Privacy Policy

1.1 Notes and Vault Content

Your notes, attachments, and all vault content are stored exclusively on your device or on storage you control (e.g., your own WebDAV server or a local folder synced by a third-party cloud client). Oceanoax never receives, stores, or has access to your notes or vault content. Note: if you choose to use cloud-based AI features (see Section 1.4), the content you submit to those services will be transmitted to the third-party AI provider you configured — this is initiated by you and is not controlled by Oceanoax.

1.2 License Activation Data (Direct purchases only)

When you activate a Pro license obtained through a direct purchase (LemonSqueezy or activation code), Oaklet Notes transmits the following data to our license validation endpoint (api.oakletnotes.com, hosted on Cloudflare Workers) to validate your license and enforce the device limit: your license key, a pseudonymous device identifier (generated locally, not tied to your identity), your operating system name and version, and the application version. This data is used solely for license management and is not used for advertising or profiling.

Note: This activation flow does not apply to Apple App Store users. App Store subscriptions are validated via Apple's StoreKit receipt verification — no license key is generated, and no data is sent to api.oakletnotes.com for App Store users. See Section 1.3 for details on App Store data handling.

1.3 Payment Information

Payments are processed by one of two providers depending on the channel through which you purchased Oaklet Notes Pro:

• Direct purchases (website): Processed by Lemon Squeezy, LLC ("LemonSqueezy"), our Merchant of Record. LemonSqueezy collects your payment details, billing address, and related transaction information directly. Oceanoax does not receive or store your credit card or payment details. LemonSqueezy's handling of your payment information is governed by LemonSqueezy's Privacy Policy.
• Apple App Store purchases (iOS / macOS App Store): Processed by Apple Inc., acting as the Merchant of Record. Apple collects your payment details, billing information, and Apple ID-linked transaction data directly. Apple transmits to us only a transaction receipt (containing an anonymized transaction identifier, product ID, purchase date, and subscription status) used for entitlement validation within the app. Oceanoax does not receive your name, email, billing address, or payment method through the App Store channel. Apple's handling of your payment information is governed by Apple's Privacy Policy.

1.4 AI Services

Oaklet Notes supports connecting to AI providers (local models or third-party cloud services). Any AI providers you configure are chosen and controlled entirely by you. Oceanoax does not proxy, receive, log, or store any data exchanged between Oaklet Notes and your configured AI provider. When using cloud AI services, your data is subject to that provider's privacy policy.

1.5 Agent API & MCP

The Agent API is a local HTTP server that runs on your device. When used with local tools, all API traffic stays within your local network. The software also supports the Model Context Protocol (MCP), which allows external AI tools to discover and interact with the Agent API. If you connect a cloud-hosted MCP client, vault data may be transmitted over the internet to that client. You are responsible for evaluating the privacy practices of any external tool you connect. Oceanoax does not receive, monitor, or have access to any data processed through the Agent API or MCP.

1.6 Diagnostic and Crash Reports

Oaklet Notes does not collect crash reports or diagnostic data automatically. You may optionally enable diagnostic logging in Settings to help troubleshoot issues. Logs are stored locally on your device and are never sent automatically. You may choose to export and share log files with our support team at your discretion. If you encounter a bug or crash, you may also voluntarily report it through our public issue tracker on GitHub. Any information you submit through GitHub is subject to GitHub's privacy policy.

Apple App Store users: If you installed Oaklet Notes from the Apple App Store and have enabled "Share with App Developers" under Settings → Privacy & Security → Analytics & Improvements on your iOS device (or System Settings → Privacy & Security → Analytics on macOS), Apple may share anonymized crash logs with us through App Store Connect. This data is collected and anonymized by Apple, not by Oaklet Notes, and is controlled entirely by your Apple device settings.

1.7 Communications

If you contact us for support at [email protected], we retain your email address and the content of your messages to respond to your inquiry and improve our support.

We use the information we collect to:

• Validate and manage Pro licenses and enforce device limits;
• Respond to support inquiries;
• Detect and prevent fraudulent license use;
• Comply with applicable legal obligations.

We do not sell your personal information. We do not use your information for behavioral advertising.

