VelNotes Privacy Policy

Last updated: March 9, 2026

This Privacy Policy explains which categories of personal data are processed through the VelNotes mobile app and velnotes.com, why that data is used, where it may be stored or transferred, and which rights you may exercise. It covers the data-protection framework for core product flows, including note creation, voice recording and transcription, cloud sync, manual backup, and notebook sharing.

1. Data Controller and Scope

VelNotes is the data controller for the processing activities described in this policy. Scope includes the mobile app, marketing and support pages on the website, Firebase-backed application infrastructure, the Google Drive manual backup flow, and Apple StoreKit subscription verification.

2. Categories of Data Processed

2.1 Account and profile data

UID, email address, display name, profile photo URL, sign-in provider, account status fields, and last login timestamps may be processed.

2.2 Device and session security data

Persistent device IDs, active device lists (for premium multi-device policy), FCM token, App Check verification data, request timestamps, IP address, user-agent, and security/abuse prevention logs may be processed. For website analytics, a country code inferred from request headers (and when needed Accept-Language fallback) may be processed for country/region distribution reporting. To preserve the selected website language (Turkish or English), the page may read a language value from the URL and, where preference cookies are allowed, a local on-device preference record; this does not create a separate server-side language profile. Device-local biometric lock checks using Face ID / Touch ID or device passcode fallback are handled by the operating system on the device; VelNotes does not access, store, or transmit biometric template data to its servers.

2.3 Notebook and content data

Notebook/page titles, text, drawing payloads, shapes, stickers, sticky notes, text boxes, PDF background references, cover/theme metadata, and deletion timestamps may be processed. For notebook sharing/collaboration flows, invitation metadata (sender/recipient email, role, optional access duration, invitation status), shared-access lists, and plan-based access-limit status may also be processed. In premium cloud sync flows, metadata may be stored in Firestore and large assets in Firebase Storage. Input preferences such as Finger Writing Mode are stored in on-device settings by default. Where voice features are used, user-approved transcription text may be added to notebook content. Pages captured through camera/document-scanner flows, images imported from the photo library, and image/video exports saved to the photo library at the user's request may also be processed as content data.

2.4 Feature usage and limit data

Usage counters, operation timestamps, and technical status logs may be processed for notebook creation/editing, export, backup/restore, and plan-limit enforcement. These records are used for service continuity, anti-abuse controls, and limit management.

2.5 Subscription and payment verification data

Transaction IDs, product IDs, original transaction IDs, purchase/expiry timestamps, verification environment (production/sandbox), and subscription status metadata may be processed.

2.6 Google Drive backup data

When manual backup is triggered, VelNotes_Backup.json may be created in Google Drive. This payload may include notebook/page data and limited ownership metadata (for example, Google account email) for restore-safety checks. By design, Firebase UID and premium status are not stored inside this backup payload. Encryption is used where available in the backup pipeline.

2.7 Support and contact data

Name, email, optional phone number, message text, and support-status fields may be processed via website contact/support channels. Messages submitted through web contact form may be stored in Firestore under contact_messages. While a request is open or in progress, these records are retained for operational handling; when the request is resolved and technical processing is completed, contact data may be removed from the operational queue.

2.8 Voice recording and transcription data

When voice recording starts, an audio file may be created in app-local recording storage (VoiceRecordings folder, e.g. velnotes_recording_*.m4a). These files may remain in the in-app recording library until deleted by the user; cleanup flows or technical maintenance can remove them when needed. On free tier, a single recording session is limited to 15 minutes; this recording-duration limit does not apply to Premium/Ultra tiers. If the user exports the file to Files, retention is governed by the selected destination. Voice transcription is performed with on-device speech recognition provided by the operating system when supported; on unsupported devices this feature cannot be used. Transcription output is generated automatically and accuracy is not guaranteed; users should review results before use. In the default flow, raw voice files are not uploaded to Firestore/Storage databases.

3. Purposes of Processing

Data is processed to provide account creation and sign-in, notebook creation/editing and recovery flows, sharing invitations and access control, plan-limit enforcement, cloud sync and manual backup operations, subscription verification, notification delivery, anti-abuse and security controls, support handling, and service-quality monitoring.

4. Plan-Based Cloud Processing Scope

On free tier, notebook content is local-first by default; Firebase cloud sync/automatic cloud backup is not provided. On Premium/Ultra tiers, notebook metadata and content assets may be processed in Firestore/Storage as required for cloud features. On both tiers, Google Drive backup is manual and user-initiated.

