Try for free
Back to Home

Privacy Policy

Last updated: June 2026

This Privacy Policy describes how Joyolabs Dijital Hizmetler Anonim Şirketi ("we," "our," "us," or "Company") collects, uses, stores, and shares your personal information when you use CraftNote (the "Service" or "CraftNote") on the web, iOS, Android, watchOS, or via connectors that read CraftNote on your behalf.

We have written this policy to describe what actually happens to your data, end to end. Where there is a meaningful trade-off in our design, we describe it; where a control runs on our operations team rather than a self-serve UI, we say so. The goal is for the policy and the product to match.

1. Information We Collect

1.1 Content You Provide

When you use CraftNote, you may provide:

  • Audio recordings (voice memos, in-app recordings, video imports for which we extract audio client-side, meeting recordings, watchOS recordings, recordings made with the CraftNote Meeting Recorder browser extension (audio of the Google Meet call or browser tab you choose to record)).
  • Uploaded files: PDF, DOCX, DOC, XLSX, XLS, CSV, PPTX, EPUB, ODT, plus images attached to notes.
  • Notes and observations you type into the app.
  • Links you paste in (YouTube, podcasts, TikTok, Instagram, X), where the linked page or feed is fetched on your behalf so CraftNote can summarize it.
  • Calendar event metadata for meetings you ask CraftNote's meeting bot to join.
  • Free-text questions you ask CraftNote's chat feature ("chat with your notes").
  • Support messages and feedback you send us.

When you save a note, the note's title, transcript, summary, and any chat turn associated with it is chunked and sent to a text-embedding provider so we can power semantic search and the "chat with your notes" feature. See Section 6.6 for the data flow.

If you use CraftNote to record audio, you are responsible for obtaining consent from any individuals being recorded, as required by applicable local laws.

CraftNote is a general-purpose consumer tool and is not intended for special-category or sensitive data. You should not upload health or other special-category data (as defined under Article 9 of the GDPR or as "sensitive personal data" under Turkish data protection law, KVKK), or protected health information, unless you have a lawful basis and accept responsibility for that use. We are not a HIPAA-covered service. See Section 8 of our Terms of Use.

1.2 Account Information

We collect basic account information such as:

  • Email address.
  • Display name (if provided by your authentication provider).
  • Authentication credentials (Google, Apple, or email-link sign-in). We do not store your passwords for any of these methods.
  • Push notification tokens (Firebase Cloud Messaging on Android, APNs via FCM on iOS). We use these to deliver in-app notifications you have opted into.
  • OAuth refresh tokens issued to third-party AI assistants you connect (see Section 10). These are stored as SHA-256 hashes, not plaintext.
  • OAuth refresh tokens for calendar integrations you connect (Google Calendar, Microsoft Outlook), stored encrypted at rest in our database.
  • Subscription status, originating store, and renewal state mirrored from our payment processors.
  • Your iOS App Tracking Transparency consent decision (the result, not the prompt content).

1.3 Device and Usage Information

We automatically collect:

  • Device model, operating system version, app version, language, time zone.
  • Country, derived from two sources: your IP address at request time (coarse, derivable per request) and your App Store / Google Play storefront country code. The storefront country is stored on your PostHog person profile and joined with your usage and conversion data in our analytics warehouse. We do not collect precise location and do not request a location permission on any platform.
  • IP address and browser type (web).
  • Service usage events: screens viewed, features used, paywall views, conversions, errors. These power our product analytics and lifecycle notifications.
  • Time and duration of service use.
  • On Android, the Android Advertising ID (AAID) when you have not opted out of personalized ads at the system level. The AAID is forwarded to our attribution and analytics partners (including PostHog, AppsFlyer, and Meta) as a user property.
  • On iOS, the IDFA (Identifier for Advertisers) only after you grant App Tracking Transparency consent. Until you grant consent, IDFA is zero. Our SDK partners may still operate using their own non-IDFA anonymous identifiers (Meta auto-anon IDs, AppsFlyer's SDK-generated identifier) when ATT is denied; those identifiers continue to flow to Meta and AppsFlyer regardless of your ATT choice.
  • Anonymous identifiers generated by our SDKs at first launch (PostHog distinct id, AppsFlyer id, Adapty profile id). These persist across app sessions and are cross-referenced across services so that, for example, an event we send to AppsFlyer can be joined to your PostHog person profile.
  • Crash diagnostics (stack traces, breadcrumbs, device state at crash time) via Firebase Crashlytics on mobile. Stack traces and error messages we generate may incidentally include short fragments of note content when a code path throws while processing your data; we treat these as diagnostics, not as content, and do not analyze them.
  • Backend operational telemetry (function names, timings, error stack traces, pseudonymous user id, note id) via New Relic. We do not send note text, transcripts, summaries, or chat content to New Relic; backend code paths that touch user content redact arguments from log lines.

1.4 Session Capture (Web and Mobile)

We use PostHog session replay to record interactions with our apps so we can diagnose layout and interaction bugs. The configuration differs between web and mobile today, and we describe each honestly below.

