Privacy Policy

1. Introduction

Open Note ("Application", "we") is an open source local-first note-taking application. Our privacy philosophy is simple:

We do not collect your data. Period.

This Privacy Policy explains how the Application handles information, including scenarios where data may be shared with third-party services when you choose to use the cloud synchronization feature.

2. Data We Collect

2.1. Data collected by the Application: None

Open Note does not collect, transmit or store any personal or usage information. Specifically:

• No telemetry — We do not track how you use the Application
• No analytics — We do not measure usage, session or behavior metrics
• No personal data collection — We do not ask for name, email or any identification
• No account required — The Application works 100% without login
• No server communication — The Application does not connect to any of our servers
• No automatic crash reports — Error logs remain local on your device

2.2. Data generated by usage

Notes, annotations, settings and all data you create in Open Note are stored exclusively on your device, in the open .opn.json format. This data is never sent to us.

3. Local Storage

All Open Note data is stored locally on your device's filesystem:

• Pages: .opn.json files organized in folders (Workspace → Notebook → Section)
• Assets: Images and attached files in each section's assets/ folder
• Global settings: ~/.opennote/app_state.json
• Search index: .opennote/index/ (derived data, rebuildable)
• Trash: .trash/ with 30-day retention

You have full control. You can read, edit, copy, move or delete these files directly. Backup is as simple as copying the workspace folder.

4. Cloud Synchronization

Cloud synchronization is fully optional and opt-in. The Application works 100% offline without it.

If you choose to enable synchronization:

• Your data is transmitted directly from your device to the chosen cloud provider (Google Drive, OneDrive or Dropbox)
• No data passes through Open Note servers — communication is exclusively between your device and the provider
• The Application requests only the minimum necessary permissions:
  • Google Drive: drive.file — access only to files created by Open Note, not your entire Drive
  • OneDrive: Files.ReadWrite.AppFolder — access only to an isolated app folder
  • Dropbox: Access only to an app-specific folder
• You can disconnect at any time — your local and remote data remain intact
• Disconnecting never deletes data — neither local nor remote

5. OAuth 2.0 Authentication

To connect with cloud providers, we use the OAuth 2.0 protocol:

• Authentication occurs directly on the provider's website (Google, Microsoft, Dropbox)
• Open Note never has access to your password for these services
• Authentication tokens are securely stored in the native operating system keychain/keyring:
  • macOS: Keychain
  • Windows: Credential Manager
  • Linux: Secret Service (GNOME Keyring / KDE Wallet)
• Tokens are never stored in plain text on the filesystem
• When you disconnect a provider, tokens are revoked with the provider and removed from the local keychain

6. Third-Party Services

When you opt for synchronization, your data is processed by cloud providers according to their respective privacy policies:

• Google: Google Privacy Policy
• Microsoft: Microsoft Privacy Statement
• Dropbox: Dropbox Privacy Policy

We recommend reading these services' privacy policies before enabling synchronization.

7. This Website (GitHub Pages)

This website is hosted on GitHub Pages (GitHub, Inc.). GitHub may collect technical data (such as IP address and user agent) per their privacy policy. Open Note does not add any trackers, cookies or analytics scripts to this site.

• No tracking cookies
• No Google Analytics or similar
• No tracking pixels
• Fonts loaded from Google Fonts (see Google's policy)

8. Security

We adopt the following security practices:

• Encrypted tokens via the native OS keychain
• Mandatory HTTPS for all communication with cloud APIs
• Minimal permissions (principle of least privilege) for each provider
• Open source — anyone can audit the code at github.com/l3co/open-note
• No central server dependency — there is no remote attack surface on Open Note's side

Your device's security is your responsibility. We recommend keeping your operating system up to date and protecting your device with a password.

9. Your Rights

Since Open Note is local-first and does not collect data, you already have full control over your information:

• Access: All your data is on the filesystem, accessible at any time
• Portability: Open JSON format — export, copy, migrate freely
• Deletion: Delete files from your device at any time
• Disconnection: Remove cloud synchronization whenever you want
• Transparency: Open source code available for audit

For data stored with cloud providers (when synchronization is active), refer to each provider's rights per their policies and applicable legislation (GDPR, CCPA, etc.).

10. Children's Privacy

Open Note does not collect personal data from anyone, including children. The Application does not require an account, email or any identification. However, the cloud synchronization feature depends on an account with providers (Google, Microsoft, Dropbox), which have their own age requirements.

11. Changes to this Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with a revised update date. The complete change history is available in the project repository.

12. Contact

For questions about this Privacy Policy, please contact us through:

• GitHub Issues: github.com/l3co/open-note/issues
• Repository: github.com/l3co/open-note