Privacy Policy

Effective date: May 28, 2026

B2 Notes ("we", "us", "our") operates the b2notes.com website and application. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

1. Information We Collect

Account Information

When you register, we collect your email address and a hashed password. We never store your password in plain text. You may optionally upload a profile avatar.

Notes & Content

We store the content you create — notes, kanban boards, mind maps, drawings, calendar events, and associated metadata (titles, tags, folders, links). This data is stored on our servers to provide the service.

Encrypted Notes (Vault)

When you use the encryption vault, your note content is encrypted client-side using XChaCha20-Poly1305 before it leaves your browser. We store only the encrypted blob. We cannot read, decrypt, or recover encrypted note content — this is a zero-knowledge architecture. If you lose your vault password, encrypted notes cannot be recovered.

Activity Data

We log user actions (e.g., creating, editing, or deleting items) to power the dashboard activity heatmap and recent activity feed. Duplicate actions within 5 minutes are throttled.

File Uploads

Uploaded files (images, audio recordings, avatars) are stored on our servers in user-specific directories. Uploaded files are accessible only to the authenticated user who uploaded them.

Spotify Integration

If you connect your Spotify account, we store your Spotify access token and refresh token in your user settings to maintain the connection. We do not store your Spotify password. You can disconnect at any time, which deletes the stored tokens.

2. How We Use Your Information

• Provide the service — store, sync, and display your notes and content across your devices
• Authentication — verify your identity when you log in
• Two-Factor Authentication — send one-time verification codes to your email when unlocking the encryption vault
• Activity features — power the dashboard heatmap, recent activity, and calendar views
• Theme & settings — remember your preferences across sessions

3. Cookies & Sessions

We use a session cookie to keep you logged in. This cookie contains only a session identifier — no personal data. We also store UI preferences (panel widths, folder collapse states) in your browser's localStorage. We do not use third-party tracking cookies or analytics services.

4. Third-Party Services

• Google Fonts — We load fonts from fonts.googleapis.com. Google may log font requests per their Privacy Policy.
• Spotify — If you connect Spotify, playback uses the Spotify Web Playback SDK. Spotify's use of your data is governed by the Spotify Privacy Policy.
• CDN Libraries — Static JavaScript libraries loaded from CDNs with no data collection.

5. Data Security

• All connections use HTTPS
• Passwords are hashed using bcrypt (12 salt rounds)
• CSRF protection on all API endpoints
• Rate limiting on login and registration
• Content Security Policy (CSP) headers
• Encrypted notes use client-side XChaCha20-Poly1305 with Argon2id key derivation

6. Administrative Access

Designated administrators may view limited account metadata for the purpose of customer support, billing, security, and abuse prevention. Specifically, administrators may see:

• Your username, email address, and account creation date
• Your subscription status and trial dates
• Your last-active timestamp and a derived "online" indicator (active in the last 5 minutes)
• Aggregate counts of items you've created (number of notes, mind maps, drawings, etc.) — never the items themselves
• Total storage used by your notes (size in bytes), without access to the contents
• Aggregate activity statistics, including how often and at what hours you use the app
• The IP address and user-agent recorded at account creation and at submission of any support ticket

Administrators cannot view note titles, note contents, file uploads, search terms, anything stored in encrypted notes, or specific items you are working on. Encrypted notes are mathematically inaccessible to us — even administrators with full database access cannot read them.

All administrative access actions are recorded in an internal audit log with timestamp, the administrator's identity, and the nature of the access. If you wish to know what administrative access has occurred against your account, contact support@b2notes.com.

7. Data Retention

Your data is retained as long as your account is active. Deleted notes are soft-deleted (moved to Trash) and can be restored. Permanently deleting a note removes it from the database. Contact us to request full account deletion.

8. Your Rights

• Access & Export — Export any note as HTML, Markdown, PDF, or plain text
• Correction — Edit your content and profile at any time
• Deletion — Delete individual notes or request full account deletion
• Disconnect — Disconnect third-party integrations at any time

9. Children's Privacy

B2 Notes is not directed at children under 13. We do not knowingly collect information from children under 13.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date.

11. Contact

Questions about this Privacy Policy:
support@b2notes.com