Web. Session replay on our web app masks all on-screen text and all input values. The recording captures the DOM structure (which element you clicked, how a layout responded) but the actual contents of note titles, transcripts, summaries, chat messages, paywall copy, and input fields are blanked from the recording before it leaves your browser.

Mobile. Session replay on our iOS and Android apps currently captures screenshot-style snapshots of the rendered app interface during sessions. Those snapshots can include note titles, transcripts, summaries, chat messages, paywall copy, and any image visible on screen. We use this to diagnose Flutter UI bugs that are difficult to reproduce from logs alone. We are migrating mobile session replay to selective per-screen masking — the screens that render your note content (note detail, chat, transcript view, share modal) will be excluded from capture, while non-content screens (settings, paywall, recording UI shell) continue to capture. That work is scheduled for the next product cycle.

Session replay is enabled in production builds and disabled in development builds. If you would prefer to be excluded from session replay entirely (rather than partially masked or fully captured), email support@craftnote.com from the account you want excluded and we will set a per-user PostHog property that suppresses replay capture for that account on both web and mobile.

1.5 Information About Other People

Some CraftNote features cause us to receive or store information about people other than you. We process that information on the legal basis of your legitimate interest in using CraftNote with people you collaborate with (sharing a note, recording a meeting that includes them, drafting an email to them). We use that information only to deliver the feature you requested, do not market to those individuals, and do not enrich it from other sources.

  • Note sharing. When you share a note with another person by email, we store the recipient's email address (lowercased) on the note record so we can grant them read access when they sign in to CraftNote.
  • Meeting attendees. When you record or invite the CraftNote meeting bot to a calendar event, we store a snapshot of the event's attendees, including their email addresses, display names, and RSVP status, on the meeting note. We also keep a log of any summary emails you ask us to send to those attendees.
  • Email drafts. If you ask CraftNote to draft an email based on a note, the recipient list you provide is stored on the note record.
  • Speaker names. If you assign speaker names during diarization of a recorded conversation, those names are stored alongside the transcript.
  • Public note links. If you create a public share link for a note, the note content becomes accessible to anyone who has the link. The link does not expire automatically. We count the number of views on the link and store that count on the note. Revoking a public link disables fresh server-side reads of the linked content but does not invalidate copies that may already be cached at the content-delivery network edge (such copies expire from the cache within 24 hours by default). If a public note includes audio or document attachments, those attachments are served from separate media URLs (see Section 5.2) which can remain reachable to anyone who already captured the URL.

If you appear in a CraftNote recording, share, or attendee list and want your personal information removed, contact support@craftnote.com from the email address that appears in the record. We will erase the entry across our active systems within 30 days and from backups within 90 days, except where retention is required by applicable law.

1.6 Calendar and Meeting Integration Data

When you connect a Google Calendar or Microsoft Outlook calendar, CraftNote uses the corresponding calendar API on your behalf to read your events, including event titles, start and end times, descriptions, locations, meeting URLs, and attendee lists. We store an OAuth refresh token server-side so we can continue to read events when you are not in the app, and we register webhook channels so we are notified of event changes. You can disconnect a calendar from Settings inside the app, which revokes the token and cancels the webhook.

1.7 Browser Extension

If you install the CraftNote Meeting Recorder Chrome extension, it records audio only when you start a recording or join a Google Meet call with auto-capture enabled, and it always shows a recording indicator while capturing. To label speakers in your transcript, the extension reads participant names from the meeting page; these names appear only in your transcript. The extension stores your CraftNote sign-in session locally in your browser and sends reliability telemetry (such as capture errors) to our analytics provider.

2. How We Use Your Information

We use your information to:

  • Provide the core product: capture, transcribe, summarize, diarize, and organize your notes and recordings.
  • Run our AI features: text-to-speech, flashcards, quizzes, todo extraction, keynotes, email drafts, semantic search, chat with your notes, and connector-mediated access (Section 10).
  • Personalize the experience: language preference, sample content, defaults.
  • Communicate with you: subscription receipts, important service updates, and lifecycle notifications (e.g., reminders to review action items, paywall recovery, win-back messaging). Lifecycle notifications are delivered via push and can be muted at the device level or per-category via your operating system's notification settings.
  • Process payments, validate subscription state, and enforce paywalls and quotas.
  • Measure marketing performance, attribute installs, and optimize ad spend.
  • Diagnose crashes, debug issues, and improve product quality.
  • Protect the Service against fraud, abuse, and unauthorized access.
  • Comply with legal obligations.

We do not use your recordings, transcripts, summaries, or chat content to train any model, ours or a third party's. Our AI providers are contractually required not to train their models on the content we send them through their commercial APIs (see Section 6).

