Privacy Policy
Effective date: April 11, 2026
B2 Notes ("we", "us", "our") operates the b2notes.com website and application. This Privacy Policy explains what information we collect, how we use it, and the choices you have.
1. Information We Collect
Account Information
When you register, we collect your email address and a hashed password. We never store your password in plain text. You may optionally upload a profile avatar.
Notes & Content
We store the content you create — notes, kanban boards, mind maps, drawings, calendar events, and associated metadata (titles, tags, folders, links). This data is stored on our servers to provide the service.
Encrypted Notes (Vault)
When you use the encryption vault, your note content is encrypted client-side using XChaCha20-Poly1305 before it leaves your browser. We store only the encrypted blob. We cannot read, decrypt, or recover encrypted note content — this is a zero-knowledge architecture. If you lose your vault password, encrypted notes cannot be recovered.
Activity Data
We log user actions (e.g., creating, editing, or deleting items) to power the dashboard activity heatmap and recent activity feed. Duplicate actions within 5 minutes are throttled.
File Uploads
Uploaded files (images, audio recordings, avatars) are stored on our servers in user-specific directories. Uploaded files are accessible only to the authenticated user who uploaded them.
Spotify Integration
If you connect your Spotify account, we store your Spotify access token and refresh token in your user settings to maintain the connection. We do not store your Spotify password. You can disconnect at any time, which deletes the stored tokens.
2. How We Use Your Information
- Provide the service — store, sync, and display your notes and content across your devices
- Authentication — verify your identity when you log in
- Two-Factor Authentication — send one-time verification codes to your email when unlocking the encryption vault
- Activity features — power the dashboard heatmap, recent activity, and calendar views
- Theme & settings — remember your preferences across sessions
3. Cookies & Sessions
We use a session cookie to keep you logged in. This cookie contains only a session identifier — no personal data. We also store UI preferences (panel widths, folder collapse states) in your browser's localStorage. We do not use third-party tracking cookies or analytics services.
4. Third-Party Services
- Google Fonts — We load fonts from fonts.googleapis.com. Google may log font requests per their Privacy Policy.
- Spotify — If you connect Spotify, playback uses the Spotify Web Playback SDK. Spotify's use of your data is governed by the Spotify Privacy Policy.
- CDN Libraries — Static JavaScript libraries loaded from CDNs with no data collection.
5. Data Security
- All connections use HTTPS
- Passwords are hashed using bcrypt (12 salt rounds)
- CSRF protection on all API endpoints
- Rate limiting on login and registration
- Content Security Policy (CSP) headers
- Encrypted notes use client-side XChaCha20-Poly1305 with Argon2id key derivation
6. Data Retention
Your data is retained as long as your account is active. Deleted notes are soft-deleted (moved to Trash) and can be restored. Permanently deleting a note removes it from the database. Contact us to request full account deletion.
7. Your Rights
- Access & Export — Export any note as HTML, Markdown, PDF, or plain text
- Correction — Edit your content and profile at any time
- Deletion — Delete individual notes or request full account deletion
- Disconnect — Disconnect third-party integrations at any time
8. Children's Privacy
B2 Notes is not directed at children under 13. We do not knowingly collect information from children under 13.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date.
10. Contact
Questions about this Privacy Policy:
scott.hamilton.solutions@gmail.com