Privacy Policy

Last updated: March 31, 2026

The short version: Notewell collects only what is necessary to run the Service. We do not sell your personal data. We do not use your notes or flashcards to train AI models. You can delete your account and all associated data at any time.

1. Who We Are

Notewell (“we,” “us,” or “our”) operates the notewell.io website and related services. If you have questions about this Privacy Policy, contact us at privacy@notewell.io.

2. Information We Collect

Information you provide directly:

  • Account information — name, email address, and profile image (via Google OAuth or email sign-in).
  • Notes and documents you upload or connect via third-party integrations (Notion, Google Drive, OneNote, Evernote).
  • Study responses you submit during review sessions.
  • Communication channel details — phone number (SMS) or Telegram chat ID — if you choose to add those channels.

Information collected automatically:

  • Authentication session tokens, stored as secure HTTP-only cookies.
  • Basic server logs (IP address, browser type, pages visited) for security and debugging.
  • Spaced-repetition metadata — review dates, scores, and intervals — to power the SM-2 scheduling algorithm.

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account and authenticate you.
  • Generate AI-powered flashcards from your notes using Anthropic Claude.
  • Deliver study prompts via your chosen channels (email, SMS, Telegram, or web).
  • Schedule and track spaced-repetition reviews.
  • Grade open-ended answers and provide feedback — entirely server-side.
  • Respond to support inquiries.
  • Detect and prevent fraud, abuse, or security incidents.

4. AI Processing

Notewell uses Anthropic's Claude API to generate flashcard questions from your notes and to evaluate your answers. Your note content is sent to Anthropic's API solely to perform these functions. We do not authorize Anthropic to use your content to train their models, in accordance with their API usage policies. Your answers and flashcard content are never used to train Notewell's own models.

5. Third-Party Integrations

When you connect Notion, Google Drive, OneNote, or Evernote, we obtain OAuth access tokens to read the specific notes you select. These tokens are encrypted at rest using AES-256-GCM. We do not read, modify, or delete content in your third-party accounts beyond what you explicitly authorize during setup.

6. Sharing of Information

We do not sell your personal data. We share information only:

  • With service providers (Neon for database hosting, AWS S3 for file storage, Resend for email, Twilio for SMS, Telegram for messaging) — solely to operate the Service.
  • With Anthropic's Claude API to generate and grade flashcard content.
  • When required by law, court order, or to protect the rights and safety of Notewell or others.
  • In connection with a merger, acquisition, or sale of substantially all assets, provided the acquiring party agrees to honor this Privacy Policy.

7. Data Retention

We retain your account data and User Content for as long as your account is active. Review attempt history is retained to power personalized scheduling. Server logs are retained for up to 90 days. When you delete your account, we permanently delete your personal data and User Content within 30 days, unless we are required by law to retain it longer.

8. Security

We implement industry-standard security measures, including TLS encryption in transit, AES-256-GCM encryption for sensitive tokens at rest, and short-lived authentication sessions. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security, but we take it seriously and will notify you promptly in the event of a breach affecting your data.

9. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. You can:

  • Export your collections and flashcard data from your account settings.
  • Delete individual collections or your entire account from the settings page.
  • Request a copy of all personal data we hold by emailing privacy@notewell.io.
  • Opt out of non-essential communications at any time.

If you are located in the European Economic Area or United Kingdom, you have additional rights under GDPR/UK GDPR, including the right to lodge a complaint with a supervisory authority.

10. Cookies

Notewell uses only functional cookies necessary to operate the Service: a session cookie to keep you logged in and a CSRF token for security. We do not use advertising or tracking cookies.

11. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the Service at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13. Contact Us

For privacy-related questions or requests, contact us at privacy@notewell.io.