2.1 Legal Bases for Processing (EU / EEA / UK / Türkiye)

Where the GDPR, UK GDPR, or Turkish data protection law (KVKK) applies, we rely on the following legal bases. Most processing rests on more than one purpose; this table maps the primary basis for each.

| Purpose | Legal basis (GDPR Art. 6) | | --- | --- | | Providing the core product (capture, transcription, summarization, storage, semantic search and chat) | Performance of a contract — Art. 6(1)(b) | | Account creation, authentication, and subscription management | Performance of a contract — Art. 6(1)(b) | | Processing payments and validating subscription state | Performance of a contract — Art. 6(1)(b) | | Product quality, debugging, security, and fraud/abuse prevention | Legitimate interests — Art. 6(1)(f) | | Processing information about other people contained in your recordings | Legitimate interests — Art. 6(1)(f) | | Marketing measurement, attribution, advertising cookies, and session capture where consent is required | Consent — Art. 6(1)(a) | | Complying with legal obligations and responding to lawful requests | Legal obligation — Art. 6(1)(c) |

Where we rely on consent, you may withdraw it at any time without affecting processing that already took place. Any special-category data you choose to include is processed only on the basis of your explicit consent and responsibility (Art. 9(2)(a)); see the note in Section 1.1.

3. How We Share Information

3.1 We Do Not Sell Your Personal Information

We do not sell your personal information, your recordings, your transcripts, or your notes. We do not use your recordings or notes for advertising.

For users in California and other US states with comparable laws: we do share certain limited identifiers and event metadata with our attribution and advertising partners (Meta, Google Ads, AppsFlyer) to measure how well our marketing performs. Under the California Privacy Rights Act this can qualify as "sharing" for cross-context behavioral advertising. See Section 14 for how to opt out.

3.2 Categories of Recipients

  • Sub-processors we use to operate the Service (Section 4).
  • AI providers we send your content to in order to deliver AI features (Section 6).
  • Third-party AI assistants you explicitly connect through CraftNote, such as Anthropic's Claude.ai via the Model Context Protocol connector (Section 10).
  • People you share notes with, when you initiate that sharing.
  • Legal authorities, when we are required by law or to protect rights and safety.
  • A successor entity, in the event of a merger, acquisition, or restructuring.

Your recordings, transcripts, and summaries are private and never shared publicly or used for marketing purposes, except where you create a public share link for a specific note.

4. Sub-Processors

We engage the following third-party service providers (data processors and sub-processors) to support delivery of the Service. Each processes personal information on our behalf under confidentiality and security obligations and only for the purposes described below.

4.1 Infrastructure, Authentication, and Storage

  • Firebase (by Google LLC) – authentication, Firestore database, Cloud Storage, push notifications (FCM), Cloud Functions runtime, anti-abuse (App Check), crash diagnostics (Crashlytics), product analytics.
  • Google Cloud Platform – cloud compute, Cloud SQL Postgres (private network only, for OAuth state of connected assistants), Cloud Tasks (scheduled jobs), BigQuery (analytics data warehouse).
  • Cloudflare (Cloudflare, Inc.) – object storage (R2) for audio recordings, uploaded documents, generated audio outputs, and meeting recordings, with content delivery through Cloudflare's CDN.
  • Sign in with Google – federated authentication. Google shares your name, email, and profile photo with us when you choose to sign in with Google.
  • Sign in with Apple – federated authentication. Apple shares your email (or a private relay email) and a stable user identifier with us when you choose to sign in with Apple.

4.2 AI and Machine Learning

CraftNote routes your content through a chain of AI providers to deliver transcription, diarization, summarization, embeddings, chat, and text-to-speech. The active provider and fallback order are configured remotely (PostHog feature flags) so we can shift traffic without app updates. Section 6 describes which provider receives which class of data. The full set of AI providers we route to is:

  • OpenAI – large language model inference (chat tail, chat with uploaded files), text-to-speech (Read Aloud).
  • Google Vertex AI and Gemini API – transcription of audio (Gemini), large language model inference (Qwen3 series hosted on Vertex AI Model Garden — see "Indirect sub-processors" below), text embeddings, and YouTube link transcription (Gemini fetches the video from YouTube using the URL you provided).
  • Fireworks AI (Fireworks AI, Inc.) – large language model inference (gpt-oss, Kimi K2.5 — see "Indirect sub-processors") and the primary embeddings provider (Qwen3-Embedding).
  • Groq – transcription (Whisper) and language model inference (gpt-oss).
  • Replicate – transcription and diarization (WhisperX, whisper-diarization).
  • fal.ai (Features & Labels Inc.) – transcription and diarization, including ElevenLabs Scribe V2 and Cohere Transcribe hosted on fal.ai infrastructure — see "Indirect sub-processors" below.
  • EachLabs – AI workflow routing for transcription, diarization, and chat-with-files. EachLabs forwards requests to upstream providers including OpenAI, Alibaba Cloud (Qwen3-ASR), ElevenLabs, and Deepgram — see "Indirect sub-processors".
  • Deepgram – batch diarization through EachLabs, and live streaming transcription on the web app and in the CraftNote Meeting Recorder browser extension. In both cases, your browser streams audio directly to Deepgram over a WebSocket connection that our backend authenticates with a short-lived token; the audio does not transit our servers in that path.
  • xAI – audio transcription via the xAI Speech-to-Text API.
  • Weights & Biases Inference – large language model inference (Qwen3 fallback).
  • Supadata – fetches publicly available transcripts and metadata for YouTube, TikTok, X, and podcast URLs you paste into CraftNote.
  • Recall.ai – dispatches a meeting bot ("CraftNote Bot") to join Zoom, Google Meet, or Microsoft Teams calls when you request it. Recall.ai records mixed audio of the meeting and returns it to us for transcription. Recall.ai is a US data processor; meeting audio recorded via Recall.ai is processed in the United States regardless of where you are located. Recall.ai retains the recording for up to 24 hours.

