Privacy Policy
Last updated: June 4, 2026 (version 2026-06-04)
Summary
Fresh Jots is a rich-text note-taking service. This page explains, in plain language, what we collect, why we collect it, who we share it with, and the choices you have. The short version:
- We store your email, a hashed password, your notes, and — if you subscribe — a billing record returned by our payment processor.
- We never see or store your payment card. That lives with Lemon Squeezy.
- You can request a full
.zipexport of every note you've written at any time; we build it in the background and email you a one-time download link valid for 24 hours. You can close your account by emailing us.
1. Who we are
Fresh Jots ("we", "us", "our") is operated by Privately owned, based in North Macedonia, Skopje court. For the purposes of the EU/UK GDPR, we are the data controller for the personal information described below. You can reach us at support@freshjots.com.
2. What we collect and why
We collect only what we need to run the service. Specifically:
| Category | Data | Why | Legal basis (GDPR) |
|---|---|---|---|
| Account | Email address, bcrypt-hashed password | Create and secure your account; send password-reset emails | Contract |
| Profile | Display name, short bio (both optional) | Personalize the UI | Contract |
| Age & consent | Date of birth, timestamp and version of the Terms of Service you accepted at signup | Enforce our minimum age (16) and keep an audit record that you agreed to the Terms | Legal obligation; Contract |
| Notes | Title, filename, rich-text body, and any images embedded in a note | Deliver the core service: store and render the notes you create | Contract |
| Billing | Plan, subscription status, Lemon Squeezy subscription ID, renewal and end dates | Gate paid features, process renewals, honor cancellations | Contract |
| Technical logs | IP address, user agent, request path, timestamps, error traces | Debug the service; rate-limit sign-in, password-reset, and webhook traffic | Legitimate interests |
| Page views (public pages only) | Path you visited, country (resolved from your IP at request time and then discarded), referring site's hostname, and a same-day deduplication hash derived from your IP and user agent. The hash uses a salt that rotates at UTC midnight, so it cannot be linked across days. | Measure how the public marketing site is performing without identifying who visits it. Signed-in users are excluded; clicks and time-on-page are not tracked at all. | Legitimate interests |
We do not collect payment card numbers, CVVs, or bank details. Those are entered directly into Lemon Squeezy's hosted checkout and never reach our servers. We do not run web analytics, fingerprinting, or cross-site tracking on signed-in users beyond what is described above. The page-view counter for public pages is first-party (data never leaves our servers) and cookieless; raw rows are deleted after 90 days, with only aggregate counts retained longer.
3. How we use your data
- Operate the service — sign you in, save your notes, render the editor, serve per-note downloads, and build full-account export archives in the background.
- Communicate with you — password resets, account-confirmation messages, billing notices, and the one-time download link emailed to you when a full-account export is ready. We do not send marketing email.
- Bill and renew — process subscription events from Lemon Squeezy when you subscribe, and restore or revoke paid access accordingly.
- Protect the service — throttle abusive traffic, investigate incidents, and enforce our Terms of Service.
We do not sell your personal information. We do not use your notes to train AI models, and we do not share them
with third parties for their own purposes. That describes what we do with your notes on our own systems:
if you choose to connect a third-party application or AI client to your account — through an API token, the MCP
endpoint at /mcp, or our OAuth connection flow — your
notes are sent to that provider at your direction and are then governed by its privacy policy, not ours (see
“Applications you connect” below). We may derive aggregated, de-identified statistics about Service
usage (for example, total note counts or error rates) from the technical logs described above; these statistics
do not identify you, are never built from the contents of your notes, and are the “Usage Statistics”
referred to in the End-User License Agreement.
4. Who we share data with
We share the minimum data needed with a small number of trusted providers:
- Lemon Squeezy (payment processor and merchant of record). Receives your email and billing details when you check out, and sends us back a subscription ID, plan, status, and renewal dates via a signed webhook. See Lemon Squeezy's privacy policy.
- Our hosting and infrastructure providers. Your data is stored on servers operated by our hosting provider; encrypted backups are kept by the same provider. We configure these providers to process data only on our instructions.
- Email delivery. Transactional messages — password resets, account confirmations, billing notices, and the one-time download link for a full-account export — are delivered through a third-party email provider configured in our environment.
- Law enforcement and legal process. We will disclose information only when compelled by a valid legal request, and we will push back on overbroad requests where appropriate.
Applications you connect. On Dev and Team accounts you can connect third-party applications and AI clients to your account — through an API token, the MCP endpoint, or our OAuth flow. When you do, the notes and account data that application requests are sent to it at your direction. These applications are not our sub-processors: they act for you, under their own terms and privacy policy, and we do not control what they do with the data once it reaches them. Connect only applications you trust, grant them the least access they need, and remember that an AI client may forward your notes to its own model provider. You can cut off a token-based connection at any time by revoking the token on your API tokens page; for an OAuth connection, disconnect it from the application or email us to revoke it.
5. International transfers
Our providers (Lemon Squeezy, hosting and email vendors) may process data outside your country, including in the United States. Where required, we rely on Standard Contractual Clauses or equivalent safeguards published by the European Commission and the UK ICO. Email us for a copy of the current list.
