← Back to vim-notes

Privacy Policy

Last Updated: November 13, 2025

1. Introduction

vim-notes ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application.

We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data We Collect

2.1 Account Information

  • GitHub user ID (when you sign in with GitHub OAuth)
  • Email address (from your GitHub account)
  • GitHub username and avatar (public profile information)

2.2 User Content

  • Notes (title, content, metadata) you create
  • Shared notes and their expiration settings
  • Storage preferences (localStorage, Supabase, GitHub Gist)

2.3 Technical Data

  • IP address (for rate limiting and security)
  • Browser type and version
  • Device information (mobile, desktop)
  • Session cookies (for authentication)
  • Error logs and performance metrics (via Sentry and Vercel Analytics)

3. How We Use Your Data

We use your data for the following purposes:

  • Service Provision: Store and sync your notes across devices
  • Authentication: Verify your identity via GitHub OAuth
  • Security: Rate limiting, fraud prevention, abuse detection
  • Analytics: Improve performance and user experience (anonymized)
  • Legal Compliance: Respond to legal requests and enforce our terms

4. Email Communications

4.1 Opt-In Process

We only send email notifications if you explicitly opt-in. Email notifications are disabled by default.

  • Visit /app/notifications to enable email notifications
  • Click the checkbox to opt-in to product updates
  • Your preference is stored in your account settings

4.2 What We Send

If you opt-in, we may send:

  • New Feature Announcements: When major features are released
  • Version Releases: Notifications for significant updates (v0.5.0, v1.0.0, etc.)
  • Security Updates: Critical security patches or important changes
  • Product Updates: Occasional product news and improvements

Frequency: Approximately 1-2 emails per month. We respect your inbox and never spam.

4.3 Opt-Out Process

You can opt-out at any time:

  • In-app: Visit /app/notifications and uncheck the email notifications option
  • Email Links: Click the "Unsubscribe" link at the bottom of any email
  • Instant Effect: Opt-out is effective immediately

4.4 Email Service Provider

We use OneSignal to send email notifications. OneSignal processes your email address only when you opt-in.

  • Your email is shared with OneSignal only if you enable notifications
  • OneSignal privacy policy: https://onesignal.com/privacy_policy
  • We never sell or share your email with third parties for marketing
  • All emails are sent from our verified domain

4.5 GDPR Compliance

Our email notifications comply with GDPR requirements:

  • Explicit Consent: Opt-in required (GDPR Article 6)
  • Right to Withdraw: Easy opt-out at any time (GDPR Article 7)
  • Data Minimization: Only email and user ID shared with OneSignal
  • Transparency: Clear disclosure of data processing
  • Data Portability: Email preference included in data export

5. Data Storage and Security

5.1 Storage Options

You control where your notes are stored:

  • localStorage: Stored locally in your browser (we cannot access this data)
  • Supabase: Stored in our PostgreSQL database with Row Level Security (RLS)
  • GitHub Gist: Stored in your personal GitHub account (you own the data)

5.2 Security Measures

  • All data transmitted over HTTPS (TLS 1.3)
  • Database protected with Row Level Security (RLS) policies
  • Passwords never stored (GitHub OAuth handles authentication)
  • Rate limiting to prevent abuse
  • Input validation to prevent XSS and SQL injection
  • Security headers (CSP, HSTS, X-Frame-Options, etc.)

6. Third-Party Services

We use the following third-party services:

  • Supabase: Database and authentication (US/EU servers)
  • GitHub: OAuth authentication and Gist storage
  • Vercel: Hosting and analytics (privacy-friendly)
  • Sentry: Error tracking (anonymized, no PII)
  • OneSignal: Email notifications (opt-in only, see Section 4)
  • Google Fonts: Typography (no tracking cookies)

Each service has its own privacy policy. We recommend reviewing them:

7. Your Rights Under GDPR

As a user in the EU/EEA, you have the following rights:

  • Right to Access (Article 15): Request a copy of your data
  • Right to Rectification (Article 16): Correct inaccurate data
  • Right to Erasure (Article 17): Delete your account and all data
  • Right to Data Portability (Article 20): Export your data in a machine-readable format (ZIP)
  • Right to Object (Article 21): Object to processing of your data
  • Right to Restriction (Article 18): Restrict processing of your data

How to Exercise Your Rights

You can exercise these rights directly in the app:

  • Export Data: Settings → Data & Privacy → Export Data (ZIP)
  • Delete Account: Settings → Data & Privacy → Delete Account
  • Other Requests: Contact us at privacy@vim-notes.example.com

8. Data Retention

We retain your data for the following periods:

  • Notes: Until you delete them or your account
  • Shared Notes: Until expiration date or manual deletion
  • Account Data: Until you delete your account
  • Error Logs: 30 days (Sentry retention policy)
  • Analytics Data: 90 days (aggregated, anonymized)

When you delete your account, all data is permanently removed within 24 hours.

9. Cookies

We use the following cookies:

  • Essential Cookies: Authentication session (sb-access-token, sb-refresh-token) - Required
  • Preferences: Onboarding state, storage preferences - Functional
  • Analytics: Vercel Analytics (anonymized, no tracking) - Optional

You can control cookie preferences in your browser settings.

10. Children's Privacy

vim-notes is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting the new policy on this page
  • Updating the "Last Updated" date
  • Showing an in-app notification (for major changes)

Continued use of vim-notes after changes constitutes acceptance of the new policy.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your rights, contact us:

Email: privacy@vim-notes.example.com

Data Protection Officer: (if applicable)

Response Time: We aim to respond within 30 days (GDPR requirement)

12. Supervisory Authority

If you are in the EU/EEA and believe we are not complying with GDPR, you have the right to lodge a complaint with your local data protection authority.

This privacy policy is effective as of November 9, 2025 and applies to vim-notes v0.5.0 and later.

Back to vim-notes