Legal · last updated 5 May 2026
Privacy Policy
This Privacy Policy explains how Sidenote handles personal data. Sidenote is operated by Lewis Hadden, trading as Sidenote, a sole trader registered in the United Kingdom.
Contact: support@getsidenote.app · Address: 40 Viking Way, Whittlesey, PE7 1DY, United Kingdom.
1. Who is the data controller?
For the purposes of UK GDPR and the Data Protection Act 2018, Lewis Hadden (trading as Sidenote) is the data controller for personal data collected through the Sidenote browser extension and web dashboard.
2. What we collect
Account data
Your email address, used to authenticate via magic link, and the timestamps of your account creation, trial start, and subscription state changes.
Document content
When you use Sidenote on a document — whether a PDF, web article, Confluence page, or upload — we extract its text in your browser, send it to our backend, and store the processed text and vector embeddings so we can answer questions and produce summaries about it. You choose between two retention modes per document:
- Store (default): the document content is retained so you can re-open and re-query it later. It is cached across users: if another user ingests the same file, neither of you re-pays for indexing.
- Discard: the document content is processed transiently and not retained beyond the current session.
Usage data
The number of API calls you make, the AI models invoked, and the token counts per call. This is used to enforce free-tier limits and bill Pro subscribers. We do not log document content in usage records.
Payment data
If you upgrade to Pro, payment processing is handled by Stripe. We never see or store your card number, expiry, or CVC. Stripe shares with us a customer reference, your last four digits (for display), and your subscription status.
Cookies
The web dashboard sets a single first-party browser-storage entry to keep you signed in. The browser extension stores its session in chrome.storage.local. We do not set advertising cookies, tracking cookies, or third-party analytics cookies.
3. How we use your data
- To authenticate you and keep you signed in
- To process documents you submit and answer your questions about them
- To enforce free-tier limits and bill Pro subscriptions
- To send service emails (magic links, billing receipts, trial reminders)
- To diagnose errors and improve the product
4. Lawful basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract (Art. 6(1)(b)): processing necessary to provide the service you signed up for — authenticating, indexing your documents, answering your questions, and billing.
- Legitimate interest (Art. 6(1)(f)): aggregate, non-identifying telemetry to keep the service running and improve it.
- Legal obligation (Art. 6(1)(c)): retaining limited financial records as required by UK tax law.
5. Sub-processors
Sidenote relies on the following processors. Each is contractually bound to process data only on our instructions and to maintain appropriate security:
- Supabase (database + authentication) — eu-west-2 (London), UK. Used to store account, document, and chat history data.
- Anthropic (Claude language models) — used to generate summaries, chat answers, explanations, and glossary entries. Anthropic does not train its models on our API traffic.
- Voyage AI (text embeddings) — used to convert document chunks into vectors for retrieval. Voyage does not train on API traffic.
- Stripe — payment processing and billing portal.
- Resend — transactional email delivery (magic links, receipts, trial reminders).
- Vercel — hosting for the web dashboard and marketing site.
6. International transfers
Anthropic, Voyage AI, Stripe, Resend, and Vercel may process data outside the UK, primarily in the United States or European Union. Where this happens, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or the UK's Adequacy Regulations as appropriate.
7. AI model training
We do not train AI models on your documents or your conversations with Sidenote. Anthropic and Voyage operate with no-training defaults on the API tiers we use, and we do not fine-tune models on user content.
8. Retention
- Account data: retained while your account is open. Deleted within 30 days of account closure.
- Document content (Store mode): retained while your account is open or until you delete the document, whichever is sooner.
- Document content (Discard mode): not retained beyond the session.
- Chat history: retained while your account is open. You can delete individual conversations from the sidebar.
- Usage records: retained for 24 months for billing reconciliation.
- Payment records: retained for 7 years to comply with UK tax law.
9. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you (Article 15)
- Have inaccurate data corrected (Article 16)
- Have your data erased (Article 17)
- Restrict or object to certain processing (Articles 18 and 21)
- Receive a portable copy of your data (Article 20)
- Withdraw consent at any time, where consent is the lawful basis
To exercise any of these rights, email support@getsidenote.app. We will respond within one calendar month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
10. Security
Document content is encrypted at rest in the Supabase database. Network traffic between your browser and our servers is encrypted in transit (TLS). Database access is restricted to service-role credentials and protected by row-level security policies that scope each user's data to their own account.
11. Children
Sidenote is not intended for users under 16. We do not knowingly collect personal data from anyone under 16.
12. Changes to this policy
We may update this Privacy Policy from time to time. The “last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated via email to active accounts.
13. Contact
Questions about this Privacy Policy or how Sidenote handles your data — email support@getsidenote.app.