Noti (the "Company") complies with the Personal Information Protection Act (개인정보 보호법) and treats your personal data with care. This policy is a document intended to transparently explain what information the Noti service (the "Service") operated by the Company collects, and how it is used, stored, and destroyed.
Overview
The Company collects only the minimum personal data necessary to provide the Service, and destroys it without delay once the purpose of collection has been achieved or upon the user’s request. Content data such as your note contents, events, and to-dos is never used for advertising or AI model training purposes.
Personal data we collect
A. Required items
| Category | Items | When collected |
|---|---|---|
| Account | Email address, nickname, profile image (optional), password (for email sign-up · stored as a hash) | At sign-up |
| Social login identifier | Google account ID (sub), name, profile image URL, email | At Google sign-in |
| Service usage data | Content created by the user, such as notes, events, to-dos, alarms, and attachments | During use of the Service |
| Payment information | Payment method (store-issued receipt ID), payment date/time, payment amount · card numbers and account numbers are not collected | On Pro subscription |
| Device and access info | Device identifier (IDFV/AAID), OS version, app version, IP address, access date/time, access path | Collected automatically |
B. Optional items
| Category | Items | When collected |
|---|---|---|
| Location information | Approximate location (city/district level) | When you consent to weather display |
| Google Calendar data | Event title, time, location, attendees (read-only) | When you consent to connecting Google Calendar |
| Customer inquiries | Email, inquiry content, attachments | When contacting customer support |
Collection methods and purposes
Collection methods: sign-up form, Google OAuth authentication, automatic generation during use of the Service, and customer support inquiry form.
| Purpose | Items used |
|---|---|
| Service provision | Account info, content, device info |
| Google Calendar sync | Google account ID, Google Calendar data |
| Sending notifications | Device identifier, push token |
| Payment and refunds | Payment info, email |
| Location-based weather | Approximate location data |
| Customer support | Email, inquiry content |
| Service improvement (aggregated) | Anonymized usage statistics, crash logs |
| Fulfillment of legal obligations | Payment records, access logs |
Retention and use period
Your personal data is destroyed without delay once the purpose of its collection and use has been achieved. However, information that must be retained for a certain period under the following laws is kept for the corresponding period.
| Item | Retention period | Basis |
|---|---|---|
| Membership and content | Until account withdrawal (backup kept for 30 days after withdrawal → permanently deleted) | User consent |
| Records of contracts or subscription withdrawal | 5 years | Act on Consumer Protection in Electronic Commerce (전자상거래법) |
| Records of payment and supply of goods | 5 years | Act on Consumer Protection in Electronic Commerce (전자상거래법) |
| Records of consumer complaints or dispute handling | 3 years | Act on Consumer Protection in Electronic Commerce (전자상거래법) |
| Access logs | 3 months | Protection of Communications Secrets Act (통신비밀보호법) |
| Records of fraudulent use | 1 year | User protection |
Disclosure to third parties
The Company processes your personal data only within the scope of the purposes specified in this policy, and does not provide it to third parties without your explicit consent. The following cases are exceptions.
- When the user has consented in advance
- When required by an investigative authority in accordance with the procedures and methods prescribed by law, pursuant to the provisions of law or for the purpose of an investigation
- When necessary to prevent an imminent danger to the life, body, or property of the user or a third party
Processing entrustment
The Company entrusts certain tasks necessary for operating the Service to the following processors, and clearly stipulates responsibility for safe processing in the entrustment contracts in accordance with Article 26 of the Personal Information Protection Act (개인정보 보호법).
| Processor | Entrusted task | Overseas transfer |
|---|---|---|
| Amazon Web Services Korea | Cloud infrastructure (data storage and processing) · Seoul region | No (domestic) |
| Google LLC | OAuth authentication, Calendar API, Gemini API, push notifications (FCM) | Yes (USA) |
| Apple Inc. | iOS push notifications (APNs), in-app payments | Yes (USA) |
| Sentry, Inc. | Error log collection and monitoring (excluding personally identifiable information) | Yes (USA) |
| Stripe, Inc. | Web subscription payment processing (web only) | Yes (USA) |
| Channel Corp. | Customer support inquiry handling | No (domestic) |
Overseas transfers
The Company transfers personal data overseas for the following items. Users are informed of the transfer through the consent process at sign-up or when activating the relevant feature.
| Transferee | Destination country | Items transferred | When transferred |
|---|---|---|---|
| Google LLC | USA | Email, calendar data, certain note sentences subject to AI parsing | On API call |
| Apple Inc. | USA | Device identifier, push token | On notification dispatch |
| Sentry, Inc. | USA | Anonymized crash logs, device info | On error occurrence |
Method of transfer: network transmission over HTTPS (TLS 1.2 or higher). Users may refuse the overseas transfer at sign-up or when using the relevant feature; if refused, use of some features may be limited.
