Privacy Policy

Last updated: 2026-05-14

This Privacy Policy describes how Personal Notes (the "Service"), operated by PERSONAL NOTES ("we", "us"), collects, uses and stores information when you use the Service at personal-notes.com and mcp.personal-notes.com.

1. Information we collect

When you authenticate to the Service through Google, Google shares the following information with us, as defined by the OAuth scopes openid, email, and profile:

• Your Google account identifier (an opaque sub value)
• Your email address
• Your display name

Of these, only the opaque Google account identifier is persisted on our servers, used as an internal user key in the form google:<sub>. Your email address and display name are received during the sign-in callback and discarded immediately — they are not written to any storage we operate.

2. Content you create

When you ask your AI assistant to save a note, the text content of that note is stored on our servers along with a timestamp and a unique note identifier. Notes are scoped to your account and are never shared with other users of the Service.

3. How we use information

We use the data described above solely to:

• Authenticate you and authorize requests from your AI assistant
• Store, list, and return the notes you create
• Operate and secure the Service (e.g., abuse rate-limiting on sign-in endpoints, retaining short-lived IP-based counters)

We do not sell, rent, or share your data with third parties for marketing or advertising purposes.

4. Where data is stored

The Service runs on Cloudflare Workers and Cloudflare KV. Cloudflare may process and store data in any of its global data centers; see Cloudflare's privacy documentation for details.

5. Data transfers

Because Cloudflare operates a globally distributed network, data processed by the Service may be transferred to, stored in, or accessed from countries outside your country of residence, including countries that may not provide the same level of data protection as your jurisdiction. Where required by applicable law, such transfers rely on appropriate safeguards (for example, the European Commission's Standard Contractual Clauses for transfers out of the EEA). Cloudflare acts as a data processor on our behalf for this purpose.

6. Retention and deletion

Notes are retained until you ask your AI assistant to delete them, or until you request deletion of your account. To request deletion of your account and all associated notes, email [email protected] from the Google account you used to sign in. Account deletion is irreversible.

Short-lived rate-limit counters (per-IP, per-hour or per-day) expire automatically within 24 hours.

7. Third parties

• Google — used as the identity provider via OAuth. Subject to Google's privacy policy.
• Cloudflare — hosting provider for both the landing site and the MCP server. Subject to Cloudflare's privacy policy.

No other third parties receive your data.

8. Legal bases for processing

Where the EU General Data Protection Regulation (GDPR) or equivalent law applies, we process your personal data on the following legal bases:

• Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Service you have asked to use, including authenticating you and storing the notes you create.
• Legitimate interests (Art. 6(1)(f) GDPR) — to keep the Service operational and protect it against abuse (for example, short-lived rate-limit counters on sign-in endpoints).
• Consent (Art. 6(1)(a) GDPR) — where we ask for your explicit consent, for example through the consent screen displayed before your AI assistant first connects to the Service. You may withdraw your consent at any time by disconnecting the Service from your AI assistant or by requesting account deletion.

9. Your rights

Depending on your jurisdiction (notably under the EU GDPR), you may have the right to access, correct, export, or delete your data, and to lodge a complaint with a supervisory authority. To exercise these rights, email [email protected] from the Google account associated with the data.

10. Children

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect data from them.

11. Changes to this policy

We may update this policy. Material changes will be reflected in the "Last updated" date above and, where appropriate, communicated through the Service.

12. Contact

Questions about this policy: [email protected].