Security & Privacy
How Klarinotte keeps your data safe and private.
The short version: Your notes are yours. They're stored locally on your device. When you use sync, your data is end-to-end encrypted before it leaves your device — we cannot read it. We don't track you, profile you, or sell your data.
Local-First Storage
By default, all your data lives exclusively on your device in the browser's IndexedDB — a local database that never leaves your machine:
- Notes, folders, tags, bookmarks, and settings.
- Attachments (images, files).
- Semantic search models and OCR processing run entirely on-device.
We have no access to your locally stored data. If you clear your browser data, local data may be lost — we recommend using the sync feature or maintaining backups via export.
End-to-End Encryption
If you create an account and enable sync, your data is encrypted on your device before upload using AES-256-GCM. The encryption key is derived from your password and never leaves your device.
- We cannot read your notes or attachments — ever.
- Our server operators cannot decrypt your data.
- If you lose your password, we cannot recover your data — there is no backdoor.
Zero-Knowledge Architecture
Our servers store only encrypted blobs — your notes and attachments in encrypted form that we cannot read. The sync protocol uses encrypted metadata (timestamps, device identifiers, sync IDs) needed for synchronization. Your account email and a hashed password derivative are stored for authentication — never your plaintext password.
On-Device AI
Both OCR and semantic search are powered by AI models that run entirely in your browser:
- OCR uses a local OCR model — no images are sent to any server.
- Semantic Search uses a local embedding model — no text or queries leave your device.
What We Do NOT Collect
- The content of your notes
- Your search queries (full-text or semantic)
- Your tags, folder names, or organizational structure
- Your images, attachments, or OCR-extracted text
- Usage analytics, page views, click tracking, or behavioral data
- Third-party tracking cookies or advertising identifiers
Your Rights
- Export your data at any time, in full, in standard Markdown format with attachments.
- Delete your data — locally by clearing browser storage; from servers by deleting your account.
- Use without an account — sync is optional. The full app works without any server connection.
For the complete legal privacy policy, see our Privacy Policy page.