Privacy Policy

Notez Note Taker & Voice Summary

Superapp Labs Teknoloji A.Ş. — Last Updated: 8 July 2026

This Privacy Policy describes how Superapp Labs Teknoloji A.Ş. ("Superapp Labs", "we", "our", or "us") collects, uses, stores, and shares your information when you use Notez (the "Service" or "app") on iOS and Android.

Superapp Labs processes personal data in accordance with applicable data protection laws, including the Turkish Law on the Protection of Personal Data No. 6698 ("KVKK") and, where applicable, the EU/UK General Data Protection Regulation ("GDPR"). Superapp Labs acts as the Data Controller for the personal data described in this policy.

1. Information We Collect

1.1 Content You Provide

When you use Notez, you may provide:

  • Audio recordings (in-app voice recordings, meeting recordings).
  • Uploaded files and documents (audio files, PDFs, documents, and images attached to notes).
  • Text notes you type or paste into the app.
  • Free-text questions you ask the features.
  • Calendar event metadata for meetings, when you connect a calendar.
  • Support messages and feedback (including feature suggestions and any images you attach to them).

When a note is created, its title, transcript, summary, and related content are processed to power features such as summaries and search.

If you use Notez to record audio, you are responsible for obtaining consent from any individuals being recorded, as required by applicable local laws.

Notez is a general-purpose consumer tool and is not intended for special-category or sensitive data. You should not upload health data or other special-category data (Article 9 GDPR / "sensitive personal data" under KVKK) unless you have a lawful basis and accept responsibility for that use. We are not a HIPAA-covered service.

1.2 Account Information

Notez uses anonymous authentication; we do not require you to create an account with a name or password to use core features. In connection with your use of the Service, we may process:

  • An anonymous user identifier assigned by our authentication provider.
  • Push notification tokens (via Firebase Cloud Messaging), used to deliver notifications you have opted into.
  • OAuth tokens for calendar integrations you connect (Google Calendar, Microsoft Outlook), stored securely server-side.
  • Subscription status and renewal state, mirrored from our payment/subscription processors.
  • Your iOS App Tracking Transparency consent decision (the result, not the prompt content).

1.3 Device and Usage Information

We automatically collect:

  • Device model, operating system version, app version, language, and time zone.
  • Coarse country, derived from your IP address and/or your App Store / Google Play storefront. We do not collect precise location and do not request a location permission.
  • Service usage events: screens viewed, features used, paywall views, conversions, and errors. These power our product analytics and lifecycle notifications.
  • Advertising identifiers (IDFA on iOS only after you grant App Tracking Transparency consent; Android Advertising ID where not opted out at the system level) and anonymous identifiers generated by our SDKs at first launch, used for attribution and analytics.
  • Crash diagnostics (stack traces, device state at crash time).

2. How We Use Your Information

We use your information to:

  • Provide the core product: capture, transcribe, diarize, summarize, translate, and organize your notes and recordings.
  • Run our features: summaries, key points, action items, templates, and translation.
  • Personalize the experience: language preference, default template, and other settings.
  • Communicate with you: important service updates and lifecycle notifications (e.g., reminders, paywall recovery, win-back). You can mute these at the device level.
  • Process payments, validate subscription state, and enforce paywalls.
  • Measure marketing performance and attribute installs.
  • Diagnose crashes, debug issues, and improve product quality.
  • Protect the Service against fraud, abuse, and unauthorized access, and comply with legal obligations.

We do not use your recordings, transcripts, summaries, or content to train models, and our providers are contractually required not to train their models on the content we send them through their commercial APIs.

2.1 Legal Bases (GDPR / KVKK)

Where the GDPR or KVKK applies, we rely on: performance of a contract (providing the core product, subscription management, payments); legitimate interests (product quality, debugging, security, fraud prevention, and processing information about other people contained in your recordings); consent (marketing measurement and advertising identifiers, where required); and legal obligation (compliance with lawful requests). Where we rely on consent, you may withdraw it at any time.

