PongoNotes

Privacy Policy

PongoNotes

1. Who we are

PongoNotes is a private note-taking application operated by PongoNotes and hosted on servers within the European Union. PongoNotes is the data controller for your personal data. If you have questions about your data, please contact us via the Support page.

2. What data we collect

When you create an account and use PongoNotes, we store:

Account data — username, email address, hashed password, and registration date.
Profile data — optional avatar image and display preferences (theme, view layout, accent colour).
Content data — notes (titles, rich-text content), folders, tags, and file attachments you create.
Technical data — session identifiers stored in server-side sessions and a CSRF cookie. No IP addresses or device fingerprints are stored.
Two-factor authentication data — if you enable 2FA, a TOTP device secret and hashed backup codes are stored in the database. This data is removed when you disable 2FA or delete your account.

We do not collect analytics, use advertising trackers, or share any data with third parties.

3. How we use your data

Your data is used solely to provide the PongoNotes service to you:

Authenticating your login and keeping your session active.
Storing and retrieving your notes, folders, tags, and attachments.
Sending transactional emails (e.g. email verification, storage alerts) if SMTP is configured.

4. Where your data is stored

All data is stored on servers operated by PongoNotes and located within the European Union (EU). We take appropriate technical and organisational measures to protect your data against unauthorised access, loss, or destruction.

5. Data retention

Your account data and content are retained for as long as your account is active. When you delete your account via Profile → Delete Account, all your notes, attachments, tags, folders, and personal data are permanently removed from the database and file storage. Email logs (internal server records of sent emails) are automatically purged on a rolling 90-day schedule.

6. Cookies

PongoNotes sets only strictly necessary cookies:

sessionid — server-side session cookie, required to keep you logged in.
csrftoken — Cross-Site Request Forgery protection, required for all form submissions.
2fa_trusted — set only if you tick “Remember this device” after a successful two-factor authentication login. Contains a signed, opaque token with no personal data. Expires after the number of days configured by the site administrator.

No marketing, analytics, or third-party cookies are used. These cookies do not require consent under GDPR as they are essential for the service to function.

7. Your rights (GDPR)

If you are based in the EU/EEA, you have the following rights regarding your personal data:

Access — request a copy of the data we hold about you.
Portability — export all your notes and data at any time via Profile → Export my data.
Rectification — update your username or email in your profile settings.
Erasure — delete your account and all associated data via Profile → Delete Account.
Restriction & objection — contact us to restrict or object to specific processing.

To exercise any right that cannot be fulfilled through the application itself, please contact us via the Support page.

8. Security

Passwords are stored as bcrypt hashes and are never readable. Note content and attachments are stored on our servers with appropriate access controls in place. All forms are protected against Cross-Site Request Forgery (CSRF). Access to other users’ data is prevented at the application level — all queries are scoped to the authenticated user.

9. Changes to this policy

We may update this policy from time to time. Continued use of the service after any change constitutes acceptance of the updated policy.