Privacy Policy

Last Updated: October 19, 2025

1. Introduction

Cirth Notes ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our note-taking application and services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (stored only as a bcrypt hash; we never keep the password itself - see Section 4.2)
  • Username

2.2 Content Data

We store the content you create in Cirth Notes, including:

  • Notes, titles, and summaries
  • Study guides and flashcards
  • Quizzes and questions
  • Tags and collections
  • File attachments and images

2.3 Usage Information

We automatically collect certain information about your use of the Service:

  • Log data (IP address, browser type, access times)
  • Device information
  • Feature usage patterns

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve our services
  • Process and store your notes and content
  • Generate AI-powered features (titles, tags, summaries, quizzes, flashcards)
  • Authenticate your account and ensure security
  • Communicate with you about service updates
  • Analyze usage patterns to improve user experience
  • Detect and prevent fraud or abuse

4. Data Storage and Security

4.1 Encryption Architecture

Cirth Notes uses a 4-tier envelope encryption system to protect your data. Each tier wraps (encrypts) the keys of the tier below it:

  • Tier 1: Server Key Encryption Key (SERVER_KEK) - Stored as an environment variable; used only to wrap the master keys of OAuth users
  • Tier 2: User Master Key - Unique per user, derived from your password (password users) or randomly generated (OAuth users); it wraps your item DEKs, so it acts as a key-encryption key rather than encrypting content directly
  • Tier 3: Item DEKs - Individual data encryption keys, one per field of your data, each stored only in wrapped form under your master key
  • Tier 4: Encrypted Data - Your actual content, encrypted with its item DEK using Fernet (AES-128-CBC with an HMAC-SHA256 tag)

4.2 Encryption Algorithms

We use standard, widely reviewed cryptographic primitives:

  • Password Authentication: bcrypt for password hashing, used only to verify logins and kept separate from the key derivation below
  • Key Derivation: Argon2id (the OWASP-recommended password KDF) with a 64 MB memory cost, used to derive your master key from your password
  • Data Encryption: Fernet, an authenticated encrypt-then-MAC scheme: AES-128-CBC for confidentiality with an HMAC-SHA256 tag checked before decryption. Fernet does not use AES-256-GCM; GCM is already an authenticated mode, which is why Fernet pairs CBC with a separate HMAC instead.
  • Transport Security: HTTPS/TLS 1.2+ for all data transmission

4.3 Authentication Methods and Encryption

Password Users (Zero-Knowledge Encryption at rest):

  • Your master key is derived from your password using Argon2id
  • We NEVER store your master key in our database
  • Your key is re-derived from your password each time you log in
  • The server cannot decrypt your data without your password, except during an active session (see below)
  • Important: If you lose your password, your data cannot be recovered - there is no server-side copy of the key to fall back on
  • During active sessions (24 hours), your derived key is cached in Redis for performance. For that window the server holds the key and can decrypt your data; "zero-knowledge" therefore describes your data at rest between sessions, not the server's capabilities while you are logged in

OAuth/Google Sign-In Users (Non-Zero-Knowledge Encryption):

  • Your encryption key is randomly generated and encrypted with our SERVER_KEK
  • Your encrypted key is stored in our database
  • The server can decrypt your data using the SERVER_KEK (stored in environment variables)
  • Because no password is needed to unwrap the key, account recovery and seamless multi-device access are possible
  • Your data is still encrypted at rest and in transit, but is not zero-knowledge
  • During active sessions (24 hours), your encryption key is temporarily cached in Redis for performance

4.4 Session Management

When you log in, your encryption key is cached in Redis with a 24-hour expiration:

  • Sessions expire after 24 hours of inactivity
  • After session expiration, you must log in again to access your data
  • Logging out immediately invalidates your session and deletes cached keys
  • Each session has a unique identifier carried in your JWT; the cached key in Redis is looked up by that identifier

4.5 Per-Field Encryption

Every field in your data (content, summaries, quiz questions, flashcard text, etc.) is encrypted with its own unique item key, which is itself stored wrapped under your master key. Titles, tags and timestamps are kept as unencrypted metadata (see Section 7). This provides:

  • Key rotation on every write - updating a field generates a fresh item key, so an old item key that leaked does not decrypt the new version (this is per-field key rotation, not forward secrecy in the protocol sense)
  • Granular security - an item key compromised on its own exposes only that field; note that all item keys are wrapped under your master key, so a compromised master key still exposes every field
  • Selective decryption - we unwrap only the item keys for the fields you request
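The key hierarchy of 4.1 and the per-field rotation of 4.5, as an added worked example that is not Cirth Notes' own code. It uses two standard-library stand-ins so it runs without extra packages: hashlib.scrypt in place of Argon2id (argon2-cffi's hash_secret_raw is the drop-in), and a small HMAC-SHA256 encrypt-then-MAC AEAD in place of Fernet. The record layout (EncryptedStore), the field names, the passwords and the sample note text are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo of the policy's 4-tier envelope scheme, not Cirth Notes' code.
# Stand-ins so it runs on the standard library alone: hashlib.scrypt replaces
# Argon2id (argon2-cffi's hash_secret_raw would be the drop-in), and a small
# encrypt-then-MAC AEAD built from HMAC-SHA256 replaces Fernet.


def kdf_master_key(password: bytes, salt: bytes) -> bytes:
    """Tier 2, password users: derive the user master key from the password.
    The server would store only the salt; the key itself is never written down."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


def _subkeys(key: bytes):
    # Independent encryption and MAC keys, as Fernet does with its two key halves.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC used as a PRF (demo stand-in for AES).
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for Fernet.encrypt: returns nonce || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, token: bytes) -> bytes:
    """Stand-in for Fernet.decrypt: verify the tag before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("decryption failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class EncryptedStore:
    """What the database holds per field: a wrapped item DEK and ciphertext.
    The master key is never stored here."""

    def __init__(self):
        self.fields = {}

    def put_field(self, master_key: bytes, name: str, value: bytes) -> None:
        item_dek = secrets.token_bytes(32)  # Tier 3: a fresh key on every write
        self.fields[name] = {
            "wrapped_dek": aead_encrypt(master_key, item_dek),  # Tier 2 wraps Tier 3
            "ciphertext": aead_encrypt(item_dek, value),        # Tier 4
        }

    def get_field(self, master_key: bytes, name: str) -> bytes:
        rec = self.fields[name]
        item_dek = aead_decrypt(master_key, rec["wrapped_dek"])  # unwrap only this field's key
        return aead_decrypt(item_dek, rec["ciphertext"])


def password_user_demo():
    """Zero-knowledge path: the master key exists only while re-derived from the password."""
    store, salt = EncryptedStore(), os.urandom(16)
    master = kdf_master_key(b"correct horse battery staple", salt)
    store.put_field(master, "content", b"lecture 3: envelope encryption")
    first_wrapped = store.fields["content"]["wrapped_dek"]
    store.put_field(master, "content", b"lecture 3: envelope encryption (revised)")
    rotated = store.fields["content"]["wrapped_dek"] != first_wrapped  # new item DEK on update
    try:
        store.get_field(kdf_master_key(b"wrong password", salt), "content")
        wrong_password_rejected = False
    except ValueError:
        wrong_password_rejected = True
    return store.get_field(master, "content"), rotated, wrong_password_rejected


def oauth_user_demo() -> bytes:
    """Non-zero-knowledge path: the master key is wrapped under SERVER_KEK and stored."""
    server_kek = secrets.token_bytes(32)  # Tier 1; the policy keeps it in an environment variable
    store, master = EncryptedStore(), secrets.token_bytes(32)
    wrapped_master = aead_encrypt(server_kek, master)  # this row lives in the database
    store.put_field(master, "summary", b"three tiers of keys, one of data")
    del master
    # Any server process holding SERVER_KEK recovers the master key with no user involvement.
    recovered = aead_decrypt(server_kek, wrapped_master)
    return store.get_field(recovered, "summary")
```

password_user_demo() returns the decrypted latest value, whether the wrapped item key changed on update, and whether a wrong password was rejected by the tag check; oauth_user_demo() shows the server recovering the master key from SERVER_KEK alone. The difference Section 7 describes is visible in what persists: for the password user only the salt and wrapped item keys, for the OAuth user additionally a wrapped master key that SERVER_KEK can open at any time.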

4.6 Data Location

Your encrypted data is stored on secure cloud servers. We use trusted third-party hosting providers that comply with industry security standards (SOC 2, ISO 27001).

5. AI Processing

When you use AI-powered features (title generation, summaries, quizzes, flashcards), your note content may be processed by third-party AI services. We:

  • Send only the note content needed for the requested feature
  • Do not send your account information (email, name, user ID) to AI providers; any personal details you wrote into a note are part of its content and are sent with it
  • Use AI providers that respect data privacy
  • Do not use your content to train AI models (unless you opt-in)

6. Sharing and Public Features

6.1 Share Links - Anonymous by Design

When you create a share link, the content becomes accessible to anyone who has the link, including anyone it is forwarded to, until the link expires or you revoke it. Shared links are completely anonymous - recipients cannot see who created the share.

What recipients CAN see:

  • The shared content (note, quiz, flashcards, or study guide)
  • Title, summary, and tags of the shared item
  • The original creation date of the item

What recipients CANNOT see:

  • Your name, email, or profile information
  • Your user ID or any identifying information
  • When the share link was created
  • How many times the link has been viewed
  • Your other notes or content not included in the share
  • Any "Shared by..." attribution

6.2 How Shared Content is Stored

When you create a share link, the content is decrypted and a plaintext copy is stored in our database for as long as the link is live. This is intentional and necessary because:

  • Shared content is readable by anyone with the link, so encryption would not add privacy for it
  • This allows both password users (zero-knowledge) and OAuth users to share content
  • Recipients can view shared content without requiring any encryption keys
  • You control what you share - only content you explicitly choose to share is decrypted

For password users this is the one case in which a decrypted copy of your content exists on the server after your session ends. The copy is deleted when the share expires or you revoke it (see 6.3).

6.3 Share Link Expiration

You can set expiration times for share links:

  • 1 hour, 24 hours, 1 month, 1 year, or never (permanent)
  • Default expiration is 24 hours (recommended for privacy)
  • Expired shares are automatically deleted from our database
  • You can revoke share links at any time before expiration

6.4 Share Analytics (Creator Only)

As the creator of a share link, you can see analytics about your shares:

  • Number of views (how many times the link was accessed)
  • Number of saves (how many users added it to their collection)
  • Last viewed timestamp

These analytics are only visible to you and are never shared with recipients or other users.

6.5 Third-Party Sharing

We do not sell, trade, or rent your personal information to third parties. We may share information only in these cases:

  • With your explicit consent
  • To comply with legal obligations
  • To protect our rights and prevent abuse
  • With service providers who help us operate (under strict confidentiality agreements)

7. Server Data Access and Capabilities

7.1 Password Users (Zero-Knowledge)

What the server can access:

  • Your email and bcrypt password hash (for authentication only)
  • Encrypted data and wrapped item keys (cannot be decrypted without the master key derived from your password)
  • Unencrypted metadata (titles, tags, timestamps)
  • During active sessions (24 hours): Temporary access to decrypt/encrypt your data
  • Shared content you explicitly choose to share (stored decrypted)

What the server CANNOT access:

  • Your password or encryption key (we never store these)
  • The plaintext of your content once your session expires (24 hours) and the cached key has been deleted from Redis
  • Your data if you lose your password (true zero-knowledge = no recovery possible)

7.2 OAuth/Google Users (Non-Zero-Knowledge)

What the server can access:

  • Your email, name, and profile picture from Google
  • Your encrypted encryption key (can decrypt using SERVER_KEK)
  • All your encrypted data (can be decrypted at any time)
  • Unencrypted metadata (titles, tags, timestamps)
  • Shared content you explicitly choose to share

Important: By using Google Sign-In, you acknowledge that your data is not zero-knowledge. The server has the technical capability to decrypt your data using the SERVER_KEK. However, we commit to only decrypting your data when necessary to provide the Service to you (e.g., when you request it through the application).

7.3 Google OAuth Data Collection

When you sign in with Google, we receive:

  • Your Google ID (used to identify your account)
  • Your email address
  • Your name and profile picture

We do not have access to your Google password or any other Google account data. We only use the information necessary to create and maintain your Cirth Notes account.

8. Your Rights and Choices

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update or correct your information
  • Deletion: Request deletion of your account and data
  • Export: Download your notes and content
  • Opt-out: Disable certain features or communications

Note for Password Users: Account deletion is permanent and irreversible. Without your password, we cannot decrypt your data to export it. Please export your data before deleting your account.

9. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will delete your personal information and content within 30 days, except:

  • Data required for legal compliance
  • Anonymized usage statistics
  • Backup copies (automatically deleted within 90 days)
  • Active share links (deleted when they expire or are revoked)

Session data (encryption keys cached in Redis) is automatically deleted after 24 hours or upon logout.

10. Cookies and Tracking

We use essential cookies and similar technologies to:

  • Keep you logged in (a JWT stored in browser local storage rather than in a cookie)
  • Remember your preferences (theme, font size)
  • Maintain your session for 24 hours
  • Analyze service usage (anonymized)

You can disable cookies in your browser settings, but this may affect functionality.

11. Children's Privacy

Cirth Notes is not intended for users under 13 years of age. We do not knowingly collect information from children under 13. If you believe we have collected such information, please contact us immediately.

12. International Users

If you are accessing Cirth Notes from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. By using the Service, you consent to this transfer.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us through the application support channels.

15. Alpha Version Notice

As Cirth Notes is currently in alpha testing, our privacy practices may evolve as we develop new features. We will update this policy to reflect any significant changes to how we handle your data.