Privacy policy
Last updated: 3 July 2026
Jotpile is operated by Refleksion · Planlægning · Handling (Reflection · Planning · Action) (CVR-no. DK45818659), the data controller for the information collected when you use the service. We collect only what we need to run the product.
What we store
- Email and display name from your account
- The notes, notebooks, tags, and images you create
- MCP tokens you generate (hashed - we never see the plain token after creation)
- Technical usage data needed to run the service (IP address, browser). Your theme and preferences live in your browser's local storage, not in third-party cookies.
Why
To deliver the service, send the reminders you ask for, and improve the product. We do not sell your data and do not share it with third parties for marketing.
Legal basis
We process your personal data on the following GDPR bases:
- Performance of a contract (Art. 6(1)(b)): delivering the service and account creation.
- Legitimate interest (Art. 6(1)(f)): security, fraud prevention, and product improvement.
- Consent (Art. 6(1)(a)): optional push notifications - always revocable.
- Legal obligation (Art. 6(1)(c)): accounting and tax law compliance.
Where your data is stored
Your notes, images, and account data are stored in the European Union. The database and authentication run on Supabase in Ireland (eu-west-1), and image files are stored in Cloudflare R2's EU jurisdiction. Requests are processed by Cloudflare Workers at the edge location nearest you.
Sub-processors
We use the following sub-processors to run Jotpile:
- Supabase - database, authentication, and file metadata (hosted in the EU, Ireland)
- Cloudflare - application hosting (Workers) and image storage (R2, EU jurisdiction)
When you connect Jotpile to an AI assistant via MCP (Claude, ChatGPT, or others), that assistant accesses your note data on your behalf. We do not control what those services do with the data they receive - see the respective provider's privacy policy.
Retention
- Account and profile data: while your account is active, plus 90 days after deletion.
- Notes, notebooks, images: while your account is active. Trashed notes are soft-deleted for 30 days, then purged.
- Support correspondence: up to 24 months after last contact.
Security
- TLS / HTTPS on all connections.
- Encryption at rest of the database with our cloud provider.
- Row-Level Security in the database - users can only access their own data.
- Hashed passwords and secure session handling.
- Personal access tokens stored as SHA-256 hashes - the plain token is shown to you once at creation and never again.
- Continuous monitoring and dependency updates.
If we ever experience a breach posing a risk to your rights, we will notify the Danish Data Protection Authority within 72 hours and you without undue delay.
Your rights
Under GDPR you have the right of access, rectification, erasure, restriction, data portability, and objection. You can export your notes or delete your account and all its data at any time from Settings -> Data, or by writing to inbox@jotpile.app. You also have the right to complain to the Danish Data Protection Authority (datatilsynet.dk).
Cookies
We use only first-party storage strictly necessary to run the service (authentication session and a theme preference). We do not set marketing or third-party tracking cookies.
Contact
Refleksion · Planlægning · Handling (Reflection · Planning · Action) - CVR-no. DK45818659. Privacy questions: inbox@jotpile.app.