Privacy Policy

Effective date: April 11, 2026  ·  Hidden Noxen · Cayman Islands

The short version: we collect the minimum data needed to run the service. We cannot read your notes. We do not sell your data. We do not show you ads. Ever.

1. Who We Are

Dim Notes is a product of Hidden Noxen, a company registered in the Cayman Islands. When this policy says "we", "us", or "our", it means Hidden Noxen.

For privacy-related enquiries, contact us at: privacy@dimnotes.com

2. What Data We Collect

We collect only what is necessary to operate the service.

Account data

  • Your email address and display name — provided when you create an account
  • Authentication method (password, Google, Apple, or Microsoft OAuth)
  • Your unlock method preference (TOTP, email OTP, or biometrics+PIN)
  • Your PIN, stored as a one-way hash — we cannot recover or read it
  • Your TOTP secret, stored encrypted — we cannot read your authenticator codes
  • Recovery codes, stored as one-way hashes — we cannot read the codes themselves

Notes and content

  • Your notes, folders, tags, and attachments — stored in our database
  • Note content is locked behind your PIN/unlock method. We do not have access to your unlock credentials and cannot read your notes
  • File attachments (images, PDFs) stored in encrypted cloud storage

Usage and technical data

  • Anonymous usage analytics (which features are used, how often) — via PostHog
  • Error reports and crash logs — via Sentry. These may include device/browser info but not note content
  • IP address — used for rate limiting and abuse prevention, not stored permanently

Payment data

  • We do not collect or store your payment card details
  • Payments are processed by Paddle, which acts as the merchant of record. Paddle has its own privacy policy
  • We receive confirmation of whether your subscription is active or cancelled — nothing more

3. What We Do Not Do

  • We do not read, scan, or analyse the content of your notes
  • We do not sell, rent, or share your personal data with third parties for marketing purposes
  • We do not show you advertisements
  • We do not use your data to train AI models
  • We do not send you marketing emails unless you explicitly opted in to our waitlist or announcements
  • We do not collect government-issued ID, date of birth, physical address, or any other identity documents — by design

This last point has an important consequence: because we deliberately collect minimal identity information, we are unable to verify the identity of someone claiming to be locked out of an account. As a result, we cannot manually unlock accounts, reset PINs, or restore access to unlock credentials. This protects all of our users — it means no one can social-engineer their way into your account by contacting support. When you set up your account, you are given recovery codes for exactly this reason. Store them somewhere safe.

4. Third-Party Services

To operate Dim Notes, we use the following third-party services. Each has its own privacy policy.

  • Clerk — authentication and account management (clerk.com)
  • Supabase — database and file storage (supabase.com)
  • Paddle — payment processing and subscription management (paddle.com)
  • Resend — transactional email delivery (resend.com)
  • PostHog — product analytics (posthog.com)
  • Sentry — error monitoring (sentry.io)
  • Vercel — application hosting and infrastructure (vercel.com)
  • Cloudflare — DNS, CDN, and DDoS protection (cloudflare.com)

These services are given access only to the data they need to perform their function. We do not share your note content with any third party.

5. How Long We Keep Your Data

  • Your account and all associated data are kept for as long as your account is active
  • If you delete your account, all data — notes, folders, tags, attachments, settings, and recovery codes — is permanently deleted immediately
  • Anonymised analytics data (PostHog) may be retained for up to 12 months
  • Error logs (Sentry) are automatically deleted after 90 days

6. Your Rights

Depending on where you live, you may have rights under GDPR, CCPA, or similar laws. Regardless of where you are, we honour the following:

  • Right to access — you can request a copy of the data we hold about you
  • Right to deletion — you can delete your account at any time at dimnotes.com/delete-account. All data is removed immediately
  • Right to correction — contact us to correct inaccurate account information
  • Right to portability — you can export your notes at any time from within the app

To exercise any of these rights, email us at privacy@dimnotes.com. We will respond within 30 days.

7. Cookies and Local Storage

  • We use a session cookie to keep you signed in to your account
  • We use a separate secure cookie to store your unlock session (so you do not have to re-enter your PIN on every page load)
  • We use localStorage to remember your theme preference (light/dark/auto)
  • We do not use advertising cookies or third-party tracking cookies

8. Children

Dim Notes is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has created an account, contact us and we will delete it promptly.

9. Changes to This Policy

If we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the current version.

Continued use of Dim Notes after a policy change constitutes acceptance of the updated policy.

10. Contact

For any questions about this policy or how we handle your data:

  • Email: privacy@dimnotes.com
  • Company: Hidden Noxen, Cayman Islands

© 2026 Hidden Noxen. All rights reserved.