Privacy Policy for Purry Notes
Effective Date: March 26, 2026
Last Updated: March 26, 2026
Developer: Marat Kinzibulatau
Contact: purrynotes@gmail.com
Website: https://purrynotes.com
1. Introduction
Welcome to Purry Notes (“the App,” “we,” “us,” or “our”). Purry Notes is a secure, privacy-focused mobile notes application developed by Marat Kinzibulatau, based in Poland, European Union.
We are committed to protecting your privacy and the privacy of children who use our App. This Privacy Policy explains what information we collect, how we use it, how we store and protect it, and your rights regarding your data.
This Privacy Policy applies to all users of Purry Notes, including children aged 6 and older. Our App is designed for a mixed audience of children and adults, and we take special care to comply with applicable children’s privacy laws.
By using Purry Notes, you agree to the collection and use of information in accordance with this Privacy Policy. If you are a parent or guardian, please review this policy carefully before allowing your child to use the App.
2. Information We Collect
2.1 Account Information (Collected)
When you create an account using Google Sign-In, Apple Sign-In, or email and password, we receive and store:
| Data | Source | Storage | Required | Purpose |
|---|---|---|---|---|
| Email address | Google/Apple account or user input | Firebase + local cache | Yes | Account identification, login |
| Display name | Google/Apple account | Firebase + local cache | No | Personalization (optional) |
| Profile photo URL | Google/Apple account | Local cache | No | Profile display (optional) |
| User ID | Generated by Firebase Auth | Firebase + local cache | Yes | Unique account identifier |
| Account creation date | System-generated | Firebase + local cache | Yes | Account management |
| Last login date | System-generated | Firebase + local cache | Yes | Account management |
| Onboarding completion | System-generated | Firebase | Yes | App setup tracking |
We also store the following account-related data in Firebase when applicable:
| Data | When Stored | Purpose |
|---|---|---|
| Trial start date | When free trial begins | Trial period management |
| Purchase history | When in-app purchase is made | Subscription/purchase management |
| Password reset tokens | When master password reset is requested | Temporary (expires in 1 hour) |
We do NOT collect: Phone numbers, physical addresses, date of birth, gender, race, ethnicity, political views, religious beliefs, sexual orientation, or any other sensitive demographic information.
2.2 User-Generated Content (Stored Locally on Device)
All notes and content you create are stored locally on your device and are not transmitted to our servers unless you explicitly choose to use optional cloud features. This includes:
- Text notes — titles, body content, rich text formatting
- Audio recordings — voice memos recorded within the App (M4A/AAC format)
- Images — photos captured via camera or selected from gallery
- Doodles/Drawings — hand-drawn sketches created within the App
- Checklists/Tasks — task items with completion status
- Organizational data — spaces (folders), note hierarchy, favorites, archive status
2.3 Device Information (Stored Locally)
We collect limited device information for App functionality:
| Data | What is Collected | Storage | Purpose |
|---|---|---|---|
| Device ID | Android: android.id; iOS: identifierForVendor |
Local (SharedPreferences) | Device identification for backup/restore |
| Device model | Device model name | Local (SharedPreferences) | Display in backup metadata |
We do NOT collect: IMEI, IMSI, SIM serial, Build serial, MAC address, BSSID, SSID, Android Advertising ID (AAID), or any other persistent hardware identifiers prohibited by the Google Play Families Policy.
2.4 App Preferences (Stored Locally)
We store your App settings locally on your device:
- Theme preference (light/dark mode)
- Language preference (English, Russian)
- Currently selected space (folder)
- Animation preferences
- Search history (recent searches, stored locally only)
- Feature tutorial completion status
2.5 Information We Do NOT Collect
- Location data — We do not request or collect any location information
- Contacts — We do not access your contact list
- Calendar — We do not access your calendar
- Browsing history — We do not track web browsing
- Installed apps — We do not scan installed applications
- Analytics/Usage tracking — We do not use any analytics or tracking SDKs
- Advertising identifiers — We do not collect or use advertising IDs
- Crash reports — We do not collect automated crash reports
3. How We Use Your Information
We use the information we collect solely for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Account creation and authentication | Email, name, user ID | Performance of contract; Legitimate interest |
| Providing App functionality | User-generated content, preferences | Performance of contract |
| Local data storage and organization | Notes, spaces, settings | Performance of contract |
| Optional cloud backup (user-initiated) | Notes data (unencrypted by app) | Consent |
| Optional audio transcription (user-initiated) | Audio recordings | Consent |
| Optional text extraction from images (user-initiated) | Image files | Consent |
| In-app purchases and trial management | Purchase history, trial dates | Performance of contract |
| Note encryption | Encryption keys, encrypted content | Performance of contract; Legitimate interest |
| Device identification for backup | Device ID, model | Legitimate interest |
We do NOT use your information for:
- Advertising or marketing
- Profiling or behavioral tracking
- Selling to third parties
- Training AI or machine learning models
- Any purpose other than providing and improving the App
4. Children’s Privacy
Purry Notes is rated for ages 6+ and is available to both children and adults.