5. Legal Bases

Processing may rely on contractual necessity, legal compliance, legitimate interests in security/fraud prevention, and consent where required (for example, optional cookie categories on the website).

6. Third-Party Services, Sub-processors, and International Transfers

VelNotes uses Apple services (StoreKit and ecosystem identity), Google/Firebase (Auth, Firestore, Storage, Functions, Messaging, App Check), and Google Drive API. Voice transcription does not require transfer to a separate third-party speech provider; it relies on on-device capabilities. Cross-border data transfer may occur through these infrastructure providers.

6.1 Sub-processor List

The following service providers may process personal data on behalf of VelNotes:

Google LLC (Firebase) — Authentication, database (Firestore), file storage (Storage), serverless functions (Cloud Functions), push notifications (FCM), app security (App Check). Location: USA. Processed under Google Cloud Data Processing Addendum (DPA).

Google LLC (Google Drive API) — User-initiated manual backup and restore. Location: USA. Subject to user's Google account terms.

Apple Inc. — Authentication (Apple Sign-In), subscription verification (StoreKit 2), on-device speech recognition (Speech.framework). Location: USA. Processed under the Apple Developer Program License Agreement.

6.2 International Data Transfers

The infrastructure of the above service providers may be located in the USA and other countries. Accordingly, your personal data may be transferred internationally for service delivery purposes. These transfers are safeguarded under GDPR Article 46 through Standard Contractual Clauses (SCCs) and under KVKK Article 9 through explicit consent or transfers to countries providing adequate protection. Google and Apple implement EU Standard Contractual Clauses (SCCs) and operate under their own Data Processing Addenda (DPA).

7. Retention and Deletion

Data is retained only for as long as needed to provide the service safely and to satisfy applicable legal obligations. When retention is no longer necessary, technical deletion, anonymization, or access-removal processes are applied. After an account-deletion request, cloud data enters backend cleanup flows. Items moved to trash are retained for up to 30 days unless the user permanently deletes them earlier; after that period, automatic cleanup flows remove them permanently. Security and anti-abuse logs (including IP address and user-agent) may be kept for limited periods under legitimate-interest and legal-obligation grounds. Support records are removed after resolution once there is no operational need to keep them, although delivery or verification failures may require temporary retention for retry handling. Voice recordings are stored in app-local recording-library storage by default; users can delete them, and cleanup actions may remove them where applicable. If a file is exported by the user, retention depends on the selected destination. Free-tier local notebook data may be lost on uninstall or device loss unless a backup exists. Backup files stored in the user's Google Drive remain under that user's account control and can be manually removed at any time.

8. Cookies and Similar Technologies

velnotes.com uses strictly necessary technical storage and preference mechanisms. Website analytics may include visited-page and country/region distribution measurements; country/region is evaluated via country code inferred from request headers without requesting client geolocation access. Optional categories (preferences/analytics/marketing) are consent-based. See Cookie Policy for details.

9. Security Measures

Security controls include authentication and authorization checks, Firebase security rules, App Check enforcement, rate limiting, abuse-detection logs, verification workflows, notebook-sharing access controls, and on-device Keychain usage. Absolute security over internet transmission cannot be guaranteed.

10. User Rights and Requests

You may request access to your personal data, correction of inaccurate records, deletion, objection to processing, and permission-management actions, including disconnecting Google Drive, closing your account, and managing notification permissions through operating-system settings. Contact: support@velnotes.com.

11. Data Breach Notification Procedure

In the event of a personal data breach, VelNotes follows the procedure below:

72-hour rule: In accordance with GDPR Article 33 and KVKK Article 12/5, if unauthorized access to or processing of personal data is detected, notification will be made to the relevant Data Protection Authority (and where applicable, the relevant EU Supervisory Authority) within 72 hours at most.

User notification: If the breach poses a high risk to users' rights and freedoms, affected users will be notified by email within a reasonable timeframe. The notification will include the nature of the breach, affected data categories, potential consequences, and measures taken or planned.

Contact: If you suspect a data breach, please contact support@velnotes.com.

12. Policy Updates

VelNotes may update this policy when product features, infrastructure providers, or legal requirements change. The updated text becomes effective on the publication date and remains available on the website.