3. How We Share Information

3.1 We Do Not Sell Your Personal Information

We do not sell your personal information, recordings, transcripts, or notes, and we do not use your recordings or notes for advertising. We may share limited identifiers and event metadata with attribution and advertising partners to measure marketing performance; under some US state laws this may qualify as "sharing" for cross-context behavioral advertising (see Section 9).

3.2 Categories of Recipients

  • Sub-processors that help us operate the Service (Section 4).
  • Providers we send your content to in order to deliver features (Section 4.2).
  • People you share notes with, when you initiate that sharing (e.g., a shareable link or export).
  • Legal authorities, when required by law or to protect rights and safety.
  • A successor entity, in the event of a merger, acquisition, or restructuring.

Your recordings, transcripts, and summaries are private and are never shared publicly or used for marketing, except where you choose to export or create a shareable link for a specific note.

4. Sub-Processors

We engage third-party service providers (processors and sub-processors) to deliver the Service. Each processes personal information on our behalf under confidentiality and security obligations.

4.1 Infrastructure, Authentication, and Storage

  • Firebase (Google LLC) anonymous authentication, database, push notifications (FCM), serverless runtime, crash diagnostics, and product analytics.
  • Cloudflare (Cloudflare, Inc.) object storage (R2) for audio recordings, uploaded documents, and generated outputs, with content delivery through Cloudflare's CDN.

4.2 Transcription and Processing

Notez routes your content to trusted third-party providers to deliver transcription, diarization, summarization, and translation. Depending on the feature, we either provide the provider with a secure storage URL from which it fetches the file, or we send the content inline. These providers are contractually barred from training their models on the content we send them through their commercial APIs, or operate as routers and sub-processors for providers that are so barred. Providers may retain request and response logs for a limited period (typically up to 30 days) for abuse monitoring. We will update this policy to reflect material changes in the providers we use.

4.3 Subscription Management and Payments

  • Adapty subscription management, receipt validation, and in-app purchase analytics.
  • Apple App Store / Google Play payment processing for in-app purchases.

4.4 Attribution and Marketing Analytics

  • Firebase Analytics (Google LLC) product and usage analytics.
  • Adjust mobile install attribution and event measurement.
  • Facebook SDK (Meta Platforms, Inc.) install attribution and conversion measurement.

These partners may receive device identifiers (such as IDFA, IDFV, and Android Advertising ID, subject to your platform settings and consent), event names, and install metadata to measure marketing performance.

4.5 Calendar Integrations

  • Google Calendar API when you connect a Google Calendar, we use the Calendar API to read your events on your behalf. We store an OAuth token server-side.
  • Microsoft Graph (Microsoft Corporation) when you connect an Outlook or Microsoft 365 calendar, we use Microsoft Graph to read your events and meeting metadata on your behalf. We store an OAuth token server-side.

We will update this list as we add, remove, or change processors.

5. Google API Services — Limited Use

Notez's use and transfer of information received from Google APIs (including Google Calendar) adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data obtained from Google APIs is used only to provide or improve user-facing features that are prominent in Notez, is not transferred or sold for advertising, market research, or other unrelated purposes, and is not used to train generalized models. Human access to this data occurs only in the limited cases permitted by the policy (such as with your consent, for security, or to comply with law).

6. Data Storage, Encryption, and Retention

6.1 Where Your Data Lives

  • Notes, transcripts, summaries, AI outputs, and metadata are stored in our cloud database (Firebase), scoped to your anonymous user identifier.
  • Audio recordings, uploaded documents, and generated outputs are stored in Cloudflare R2 with delivery through a content delivery network.
  • OAuth tokens for calendar integrations are stored securely, scoped to your account.
  • Subscription state is mirrored from Adapty so paywalls can be enforced.
  • On-device, we keep light client state (onboarding flags, last-selected language, UI state).

6.2 Encryption

Data is encrypted at rest using vendor-managed AES-256, and all traffic uses TLS 1.2 or higher.