4.1 How We Handle Children’s Data
The App does not collect age information, does not implement age verification or age gating, and does not distinguish between child and adult users. All users receive the same features, the same data collection, and the same data handling as described in Sections 2 and 3 of this policy.
4.2 Safety by Design
The App is designed to be safe for users of all ages:
- No advertising of any kind
- No behavioral tracking or analytics
- No social features or user-to-user interaction
- No collection of prohibited identifiers (AAID, IMEI, IMSI, SIM serial, Build serial, MAC address, BSSID, SSID)
- No location data collection
- Local-first storage — user-generated content stays on the device unless the user explicitly uses optional cloud features (see Section 6)
5. Data Storage and Security
5.1 Where Your Data is Stored
| Data Type | Storage Location | Encryption |
|---|---|---|
| Notes, spaces, content | Local device (Hive database) | Optional AES-256-GCM |
| App preferences | Local device (SharedPreferences) | No (non-sensitive settings) |
| Encryption keys | Local device (FlutterSecureStorage) | Platform keystore (Android Keystore / iOS Keychain) |
| Account metadata | Firebase (Google Cloud) | TLS in transit, Google encryption at rest |
| Purchase history, trial data | Firebase (Google Cloud) | TLS in transit, Google encryption at rest |
| Large files during transcription/OCR | Firebase Storage (temporary) | TLS in transit, deleted after processing |
| Google Drive backups | Google Drive (user’s account) | TLS in transit, Google Drive at-rest encryption (no additional app-level encryption) |
5.2 Local Encryption
Purry Notes offers optional note-level encryption:
- Algorithm: AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode)
- Key Derivation: PBKDF2-HMAC-SHA256 with 100,000 iterations (OWASP recommended)
- Scope: Individual notes or all notes in a folder can be encrypted with a user-set master password
- Key Storage: Encryption keys are stored in FlutterSecureStorage, which uses the platform’s secure enclave (Android Keystore / iOS Keychain)
- Password Recovery: Optional security questions for master password recovery
5.3 Data in Transit
All network communications use HTTPS/TLS encryption:
- Firebase Authentication — TLS
- Firebase Firestore — TLS
- Firebase Storage — TLS
- Google Drive API — TLS
- ElevenLabs API (via Firebase Cloud Function proxy) — TLS
- Google Cloud Vision API (via Firebase Cloud Function proxy) — TLS
5.4 Security Measures
- Local-first architecture minimizes data exposure
- No storage of note content on our servers (content stays on device unless user explicitly uses Google Drive backup)
- Optional user-controlled encryption for sensitive notes
- Authentication via industry-standard OAuth 2.0 (Google, Apple)
- Firebase security rules restrict data access to authenticated users
- Cloud Function proxy for third-party API calls (API keys never exposed to client)
6. Third-Party Services
We use the following third-party services. Each service has its own privacy policy governing its data practices:
6.1 Firebase (Google LLC)
- Services used: Firebase Authentication, Cloud Firestore, Firebase Storage, Cloud Functions
- Data processed: Email address, user ID, display name, account metadata, purchase history, trial data, onboarding status
- Firebase Storage: Used as temporary storage for large files (over 10 MB) during audio transcription or image text extraction. Files are uploaded, processed, and then deleted. Path:
temp/{userId}/{timestamp}_{fileName} - Cloud Functions (us-central1): Server-side proxy for ElevenLabs transcription API, Google Cloud Vision OCR API, password recovery email sending, and account deletion
- Purpose: User authentication, account management, secure API proxy, temporary file processing
