Privacy Policy

Last updated: 2026-02-01

1. Introduction

This Privacy Policy explains how awisoft s. r. o. (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use the Nexnote mobile application and related services (collectively, the “Service”).

We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Slovak and EU data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

awisoft s. r. o. IČO: 53 765 753 Registered office: Agátová 821/29, 951 35 Veľké Zálužie, Slovak Republic Contact email: support@nexnote.io

We have not appointed a Data Protection Officer as we do not meet the thresholds set out in GDPR Art. 37. For any questions or requests regarding your personal data, please contact us at the email address above.

3. Data We Collect

3.1 Account Information

When you create an account, we collect:

Email address
Display name
Profile information provided via your authentication provider (e.g., Google)
Account creation and last login timestamps

3.2 Meeting Data

When you use the Service, we store:

Meeting titles, dates, and notes
Audio recordings uploaded for transcription
Audio recordings stored in cloud storage (only when you opt in, either globally via Settings or per-recording before starting a session)
Transcripts generated from audio recordings
AI-generated summaries, action items, key decisions, and key points
Comments added to meetings
Bookmarks and favorites

3.3 Team and Collaboration Data

Team names, membership, and roles
Invitation records
Share link metadata (access level, expiration, password hash, view counts)

3.4 Usage Data

Transcription usage (duration per billing period)
Storage usage
Feature usage counts (e.g., share links created, exports generated)
Subscription tier and purchased add-on packs

3.5 Device Information

A randomly generated unique device identifier (UUID), created by the app on first launch and used to track anonymous usage before account creation. This is not the Android Advertising ID or any hardware identifier.
Timestamps of first and last activity

3.6 Feedback Data

Meeting quality ratings
Issue reports and comments submitted through the feedback feature

3.7 Analytics and Crash Data

When you opt in to analytics (via the in-app consent dialog), we collect:

Analytics events: Anonymous usage patterns such as screens visited, features used, and session duration (via Firebase Analytics)
Crash reports: Application crash logs including stack traces, device model, operating system version, and app state at the time of the crash (via Firebase Crashlytics)

You can opt out of analytics and crash reporting at any time via Settings > Privacy > Analytics & Crash Reports. Opting out stops all future data collection but does not delete previously collected data.

3.8 Technical Data

Authentication tokens (managed by Firebase Authentication)
Sync metadata (timestamps, version numbers for conflict resolution)
Remote configuration data (feature flags and app behavior settings fetched from Firebase Remote Config)

4. Purpose of Processing

We process your personal data for the following purposes:

Purpose	Legal Basis (GDPR Art. 6)
Providing the Service (account management, meeting storage, sync)	Performance of contract (Art. 6(1)(b))
Audio transcription and AI-powered analysis	Performance of contract (Art. 6(1)(b))
Subscription management and billing	Performance of contract (Art. 6(1)(b))
Usage tracking and quota enforcement	Legitimate interest (Art. 6(1)(f))
Analytics and crash reporting	Consent (Art. 6(1)(a)) — collected only when you opt in via the in-app consent dialog
Remote configuration (feature flags, app behavior)	Legitimate interest (Art. 6(1)(f)) — necessary to deliver and update the Service
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))
Responding to support requests	Legitimate interest (Art. 6(1)(f))

Where processing is based on consent, you may withdraw your consent at any time via Settings > Privacy > Analytics & Crash Reports. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Where processing is based on legitimate interest, we have conducted a balancing assessment and determined that our interests do not override your rights. You have the right to object to such processing (see Section 8.6).

5. Third-Party Data Processors

We use the following third-party services to process your data:

5.1 Google Firebase — Core Services

Services used: Firestore (database), Firebase Authentication (user accounts), Firebase Cloud Storage (file storage)
Data processed: Account information, meeting data, audio files, authentication tokens
Data location: EU/EEA (Google Cloud europe-west1 region)
Privacy policy: https://firebase.google.com/support/privacy

5.2 Google Firebase — Analytics and Crashlytics

Services used: Firebase Analytics (usage analytics), Firebase Crashlytics (crash reporting)
Data processed: Anonymous usage events, session data, crash logs, device model, OS version, app state
Data location: United States (with appropriate safeguards — see Section 7)
Privacy policy: https://firebase.google.com/support/privacy
Note: This data is only collected when you opt in via the analytics consent dialog. You can opt out at any time in Settings.

5.3 Google Firebase — Remote Config

Services used: Firebase Remote Config (feature flags and app configuration)
Data processed: Firebase installation ID, IP address (used for geo-targeting and throttling, not stored), app version
Data location: United States (with appropriate safeguards — see Section 7)
Privacy policy: https://firebase.google.com/support/privacy

5.4 Firebase AI Logic (Google Gemini)

Services used: Audio transcription, summary generation, action item extraction
Data processed: Audio recordings, generated transcripts
Data path: Audio data is sent from the app via the Firebase AI Logic SDK to Google’s Gemini model, processed in the EU/EEA (Google Cloud europe-west1 region)
Privacy policy: https://cloud.google.com/vertex-ai/docs/generalized/data-governance
Note: Audio data is processed in real-time and is not retained by Google for model training. Processing is governed by the Google Cloud Data Processing Terms.