6. Cookies and browser storage
What the browser stores for Fresh Jots is either strictly necessary to keep you signed in and protect against attacks, or functional — remembering UI preferences you have set. We do not run advertising scripts at all and we do not run analytics scripts in your browser. Visitors to our public marketing pages are counted server-side by a first-party, cookieless page-view counter — it sets no cookie, runs no JavaScript on the page, never persists your IP or user agent, and is disabled for signed-in users. See section 2 ("What we collect and why") for the exact fields stored.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
_session |
Essential cookie | Keeps you signed in | Session |
| CSRF token | Essential (meta + cookie) | Prevents cross-site request forgery | Session |
remember_user_token |
Essential (if you choose "remember me") | Keeps you signed in across browser restarts | Up to 2 weeks |
app_theme, app_font, app_font_size |
Functional cookies | Remember your theme, reading font, and text size | ~20 years (permanent) |
Essential and functional cookies are required for the app to work and are set without separate consent. We do not set any advertising or analytics cookies. You can clear cookies from your browser's site storage at any time; essential cookies will be re-issued the next time you sign in.
7. How long we keep your data
- Account and notes — retained for as long as your account exists. Closing your account deletes your user record, all notes (including rich-text bodies and embedded images), and our local subscription link.
- Billing records — local subscription rows are removed with your account. Transaction records required for tax and accounting are retained by our payment processor, Lemon Squeezy, under their own retention schedule (typically seven years).
- Server logs — retained for up to 30 days for debugging and abuse investigation, then rotated out.
- Public-page view counts — individual row data (path, country, referrer hostname, daily-rotating hash) is deleted after 90 days. If we add a longer-retention aggregate (e.g. "visitors per day per page, no per-visitor field") in the future, this section will be updated before that change ships.
- Backups — encrypted backups are retained for up to 30 days and then overwritten. Deletion requests complete in your live database immediately and propagate out of backups within this window.
8. Your rights
Subject to your jurisdiction's laws (including the EU/UK GDPR and the California CCPA), you can:
- Access the personal data we hold about you.
- Correct your name, bio, or email from your profile, or by contacting us.
- Export (data portability) every note you have written as a
.zipcontaining.txt,.docx, and.pdfcopies — from Options, on any account, at any time, even after a subscription ends. - Delete your account and all associated notes yourself from the Cancel my account button on your profile edit page. If you'd rather we process the deletion, email support@freshjots.com from your account's email address. We complete deletions within 30 days.
- Restrict or object to certain processing (for example, our legitimate-interest log processing).
- Complain to your local data-protection authority — in the EU, your national supervisory authority; in the UK, the Information Commissioner's Office (ico.org.uk).
We will not discriminate against you for exercising any of these rights. We respond to verified requests within 30 days.
9. How we protect your data
For a human-readable summary — encryption posture, authentication, dependency scanning, and how to report a vulnerability — see the Security page. The technical specifics enforced by the application include:
- All traffic to and from the app is served over HTTPS.
- Passwords are stored as bcrypt hashes; we never see or store your plaintext password.
- Sensitive parameters — passwords, tokens, card fields, SSNs, note bodies, bios, and dates of birth — are filtered out of server logs.
- A strict Content Security Policy and CSRF protection are enforced on every page.
- Sign-in, password-reset, and webhook endpoints are rate-limited by IP to slow credential-stuffing and abuse.
- Access to production data is limited to a small number of staff on a need-to-know basis.
No system is perfectly secure. If we ever discover a breach that affects your personal data, we will notify you and, where required, the relevant regulator, without undue delay.
10. Children
Fresh Jots is not intended for children under 16 (under 13 in the United States). We do not knowingly collect personal data from children, and the signup form rejects any date of birth that would make the applicant under 16. If you believe a child has created an account, contact us at support@freshjots.com and we will delete the account and any associated data.
11. Automated decision-making
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.
12. Changes to this policy
We may update this policy as the service evolves. The "Last updated" date at the top of this page always reflects the current version. Material changes — for example, a new category of data or a new third-party processor — will be announced by email or an in-app notice before they take effect.
13. Contact
Privacy and data-subject requests:
support@freshjots.com.
General support:
support@freshjots.com.
14. Browser extension
The optional Fresh Jots Quick Note browser extension lets you compose and send plain-text notes to your account from a toolbar popup. It is a separate install — none of what follows applies unless you've added it to your browser.
What the extension collects
Only the data you type into it: the title and body of each note, plus the API token you paste into its settings panel. The extension does not read pages you visit, your browsing history, your bookmarks, or anything else outside its own popup.
Where data is sent
Note text and your API token are sent only to the Base URL you configure in the settings panel (default
https://freshjots.com). The extension makes no network requests
to any other server. There are no analytics, no telemetry, and no third-party trackers — the codebase is small and
auditable.
Where data is stored locally
Your API token and Base URL are stored in chrome.storage.local,
which is sandboxed to the extension and never synced to a Mozilla / Google account. Note content is not retained on
your device — once Send completes, the popup empties and the text is only on Fresh Jots' servers (subject to the rest
of this policy).
Permissions the extension requests
-
storage— to remember your token and base URL between popups. -
https://freshjots.com/*— to send notes to your account. The extension cannot access any other domain.
Revoking access
Open API tokens and revoke the token. The extension stops working immediately — even if it stays installed. Uninstalling the extension also clears the locally stored token and base URL.