Privacy policy

Last updated: May 2026. Version 1.0.

Notewell is operated by Kanavulabs, a sole proprietorship based in Erode, Tamil Nadu, India. This policy explains what personal data we process, why, how long we keep it, who we share it with, and the rights you have under the Digital Personal Data Protection Act, 2023 (the “DPDP Act”).

1. Who is the Data Fiduciary?

Kanavulabs is the Data Fiduciary for Notewell. You (the signed-in user) are the Data Principal. For any data-protection question, contact privacy@notewell.in.

2. What we collect

• Account data: name, email, profile photo from Google when you sign in via Google OAuth.
• Workspace data: your professional title, brand color, logo, default language, phone number — only the fields you enter during onboarding.
• Meeting audio: audio you choose to record from Google Meet via the Notewell Chrome extension. This is a mix of the meeting tab audio and your microphone, captured locally by the extension and uploaded to Notewell servers.
• Derived data: transcripts, summaries (executive summary, action items, decisions, next steps, key questions), suggested titles. Generated from your audio by the AI providers listed in §4.
• Delivery data: recipient names, phone numbers, and email addresses you enter when sending a follow-up; delivery status (sent / delivered / read / failed).
• Operational logs: timestamps, IP addresses, user-agent strings, error reports — for security and debugging. Retained 30 days.
• Cookies: a single first-party session cookie set by Better-Auth after sign-in. No third-party tracking cookies.

3. Why we collect it (lawful purposes)

• To provide the meeting transcription + summary service you signed up for.
• To deliver summaries on WhatsApp and email to the recipients you designate.
• To enforce free-tier limits (5 meetings/month) and prevent abuse.
• To investigate security incidents and bugs.
• To meet our legal and tax obligations.

Processing is based on your explicit consent (DPDP §6), which you provide during onboarding and can withdraw at any time by deleting your account.

4. Sub-processors

To deliver the service, your data is transmitted to these third parties:

• Groq, Inc. (USA) — speech-to-text (Whisper Large V3) and large-language-model summarization (Llama 3.3 70B).
• Deepgram, Inc. (USA) — fallback speech-to-text.
• Sarvam AI (India) — Indic-language speech-to-text when you select Tamil / Hindi / Kannada / Tanglish / etc.
• Anthropic, PBC (USA) — fallback large-language-model summarization (Claude Haiku).
• Resend (USA) — email delivery.
• Meta Platforms, Inc. (USA / Ireland) — WhatsApp Business Cloud API for WhatsApp delivery (via our own KanavuWA service).
• Hostinger (Lithuania / India) — VPS where Notewell servers and your audio files are stored.
• Cloudflare (USA) — DNS only.
• PostHog (USA) — anonymized product analytics (optional, off by default in v1).
• Sentry (USA) — error monitoring.

Our agreements with each sub-processor restrict them to processing your data only as needed to provide the service.

5. International transfer

Several sub-processors are located outside India (primarily USA). Where required, we rely on standard contractual terms with each provider. By using Notewell you consent to this transfer for the purposes described in §3.

6. Retention

• Audio files: deleted automatically 30 days after meeting upload, or immediately after transcription if you enabled Privacy mode.
• Transcripts and summaries: kept for the lifetime of your account so you can search and resend them. Deleted when you delete the meeting or your account.
• Delivery records: kept for 1 year for audit + compliance.
• Operational logs: 30 days.
• Backups: nightly encrypted Postgres dumps, 14-day rotation.

7. Your rights (DPDP §11–15)

• Right to access + export — download all data Notewell holds about you in JSON via Settings → Export my data.
• Right to correction — edit your name, title, brand, and any summary directly in the app.
• Right to erasure — delete a single meeting, or your entire account, from Settings. Account deletion cascades to all meetings, transcripts, summaries, deliveries, and audio files. We retain only the minimum audit-log entry required to prove deletion happened.
• Right to withdraw consent — equivalent to account deletion; processing stops immediately.
• Right to grievance — write to privacy@notewell.in. We respond within 7 working days. Unsatisfied? Escalate to the Data Protection Board of India (dpdpa.gov.in).

8. Security

• Audio files stored on encrypted disk; API keys encrypted at rest with AES-256-GCM.
• All transport is HTTPS / TLS 1.2+.
• Database access restricted to localhost; no public Postgres port.
• Sessions stored as HttpOnly + Secure cookies, rotated on sign-in.

No security is absolute. If we suffer a personal-data breach affecting you, we notify the Data Protection Board and you within 72 hours (DPDP §8(6)).

9. Children

Notewell is not directed at users under 18. We do not knowingly process personal data of minors.

10. Changes

If we materially change this policy we will increment the version, post the new policy here, and ask you to re-consent on next sign-in. The current version is shown at the top of this page.

11. Contact

Kanavulabs
Erode, Tamil Nadu, India
privacy@notewell.in · hello@notewell.in

See also: Terms of service.