5.5 RevenueCat

Services used: Subscription and in-app purchase management
Data processed: User identifier, subscription status, purchase history
Data location: United States, protected by Standard Contractual Clauses (SCCs) and RevenueCat’s compliance with the EU-U.S. Data Privacy Framework (DPF)
Privacy policy: https://www.revenuecat.com/privacy

5.6 Google Cloud Run

Services used: Backend application hosting
Data processed: All data transmitted to/from the Service backend
Data location: EU/EEA (Google Cloud europe-west1 region)

6. Data Retention

Data Type	Retention Period
Account data	Retained until account deletion
Meeting data (active)	Retained until deleted by user or account deletion
Meeting data (soft-deleted)	Retained for 30 days after deletion, then permanently removed
Audio recordings (cloud)	Retained until deleted by user (per-meeting or bulk via Settings > Sync & Storage), or account deletion. Deleting cloud audio does not affect local recordings or meeting notes.
Audio recordings (local)	Stored on your device; retained until deleted by user or app uninstall
Share link data	Retained until the link is revoked by the user, the associated meeting is deleted, or account deletion. Expired links become inaccessible but the underlying metadata is retained until meeting or account deletion.
Usage records	Retained until account deletion
Export files	Available for download for 24 hours after generation, then permanently deleted
Feedback data	Retained until account deletion
Device usage data	Retained until account deletion or until the device data is linked to an account
Analytics data	Retained by Firebase Analytics for 14 months, then automatically deleted
Crash data	Retained by Firebase Crashlytics for 90 days, then automatically deleted

When you delete your account, all associated data is permanently removed within 30 days. Soft-deleted meetings are cleaned up automatically by a background process.

7. Data Transfers

Your data is primarily processed within the European Union / European Economic Area (EU/EEA), specifically in Google Cloud’s europe-west1 region (Belgium).

Where data is transferred outside the EU/EEA, such transfers are protected by:

Processor	Transfer Destination	Safeguard
Firebase Analytics	United States	Google’s Standard Contractual Clauses (SCCs) per the Google Cloud Data Processing Terms
Firebase Crashlytics	United States	Google’s Standard Contractual Clauses (SCCs) per the Google Cloud Data Processing Terms
Firebase Remote Config	United States	Google’s Standard Contractual Clauses (SCCs) per the Google Cloud Data Processing Terms
RevenueCat	United States	Standard Contractual Clauses (SCCs) and EU-U.S. Data Privacy Framework (DPF)

Under the GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.

How to exercise: Use the in-app data export feature (Settings > Account > Export My Data) or email support@nexnote.io with the subject “Data Access Request”.

8.2 Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data.

How to exercise: Update your profile information directly in the app, or email support@nexnote.io.

8.3 Right to Erasure (Art. 17)

You have the right to request deletion of your personal data.

How to exercise: Use the in-app account deletion feature (Settings > Account > Delete Account) or email support@nexnote.io with the subject “Account Deletion Request”. See our Account Deletion page for more details.

You can also selectively delete cloud audio files without deleting your account or meeting data:

Per-meeting: Open a meeting > Actions menu > Delete cloud audio
Bulk: Settings > Sync & Storage > Delete all cloud audio

8.4 Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON).

How to exercise: Use the in-app data export feature (Settings > Account > Export My Data) for an immediate download, or email support@nexnote.io with the subject “Data Export Request”.

8.5 Right to Restriction of Processing (Art. 18)

You have the right to request restriction of processing in certain circumstances.

How to exercise: Email support@nexnote.io with the subject “Data Processing Restriction Request”.

8.6 Right to Object (Art. 21)

You have the right to object to processing based on legitimate interest. This includes the right to object to usage tracking and quota enforcement (Section 4).

How to exercise: Email support@nexnote.io with the subject “Data Processing Objection”.

Where processing is based on consent (analytics and crash reporting), you may withdraw consent at any time via Settings > Privacy > Analytics & Crash Reports. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In the Slovak Republic, the relevant authority is:

Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic) Hraničná 12, 820 07 Bratislava 27 Website: https://dataprotection.gov.sk

9. Automated Decision-Making

The Service uses AI to automatically generate transcripts, summaries, action items, key decisions, and key points from your audio recordings. This processing is performed to deliver the core functionality of the Service and does not produce legal effects or similarly significant effects on you.

AI-generated content is presented as suggestions for your review. You can edit, delete, or disregard any AI-generated output. No automated decisions are made regarding your account status, access, or rights based on AI outputs.

Quota enforcement (e.g., blocking transcription when monthly limits are reached) is based on simple usage counting, not profiling or automated decision-making in the sense of GDPR Art. 22.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
Encryption at rest: Data stored in Firebase Firestore and Cloud Storage is encrypted at rest using Google-managed encryption keys.
Authentication: Firebase Authentication with industry-standard JWT tokens.
Access control: Role-based access control for team features (owner, admin, editor, viewer).
Share link security: Optional password protection and expiration dates for shared content.
User control over analytics: Analytics and crash reporting are opt-in, with a clear consent dialog and toggle in Settings.
Infrastructure security: Google Cloud Platform’s security infrastructure, including physical security, network security, and regular audits.

11. Children’s Privacy

The Service is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us at support@nexnote.io and we will promptly delete such data.

12. Cookies and Local Storage

The Nexnote mobile application does not use cookies. The application stores data locally on your device for offline access and sync purposes. This local data includes:

Cached meeting data for offline viewing
Authentication session information
App preferences and settings

The Nexnote website (nexnote.io) uses:

localStorage: Language preference and theme preference (light/dark mode). No personal data is stored.
Essential cookies: Firebase Hosting may set a cookie (__session) for essential website functionality.

No third-party tracking cookies are used on the website. No advertising cookies are used.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will:

Update the “Last updated” date at the top of this document
Notify users through the app (via an in-app notification or prompt)
Post the updated policy on our website

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acknowledgment of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

awisoft s. r. o. IČO: 53 765 753 Registered office: Agátová 821/29, 951 35 Veľké Zálužie, Slovak Republic Email: support@nexnote.io

We aim to respond to all data protection requests within 30 days, as required by the GDPR.