Privacy Policy

Last updated: April 19, 2026
Plain-English notice: NapkinNote is built and run by high school students. We are not lawyers, and this Privacy Policy has not been reviewed by one. We wrote it to describe — honestly and in plain language — what we actually collect and what we do with it. If your school needs a formal policy review before you use the service, please email support@napkinnotes.net.

This policy covers everyone who uses NapkinNote at napkinnotes.net.

1. What we collect

CategoryExamplesWhy we have it
Account info Name, school-domain email, username, hashed password, or Google sign-in ID To log you in and associate you with the right school community
Profile info Profile picture or link, optional bio, optional resume To let classmates see who posted a note
Content you upload Note titles, descriptions, tags, PDFs, images, extracted text, comments This is the service — your notes, shown to your school
Marketplace info Listings, meetup requests, messages about them To run the optional marketplace within your school
Usage + technical data IP address, browser type, pages visited, timestamps, rate-limit counters, audit logs for sensitive actions Security (blocking abuse), debugging, and fraud prevention
Support emails Whatever you send us through Contact or Report Issue To respond to you

We do NOT collect: your school grades, test scores, phone number (unless you put it in a note), location, or anything tracked by advertising networks. We don't run ads.

2. How we use it

  • Run the service: show your notes to the correct school, let you upload and browse, send password-reset and verification emails.
  • Keep the service safe: detect abuse, enforce rate limits, review reported content, investigate security incidents.
  • Improve the service: see which features people use and fix bugs. We use log data for this, not your note content.
  • Communicate with you: reply to support requests, send important account notices. We don't send marketing emails.

3. Who sees your content

  • Classmates at your school: public notes and marketplace listings you post are visible to signed-in users at your school. Private notes stay with you.
  • Your school's administrators: designated NapkinNote admins for your school can view, moderate, and remove content from students at that school.
  • NapkinNote operators: a small number of NapkinNote admins (the students running the platform) have technical access to the database for operations and support. They only access user data when needed to keep the service running or investigate abuse.
  • No one else. We don't sell data, and we don't share it with advertisers, other schools, or data brokers.

4. Third parties that help us run the service

We use these vendors under agreements that restrict how they can use your data:

  • Google Cloud (hosting, database, OAuth sign-in, Vision OCR): runs our servers and lets you sign in with a Google school account. Vision extracts text from scanned pages you upload.
  • Amazon Web Services (S3): stores your uploaded files and thumbnails.
  • Anthropic (Claude): generates batch-upload groupings, tags, and note summaries from the text of notes you upload. Anthropic is contractually prohibited from using submissions to train its models.
  • Email (SMTP via Gmail): sends account, password-reset, and notification emails.
  • Redis: tracks rate limits and short-lived session data.

These providers are in the United States. Your data is transmitted using TLS encryption and stored encrypted at rest where the provider supports it.

5. How long we keep it

  • Account, profile, and notes: kept while your account is active.
  • Audit logs of sensitive actions (password changes, admin alias, deletions): kept up to 12 months.
  • Rate-limit counters and request logs: typically 30 days.
  • Backups: up to 90 days before they roll off.
  • When you delete a note or your account, we delete it from the live service within a reasonable time. Copies may persist in backups until they expire.

6. Your rights and choices

  • See or change your data: edit your profile and notes from your account any time.
  • Delete your account: email support@napkinnotes.net and we will delete your account and associated content. If you are in a jurisdiction with data rights (for example the EU/EEA, UK, or California), you have the right to request access, correction, deletion, or export of your data — use the same email.
  • Opt out of non-essential emails: we don't currently send marketing email. If we ever do, you'll be able to opt out.

7. Security

We do our best to protect the service: passwords are hashed with bcrypt, traffic is served over HTTPS, uploads are validated for type and size, we rate-limit sensitive actions, we sanitize content to prevent XSS, and we log sensitive admin actions. We run automated dependency scans to find known vulnerabilities.

No online service is perfectly secure. If we ever discover a breach affecting your data, we will email affected users and post a notice on the site as quickly as we reasonably can.

8. Students under 13

NapkinNote is intended for students 13 and older. If we learn that someone under 13 created an account, we will delete it. If you are a parent or school administrator and believe a student under 13 has an account, please email support@napkinnotes.net.

9. Cookies and similar tech

We use a small number of functional cookies to keep you signed in, remember CSRF tokens, and remember your login if you tick "remember me." We don't use advertising or tracking cookies.

10. Changes to this policy

When we make a meaningful change to how we handle data, we'll update the "Last updated" date at the top of this page and, for big changes, show a notice on the site for a while. Continuing to use NapkinNote after a change means you accept the updated policy.

11. Contact

For privacy questions or data requests, email support@napkinnotes.net. We read everything.

Read the Terms of Service →