Privacy Policy
We built Sovernote because we believe privacy is a right, not a feature. This policy reflects that.
1. Introduction
Sovernote (“we”, “us”, “our”) provides a local-first note-taking and database application (“the Service”). The desktop application stores all your content locally on your device. If you choose to use our optional cloud sync feature, some information is transmitted to our servers as described below.
This policy describes what information we collect, how we use it, and your rights regarding it. Our guiding principle is to collect as little as possible and to never sell or misuse what we do collect.
2. Jurisdiction & legal basis
Sovernote is operated by a company incorporated (or in the process of being incorporated) in Estonia (European Union). We are subject to the General Data Protection Regulation (GDPR) and Estonian law. The supervisory authority with primary jurisdiction is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
Our legal bases for processing personal data are:
- Contract — processing your account credentials and billing information to provide the cloud sync service you signed up for (Art. 6(1)(b) GDPR).
- Legitimate interest — aggregate, anonymised analytics to understand how our website is used (Art. 6(1)(f) GDPR). No personal data is involved.
- Legal obligation — retaining transaction records as required by EU tax law (Art. 6(1)(c) GDPR).
As an EU resident you have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing. To exercise any of these rights, contact us at privacy@sovernote.com. You also have the right to lodge a complaint with your national data protection authority.
3. Local use — no data collection
When you use the Sovernote desktop application without a cloud account, we collect nothing. All your notes, databases, and settings are stored in a local SQLite database on your device. No content, metadata, or usage data is transmitted anywhere. You can use Sovernote indefinitely in this mode with zero network activity.
4. Cloud account and sync
If you choose to create an account for cloud sync, we collect and store the following:
- Username — your chosen handle. It acts as the salt for key derivation and is immutable once set. We recommend using a pseudonym rather than your real name if privacy is a priority.
- Email address (optional) — only if you provide one for account recovery. We do not require an email to register.
- Public key — your Ed25519 public key, derived client-side from your password. We store only the public key; your password and private key never reach our servers.
- Encrypted document blobs — when cloud sync is enabled, Yjs update blobs are uploaded to our servers. These blobs are encrypted client-side before transmission. We cannot decrypt or read your content.
- Billing information — if you subscribe to a paid plan, payment is processed by our Merchant of Record, Creem. We do not store full card numbers on our servers.
5. Zero-knowledge encryption
For cloud sync, Sovernote uses end-to-end zero-knowledge encryption. Your password is processed through Argon2id locally to derive Ed25519 and X25519 keypairs. Authentication uses a challenge-response protocol — your private key signs a server-issued nonce, so your password is never transmitted. Document contents are encrypted on your device before upload.
We cannot read your documents, even if compelled to by a third party. All we store is ciphertext.
6. Analytics
Our website (sovernote.com) uses Umami, a privacy-respecting analytics tool. Umami does not use cookies, does not collect personal data, and does not fingerprint visitors. It records only aggregate page view counts and basic referrer information. No data is shared with advertising networks.
The desktop application contains no analytics or telemetry by default.
7. Cookies
The marketing website sets no cookies. If you sign in to the web application (a feature available to paid subscribers), a session cookie is used to maintain your authenticated session. This cookie is scoped to the authenticated subdomain and is not used for tracking.
8. Third-party services
We use the following third-party services:
- Creem — Merchant of Record for paid subscriptions. Creem handles payment processing and tax compliance. Creem’s privacy policy governs data collected during checkout.
- Umami — self-hosted, cookie-free website analytics. No personal data is collected.
- Contabo — our servers run on European infrastructure. Customer content stored on our servers is zero-knowledge encrypted.
- OVH — transactional email delivery (account confirmation, billing receipts). Your email address is processed by OVH solely to deliver these messages.
We do not use Google Analytics, Facebook Pixel, or any advertising-based tracking service.
9. Data retention
For cloud accounts, we retain your data for as long as your account is active. If you delete your account, all server-side data (encrypted blobs, username, public key) is permanently deleted within 30 days. Local data on your device is unaffected — it remains under your control.
10. Your rights
You have the right to:
- Access — request a copy of any personal data we hold about you.
- Deletion — request deletion of your account and all associated server-side data.
- Portability — export your documents as Markdown and CSV at any time from within the app.
- Correction — update your email address from your account settings.
To exercise any of these rights, email us at privacy@sovernote.com.
11. Children’s privacy
Sovernote is not directed at children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email (if you have provided one) or via an in-app notice at least 30 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.
Continued use of the Service after the effective date of a change constitutes acceptance of the updated policy.
13. Contact
Privacy-related questions or requests: privacy@sovernote.com
General enquiries: hello@sovernote.com