Privacy Policy

Effective Date: March 5, 2026

Welcome to NoteTube, an AI-powered learning platform operated by Acasa Labs ("we," "us," or "our"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website at https://notetube.ai, our mobile applications, and all related services (collectively, the "Service").

We are committed to protecting your privacy and handling your data transparently. By using NoteTube, you agree to the practices described in this policy. If you do not agree with this policy, please do not use our Service.

Information We Collect

We collect information in the following categories to provide and improve our Service.

Account Information

When you create an account, we collect:

  • Name and display name provided during registration
  • Email address used for account creation and communication
  • Authentication credentials managed securely through our authentication provider (Supabase Auth)
  • Profile information such as your profile picture (if provided via Google OAuth)
  • Account type (e.g., student, teacher) and subscription tier

You may sign up using Google OAuth or email and password. If you use Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

Uploaded Content

NoteTube allows you to upload and process learning materials. This includes:

  • PDF documents uploaded for study and analysis
  • YouTube video URLs submitted for content extraction
  • Images uploaded for analysis and text extraction
  • Articles linked or pasted for processing
  • Text content entered directly into the platform

All uploaded content is stored in our secure cloud storage and processed to generate study materials for your use.

Generated Study Materials

When you use our AI-powered features, we store the materials generated from your content:

  • Flashcard decks and individual flashcards
  • Quiz sets, questions, and your quiz attempts and responses
  • Summaries and notes
  • Chapter extractions
  • Mind maps
  • Podcast episodes and transcripts
  • AI chat conversations and message history

Usage Data

We collect information about how you interact with the Service, including:

  • Study session data — sessions created, duration, and activity
  • Flashcard review history — spaced repetition scheduling data, review timestamps, and performance metrics
  • Quiz attempt data — scores, time taken, and response patterns
  • Feature usage — which tools you use and how frequently
  • Daily and monthly usage metrics — for subscription limit tracking and billing purposes

Device and Technical Information

We collect technical information at various stages of your use of the Service to maintain security, prevent abuse, and improve your experience.

At registration (collected once):

  • Sign-up IP address — for fraud detection and abuse prevention
  • Sign-up platform and device type — the platform (web, iOS, Android) and device type used to create your account
  • Sign-up operating system and user agent — for security records
  • Sign-up country — derived from your IP address at the time of registration

On each sign-in (updated periodically):

  • IP address — for rate limiting, security monitoring, and detecting unauthorized access
  • Platform, device type, and device brand/model — to optimize the Service for your device
  • Operating system and version — for compatibility and debugging
  • Browser and browser version — for web application compatibility (web users only)
  • App version — for mobile application compatibility (mobile users only)
  • Country — derived from your IP address for local currency display and regional compliance

Persistent identifiers:

  • Device fingerprint — a hashed identifier used solely for detecting multi-account abuse and unauthorized access patterns. This is not used for advertising or cross-site tracking.
  • Timezone and locale — to display dates, times, and interface elements in your preferred format
  • Currency — derived from your detected country, used to display pricing in your local currency

Behavioral signals:

  • Sign-in count — the total number of times you have signed in, used for security anomaly detection

Error monitoring (production only):

  • Sentry error reports — stack traces, browser/OS metadata, and interaction context collected when errors occur
  • Session replay — at a low sample rate (10% of sessions, 100% of sessions with errors), Sentry captures anonymized interaction patterns to help diagnose user-facing bugs. Session replay does not capture document content, passwords, or form inputs.

We collect this information to maintain account security, enforce rate limits, detect unauthorized access, prevent multi-account abuse, and display pricing in your local currency.

Payment Information

When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or full payment details on our servers. We receive from Stripe only:

  • Subscription status and plan type
  • Billing cycle dates
  • Transaction identifiers

Contact and Feedback Submissions

When you use our contact form or submit feedback through the Service, we collect:

  • Contact form data — your name, email address, subject, and message content
  • Bot protection data — our contact form is protected by Cloudflare Turnstile, which processes your IP address and browser interaction signals to verify you are not an automated bot
  • Feedback metadata — when you submit feedback, we may collect your browser user agent and the referring page URL to help us understand the context of your feedback

How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service — to create your account, store your uploads, and deliver AI-generated study materials including flashcards, quizzes, summaries, notes, chapters, mind maps, podcasts, and AI chat
  • AI content processing — to send your uploaded content to AI providers for analysis and generation of study materials (see the AI Processing section below)
  • Spaced repetition — to power the SM-2 algorithm for flashcard scheduling based on your review history
  • Payment processing — to manage your subscription, enforce usage limits, and process payments through Stripe
  • Security and abuse prevention — to enforce rate limits, detect fraud, and protect the integrity of our Service
  • Error monitoring — to identify and fix bugs and performance issues using Sentry (production only)
  • Communication — to send you important service updates, respond to support requests, and provide account-related notifications
  • Service improvement — to understand usage patterns and improve features, performance, and user experience
  • Analytics — when you consent, to collect anonymized website usage data via Google Analytics to understand how users navigate the Service and which features are most valuable

We do not sell your personal information to third parties. We do not use your uploaded content for advertising purposes.

