stownote

Privacy Policy

Last updated: May 30, 2026

Draft — pending legal review. This document is a good-faith working draft. It must be reviewed by a qualified attorney before stownote launches publicly or is submitted to the Chrome Web Store.

stownote ("stownote," "we," "us") is a browser extension and accompanying website that lets you stash notes and gift cards at specific websites. This policy explains what we collect, how we use and protect it, and the choices you have. It applies to the stownote Chrome extension and the stownote.com website.

1. Information we collect

  • Account identity. When you sign in, our authentication provider, Clerk, processes your email address and, if you use a social login, the basic profile your provider returns. We receive a Clerk user identifier that we use to associate your data with you.
  • Your stashed content. The notes you write, and the website match rules (domain, URL, or pattern) you attach them to. This content is stored so we can sync it to you wherever you sign in.
  • Gift-card secrets. If you save a gift card, we store the card number, PIN, expiry, and any note you add. Because these are secrets, we encrypt them before they are written to our database (see "How we protect your data").
  • Billing information. If you upgrade to a paid plan, payment is handled by Paddle, our Merchant of Record. We do not see or store your full card details; we receive your subscription status from Paddle.
  • Operational data. Standard server logs (IP address, timestamps, error traces) generated when the extension or site talks to our API, used to operate and secure the service.

2. What we do NOT collect

  • We do not track your browsing history. The extension evaluates whether the current page matches one of your saved rules locally, in your browser; it does not send us the pages you visit.
  • We do not sell your data, and we do not use your notes or gift-card contents for advertising or to train AI models.

3. How we use your information

  • To store and sync your notes and gift cards across your devices.
  • To authenticate you and keep your data scoped to your account.
  • To process subscriptions and enforce plan limits.
  • To operate, secure, debug, and improve the service.
  • To respond to your support requests.

4. How we protect your data

stownote stores user secrets. Gift-card details are a bearer secret, so we encrypt them with AES-256-GCM before they are saved to our database. The encryption key is held only in our server environment, never in the database, so a database leak alone does not expose your gift-card contents. This protects data at rest: a stolen copy of our database yields only ciphertext. It does not make stownote a zero-knowledge service — to display a gift card, the plaintext code and PIN travel from our servers to your extension over an encrypted TLS connection, and our servers (and you, as the signed-in owner) can decrypt your cards. All data in transit is protected with TLS.

5. Service providers

  • Clerk — authentication and account management. Clerk processes your sign-in identity. See Clerk's privacy policy.
  • Paddle — payments and subscription billing as our Merchant of Record. Paddle processes your payment details and handles applicable sales tax/VAT. See Paddle's privacy policy.
  • Supabase — managed PostgreSQL database hosting for your stashed content (gift-card secrets encrypted as described above).
  • Vercel — hosting for our website and API.

6. Data retention

We keep your stashed content until you delete it or close your account. Deleted entries are removed from active use immediately and purged from backups in the normal backup-rotation cycle. Operational logs are retained for a limited period for security and debugging.

7. Deleting your data

You can delete any individual note or gift card from the extension at any time. To delete your entire account and all associated data, email us at privacy@stownote.com and we will erase your stored content and account record. Note that losing access to our encryption key, or your deletion of a gift card, makes that data permanently unrecoverable.

8. Your rights

Depending on where you live (for example under GDPR or CCPA), you may have the right to access, correct, export, or delete your personal data, and to object to certain processing. To exercise any of these rights, contact us at privacy@stownote.com.

9. Children

stownote is not directed to children under 13, and we do not knowingly collect their data.

10. Changes to this policy

We may update this policy. We will revise the "Last updated" date above and, for material changes, provide a more prominent notice.

11. Contact

Questions about this policy or your data? Email privacy@stownote.com.

Privacy Policy · stownote