We respect your privacy. We collect the minimum necessary data to provide authentication and store your notes. Authentication is performed by third-party providers you choose (e.g., Google) to avoid storing passwords. We never sell your data.
Security and Privacy Architecture Overview
Our platform is built with a security-first, privacy-by-design philosophy.
We combine modern cloud infrastructure — Node.js, Linux, and Kubernetes —
with a federation-only authentication model, allowing users to select their identity providers (currently only Google).
This approach simplifies our systems and strengthens data protection for you.
1. Federated Identity and Simplified Authentication
We do not store or manage user passwords. All authentication is handled through established identity providers
using standards-based federation protocols (e.g., SAML, OIDC, or OAuth2).
Users may connect and merge multiple federated identities (currently only Google) under one account for convenience and flexibility.
By removing direct authentication from our infrastructure, we minimize the risk of credential theft and simplify compliance.
2. User Data Control and Transparency
We believe users should have full control over their data. At any time, each user can:
- Download a complete copy of their personal data.
- Delete their account and all associated data permanently.
Our systems automatically ensure that deletion extends to all third-party services we contract with directly.
The identity providers used for authentication remain the responsibility of the user.
3. Distributed Data Ownership and Access Control
Access decisions are made as close as possible to the data itself.
Data owners define who can access their information, while our central security systems handle monitoring and enforcement.
This model supports scalability, transparency, and clear accountability without compromising control.
4. Privacy-Aligned Automation (Upcoming)
To further strengthen compliance and reduce unnecessary data retention, we are introducing
automatic deprovisioning for inactive users.
Accounts with no activity for 120 days will be automatically deleted after advance notice.
Before deletion, all user data will be securely exported, digitally signed, and sent to the account owner.
The export file can later be used to fully restore the account — preserving previous state and permissions.
Our Commitment
We design every system around three principles:
- User sovereignty — users own their identities, and their data is entirely their own.
- Transparency — all processes are auditable, reversible, and standards-based.
- Security through simplicity — by reducing unnecessary complexity, we reduce risk.
Our goal is to make security, privacy, and compliance an integral — not obstructive — part of the user experience.