- Server location: Google Cloud infrastructure
- Privacy Policy: https://firebase.google.com/support/privacy
- Google’s Privacy Policy: https://policies.google.com/privacy
6.2 Google Sign-In (Google LLC)
- Data received: Email, display name, profile photo URL
- Purpose: User authentication
- Privacy Policy: https://policies.google.com/privacy
6.3 Apple Sign-In (Apple Inc.)
- Data received: Email (may be relay address), full name
- Purpose: User authentication
- Privacy Policy: https://www.apple.com/legal/privacy/
6.4 ElevenLabs (ElevenLabs Inc.)
- Data sent: Audio recording file (only when user explicitly requests transcription)
- Purpose: Speech-to-text transcription
- When used: Only when user taps the “Transcribe” button
- Data retention by ElevenLabs: Subject to ElevenLabs’ privacy policy
- Privacy Policy: https://elevenlabs.io/privacy-policy
6.5 Google Drive API (Google LLC)
- Data sent: Unencrypted backup file (JSON) containing notes data, and media files (only when user explicitly initiates backup)
- Purpose: Cloud backup and restore
- Storage scope: App-specific hidden folder (
appDataFolder) — not visible in user’s regular Google Drive interface - When used: Only when user explicitly initiates backup; available on Android and iOS only
- Privacy Policy: https://policies.google.com/privacy
6.6 Google Cloud Vision API (Google LLC)
- Data sent: Image file (only when user explicitly requests text extraction from an image)
- Purpose: Optical Character Recognition (OCR) — extracting text from images
- When used: Only when user taps the text extraction button on an image
- Integration: Via Firebase Cloud Function proxy (API keys are stored server-side, never exposed to the client)
- Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice
6.7 No Analytics or Advertising Services
We do not use:
- Google Analytics, Firebase Analytics, or any analytics SDK
- Google Ads, AdMob, or any advertising SDK
- Crashlytics or any crash reporting SDK
- Any user behavior tracking service
- Any A/B testing platform
7. Data Sharing
7.1 We Do Not Sell Your Data
We do not sell, rent, lease, or trade your personal information to any third party, for any purpose, under any circumstances.
7.2 We Do Not Share Data for Advertising
We do not share your data with advertisers, data brokers, or marketing companies.
7.3 Limited Data Sharing
Your data is shared with third parties only in the following circumstances, all of which require your explicit action:
| Scenario | Data Shared | Third Party | User Action Required |
|---|---|---|---|
| Sign-in with Google | OAuth tokens | User taps “Sign in with Google” | |
| Sign-in with Apple | OAuth tokens | Apple | User taps “Sign in with Apple” |
| Audio transcription | Audio file | ElevenLabs (via Cloud Function) | User taps “Transcribe” button |
| Text extraction from image | Image file | Google Cloud Vision (via Cloud Function) | User taps text extraction button |
| Google Drive backup | Unencrypted backup data (notes + media) | Google Drive | User initiates backup |
| Export/Share notes | Exported file | User-chosen recipient | User taps “Export” and selects share target |
7.4 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process, such as a court order, government request, or applicable regulation.
8. Data Retention
| Data Type | Retention Period | How to Delete |
|---|---|---|
| Local notes and content | Until you delete them or uninstall the App | Delete notes individually, clear archive, or uninstall |
| Account metadata (Firebase) | Until you delete your account | Use “Delete Account” in Account settings |
| Purchase history (Firebase) | Until you delete your account | Use “Delete Account” in Account settings |
| App preferences | Until you uninstall the App | Uninstall the App or clear App data |
| Google Drive backups | Deleted automatically when you delete your account (for Google users); otherwise until you manually delete | Account deletion or manual removal |
| Temporary files in Firebase Storage | Deleted immediately after processing | Automatic cleanup |
| Audio files processed by ElevenLabs | Subject to ElevenLabs’ retention policy | Contact ElevenLabs directly |
| Images processed by Google Cloud Vision | Subject to Google’s retention policy | Processed ephemerally via Cloud Function |
| Password reset tokens (Firebase) | Expire after 1 hour | Automatic expiration |
We do not retain any data beyond what is necessary for the App’s functionality. When you delete your account, we delete all associated data from Firebase immediately, including your Google Drive backup (for Google users).
9. Your Rights
9.1 Rights Under GDPR (European Economic Area Users)
As a user in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access | Request a copy of your personal data | Use the App’s Export feature or email us |
| Right to Rectification | Correct inaccurate personal data | Email us at purrynotes@gmail.com |
| Right to Erasure | Request deletion of your personal data | Delete your account in App settings or email us |
| Right to Restriction | Restrict processing of your data | Email us at purrynotes@gmail.com |
| Right to Data Portability | Receive your data in a structured format | Use the App’s Export feature (HTML) |
| Right to Object | Object to processing based on legitimate interest | Email us at purrynotes@gmail.com |
| Right to Withdraw Consent | Withdraw consent for optional features | Disable backup/transcription in App settings |
Data Controller: Marat Kinzibulatau, Poland, European Union
Contact: purrynotes@gmail.com
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) in Poland or with the supervisory authority in your country of residence.