Your rights
Users may exercise the following rights.
- Right to access — Check the status of how your personal data is processed
- Right to rectification/deletion — Correct or delete data when there are errors
- Right to suspension of processing — Request suspension of specific processing
- Withdrawal of consent — Withdraw consent for items you have already consented to
- Right to data portability — Download your personal data being processed in a structured format
You can exercise the rights above directly in the Service at Settings > Account > Data management, or by requesting at seanjr28475@gmail.com. Requests are processed within 10 business days.
Destruction procedures and methods
- Destruction procedure. Information entered by the user is, after the purpose is achieved, moved to a separate database (or a separate file cabinet in the case of paper) and destroyed after being stored for the retention period required by internal policy and applicable law. Personal data moved to a separate database is not used for any purpose other than the purpose of retention, except as required by law.
- Destruction method.
- Electronic files: permanently deleted in an unrecoverable manner (NIST SP 800-88 Clear/Purge standard)
- Paper documents: shredded with a shredder or incinerated
- Dormant accounts. Accounts inactive for one year or more are stored separately in accordance with Article 39-6 of the Personal Information Protection Act (개인정보 보호법), and are destroyed after one year of separate storage.
Security measures
The Company takes the following measures to process your personal data safely.
- Administrative measures — Designation of a data protection officer, regular internal training, and the principle of minimizing access privileges
- Technical measures
- TLS 1.2 or higher encryption on all communication channels
- AES-256 encryption of stored data
- Passwords stored as bcrypt hashes (originals not retained)
- Access logs recorded and retained for 6 months or more
- Operation of intrusion prevention and intrusion detection systems
- Physical measures — Data center access control (AWS Seoul region, ISO 27001 certified)
Cookies and automatic collection
The Company uses the following cookies in its web service.
| Cookie name | Purpose | Retention period |
|---|---|---|
| noti_session | Maintain login session | 30 days |
| noti_csrf | Request forgery prevention (CSRF token) | On session end |
| noti_pref | UI preferences such as theme and language | 1 year |
Users may refuse to store cookies in their browser settings; if refused, some features such as login may be limited. The Company does not use third-party cookies for advertising tracking.
AI features and data processing (smart parsing)
Noti’s smart parsing feature operates in the following two stages.
- Stage 1 — Regular expression processing. About 30 kinds of regular expressions are run directly on the user’s device. Notes are not transmitted to the server.
- Stage 2 — AI fallback (optional). Only for complex natural language not recognized by regular expressions, only that note on a sentence-by-sentence basis is sent to the Google Gemini API.
- Immediately before transmission, identifying information such as email addresses, phone numbers, and resident registration numbers is masked.
- Under our contract with Google, the transmitted content is not used for model training and is discarded after 30 days.
- Users can turn off the AI fallback in Settings > Notes > Smart parsing.
Children's personal data
Noti does not provide its service to children under the age of 14. The Company verifies date of birth at sign-up and blocks registration for those confirmed to be under the age of 14. If it is confirmed that the personal data of a child under the age of 14 has been collected without the consent of a legal guardian, the Company destroys such information without delay.
Data protection officer
The Company designates the following data protection officer and responsible department to protect users’ personal data and to handle complaints and provide remedies related to personal data.
| Category | Name | Position | Contact |
|---|---|---|---|
| Data protection officer | Park Seongha | CISO | seanjr28475@gmail.com |
| Data protection responsible department | Security Team | seanjr28475@gmail.com | |
Remedies for rights violations
To receive relief from personal data infringement, users may apply for dispute resolution or consultation to the agencies below.
- Personal Information Dispute Mediation Committee — 1833-6972 · www.kopico.go.kr
- Privacy Infringement Report Center — 118 (no area code) · privacy.kisa.or.kr
- Supreme Prosecutors’ Office Cyber Investigation Division — 1301 (no area code) · www.spo.go.kr
- National Police Agency Cyber Investigation Bureau — 182 (no area code) · ecrm.police.go.kr
Changes to this policy
This policy may be revised to reflect changes in law or company policy. In the event of a revision, the Company will announce the changes through in-service notices and email at least 7 days before the effective date (30 days before in the case of changes unfavorable to users).
Revision history
| Version | Effective date | Key changes |
|---|---|---|
| v1.3 | 2026-05-26 | Added Gemini API entrustment, codified dormant account policy |
| v1.2 | 2026-01-05 | Expanded overseas transfer item table, added Stripe |
| v1.1 | 2025-09-12 | Added cookie items with the launch of the web PWA service |
| v1.0 | 2025-05-19 | Initial enactment |
This policy takes effect on May 26, 2026. For questions about this policy or the protection of your personal data, please email seanjr28475@gmail.com.