AI Processing

NoteTube uses multiple AI providers to process your uploaded content and generate study materials. This is a core part of how our Service works, and we want to be transparent about it.

How Your Content Is Processed

When you upload a document, video, image, article, or text, the following occurs:

  1. Your content is securely uploaded to our storage infrastructure
  2. Text is extracted from your content (e.g., PDF text extraction, image OCR)
  3. The extracted text is split into smaller segments and sent to AI provider APIs to generate study materials such as flashcards, quizzes, summaries, and more
  4. Text segments are converted into mathematical vector representations (embeddings) for semantic search, enabling the AI chat feature to find relevant context from your documents

AI Providers We Use

We use the following AI providers to process your content:

  • OpenAI — for text generation and embeddings
  • Google Gemini — for text generation
  • Anthropic Claude — for text generation
  • Meta Llama — for text generation
  • Mistral — for text generation

Your content is sent to these providers via their APIs solely for the purpose of generating study materials and providing AI chat functionality within NoteTube.

Important Commitments Regarding AI Processing

  • We do not use your content to train AI models. Your uploaded materials are processed on-demand and are not contributed to any training datasets.
  • AI providers process your content according to their respective API terms of service, which generally prohibit using API inputs for model training. We select providers and configurations that align with data protection best practices.
  • Your content is not shared across users. Each user's content is isolated and processed independently.
  • You choose which content to upload. We only process content that you actively submit to the Service.

Data Storage and Security

We take the security of your data seriously and implement multiple layers of protection.

Infrastructure and Encryption

  • Database and authentication are managed by Supabase, which provides PostgreSQL databases with encryption at rest (AES-256) and in transit (TLS 1.2+)
  • File storage uses Supabase Storage with server-side encryption for all uploaded documents and media
  • Vector embeddings for semantic search are stored in Qdrant, a dedicated vector database, secured with API key authentication
  • Payment data is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of payment security certification
  • All data in transit between your device and our servers is encrypted using HTTPS/TLS

Access Controls

  • Row-level security (RLS) policies are enforced on all database tables, ensuring users can only access their own data
  • API endpoints are protected by authentication middleware
  • Administrative access to infrastructure is restricted and monitored
  • Service-to-service communication uses internal API keys that are never exposed to clients

Caching

We use Redis for temporary caching of certain data to improve performance. Cached data has defined expiration times and is used solely to reduce latency and server load. Sensitive data in cache follows the same access control patterns as our primary database.

Third-Party Services

We rely on the following third-party services to operate NoteTube. Each processes data as described:

| Service | Purpose | Data Shared |
|---------|---------|-------------|
| Supabase | Authentication, database, file storage | Account data, uploaded content, all application data |
| OpenAI | AI text generation and embeddings | Extracted text from uploaded content |
| Google (Gemini) | AI text generation | Extracted text from uploaded content |
| Anthropic | AI text generation | Extracted text from uploaded content |
| Meta (Llama) | AI text generation | Extracted text from uploaded content |
| Mistral | AI text generation | Extracted text from uploaded content |
| Stripe | Payment processing and subscription management | Email, subscription details, payment method (handled by Stripe directly) |
| Sentry | Error tracking and performance monitoring (production only) | Error logs, stack traces, device/browser metadata (no personal content) |
| Firebase | Web application hosting | Static assets only; no user data is stored in Firebase |
| Google Analytics (GA4) | Website analytics (consent-based, IP anonymized) | Anonymized page views, feature usage events, browser/OS metadata. Only activated with your consent via our cookie consent banner. |
| Google AdSense | Contextual ad display on select pages | Google may use cookies for ad serving. Ad personalization is denied by default via Consent Mode v2. |
| Cloudflare Turnstile | Bot detection and CAPTCHA verification | IP address, browser signals, interaction patterns |
| Resend | Transactional email delivery | Recipient email address and email content |
| YouTube Data API | Video metadata retrieval for YouTube sources | YouTube video IDs/URLs; metadata such as title, duration, and thumbnail retrieved |
| Supadata | YouTube transcript extraction | YouTube video URLs |
| ipapi.co | IP geolocation for currency and country detection | IP address; country code and currency returned |

Each of these services has its own privacy policy, and we encourage you to review them. We select service providers that maintain strong data protection practices and comply with applicable regulations.