Indirect sub-processors. The routing providers above forward requests to the following further sub-processors. Audio or text content passes through them when the corresponding model is selected:

  • ElevenLabs (United States) – reached via fal.ai and EachLabs (Scribe V2 model).
  • Cohere (Canada / United States) – reached via fal.ai (Cohere Transcribe model).
  • Alibaba Cloud / Qwen (People's Republic of China) – reached via EachLabs (Qwen3-ASR transcription) and via Google Vertex AI Model Garden (Qwen3 LLM hosted on Vertex). When EachLabs routes to the Qwen3-ASR endpoint, audio is processed by Alibaba Cloud. When Vertex AI Model Garden hosts Qwen3, content is processed inside Google's infrastructure under Google's data-processing terms.
  • Moonshot AI (People's Republic of China) – reached via Fireworks AI (Kimi K2.5 LLM hosted by Fireworks). When Fireworks hosts the Kimi model, content is processed inside Fireworks' infrastructure under Fireworks' data-processing terms.

The routing relationship matters for legal purposes (our contract is with the routing provider, not with the upstream sub-processor) but you should know that your audio or text content is, in practice, processed by these upstream parties when the corresponding routing decision is made. We disclose the full chain here so you can make informed decisions, particularly regarding transfers to the People's Republic of China when Alibaba Qwen models are selected by the routing chain.

4.3 Product Analytics, Session Capture, and Experimentation

  • PostHog (PostHog Inc.) – product analytics events, session replay with text and image masking (as described in Section 1.4), feature flag evaluation, and aggregate usage metrics. PostHog events are mirrored to our BigQuery dataset for marketing-automation queries.

4.4 Subscription Management and Payments

  • Adapty – subscription management, receipt validation, in-app purchase analytics, and integrations with our analytics partners.
  • Superwall – paywall presentation and paywall analytics.
  • Paddle – payment processing and Merchant-of-Record services for web subscriptions.
  • FunnelFox – web cancellation funnel for Paddle subscriptions.

4.5 Attribution, Conversion, and Marketing Analytics

  • AppsFlyer – mobile install attribution and event measurement. AppsFlyer receives device identifiers (IDFA on iOS only after ATT consent, IDFV, AAID on Android), event names, and install metadata.
  • Meta (Meta Platforms, Inc.) – Meta SDK and Meta Conversions API for install attribution and conversion measurement on Facebook and Instagram. Meta receives hashed email or phone, advertising identifiers (when permitted by your platform settings), the Meta browser cookie (_fbp) on web, and event metadata.
  • Google Ads, Google Analytics 4, and Google Tag Manager – web and app conversion measurement, web analytics, and tag dispatch. Hashed user data, Google click identifiers (gclid / gbraid), and event metadata are sent to Google Ads. Google Analytics receives event analytics tied to a pseudonymous client identifier.

4.6 Calendar and Meeting Integrations

  • Google Calendar API – when you connect a Google Calendar, we use the Calendar API to read your events on your behalf. We store an OAuth refresh token server-side.
  • Microsoft Graph (Microsoft Corporation) – when you connect an Outlook or Microsoft 365 calendar, we use Microsoft Graph to read your events and meeting metadata on your behalf. We store an OAuth refresh token server-side.

4.7 Operational Monitoring

  • New Relic – backend application performance monitoring and log aggregation. We send pseudonymous user identifiers, note identifiers, function names, timings, and error stack traces. We do not send the text of your notes, transcripts, or chat content to New Relic.

We will update this list as we add, remove, or change processors. If a sub-processor change materially affects how your data is handled, we will update the "Last updated" date on this policy.