6.3 Retention

  • Notes, transcripts, summaries, and associated audio/document files remain until you delete the individual note or your data is deleted (Section 6.4). Deleting a note removes its record and associated file; CDN edge caches expire within 24 hours.
  • Cached calendar events are purged after they are no longer needed.
  • Provider request/response logs are retained by each provider under its own policy, typically up to 30 days.
  • Analytics events are retained under each vendor's plan-level retention policy.

6.4 Deletion

You can delete individual notes at any time from within the app, which removes the note record and its associated audio or document file. To request deletion of your data associated with your device/anonymous identifier, contact support@superapplabs.co. We complete erasure across active systems on a 30-day target and from backups on a 90-day target, except where retention is required by applicable law. Canceling a paid subscription is separate from deleting your data and is done through the store where you purchased it.

7. Information About Other People

Some features cause us to process information about people other than you (for example, attendees in a recorded meeting, or speaker names you assign during diarization). We process that information only to deliver the feature you requested, do not market to those individuals, and do not enrich it from other sources. If you appear in a Notez recording or share and want your information removed, contact support@superapplabs.co.

8. Your Rights

Depending on where you live, you may have rights under the GDPR, KVKK, and similar frameworks, including the right to access, correct, delete, port, restrict, or object to the processing of your personal information, and to withdraw consent. If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local supervisory authority; in Türkiye, with the Turkish Personal Data Protection Authority (KVKK Kurumu).

In-app controls: delete individual notes; edit note text to correct inaccuracies; disconnect a calendar (Settings); manage microphone, camera, and photo permissions from your device settings; change iOS App Tracking Transparency consent; and manage push notifications.

Requests via support: for rights without a self-serve path, email support@superapplabs.co from the relevant device/account context. We acknowledge requests within a reasonable period and respond within 30 days. If a request is rejected, we provide a justified explanation.

9. Cookies, Push Notifications, and Third-Party Links

  • Push notifications. We may send notifications related to service updates, reminders, and offers. You can manage or disable them via your device settings.
  • Third-party links. The Service may include links to external services not controlled by Superapp Labs. We are not responsible for their content or practices.
  • US state privacy rights. We do not "sell" personal information as defined under applicable US state laws. We may "share" limited identifiers and event metadata for cross-context behavioral advertising; to opt out, email support@superapplabs.co with the subject "Do Not Sell or Share My Personal Information."

10. International Data Transfers

We are based in Türkiye and operate the Service using cloud regions and sub-processors located in Türkiye, the United States, the European Union, and potentially other countries where our providers operate. When you use Notez from outside these regions, your information will be transferred to and processed in them. Where required, transfers rely on the European Commission's Standard Contractual Clauses or equivalent safeguards built into our sub-processors' data-processing agreements.

11. Children's Privacy

Notez is not directed to children under 13 (or under 16 in jurisdictions where that is the relevant age of consent for data processing). We do not knowingly collect personal information from children under those ages. If you believe a child has provided personal information to us, contact support@superapplabs.co and we will delete it.

12. Security

Superapp Labs applies technical and administrative measures to protect personal data, including encryption in transit and at rest, role-based access control, secure authentication to internal systems, logging, and regular security reviews. In the event of a breach, affected users and the relevant authority will be notified as required by law, and corrective actions will be taken.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the new policy on this page and update the "Last Updated" date. For material changes that affect how your data is processed, we will provide additional notice where required by law. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Information

  • Company Name: Superapp Labs Teknoloji A.Ş.
  • Address: EGS Business Park, D Blok, No: 12, Daire: 251, Yeşilköy Mah., Atatürk Cad., Bakırköy, Istanbul, Türkiye
  • Email: support@superapplabs.co
  • Phone: +90 212 909 17 35

As the company is established in Türkiye, the Turkish data protection law (KVKK) and the Turkish Personal Data Protection Authority apply to our processing, alongside the GDPR and UK GDPR where they apply to EEA and UK users.

© 2026 Superapp Labs Teknoloji A.Ş. All rights reserved.