Privacy

Plain-English
privacy.

What we collect, why we collect it, and how to delete everything. Written so a person can read it, not just a lawyer.

Effective
1 June 2026
Last updated
17 May 2026

tl;dr

When you save a page, Notabe fetches it once, generates a summary and a vector embedding, and deletes the cached page text 24 hours later. Embeddings and summaries persist as part of your bookmark. AI processing happens at Google (Gemini) and Anthropic (Claude) under their commercial API terms — they don't keep your inputs, and we don't opt into training. We use iCloud for sync. No ads, no resale, no third-party trackers in the app.

Who we are

Notabe is operated by Alican Basak, based in Istanbul. Contact: hello@notabe.app. We are the data controller for everything described below.

What we collect

Your account

When you sign in with Apple, we receive an opaque Apple user ID and (if you allowed it) a private relay email address. We do not see your real name or your real email. We store the Apple user ID, the relay email (if provided), the date you joined, and your subscription state.

Your bookmarks

Every bookmark you save consists of a URL, a title, an optional note, tags, a saved-at timestamp, and an optional star/highlight flag. This is the core of the product. Stored in our Supabase Postgres database until you delete the bookmark or your account.

Page content (24-hour cache)

When you save a bookmark, our backend fetches the page once, stores a copy of the readable text on private server storage, and uses it to generate an AI summary and a vector embedding. The cached page text is automatically deleted after 24 hours. The summary and the embedding persist as part of the bookmark.

Embeddings

A vector embedding is a list of numbers that represents the meaning of the bookmark's content. We use embeddings to power semantic search ("find that thing about Roman aqueducts"). Embeddings are derived from your data and are treated as your data. They are deleted when you delete the bookmark.

Summaries and tags

When you (or auto-tag, if enabled) generate a three-sentence summary or a tag suggestion, we send the page text to Google's Gemini API (see Sub-processors) and store the result. Summaries and tags are part of the bookmark.

Subscription state

If you upgrade, we receive billing state from Apple via RevenueCat: which plan, when it started, when it renews, whether it's active. We do not see your card number, billing address, or Apple ID email. Apple handles payment; we handle access.

Aggregate analytics

We track product events: app opened, bookmark saved, search performed, summary generated, paywall shown, upgrade completed. We never send URLs, titles, tags, summary text, page content, or any content you save. Events are pseudonymous (a random user ID, not your Apple ID).

What we do not collect

  • We do not see your real name or email unless you write to us.
  • We do not access your iCloud, contacts, calendar, photos, or any file on your device beyond what you explicitly save.
  • We do not track you across other apps or websites.
  • We do not have advertising partners.
  • We do not sell, rent, or share your data with anyone for marketing.
  • We do not use your bookmarks, page content, summaries, or embeddings to train any AI model — neither ours nor a third party's.

How AI features work

When you use auto-tag, the three-sentence summary, semantic search, resurfacing, or collection suggestions, we send the necessary inputs to Google (Gemini API) or Anthropic (Claude API) — the choice is per-feature. Both providers are contractually obligated under their commercial API terms not to retain your inputs after processing and not to train on them. We do not opt into any training programs. After the model responds, we store only the outputs (summary text, suggested tags, suggested collection names) and a vector embedding generated via Voyage AI.

You can disable AI features in Settings → Privacy → Disable AI processing. With this on, your bookmarks are saved as URL + title + your manual notes only. No page content is fetched, no summary is generated, no embedding is created. Newly saved bookmarks are found by their title, tags, and notes rather than by AI-ranked meaning.

Domain blocklist

You can list domains that Notabe must never process with AI. These domains are also excluded from page-content fetching entirely; only the URL and your manual notes are stored. Default suggestions on first launch include common banking, healthcare, and government domains. Edit anytime under Settings → Privacy → Domain blocklist.

Sub-processors

We use the following companies to run Notabe. Each is contractually bound to handle your data only as we direct.

  • Apple — Sign in with Apple, App Store, push notifications. Receives Apple user ID and subscription receipts.
  • Supabase — API hosting (Edge Functions on Deno), Postgres database, object storage for the 24-hour page snapshot cache. Receives bookmarks, embeddings, summaries; page snapshots with 24-hour TTL.
  • Google — AI processing (Gemini API) for summaries, auto-tags, tag normalization, highlights. Page text and bookmark titles for AI calls only; not retained.
  • Anthropic — AI processing (Claude API) for collection-name generation. US. Cluster bookmark titles for naming calls only; not retained.
  • Voyage AI — Embedding generation. US. Page text for embedding only; not retained per their terms.
  • RevenueCat — Subscription state. US. Apple user ID and subscription status.
  • Vercelnotabe.app landing site and legal pages. Public content only.

We will update this list before adding a new sub-processor.

Where your data lives

Our Postgres database and the snapshot storage bucket both live in our Supabase project. AI processing (Google, Anthropic, Voyage) happens in the United States; we transmit data under standard contractual clauses (SCCs) for GDPR, with retention not permitted at the processor.

Deleting your data

In the app: Settings → Account → Delete Account. We erase everything within 30 days. We can also do it manually if you email hello@notabe.app.

Your rights (GDPR, KVKK, CCPA, LGPD)

You have the right to access, correct, export, and delete your data. Reach out at hello@notabe.app and we'll handle it within 30 days.

Children

Notabe is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have, please email us and we will delete the account.

Changes to this policy

We post material changes here. The effective date at the top moves; the substance always matches.

Contact

For privacy questions: hello@notabe.app.