5. Data Storage, Encryption, and Retention

5.1 Where Your Data Lives

  • Notes, transcripts, summaries, AI outputs (flashcards, quizzes, todos, action items, email drafts, diarization), chat sessions, vector embeddings, folders, and todos are stored in Google Cloud Firestore. Each document is owned by your Firebase user identifier and access is gated by per-collection security rules.
  • Audio recordings, uploaded documents, downloaded YouTube audio, generated text-to-speech audio, summary podcasts, and meeting bot recordings are stored either in Google Cloud Storage or in Cloudflare R2 (with content delivery through a content delivery network).
  • OAuth state for connected AI assistants (authorization codes, refresh-token hashes) is stored in Google Cloud SQL Postgres on a private network only. We store SHA-256 hashes of authorization codes and refresh tokens, not the original values.
  • OAuth refresh tokens for calendar integrations are stored in Firestore, scoped to your account.
  • Subscription state is mirrored from Adapty into Firestore so paywalls and quotas can be enforced offline.
  • Analytics events are sent to PostHog and mirrored into BigQuery for marketing automation.
  • Backend operational telemetry is sent to New Relic.
  • On-device: we keep light client state in unencrypted device-sandbox storage (onboarding flags, last-selected language, deduplication keys, UI state). We do not keep your notes themselves on the device beyond the lifetime of a recording or upload in progress.

5.2 How Media Files Are Protected

Audio recordings, uploaded documents, and generated audio (text-to-speech, summary podcasts, meeting bot recordings) are stored on Cloudflare R2 and served through a content delivery network. Each file's URL is composed of your Firebase user identifier combined with a random note identifier — together roughly 285 bits of randomness. This makes the URL practically unguessable: random enumeration or brute-force discovery is not a realistic threat against this design.

We use this design instead of short-lived signed URLs because the AI providers we route to need to fetch the file as part of processing your note. A stable fetch-by-URL design lets us hand the file off cleanly to those providers. The trade-off is that the URL itself functions as a credential: if you share the URL, or if a recipient logs it during processing, anyone with that URL can access the file. The unguessable entropy is the access barrier rather than a separately checked token.

When you delete a note, we delete its associated R2 object. CDN edge caches can retain a copy for up to 24 hours before the deletion fully propagates. We are migrating sensitive content classes that do not need long-lived CDN caching to signed-URL gating with short expiry; that work is scheduled for completion within the next two product quarters.

5.3 Encryption

All backends we use (Firestore, Google Cloud Storage, Cloudflare R2, Google Cloud SQL, BigQuery, Firebase Auth) encrypt data at rest using vendor-managed AES-256. All traffic to these services uses TLS 1.2 or higher. Authentication to our private database uses Cloud Identity and Access Management rather than passwords.

5.4 Retention by Data Type

  • Notes, transcripts, summaries, embeddings, and audio / document blobs remain on your account until you delete the individual note or close your account (see Section 5.5). Deleting a note removes its database record and the audio or document file associated with it; CDN edge caches expire within 24 hours.
  • Calendar events we have cached for the meeting bot or for surfacing in-app are auto-purged after 2 years.
  • Unfinished meeting recordings (capture sessions that were never finalized into a note) are auto-deleted 30 days after the last chunk arrives.
  • Authorization codes for connected AI assistants expire after 10 minutes and are purged daily.
  • Refresh tokens for connected AI assistants remain until you disconnect the assistant from Settings → Connected Apps, or you delete your account.
  • AI provider request and response logs are retained by each provider under its own policy, typically for up to 30 days for abuse monitoring. The actual window varies by provider and by tier (some providers offer zero-retention enterprise contracts; we are on standard commercial tiers and disclose the "up to 30 days" window as the practical worst case our users should plan for).
  • Analytics events in PostHog, BigQuery, AppsFlyer, Meta, Google Ads, GA4, and Adapty are retained under each vendor's plan-level retention policy.
  • Recall.ai meeting recordings are kept by Recall.ai for up to 24 hours before they are deleted on their side. We retain only the copy stored to our own R2 bucket after the bot finishes.

5.5 Account Deletion

You can delete your account from Settings → Delete Account in the mobile app. When you initiate deletion, we immediately delete your Firebase Auth identity, sign you out, and clear the local app state on your device. Our operations team then carries out the full erasure across the rest of our systems — orphaned Firestore documents, audio files in Cloud Storage and R2, push notification tokens, connected-assistant refresh tokens, calendar webhook channels, and analytics person profiles — on a 30-day completion target for active systems and a 90-day target for backups, except where retention is required by applicable law (for example, tax records for completed transactions).

We are in the process of automating that cascade into a single in-app delete action. Until that automation ships, the most reliable way to confirm full erasure across every backend is to email support@craftnote.com from the address associated with your account requesting full deletion; we acknowledge such requests within 5 business days and complete them within the 30-day target above.

Cancelling a paid subscription is separate from deleting your account. You cancel subscriptions through the store where you purchased them (App Store, Google Play, or Paddle).

6. AI Provider Data Flows

This section explains, per feature, what content we send to AI providers, what we get back, and what those providers do with the content. Provider selection within each chain is configured remotely (PostHog feature flags) so we can shift traffic without app updates.

6.1 Transcription (Audio → Text)

Audio recordings (voice memos, in-app recordings, imported video and audio, uploaded files, and meeting bot capture) are sent to one of: ElevenLabs Scribe V2 (via fal.ai or EachLabs), Wizper (via fal.ai or EachLabs), Groq Whisper, Google Gemini, Alibaba Qwen3-ASR Flash (via EachLabs — this routes audio through Alibaba Cloud in the People's Republic of China), xAI Speech-to-Text, Replicate WhisperX, or Cohere Transcribe (via fal.ai). For most providers, we provide a Cloudflare R2 URL and the provider fetches the audio. For Gemini, we send the audio bytes inline. The provider returns timestamped transcript text.