Classroom and Educational Features

NoteTube includes classroom features that allow teachers to share study materials with students and monitor learning progress.

What Teachers Can See

When you join a classroom as a student, the teacher (or classroom administrator) can view:

  • Your display name, email address, and profile picture
  • Assignment completion status — whether you have accessed and engaged with assigned materials
  • Quiz performance — scores, number of attempts, and completion rates for assigned quizzes
  • Flashcard retention — spaced repetition metrics and study session activity for assigned flashcard decks
  • Last active date — when you last interacted with the classroom's materials

Teachers cannot access your private study sessions, personal uploads, or materials from other classrooms.

Student Consent and Control

  • Joining a classroom constitutes your consent to allow the classroom teacher to view your learning progress data as described above.
  • Leaving a classroom revokes the teacher's ongoing access to your future activity. Previously generated reports and historical data from your time in the classroom may be retained for the teacher's records.
  • You can leave any classroom at any time through your account settings.

Teacher Responsibilities

Teachers and classroom administrators agree that they:

  • Have appropriate authority (institutional, parental, or otherwise) to invite students to their classroom
  • Will use student learning data solely for legitimate educational purposes
  • Will comply with applicable student privacy laws, including FERPA (Family Educational Rights and Privacy Act) in the United States and equivalent regulations in other jurisdictions
  • Are responsible for obtaining any required parental consent for students under 18

Institutional Use

For schools, universities, and educational institutions requiring a formal Data Processing Agreement (DPA), please contact us at support@notetube.ai. We are committed to supporting compliance with institutional data privacy requirements.

Public Content

Certain content on NoteTube can be made publicly visible at your discretion.

What Can Be Made Public

  • Flashcard decks and quiz sets can be set to "public" visibility. By default, all content is private.
  • When you make content public, the following becomes visible to anyone (including unregistered visitors): the content itself (flashcards or quiz questions), your display name and profile picture, and aggregate metrics such as view count and clone count.

Guest Access

  • Unregistered visitors may browse a limited selection of public content and clone (copy) public study sessions to try the Service.
  • Guest access is limited and does not include access to AI features or private content.

Your Control Over Public Content

  • You can change any public content back to private at any time. However, copies (clones) made by other users while the content was public will persist independently and are not affected by your visibility change.
  • Important: Do not make content public if it contains copyrighted material you do not have the right to distribute, sensitive personal information, or confidential data.

Cookies and Tracking

Cookies We Use

NoteTube uses the following categories of cookies:

  • Essential cookies — managed by Supabase Auth to maintain your login session. These are required for the Service to function and cannot be disabled while using NoteTube.
  • Preference cookies — to remember your theme preference (light/dark mode) and other interface settings.
  • Analytics cookies (consent-based) — Google Analytics (GA4) cookies are used to collect anonymized usage data about how visitors navigate the Service. These cookies are activated only with your explicit consent via our cookie consent banner. When enabled, GA4 operates with the following privacy protections:
    • Consent Mode v2 is enabled with analytics denied by default until you opt in
    • IP anonymization is enabled
    • Google Signals (cross-device tracking) is disabled
    • Ad personalization signals are denied
    • Cookie expiration is set to 14 months
    • No personal content or document data is sent to Google Analytics
  • Advertising cookies (limited) — Google AdSense may set cookies on select pages to serve contextual advertisements. Ad-related consent defaults are set to denied via Consent Mode v2:
    • ad_storage is denied by default
    • ad_user_data is denied by default
    • ad_personalization is denied by default
    • AdSense operates in contextual mode, meaning ads are based on page content rather than user profiles

What We Do Not Use

  • We do not use social media tracking pixels (Facebook Pixel, Twitter Pixel, etc.)
  • We do not enable Google Signals or cross-device tracking
  • We do not participate in interest-based advertising or retargeting networks
  • We do not sell or share your data with data brokers
  • We do not use your uploaded content or study materials for any advertising or ad-targeting purpose

Consent Management

You can manage your cookie and tracking preferences at any time:

  • Cookie consent banner — presented on your first visit, allowing you to accept or decline non-essential cookies
  • Account privacy settings — registered users can toggle analytics and data collection preferences in their account settings (see "Your Preferences and Controls" below)

Changes to your preferences take effect immediately. Your consent choices are recorded in our consent log for compliance purposes.

Error Monitoring

In production environments, Sentry collects technical error data (stack traces, browser type, OS version) to help us identify and fix issues. Sentry does not track your browsing behavior or collect your uploaded content. Sentry session replay is used at a low sample rate to diagnose user-facing bugs and captures only interaction patterns, not document content.

