Privacy Policy
Last updated: April 3, 2026
1. Who We Are
Thanote is a product of Supasan Suklim. We operate the website and web application at https://thanote.com.
If you have questions about this Privacy Policy, contact us at: supasan.game@gmail.com
2. Our Privacy-First Approach
Thanote is built around a zero-knowledge, local-first architecture:
- No account required. You can use Thanote without signing up for an account. Your notes are stored in your browser's local storage by default.
- Client-side encryption. Sensitive notes protected with a master password are encrypted locally using AES-256-GCM before any data is written to disk or synced. We never have access to your unencrypted note content.
- No tracking in the editor. We do not read or analyze the content of your notes, tasks, or any other workspace data.
3. Information We Collect
3a. Information You Provide
- Note content: Stored entirely on your device (browser localStorage or, with Local Folder Mode, on your file system). Not transmitted to Thanote servers.
- Master password: Never stored or transmitted. A PBKDF2-derived key is used locally to encrypt/decrypt notes via AES-256-GCM.
- Google account (optional): If you enable Google Drive Sync, we request OAuth access tokens scoped only to the Thanote application folder in your Google Drive. We do not store your Google credentials.
- AI provider API keys (optional): If you configure an OpenAI or Gemini API key for the AI assistant, the key is stored only in your browser's localStorage and is sent directly from your browser to the respective AI provider. We never receive or store your API key on our servers.
- Biometric data: Touch ID, Face ID, and Windows Hello credentials are managed entirely by your device's operating system via the WebAuthn standard. Biometric data never leaves your device and is never transmitted to Thanote.
3b. Information Collected Automatically
| Data | Purpose | Retention |
|---|---|---|
| Page views, session duration, feature usage events (via Google Analytics) | Understand how the app is used so we can improve it | 26 months (Google Analytics default) |
| Browser type, operating system, screen resolution (via Google Analytics) | Ensure compatibility across devices | 26 months |
IP addresses and other analytics data are never linked to the content of your notes or personal identifiers.
4. Cookies and Local Storage
Thanote uses browser localStorage and IndexedDB to store your notes, preferences, and app state entirely on your device. These are not cookies and cannot be accessed by any third party. We do not use cross-site tracking cookies.
Google Analytics sets first-party cookies (_ga, _gid) for session tracking. You can opt out using the Google Analytics Opt-out Browser Add-on.
5. How We Use Information
We use the automatically collected data only to:
- Improve the functionality, performance, and user experience of Thanote
- Identify and fix bugs and errors
- Understand which features are used most, to prioritize improvements
- Ensure the security and integrity of the service
We do not use your data for advertising, profiling, or sale to third parties.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal information. We share minimal data only with the following sub-processors:
- Google Analytics – anonymous usage analytics. Google Privacy Policy
- Netlify – web hosting (processes standard access logs). Netlify Privacy Policy
- Cloudflare Workers – used for the note-sharing feature and the built-in Thanote AI assistant. Shared notes are ephemeral and encrypted; metadata (share ID, expiry) is processed by Cloudflare. AI prompts sent via Thanote AI are processed by Cloudflare Workers AI. Cloudflare Privacy Policy
- Google Drive API – only if you opt in to Google Drive Sync. Data is stored in your own Google Drive account. Google Privacy Policy
- OpenAI / Google Gemini / Anthropic Claude – only if you configure a personal API key in Settings. Your prompts are sent directly from your browser to the AI provider under their respective terms of service.
7. Thanote AI (Cloudflare Workers AI)
Thanote includes a built-in AI assistant powered by Cloudflare Workers AI. When you use this feature:
- Your prompts and any note content provided as context are sent to Cloudflare Workers AI running on Cloudflare's infrastructure.
- Requests are authenticated with a bearer token and processed server-side. No prompt data is stored by Thanote after the response is returned.
- Cloudflare's data processing is governed by their Privacy Policy and Trust Hub.
- A daily usage quota (15 requests per day) is tracked locally in your browser's localStorage. No usage data is sent to Thanote's servers.
- If you prefer not to use Thanote AI, you can configure your own OpenAI, Gemini, or Claude API key in Settings instead.
8. Note Sharing Feature
When you use the Share Note feature, the note content is encrypted client-side and uploaded to Cloudflare Workers. The decryption key is included only in the URL fragment (#key), which is never sent to our servers. Shared notes are stored temporarily and automatically deleted after expiry. Only someone with the exact share link can decrypt and read the note.
9. Children's Privacy
Thanote is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child under 13 has provided us with personal information, please contact us at supasan.game@gmail.com and we will delete it.
10. Data Security
We implement appropriate technical and organizational measures to protect the information we process:
- All traffic to thanote.com is served over HTTPS/TLS.
- AES-256-GCM encryption is applied client-side to password-protected notes before any sync occurs.
- Master passwords are never transmitted or stored — only a PBKDF2-derived key is used locally.
- Biometric credentials are managed by your device OS via WebAuthn and never leave your device.
11. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access & portability: You can export all your notes at any time from Settings → Import / Export.
- Deletion: Because notes are stored locally on your device, you can delete them at any time from within the app or by clearing your browser data. For analytics data held by Google Analytics or Sentry, contact us and we will submit deletion requests on your behalf.
- Opt-out: You can opt out of Google Analytics tracking using the Google Analytics opt-out add-on.
- GDPR (EU residents): You have the right to access, rectify, erase, restrict processing, and object to processing of your personal data. Contact us at supasan.game@gmail.com.
- CCPA (California residents): We do not sell personal information. You have the right to know what personal data we collect and to request deletion.
12. Data Retention
Note data is stored on your device until you delete it. Analytics data is retained as described in Section 3b.
13. International Data Transfers
Thanote is operated from the United States. If you are located outside the US, please note that analytics and error-reporting data may be transferred to and processed in the United States. Such transfers are subject to appropriate safeguards (e.g., Google's and Sentry's standard contractual clauses).
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically. Continued use of Thanote after a policy update constitutes acceptance of the revised policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us:
- Email: supasan.game@gmail.com
- Website: https://thanote.com
- Company: Supasan Suklim