rights under GDPR:

Right to restriction of processing
Right to object to processing
Right to lodge a complaint with a supervisory authority
Right not to be subject to automated decision-making

7.5 CCPA Rights (California Users)

If you are a California resident, you have rights under CCPA:

Right to know what personal information we collect
Right to know whether we sell or disclose personal information
Right to say no to the sale of personal information
Right to non-discrimination for exercising your rights

8. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy:

Data Type	Retention Period	Reason
Account Data	While active + 30 days	Service delivery
Content	According to your preferences	User control
Usage Data	12 months, then anonymized	Analytics
Backups	90 days after deletion	Data protection

You can request deletion of your data at any time through the app settings or by contacting us.

9. International Data Transfers

Thoughtmarks operates globally. Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:

Standard Contractual Clauses for EU data transfers
Adequate protection mechanisms as required by law
Encryption of data in transit and at rest
Compliance with local data protection requirements

10. Children's Privacy

Thoughtmarks is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will delete the information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

Posting the new Privacy Policy in the app
Sending you an email notification
Displaying a prominent notice in the app

Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Email: [email protected]
Data Protection Officer: [email protected]
GDPR Inquiries: [email protected]
CCPA Inquiries: [email protected]
General Support: [email protected]