6.2 Diarization (Who Spoke When)

Diarized audio (assigning who said what) is processed by Scribe V2 (fal.ai or EachLabs), Deepgram Nova-3 (via EachLabs), or whisper-diarization community models hosted on EachLabs, fal.ai, or Replicate.

6.3 Live Transcription (Web)

When you enable live transcription on the web app, your browser opens a WebSocket connection directly to Deepgram and streams raw 16-kHz PCM audio there in real time. The audio does not transit our servers in this flow — CraftNote's backend only mints a 30-second-scoped authentication token that your browser presents to Deepgram. Whether live transcription is enabled for your session is controlled by a server-side feature flag; live transcription is currently a default-on feature on the web app.

6.4 Meeting Bot

When you ask CraftNote to join a meeting on Zoom, Google Meet, or Microsoft Teams, we use Recall.ai to dispatch a bot named "CraftNote Bot." Recall.ai joins the meeting, records mixed audio, and returns the recording to us. We then run our standard transcription chain on the recording. Recall.ai receives the meeting URL, the bot's display name, an internal user identifier that uniquely identifies your CraftNote account within Recall.ai's systems, and the calendar event identifier of the meeting. We do not send your email address, name, or other personal contact information to Recall.ai. Recall.ai operates in the United States; meeting audio recorded via Recall.ai is processed there regardless of where you are located.

6.5 Summary, Translation, Templates, Flashcards, Quiz, Todo, Email Drafts, Chat

Your transcripts, summaries, and chat questions are sent to a language model chain. When you use the chat-with-files feature, the file contents (PDF, DOCX, XLSX, PPTX, EPUB, ODT) are also sent. Providers in the chain include Google Vertex AI (hosting Alibaba Qwen3), Weights & Biases Inference (Qwen3 fallback), Fireworks AI (gpt-oss and Moonshot Kimi), Groq (gpt-oss), EachLabs (routing to OpenAI gpt-4.1), and OpenAI (gpt-4.1) directly. In the chat feature, the model can request fragments of your other notes through internal tool calls; those fragments are included in subsequent prompts to the same provider.

6.6 Embeddings (Verbatim Note Text → Vector)

To power semantic search across your notes and the "chat with your notes" feature, every note's title, transcript, summary, and chat turn is chunked and converted to a numerical embedding. The verbatim text of each chunk is sent to the embedding provider (Fireworks AI primary, Google Gemini fallback). We store the returned vector together with the originating chunk text in our database so we can later retrieve and cite the chunk.

6.7 Text-to-Speech (Read Aloud)

When you tap Read Aloud, the summary or transcript text is sent to OpenAI's text-to-speech models, which return audio.

6.8 YouTube and Social Link Transcription

When you create a note from a YouTube URL, we send only the URL to Google Gemini, which fetches the video from YouTube on our behalf. For TikTok, X, and podcast links, we send the URL to Supadata, which returns the publicly available transcript and metadata for the URL.

6.9 What Providers Do With Your Content

The AI providers above either contractually do not train their models on customer inputs (the case for OpenAI's API, Anthropic's API, Google Vertex AI paid tier, Gemini API paid tier, Fireworks AI, Weights & Biases Inference, Groq, Deepgram paid tier, Recall.ai, fal.ai), or they operate as routers and sub-processors for providers that contractually do not. Several providers retain request and response logs for up to 30 days for abuse monitoring. The specific retention windows vary by provider and we are working with each provider to align them with a documented schedule we can publish here.

6.10 What We Do Not Send to AI Providers

We do not send your email address, contact list, phone number, address book, payment information, or persistent advertising identifiers to AI providers. The single exception is Recall.ai, which receives an internal user identifier (Section 6.4) that uniquely identifies your CraftNote account within Recall.ai's systems but does not include your email or name. Your display name and other profile metadata are not sent as separate fields, though they may appear inside transcript or summary text if you or another speaker said them during the recording. Free-form note content can include any text or speech you chose to capture; we do not pre-filter free-form content before sending it.

7. Cookies and Similar Technologies

Our web app and marketing website (craftnote.com) use cookies and similar storage technologies. We do not currently surface a cookie banner on either site; instead, we describe below what is set, by which third party, for what purpose, and how you can opt out. We are evaluating a consent-management platform for a future release.

  • Firebase Auth session cookie (essential) – keeps you signed in. Required for the app to function. Cleared when you sign out.
  • PostHog distinct ID (analytics, including session replay with masking) – a randomly generated identifier persisted in localStorage and a first-party cookie so we can stitch events from the same browser. Reset when you sign out.
  • Google Analytics 4 (_ga, ga*) (analytics) – a randomly generated client identifier set by Google Analytics via Google Tag Manager.
  • Google Tag Manager (gtm*) (tag dispatch) – metadata that Google Tag Manager needs to dispatch downstream tags. Set on the marketing site only.
  • Meta Pixel (_fbp) (advertising) – a first-party Meta cookie used for Meta Pixel + Meta Conversions API attribution.
  • Google Ads conversion cookies (gcl*) (advertising) – Google click identifiers used for Google Ads conversion measurement.

