Privacy Policy
Effective date: April 1, 2026
Base 2 Notes ("we", "us", "our") operates the base-2-notes.com website and application. This Privacy Policy explains what information we collect, how we use it, and the choices you have.
1. Information We Collect
Account Information
When you register, we collect your email address and a hashed password. We never store your password in plain text. You may optionally upload a profile avatar.
Notes & Content
We store the content you create — notes, kanban boards, mind maps, drawings, calendar events, and associated metadata (titles, tags, folders, links). This data is stored on our servers to provide the service.
Encrypted Notes (Vault)
When you use the encryption vault, your note content is encrypted client-side using XChaCha20-Poly1305 before it leaves your browser. We store only the encrypted blob. We cannot read, decrypt, or recover encrypted note content — this is a zero-knowledge architecture. If you lose your vault password, encrypted notes cannot be recovered.
Activity Data
We log user actions (e.g., creating, editing, or deleting items) to power the dashboard activity heatmap and recent activity feed. Duplicate actions within 5 minutes are throttled.
File Uploads
Uploaded files (images, audio recordings, avatars) are stored on our servers in user-specific directories. Uploaded files are accessible only to the authenticated user who uploaded them.
Spotify Integration
If you connect your Spotify account, we store your Spotify access token and refresh token in your user settings to maintain the connection. We do not store your Spotify password. You can disconnect at any time, which deletes the stored tokens. Music playback data is exchanged directly between your browser and Spotify's servers.
2. How We Use Your Information
- Provide the service — store, sync, and display your notes and content across your devices
- Authentication — verify your identity when you log in
- Two-Factor Authentication — send one-time verification codes to your email when unlocking the encryption vault (once per login session)
- Activity features — power the dashboard heatmap, recent activity, and calendar views
- Theme & settings — remember your preferences (theme, density, editor settings) across sessions
3. Cookies & Sessions
We use a PHP session cookie to keep you logged in. This cookie contains only a session identifier — no personal data. We also store UI preferences (panel widths, folder collapse states) in your browser's localStorage. We do not use third-party tracking cookies or analytics services.
4. Third-Party Services
- Google Fonts — We load fonts from fonts.googleapis.com and fonts.gstatic.com. Google may log font requests per their Privacy Policy.
- Spotify — If you connect Spotify, playback uses the Spotify Web Playback SDK. Spotify's use of your data is governed by the Spotify Privacy Policy.
- Quill.js & Fabric.js — Loaded from CDNs (cdn.jsdelivr.net, cdnjs.cloudflare.com). These are static JavaScript libraries with no data collection.
5. Data Security
- All connections use HTTPS with HSTS enforcement
- Passwords are hashed using PHP's password_hash() (bcrypt)
- CSRF protection on all API endpoints
- Rate limiting on login and registration to prevent brute-force attacks
- File upload validation (type, size) with PHP execution blocked in upload directories
- Content Security Policy (CSP) headers to mitigate XSS
- Encrypted notes use client-side XChaCha20-Poly1305 with Argon2id key derivation
6. Data Retention
Your data is retained as long as your account is active. Deleted notes are soft-deleted (moved to Trash) and can be restored. Permanently deleting a note removes it from the database. If you wish to delete your account and all associated data, contact us at the email below.
7. Your Rights
- Access & Export — You can export any note as HTML, Markdown, PDF, or plain text at any time
- Correction — You can edit your content and profile information at any time
- Deletion — You can delete individual notes, or request full account deletion
- Disconnect — You can disconnect third-party integrations (Spotify) at any time
8. Children's Privacy
Base 2 Notes is not directed at children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the service after changes constitutes acceptance.
10. Contact
If you have questions about this Privacy Policy or your data, contact us at:
support@base-2-notes.com