Data Retention

Active Accounts

While your account is active, we retain all data associated with it, including your uploaded content, generated study materials, chat history, and usage data. This data is necessary to provide the Service and maintain your learning progress (e.g., spaced repetition schedules).

Account Deletion

When you request account deletion:

  • Your account and profile information will be permanently deleted
  • All uploaded content (PDFs, images, articles) will be removed from our storage
  • All generated study materials (flashcards, quizzes, summaries, notes, mind maps, podcasts) will be deleted
  • Chat message history will be deleted
  • Vector embeddings associated with your content will be removed from Qdrant
  • Usage and billing records may be retained in anonymized form for up to 12 months for legal and financial compliance purposes
  • Stripe may retain transaction records independently per their data retention policy

Account deletion is permanent and cannot be reversed. We aim to complete all deletion requests within 30 days.

Cached Data

Temporary cached data (e.g., API response caches, session caches) expires automatically based on predefined time-to-live settings, ranging from 5 minutes to 30 days depending on the data type.

Your Rights

We respect your rights regarding your personal data. Depending on your location, you may have the following rights:

Rights Under GDPR (European Economic Area, UK, Switzerland)

  • Right of Access — You can request a copy of the personal data we hold about you.
  • Right to Rectification — You can request correction of inaccurate or incomplete personal data.
  • Right to Erasure — You can request deletion of your personal data (subject to legal retention requirements).
  • Right to Restrict Processing — You can request that we limit how we use your data.
  • Right to Data Portability — You can request your data in a structured, commonly used, machine-readable format.
  • Right to Object — You can object to our processing of your data in certain circumstances.
  • Right to Withdraw Consent — Where processing is based on consent, you can withdraw consent at any time.

Rights Under CCPA (California Residents)

  • Right to Know — You can request information about the categories and specific pieces of personal information we have collected about you.
  • Right to Delete — You can request deletion of personal information we have collected from you.
  • Right to Opt-Out of Sale — We do not sell your personal information. No opt-out is necessary, but you may still make this request for the record.
  • Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights.

How to Exercise Your Rights

To exercise any of these rights, please send your privacy inquiry to support@notetube.ai. We will respond to your request within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

You can also manage much of your data directly through the Service:

  • View and edit your profile information in account settings
  • Delete individual study sessions, flashcard decks, quizzes, summaries, notes, and other content
  • Request full account deletion through your account settings or by contacting support

Your Preferences and Controls

You can manage the following privacy and communication preferences in your account settings:

  • Email notifications — control whether you receive service-related email notifications (e.g., study reminders, feature updates)
  • Marketing emails — opt in or out of promotional emails and product announcements
  • Analytics — enable or disable Google Analytics data collection for your sessions. When disabled, no analytics data is collected during your use of the Service.
  • Data collection scope — control the extent of device and usage data we collect beyond what is strictly necessary for security and Service operation

Changes to these preferences are logged in our consent records and take effect immediately. You can update these settings at any time from your account page.

Data Export and Portability

NoteTube supports the following data export capabilities:

  • Flashcard decks — export in JSON, CSV, or Anki-compatible format for use in other study tools
  • Summaries — export in Markdown, PDF, or TXT format
  • Complete data export — for a full export of all your personal data (including profile information, uploaded content metadata, study history, and generated materials), please contact us at support@notetube.ai. We will provide your data in a structured, machine-readable format within 30 days.

Children's Privacy

NoteTube is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to promptly delete that information.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at support@notetube.ai so we can take appropriate action.

For users between the ages of 13 and 18, we recommend that a parent or guardian review this Privacy Policy and supervise the use of NoteTube.

International Data Transfers

NoteTube operates globally, and your data may be processed in countries other than the country in which you reside. Our infrastructure providers, AI services, and other third-party services may process data in the United States, the European Union, and other jurisdictions.

When we transfer data internationally, we take steps to ensure that appropriate safeguards are in place, including:

  • Using service providers that participate in recognized data protection frameworks
  • Relying on Standard Contractual Clauses (SCCs) where applicable
  • Selecting providers that maintain adequate security certifications and compliance programs

By using NoteTube, you acknowledge that your data may be transferred to and processed in jurisdictions that may have different data protection laws than your home country.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes to this policy, we will:

  • Update the "Effective Date" at the top of this page
  • Notify you via email (at the address associated with your account) for significant changes
  • Display a prominent notice within the Service

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of NoteTube after any changes to this policy constitutes your acceptance of the updated terms.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • General inquiries: contact@notetube.ai
  • Privacy and data requests: support@notetube.ai
  • Website: https://notetube.ai

We aim to respond to all inquiries within 5 business days and to resolve privacy-related requests within 30 days as required by applicable law.

For questions about this privacy policy, please contact us at contact@notetube.ai