We do not sell, rent, or share your personal information with third parties except as described below.

3.1 Sub-processors

We use the following sub-processors to operate Oaklet Notes. Each processes only the minimum data necessary for its stated purpose.

We maintain Data Processing Agreements (DPAs) with each sub-processor where required by applicable law. We will update this table if we add new sub-processors, and where required, provide advance notice.

3.2 Other Disclosures

We may also disclose your information in the following circumstances:

• Legal requirements: We may disclose information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights or the safety of others.
• Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you of any such change.

License activation records are retained for the duration of your license and for up to three (3) years thereafter for fraud prevention and legal compliance purposes. Support communications are retained for up to two (2) years. You may request deletion of your data by contacting us at [email protected], subject to any legal retention obligations.

5.1 U.S. State Privacy Rights (CCPA/CPRA and Other State Laws)

If you are a resident of California, Virginia, Colorado, Connecticut, or another U.S. state with applicable privacy legislation, you may have the following rights:

• Right to know what personal information we collect, its sources, and purposes;
• Right to request deletion of your personal information;
• Right to correct inaccurate personal information;
• Right to data portability;
• Right to opt out of the sale or sharing of personal information;
• Right to limit use of sensitive personal information;
• Right to non-discrimination for exercising your rights.

We do not sell or share your personal information as defined under the CCPA/CPRA or any other applicable state privacy law. We do not collect sensitive personal information as defined by the CPRA.

Categories of personal information collected in the preceding 12 months:

• Identifiers: license key (direct purchases only), pseudonymous device identifier (direct purchases only), email address (support only). Source: you / your device. Purpose: license management, support.
• Commercial information: purchase and transaction records. Source: LemonSqueezy (direct purchases) or Apple Inc. (App Store purchases), each acting as our respective Merchant of Record. Purpose: license fulfillment, subscription validation.
• Apple App Store transaction data (App Store users only): purchase receipt, transaction ID, product ID, purchase date, subscription status. Source: Apple Inc. via StoreKit. Purpose: subscription entitlement validation.
• Internet/electronic activity: operating system, app version (collected during license activation only — direct purchases). Source: your device. Purpose: license validation, compatibility.

To exercise your rights, contact [email protected]. We will respond within the timeframes required by applicable law.

5.2 Canadian Residents (PIPEDA)

If you are a Canadian resident, you have the right to: access the personal information we hold about you, request correction of inaccurate information, withdraw your consent to data processing, and challenge our compliance with PIPEDA. We collect personal information only for the purposes identified in this policy, with your implied consent (for license activation) or express consent (for support communications). To exercise these rights or file a complaint, contact us at the address below.

5.3 EEA/UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, the following applies:

Lawful bases for processing:

• License activation data: performance of a contract (Art. 6(1)(b));
• Fraud prevention: legitimate interest (Art. 6(1)(f));
• Support communications: legitimate interest (Art. 6(1)(f));
• Legal compliance: legal obligation (Art. 6(1)(c)).

Your rights: You have the right to access, rectify, erase, or restrict processing of your personal data, to data portability, to object to processing based on legitimate interest, to withdraw consent where consent is the basis, and to lodge a complaint with your local supervisory authority.

International data transfers: Oceanoax LLC is based in the United States. Personal data from EEA/UK residents may be transferred to the U.S. for processing. We rely on the EU-U.S. Data Privacy Framework (where applicable) or Standard Contractual Clauses (SCCs) as the transfer mechanism. Our sub-processors maintain their own transfer safeguards: LemonSqueezy processes payment data under its Data Processing Agreement; Cloudflare processes license data under its Customer DPA with Standard Contractual Clauses.

Data breach notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.

We do not engage in automated decision-making or profiling with legal or similarly significant effects. Contact us to exercise any of the above rights.

We implement appropriate technical and organizational measures to protect the limited personal data we hold against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure.

Oaklet Notes is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Effective Date" at the top of this page and, where appropriate, through an in-app notice. Your continued use of Oaklet Notes after such changes constitutes your acceptance of the updated policy.

If you have any questions or requests regarding this Privacy Policy, please contact: