PROJECTS+
Daily entries

privacy policy

Last updated: 7 May 2026

the short version

Your writing is encrypted. We will never sell your data or train AI on your words. We may access your content only to assist you with account recovery, at your request. You can export everything and delete your account at any time.

who we are

River Notes is made by The Sound Fuse Limited (trading as River Creative), a company incorporated in New Zealand. When we say "River", "we", "us", or "our", we mean The Sound Fuse Limited (trading as River Creative) and the River Notes application.

Contact us at: hello@rivernotes.app

what we collect

account information

When you create an account, we collect your email address. This is used for authentication, account recovery, and transactional emails (receipts, security notices). We do not send marketing emails unless you explicitly opt in.

your writing

Your note content is encrypted both in transit and at rest. We have no interest in reading your writing and do not access it in the ordinary course of operations.

Account recovery: If you lose access to your account, we may be able to assist you in recovering your notes. This is the only circumstance in which we would access note content, and only at your explicit request.

Shared notes: If you choose to share a note via a public link, the decrypted content of that specific note is stored on our servers to serve the share page. You can revoke any share link at any time, which deletes the plaintext copy.

usage metadata

We collect basic usage metadata to keep the service running: timestamps, device type, word counts and writing metadata, and sync events. This data is not linked to your note content and cannot be used to reconstruct your writing.

payment information

Payments are processed by Stripe, Inc. (a third-party payment processor). When you pay for a subscription, Stripe collects and processes your payment card details, billing address, and related transaction data directly. We do not store your card number or full payment details on our servers. We receive from Stripe only a tokenised record of the transaction (amount, date, plan) for our accounting records.

Stripe's privacy policy governs how they handle your payment data: stripe.com/privacy.

how we use your data

  • To provide and maintain the River Notes service
  • To sync your encrypted notes across your devices
  • To send transactional emails (receipts, security notices, account recovery)
  • To process payments via Stripe
  • To improve the service (using aggregated, anonymised usage data only)

We will never use your writing to train AI models. No, no, no. Your words are yours.

lawful bases for processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following lawful bases:

Processing activityLawful basis
Account creation and authenticationPerformance of contract (Art. 6(1)(b))
Subscription management and billingPerformance of contract (Art. 6(1)(b))
Transactional emailsPerformance of contract (Art. 6(1)(b))
Service improvement (aggregated data)Legitimate interests (Art. 6(1)(f))
Legal complianceLegal obligation (Art. 6(1)(c))

who we share data with

We share data only with the services required to operate River Notes:

  • Supabase — database hosting and authentication (EU/US servers)
  • Stripe, Inc. — payment processing (US-based, with global infrastructure)
  • Resend — transactional email delivery

We do not sell, rent, or trade your personal information to third parties. We do not use advertising trackers or third-party analytics services.

international data transfers

Our infrastructure involves services in the United States and European Union. When data is transferred from the EEA or UK to the United States, we rely on:

  • Stripe's Standard Contractual Clauses (SCCs) and their participation in the EU-US Data Privacy Framework
  • Supabase's SCCs with their hosting providers
  • Resend's compliance with applicable international transfer mechanisms

Note content is transferred in encrypted form. Plaintext is only accessible in the limited circumstances described under "your writing" above.

data retention

Your encrypted notes are stored for as long as your account is active. If you delete your account, all associated data (encrypted notes, metadata, account information) is permanently deleted within 30 days. Backups are purged within 90 days.

Payment records are retained for 7 years in accordance with financial record-keeping obligations.

your rights

You can, at any time:

  • Export all your notes to Markdown files
  • Delete your account and all associated data
  • Revoke any shared note links
  • Request a copy of the personal data we hold about you

additional rights for EEA and UK residents (GDPR / UK GDPR)

If you are located in the European Economic Area or United Kingdom, you have additional rights under the GDPR or UK GDPR:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — correct inaccurate personal data
  • Right to erasure — request deletion of your personal data
  • Right to restrict processing — ask us to pause processing of your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting past processing
  • Right to lodge a complaint — you have the right to lodge a complaint with your local data protection authority

additional rights for New Zealand residents

Under the Privacy Act 2020, you have the right to request access to personal information we hold about you and to request correction of that information.

additional rights for California residents (CCPA / CPRA)

If you are a resident of California, USA, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the sale or sharing of your personal information. We do not sell your personal information. Contact us to exercise these rights.

To exercise any of these rights, contact us at hello@rivernotes.app. We will respond within 30 days.

cookies

River Notes does not use third-party tracking cookies. We use session cookies and local storage solely to maintain your authenticated session and application preferences. These are technically necessary for the service to function.

children

River Notes is a quiet writing tool, and we welcome younger writers. The minimum age to create an account is 13. Users under 13 may only use River Notes with the consent of a parent or legal guardian.

If you are located in a jurisdiction where a higher age of digital consent applies (such as certain EU member states), the relevant local age threshold governs.

We do not knowingly collect personal information from children under 13 without parental consent. If you believe a child under 13 has provided us with personal data without consent, please contact us at hello@rivernotes.app and we will delete it promptly.

changes to this policy

We may update this privacy policy from time to time. We will notify you of any material changes by email or through the app at least 30 days before they take effect. Continued use of River Notes after changes constitutes acceptance of the updated policy.

contact

Questions about this privacy policy? Reach us at hello@rivernotes.app or privacy@rivernotes.app.

··
~ the river has a waypricing·privacy·terms·contact
COMPANION
Today's writing
start writing to see your insights appear here...