Privacy Policy
Effective 2026-04-30
Stickypad is a local-first whiteboard. By default everything you create lives in your own browser and never leaves your device. The optional Cloud Sync subscription syncs your boards across your devices through our infrastructure. This policy explains what data we collect when you opt into Cloud Sync, how we use it, who we share it with, and your rights.
What we collect
Free tier (no account). Your boards, notes, files, and preferences live entirely in your browser’s IndexedDB and localStorage — that content never leaves your device and we cannot read it. We do collect content-free product analytics: a random device and session id, the app version, your device type (desktop / tablet / mobile), your plan tier (free or paid), a timestamp, and the names of in-app events (for example “app opened” or “note created”), plus coarse buckets such as an error category. We do not collect your note text, board content, file contents, file paths, or any personal identifier. You can turn analytics off any time in Settings → Privacy, and we honor your browser’s Do Not Track and Global Privacy Control signals. We use no advertising or third-party tracking cookies.
Cloud Sync subscribers. When you subscribe and sign in, we collect:
- Email address — used to identify your account and to send sign-in links.
- Board content you choose to sync — the notes, containers, file references, and metadata on the boards you sync. Linked files are handled in two ways. For linked text files (such as .md, .txt, or source files), a snapshot of the text content is synced to the cloud along with the file path — that content may include source code, and absolute paths can reveal your project structure. For linked binary files (images, PDFs, audio, video), the bytes never leave your device — only the file path is synced, and your other devices show a placeholder until you grant them access to the same file.
- Subscription status — whether your subscription is active, the plan you chose (monthly or yearly), and the date it next renews.
- Operational logs — minimal server logs for debugging and abuse prevention (IP hash, request path, response code). We do not log raw email addresses, raw tokens, or the contents of your boards.
We do not collect: payment card numbers (Stripe handles those directly), your real name, your phone number, your location, or any data from third-party trackers.
How we use it
- Provide the service. Sync your boards across your devices, send sign-in links, process subscription billing.
- Keep the service running. Detect and prevent abuse, fix bugs, monitor uptime.
- Communicate about your account. Send transactional email (sign-in links, payment receipts, account deletion confirmations). We do not send marketing email.
We do not sell your data, share it with advertisers, use it to train AI models, or profile you for targeting.
Sub-processors
We use a small set of third-party providers to operate Stickypad. Each is contractually bound to keep your data confidential and use it only to provide their service to us.
- Amazon Web Services (AWS) — hosting and infrastructure (Cognito for accounts, S3 for board storage, Lambda for the API, CloudFront for the CDN). United States.
- Stripe — subscription billing and payment processing. Stripe receives your email address and the payment information you enter on their hosted checkout page. United States.
- Resend — transactional email delivery (sign-in links, account notifications). Resend receives your email address and the message body. United States.
How long we keep it
- Active subscribers: board content and account data are kept as long as your subscription is active.
- If your subscription lapses or you cancel (but keep your account): your synced board content is retained so you can re-subscribe and resume where you left off. Sync pauses while you have no active subscription — your data is not deleted. To remove your data, delete your account (below).
- After you delete your account: a 30-day soft-delete grace period lets you restore the account by signing in again with the same email. After 30 days the account, your synced board content, and our internal subscription/customer mapping row are permanently deleted (Stripe retains its own billing records, as described under “How long we keep it” below). You can request immediate hard-deletion (no grace) by emailing support; we comply within 30 days as required by GDPR Article 17.
- Retained after account deletion (limited records): two minimal records persist after permanent deletion. A one-way hashed fingerprint of your email address (a SHA-256 hash, never the address itself) is kept solely to prevent that email from being re-registered after a deliberate deletion. An append-only account-lifecycle ledger keeps bounded event records — an internal account identifier (your Cognito subject id), the event type, a timestamp, and bounded metadata such as a cancellation reason or salted hashes — never your board content and never your raw email. Deletion rights are not absolute; we retain these limited pseudonymized records only where necessary for account security, our legal obligations, or legal claims.
- Operational logs: retained for up to 90 days for security investigation, then deleted.
- Billing records: Stripe retains transaction records for as long as their own retention policy and applicable tax law require (typically 7 years for the merchant). We retain only the customer-id mapping needed to process renewals and refunds.
Your rights
Depending on where you live (GDPR if you’re in the EU/UK, CCPA if you’re in California, similar rights elsewhere), you have the right to:
- Access the data we hold about you. Email support@stickypad.io to request a copy.
- Correct inaccurate data. Most fields are user-editable directly in the app.
- Delete your account and all associated data (see “How long we keep it” above).
- Export your boards. Stickypad has a built-in board export feature (Settings → Export); for cloud-side data that isn’t in your local copy, email support.
- Object to or restrict processing for any reason. Email support to discuss your case.
- Withdraw consent at any time by cancelling your subscription and deleting your account.
We respond to all requests within 30 days. There is no charge.
Cookies and similar storage
Stickypad uses your browser’s localStorage and IndexedDB to store your boards, preferences (theme, view options), and — for Cloud Sync subscribers — a session marker so you stay signed in. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
Stripe’s checkout page may set its own cookies for fraud prevention; that’s governed by Stripe’s privacy policy.
Children
Stickypad is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has subscribed, email support@stickypad.io and we will delete the account and any associated data.
Security
We use industry-standard security: encrypted connections (TLS 1.2+), encryption at rest for stored board data (AWS-managed keys), per-user access isolation in our API, scoped IAM permissions on every server-side action, and minimal logging of sensitive fields. No system is perfectly secure; if we discover a security incident affecting your account we will notify you by email without undue delay.
International transfers
Our infrastructure is hosted in the United States. If you access Stickypad from outside the US, your data is transferred to and processed there. Where required by GDPR or similar law, the transfer is covered by our sub-processors’ standard contractual clauses.
Changes to this policy
If we change this policy in a way that materially affects how we handle your data, we will email subscribers at least 30 days before the change takes effect. Smaller changes (clarifications, contact details) update the effective date at the top.
Questions about this policy? Email support@stickypad.io.