9.2 Rights Under CCPA (California Users)
California residents have the right to:
- Know what personal information is collected and how it is used
- Request deletion of personal information
- Opt out of the sale of personal information (we do not sell data)
- Non-discrimination for exercising privacy rights
9.3 Children’s Data
Since we do not collect age information or distinguish between child and adult users, all users have the same rights described in Sections 9.1 and 9.2.
9.4 How to Exercise Your Rights
- In-App: Use Export, Delete Account, or settings controls
- Email: Contact purrynotes@gmail.com
- Response time: We will respond within 30 days (or sooner as required by applicable law)
- Verification: We may need to verify your identity before processing requests
10. Account Deletion
You can delete your account and all associated data at any time:
10.1 What Gets Deleted Automatically
When you use the “Delete Account” feature in the App, the following is deleted in sequence:
- Google Drive backup (for Google users) — Your cloud backup and associated media files are deleted first
- Firebase account — Your authentication record, email, and all account metadata are permanently deleted via a server-side Cloud Function
- Firebase Firestore data — Your user document, settings, and purchase history are permanently deleted
- Local Hive data — All locally stored notes, spaces, and content are cleared from the device
- Local cached data — Cached user information is cleared from SharedPreferences
10.2 What You Must Delete Manually
- Exported files — Any files you previously exported or shared remain wherever you saved them
10.3 How to Delete Your Account
- Open Purry Notes
- Go to Account Settings
- Tap Delete Account
- Confirm the deletion
- Your account, server-side data, cloud backup, and local data will be permanently removed
Alternatively, email purrynotes@gmail.com and we will process the deletion within 30 days.
11. International Data Transfers
Your data may be transferred to and processed in countries outside of your country of residence:
| Service | Data Transferred | Server Location | Safeguards |
|---|---|---|---|
| Firebase | Account metadata, purchase data | Google Cloud | Google’s Standard Contractual Clauses, EU-U.S. Data Privacy Framework |
| Google Sign-In | OAuth credentials | Google infrastructure | Google’s Standard Contractual Clauses |
| Apple Sign-In | OAuth credentials | Apple infrastructure | Apple’s Standard Contractual Clauses |
| ElevenLabs | Audio files (when transcribing) | ElevenLabs servers | TLS encryption, user-initiated only |
| Google Cloud Vision | Image files (when extracting text) | Google Cloud | Google’s Standard Contractual Clauses, EU-U.S. Data Privacy Framework |
For transfers from the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework (where applicable)
- Adequacy decisions by the European Commission (where applicable)
12. Cookies and Tracking Technologies
Purry Notes does not use:
- Cookies
- Web beacons or tracking pixels
- Browser fingerprinting
- Local storage for tracking purposes
- Any tracking technologies
The App uses local storage (Hive, SharedPreferences, FlutterSecureStorage) solely for App functionality and user preferences, not for tracking.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the “Last Updated” date at the top of this policy
- For significant changes, we will update this page and the App store listing
- Continued use of the App after changes constitutes acceptance of the updated policy
- The current version of this Privacy Policy is always available at https://purrynotes.com/privacy-policy
We encourage you to review this Privacy Policy periodically.
14. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data based on the following legal grounds:
| Legal Basis | Application |
|---|---|
| Performance of Contract (Art. 6(1)(b)) | Account creation, providing App functionality, local storage, in-app purchases and trial management |
| Legitimate Interest (Art. 6(1)(f)) | Device identification for backup, security measures |
| Consent (Art. 6(1)(a)) | Optional cloud backup, optional audio transcription, optional image text extraction (OCR) |
For optional features (backup, transcription, OCR), you can withdraw consent at any time by simply not using these features. They are always user-initiated and never automatic.
15. Data Protection Officer
Given the nature and scale of our data processing, we have not appointed a formal Data Protection Officer. For all privacy-related inquiries, please contact:
Marat Kinzibulatau
Email: purrynotes@gmail.com
Location: Poland, European Union
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: purrynotes@gmail.com
- Website: https://purrynotes.com
- Response time: Within 30 days
17. Applicable Law
This Privacy Policy is governed by:
- General Data Protection Regulation (GDPR) — European Union
- California Consumer Privacy Act (CCPA) — California, United States
- Google Play Developer Program Policies — Families Policy, Data Safety requirements
- Polish Act on the Protection of Personal Data — Poland
In case of conflict between jurisdictions, the most protective standard applies.
This Privacy Policy was last reviewed and updated on March 26, 2026.