← Back to Notora

Notora — Privacy Policy

Last updated: 7 June 2026

This Privacy Policy describes how Fivehy Ltd ("we", "us" or "our") collects, uses, shares and protects information when you use the Notora mobile application (the "App"). We are committed to handling your data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller for personal data processed by the App is Fivehy Ltd, with its registered office at A L 182-184 High Street North, Area 1/1, East Ham, London, United Kingdom, E6 2JA. You can reach us at moc.yhevif@olleh .

2. The Short Version

Notora stores your notes on your device. Sync is optional. If you enable it, your notes are end-to-end encrypted before they leave your device — we cannot read them. We do not use advertising, do not sell data, and do not train AI models on your notes.

3. What We Collect

We process the following categories of personal data:

• On-device data: notes, folders, tags and app preferences live on your device. We do not collect this unless you explicitly enable sync.
• Account data (only if you enable sync): an email address and an authentication secret (stored as a salted hash by our auth provider).
• Encrypted note blobs (only if you enable sync): your notes are encrypted on the device with keys we cannot access, and the resulting ciphertext is stored by our sync provider. We can see that data exists, but not what it contains.
• Technical data: device type, operating system and app version, and standard server logs (including IP address, used for security and abuse prevention).

4. How We Use Your Data

• To run the App on your device.
• To sync your (encrypted) notes between your devices, when you enable sync.
• To create and manage your account, when you enable sync.
• To improve reliability, performance and security of the App.
• To respond to your support requests.
• To comply with legal obligations.

We do not sell your personal data, we do not use it for advertising, and we do not train AI models on Your Content.

5. Legal Bases (UK GDPR)

• Contract: to provide the App and the features you sign up for.
• Consent: for optional features such as sync.
• Legitimate interests: security, fraud prevention, diagnostics and improving the service.
• Legal obligation: where the law requires us to process data.

6. Sub-processors

To provide the optional sync feature we rely on the following sub-processors, each bound by appropriate data-protection terms.

• Supabase Inc. (USA) — database, authentication and storage for the sync feature. Note bodies are stored only in encrypted form; Supabase has no access to your decryption keys.
• Apple Inc. and Google LLC (App Store / Google Play) — distribute the App and may provide aggregate store analytics and crash data to us.

7. International Transfers

Some of our sub-processors are based outside the United Kingdom and the European Economic Area. Where personal data is transferred outside the UK / EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or equivalent adequacy mechanisms.

8. Retention

Notes that live on your device are kept until you delete them. When sync is enabled, the encrypted blobs are kept until you delete them or delete your account. When you request deletion of your sync account, we begin a 30-day grace period during which the account is frozen and the data is held pending deletion. If you sign back into the App within those 30 days, the deletion is automatically cancelled. After 30 days, your account and all data linked to it are permanently and irreversibly deleted — including from our backups.

9. Your Rights

Subject to UK GDPR, you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data erased ("right to be forgotten").
• Restrict or object to certain processing.
• Request data portability (export your notes to Markdown or PDF).
• Withdraw consent at any time — for example by turning sync off.
• Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email moc.yhevif@olleh . Account and data deletion are also available directly from inside the App, and step-by-step instructions live on a dedicated Delete your Notora account page.

10. Children

The App is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Security

We use reasonable technical and organisational measures to protect your data, including end-to-end encryption for sync, HTTPS for all network traffic, row-level security on our database so you can only access your own data, hashed authentication secrets, and the principle of least privilege for our systems. No method of transmission or storage is fully secure, however, and we cannot guarantee absolute security. Because sync is end-to-end encrypted, we cannot recover Your Content if you lose your password and recovery information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available at this URL with the updated date at the top. Material changes will be communicated in the App where reasonable.

13. Contact

For privacy-related questions, write to moc.yhevif@olleh .