notefade
UK privacy notice

Privacy information grounded in the product that actually ships.

This page describes the current `notefade` implementation rather than an aspirational security model. It explains what the service stores, which operational identifiers it uses, and where retention is handled by scheduled cleanup rather than instant erasure.

Operator and contact route

notefade is currently operated directly by the maintainer while the product is in its current hosted form. Privacy and support questions should be sent to the contact route below.

Current contact details

Operator: Lewis Morris. Contact route: lewis@arched.dev.

What the service processes

  • When you create a note, the API stores a sanitized markdown version of the note body on the server.
  • Optional passwords are stored as password hashes and are used to gate unlocking, not to encrypt the note body at rest.
  • Share links include an opaque public token so the recipient can reach the preview, unlock, and read routes.
Operational metadata

Device, IP, and access-event processing

`notefade` uses operational metadata to enforce note policies and keep public note routes from being abused.

  • The service records note ids, event types, counters, and denial reasons in access-event records for operational and debugging purposes.
  • Device-limited notes rely on a browser-side device identifier that is stored locally when possible and sent back to the API on unlock and read requests.
  • Public note routes are rate limited using request IP address as the operational key.
Retention and destruction

Access can stop immediately even when cleanup happens later.

The product blocks expired or destroyed notes right away, but row deletion is a separate scheduled task.

  • Expired notes become inaccessible as soon as the API sees they are past `expires_at`.
  • Destroyed or consumed notes can leave tombstones behind until the scheduled cleanup job removes them.
  • The default destroyed-note retention window in the API configuration is 24 hours unless operators change it.
Your options

User rights and complaint routes

This notice reflects the current operator and route for privacy questions, not a future placeholder version.

  • notefade is currently operated by Lewis Morris, and privacy or support questions can be sent to lewis@arched.dev.
  • People should be able to ask what note and metadata processing applies to them, request correction where appropriate, and raise concerns with the relevant UK supervisory authority if direct resolution fails.
  • This page intentionally avoids end-to-end-encryption or zero-knowledge claims because the current implementation does not provide them.
Complaint route

Unresolved concerns should be raised first through lewis@arched.dev and can then be escalated to the UK Information Commissioner's Office if a user remains unhappy.