Privacy Policy

Last updated: May 18, 2026

1. Introduction

Altitude Information Systems LLC ("we", "our", or "us") operates ExpandNote, an AI-powered note-taking application. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web platform (collectively, the "Service").

2. Information We Collect

Account Information

When you create an account, we collect your email address and authentication credentials. We use Supabase Auth for secure authentication.

Note Content

We store the notes you create, including titles, content, tags, and associated metadata (timestamps, favorite/archive/lock status). Your notes are stored in our Supabase database with row-level security (RLS) ensuring only you can access your data.

AI Processing Data

When you use AI Profiles, ExpandNote may send note title, note content, selected tags, AI Profile prompts, model/provider settings, and related metadata to the AI provider you configure (OpenAI, Anthropic, or OpenRouter) using your own API keys. OpenRouter may route requests to downstream model providers selected through OpenRouter. We do not store or log the content sent to these providers. Your API keys are encrypted at rest.

Voice Input Data

When you use voice input, your audio recording is sent to OpenAI's Whisper API for transcription using your API key. We do not store audio recordings after transcription is complete.

Email-to-Note Data

When you use the email-to-note feature, incoming emails are processed to extract the subject (note title), body (note content), and any attachments (PDF, Word documents). Email content is converted to notes and the original email data is not retained after processing. If you enable automatic AI Profiles and have granted AI data sharing consent, email-created note content can be sent to your selected AI provider for the configured automation.

AI Data Sharing Consent

ExpandNote asks for explicit in-app consent before sending note data, prompts, tags, model/provider settings, email-created note content, or audio recordings to third-party AI providers. If you decline or revoke consent, AI Profiles, automatic AI actions, and voice transcription are disabled until you consent again. Normal note creation, editing, tagging, sync, and account features remain available.

Usage Data

We collect error reports and performance data through Sentry to improve app stability. This includes device type, operating system version, and crash reports. We do not collect your note content in error reports.

3. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To sync your notes across devices using PowerSync
  • To process AI Profile executions using your configured AI providers
  • To transcribe voice input using OpenAI Whisper
  • To convert incoming emails to notes and, only with AI data sharing consent, run automatic AI Profiles on those notes
  • To send you service-related communications
  • To monitor and fix errors and performance issues

4. Data Storage and Security

Your data is stored on Supabase infrastructure with row-level security (RLS) policies ensuring data isolation between users. Notes are synced using PowerSync with offline-first architecture, meaning your data is stored locally on your device and synced to our servers when connected.

We implement industry-standard security measures including encryption in transit (TLS), encrypted API key storage, and secure authentication flows. However, no method of electronic storage is 100% secure, and we cannot guarantee absolute security.

5. Third-Party Services

We use the following third-party services:

  • Supabase — Database, authentication, and backend infrastructure
  • PowerSync — Real-time data synchronization
  • Vercel — Web application hosting
  • Sentry — Error monitoring and performance tracking
  • Resend — Email delivery for email-to-note and notifications
  • OpenAI, Anthropic, OpenRouter — AI processing, voice transcription, and AI Profile automation only after you grant in-app AI data sharing consent and use or configure those features. OpenRouter may route requests to downstream model providers selected through OpenRouter.

We require third-party service providers to protect personal data using appropriate security and confidentiality measures. AI provider processing is also governed by the provider terms and privacy commitments connected to the API key and provider account you configure.

6. Data Retention

We retain your notes and account data for as long as your account is active. Deleted notes are moved to trash and permanently removed after 30 days. Note version history is retained to enable version restoration.

If you delete your account from Settings or from the account deletion page, your ExpandNote account and associated notes, tags, AI Profiles, settings, encrypted API keys, email-to-note data, and account metadata are deleted. Some operational logs or backups may persist briefly for security, fraud prevention, or legal compliance before routine deletion.

7. Your Rights

You have the right to:

  • Access your personal data
  • Export your notes
  • Grant or revoke AI data sharing consent from Settings
  • Delete your account and associated data from Settings or the account deletion page
  • Opt out of non-essential data collection

8. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

10. Contact Us

If you have questions about this Privacy Policy, please contact us at support@expandnote.app or visit our Contact page.