You can clear cookies at any time using your browser's privacy controls. You can opt out of personalized advertising from Meta and Google at Meta's settings and Google's Ads Settings. You can also email support@craftnote.com to ask us to suppress non-essential analytics and advertising tags for your account.

8. Information Disclaimer

  • CraftNote is a productivity and educational service, not a professional service.
  • We do not provide legal, medical, or professional advice.
  • Our transcriptions and summaries are for informational purposes only and may contain errors.
  • Always consult qualified professionals for critical decisions.
  • We are not liable for any decisions made based on our outputs.

9. Your Rights and Choices

Depending on where you live, you have rights under privacy laws such as the EU and UK GDPR, the California Consumer Privacy Act and California Privacy Rights Act, and similar frameworks. These can include the right to access, correct (rectify), delete (erase), port, restrict, or object to the processing of your personal information, and the right not to be subjected to certain automated decisions. We honor these requests regardless of where you live.

If you are in the European Economic Area, United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local data protection supervisory authority.

9.1 In-App Controls

  • Delete a note. Notes can be deleted individually from the app. Deleting a note removes its database record and the audio or document file associated with it.
  • Edit a note (rectification). Note titles, transcripts, and other text fields can be edited in-app to correct inaccuracies.
  • Disconnect a connected AI assistant. On the web, open Settings → Connected Apps in the CraftNote web app and remove the assistant. This deletes the refresh token immediately. (Connected-apps management is web-only today; we plan to add it to mobile.)
  • Disconnect a calendar. Settings → Calendar integrations on mobile. This revokes the OAuth token and cancels the webhook channel.
  • Stop a meeting bot. Settings → Meeting bot, or the per-session controls.
  • Delete your account. Settings → Delete Account on mobile. See Section 5.5.
  • Manage app permissions. Microphone, camera, and photo access can be granted or revoked from your device settings at any time. iOS App Tracking Transparency consent can be changed from Settings → Privacy → Tracking. Android Advertising ID can be reset or deleted from Settings → Privacy → Ads.
  • Manage push notifications. From your device settings or the in-app notification settings page.

9.2 Requests via Support

For rights and choices that do not yet have a self-serve path inside the app, contact support@craftnote.com from the email associated with your account. We acknowledge these requests within 5 business days and:

  • Process a complete data-export request (a copy of your notes, transcripts, summaries, and account metadata) within 30 days.
  • Process a complete erasure request (deletion from active systems within 30 days, from backups within 90 days, except where retention is required by law).
  • Process a request to opt out of analytics and session capture for your account.
  • Process a request to opt out of marketing communications and lifecycle notifications.
  • Process a request to restrict or object to specific processing.
  • Respond to other questions about your data.

We will not retaliate against you for exercising any of these rights. If you live in California, you may designate an authorized agent to make requests on your behalf.

10. Third-Party AI Assistant Connections (Model Context Protocol)

CraftNote offers an optional integration that lets you connect external AI assistants — such as Anthropic's Claude.ai — to your CraftNote account using the Model Context Protocol (MCP). This section explains exactly what happens when you choose to connect.

10.1 How the Connection Works

When you authorize a third-party AI assistant through CraftNote's MCP connector endpoint, you complete an OAuth 2.1 authorization flow. After you sign in and approve, CraftNote issues the assistant an access token scoped to read-only operations on your own notes.

10.2 What We Share with the Connected Assistant

The connected assistant can call a small set of read-only tools (currently: list and search your notes, fetch a note's content, list folders, list outstanding action items, and run semantic search across your notes). When you ask the assistant a question that uses these tools, the content of the matching notes (titles, transcripts, summaries, action items) is returned to the assistant so it can answer you.

The assistant becomes a third-party recipient of that note content, governed by the assistant provider's own privacy policy — for Claude.ai, that is Anthropic's privacy policy. We do not share your CraftNote login credentials, payment information, contacts, location, or device identifiers with the assistant.

10.3 What We Store to Operate the Connection

To keep the connection working, we store on Google Cloud SQL (private network only): the OAuth client identifier and name of the assistant you connected; the redirect URLs it registered; and a refresh token tied to your CraftNote user ID. Short-lived authorization codes are kept for 10 minutes. Access tokens are not server-persisted (they live in the assistant's memory for one hour, then expire). Refresh tokens rotate on each use and expire after 30 days of inactivity.

10.4 What We Log About Your Usage

Each time the assistant calls a tool, we record an aggregate event in PostHog containing: the tool name, the assistant's client identifier, your CraftNote user ID, and timing information. We do not log the arguments you or the assistant pass to those tools in analytics events, and our backend operational telemetry (New Relic) also redacts tool-call arguments from log lines, so your search queries and the questions you ask the assistant are not stored by us beyond the duration of the request itself.

