Privacy Policy

1. Who we are

This Privacy Policy applies to Layernote ("we", "us", "our") and our services around the Layernote platform (web app, API, widget, embed features, and Figma integration).

Contact: info@layernote.io

2. Who this policy applies to

This policy applies to:

• account users of Layernote;
• guests submitting feedback through shared links;
• visitors using our website, widget, and integrations.

3. Personal data we process

Depending on how you use the service, we may process:

a) Account and profile data

• name, email address, password hash;
• avatar/profile image (if uploaded);
• account and verification status.

b) Workspace and project data

• workspaces, folders, projects, annotations, comments, labels, versions;
• uploaded files (for example images and PDFs), attachments, and screenshots;
• project notes, review state, and task-related metadata.

c) Guest and sharing data

• guest name and email (if provided);
• share tokens and permission settings;
• access logs for shared links (for example IP address, user-agent, timestamp).

d) Authentication and security data

• session and sign-in state;
• access and refresh token data (via cookies);
• technical logs (for example endpoint, error context, user-agent, IP address).

e) Billing and subscription data

• subscription plan, status, billing period, and seat quantity;
• Stripe customer and subscription identifiers;
• invoice-related metadata.

Payment details are processed by Stripe. We do not store full payment card numbers.

f) Integration data

• Figma OAuth token data and Figma profile details (if connected);
• data required for Figma file sync and comments;
• AI comparison input and output (when that feature is used).

g) Widget and embed data

• feedback content (description, type, and page position);
• URL, user-agent, screen dimensions, and timestamp;
• local widget session identifier in browser storage.

4. Why we process data and legal bases (GDPR)

We process personal data to:

• provide and operate the service;
• secure accounts and prevent fraud or abuse;
• support users, maintain reliability, and improve product quality;
• comply with legal obligations;
• communicate account, billing, and security information.

Where required, we rely on contract performance, legal obligation, consent, or legitimate interests.

5. Cookies and local storage

We use, among other things:

• necessary authentication cookies (such as accessToken and refreshToken);
• local/session storage for product functionality and UI preferences;
• session-related storage for widget/embed flows.

Necessary cookies are required to operate the service securely.

6. How we share personal data

We share data only where needed with service providers and processors, such as:

• infrastructure and cloud providers;
• storage providers for files and screenshots (for example AWS S3);
• payment processor (Stripe);
• email delivery provider;
• integration partners (for example Figma);
• AI provider for comparison features (currently Anthropic, if enabled).

We put appropriate contractual safeguards in place where required.

7. International transfers

Depending on your use of the service, data may be processed outside the EEA. Where required, we use appropriate transfer safeguards (for example Standard Contractual Clauses).

8. Data retention

We keep personal data only as long as necessary. Current implementation examples include:

• password reset tokens: up to 1 hour;
• email verification tokens: up to 1 hour;
• email change verification codes: up to 15 minutes;
• refresh sessions: up to 90 days (or earlier on logout/revocation).

Project data, logs, and billing records are retained as needed for service delivery, security, and legal obligations.

9. Security

We use reasonable technical and organizational safeguards, including:

• authentication and access controls;
• security headers and rate limiting;
• encrypted transport (TLS) in production;
• logging and monitoring for incident detection.

No system is completely secure. Report suspected vulnerabilities to support@layernote.io.

10. Your privacy rights

Depending on your location, you may have rights such as:

• access;
• correction;
• deletion;
• restriction;
• objection;
• data portability.

California residents may have additional rights under CCPA/CPRA, including rights to know, delete, correct, limit use of sensitive personal information, and opt out of sale/sharing where applicable.

We do not sell personal data for money. If that changes, we will update this policy and provide legally required choices.

To exercise rights, contact info@layernote.io. We may verify your identity before completing a request.

11. Children

Our service is not directed to children under 16. If you believe a child has provided personal data to us, contact us so we can take appropriate action.

12. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website with the updated date.

13. Complaints

If you have concerns about how we process personal data, contact us first at info@layernote.io. You may also lodge a complaint with your local data protection authority.