10.5 What We Do Not Do

We do not copy your notes into a separate database for the assistant. Each tool call reads your notes live from your existing CraftNote storage. We do not allow the assistant to write to, modify, or delete your notes. We do not use your conversations with the assistant to train any model, ours or a third party's.

10.6 How to Disconnect

You can revoke a connected assistant's access at any time. Either method below severs access immediately on the assistant's next request:

  • From CraftNote: in the web app, open Settings → Connected Apps and remove the assistant. This deletes the refresh token; the assistant's next call returns an authentication error.
  • From the assistant: disconnect or remove the CraftNote connector from the assistant's own settings (for example, Claude.ai → Settings → Connectors → CraftNote → Disconnect).

10.7 Additional Sub-Processors Used Only for This Feature

Beyond the sub-processors listed in Section 4, the MCP connection uses Google Cloud SQL for storing OAuth state. No new categories of data leave the European and US Google Cloud regions already disclosed in Section 4.

10.8 Questions

Privacy questions specific to the MCP connection can be sent to support@craftnote.com.

11. International Data Transfers

We are based in Turkey and operate the Service from Google Cloud regions in the United States and Europe. Our sub-processors and indirect sub-processors are located in the United States, the European Union, the United Kingdom, Turkey, Canada (Cohere), and the People's Republic of China (Alibaba Cloud / Qwen and Moonshot AI — reached only when the AI routing chain selects a Qwen-based model or the Kimi LLM, as described in Section 4.2). Recall.ai processes meeting recordings in the United States regardless of where you are located. When you use CraftNote from outside these regions, your information will be transferred to and processed in them.

Where required, transfers from the European Economic Area, United Kingdom, or Switzerland to countries that have not received an adequacy decision rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards built into our sub-processors' data-processing agreements. If you are located in the EEA or UK and are uncomfortable with transfers to a particular jurisdiction (for example, the People's Republic of China via the Qwen routing chain), email support@craftnote.com and we will set a per-user PostHog property that excludes your account from the affected provider routing where technically feasible.

12. Children's Privacy

CraftNote is not directed to children under 13 (or under 16 in jurisdictions where that is the relevant age of consent for data processing). By using CraftNote, you confirm that you are above the relevant age threshold for your jurisdiction. We do not knowingly collect personal information from children under those ages. If you believe a child has provided personal information to us, please contact support@craftnote.com and we will delete the information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For material changes that affect how your data is processed, we will additionally send an email notification at least 14 days before the change takes effect, to the email address associated with your account. You are advised to review this Privacy Policy periodically.

14. California Residents: Your Privacy Rights

If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information, in addition to the rights described in Section 9.

Categories of personal information we collect — identifiers (Firebase UID, email, IP address, advertising identifiers), commercial information (subscription status), internet activity (usage events, session-replay structure with masked content), audio/visual data (audio recordings you create), geolocation data (coarse country only), professional information (only if you include it in a note), inferences drawn from the above (e.g., language preference). Sources and purposes are described in Sections 1 and 2.

We do not "sell" your personal information as that term is defined under the CCPA.

We do "share" certain personal information for cross-context behavioral advertising, as that term is defined under the CPRA. Specifically: hashed email or phone, advertising identifiers, the Meta browser cookie (_fbp), and event metadata are shared with Meta, Google Ads, and AppsFlyer to measure how well our marketing campaigns perform.

Your CPRA rights:

  • Right to know what personal information we collect, use, share, and retain.
  • Right to delete personal information we collected from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of your personal information.
  • Right to limit the use of your sensitive personal information.
  • Right to non-discrimination for exercising any CPRA right.

To exercise your "Do Not Sell or Share My Personal Information" right, email support@craftnote.com with the subject line "Do Not Sell or Share My Personal Information." We will suppress sharing for cross-context behavioral advertising for your account within 15 business days. You can also use the Global Privacy Control signal in your browser; we honor it as an opt-out request when we receive it on our web app and marketing website (craftnote.com).

Authorized agents. You may designate an authorized agent to make a CPRA request on your behalf. We will require proof of the agent's authority.

15. Contact Us

If you have questions about this Privacy Policy, please contact us at:

Email: support@craftnote.com

Company: Joyolabs Dijital Hizmetler Anonim Şirketi (Istanbul, Türkiye)

As the company is established in Türkiye, the Turkish data protection law (KVKK) and the Turkish Personal Data Protection Authority (KVKK Kurumu) apply to our processing, alongside the GDPR and UK GDPR where they apply to EEA and UK users.

We have not appointed a Data Protection Officer or an EU Article 27 representative. If you are an EEA or UK data subject and need a local representative for a complaint or inquiry, please email the address above and we will provide the appropriate point of contact.

Try CraftNote on the web

AI-powered notes from your meetings, lectures, PDFs, and videos — no install needed.

Open CraftNote