Privacy Policy

1. Introduction

Original Note ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure incident documentation platform.

Data Controller: Original Note Ltd (Company No. 17115726, registered in England & Wales)
Contact: [email protected]

2. Information We Collect

2.1 Account Information

When you register, we collect:

• Username and email address
• First name and last name
• Organization information
• Password (stored as a secure hash)

2.2 Incident Data

When you create incident reports, we collect:

• Incident descriptions and details
• Timestamped photographs
• Voice recordings
• GPS location data
• IP addresses (for audit purposes)

2.3 Technical Data

We automatically collect:

• IP addresses
• Browser type and version
• Device information
• Usage patterns and access logs

3. How We Use Your Information

We process your personal data for the following purposes:

• Service Provision: To provide and maintain our incident documentation platform
• Account Management: To manage your account and provide customer support
• Billing: To process payments and manage subscriptions
• Compliance: To comply with legal obligations and maintain audit trails
• Security: To protect against fraud and ensure platform security
• Improvement: To improve our services (using anonymized data)

Legal Basis: We process your data based on:

• Contract performance (providing the service you've subscribed to)
• Legitimate interests (security, fraud prevention, service improvement)
• Legal obligations (compliance with data protection laws)

4. Data Storage and Location

All data is stored in the European Union (Germany) to ensure compliance with GDPR and UK data protection regulations.

Infrastructure: Our platform infrastructure is hosted on OVH Cloud in their Germany data centre.

Data Storage: We use AWS Services located in Germany for secure data storage. We have data processing agreements in place with both OVH Cloud and AWS.

Data Retention: We retain your data according to your subscription plan:

• Starter: 365 days (1 year)
• Professional: Up to 2,555 days (7 years)
• Enterprise: Up to 3,650 days (10 years)

After the retention period expires, data is automatically deleted in accordance with our data retention policy.

5. Third-Party Services

5.1 OVH Cloud (Infrastructure)

We use OVH Cloud for our platform infrastructure, hosted in their Germany data centre. All infrastructure services are located in the European Union. We have a data processing agreement in place with OVH Cloud.

5.2 AWS Services (Data Storage)

We use AWS Services located in Germany for secure data storage. AWS is GDPR compliant and we have a data processing agreement in place. All data stored with AWS remains within the European Union.

5.3 Scaleway (AI Processing)

We use Scaleway for AI processing services. All Scaleway services used are located in the European Union. We have a data processing agreement in place with Scaleway.

AI Processing: Before sending data to Scaleway AI for quality checks, we strip all personally identifiable information (PII) from the content. Only anonymized incident descriptions are processed by AI services.

5.4 Stripe (Payment Processing)

We use Stripe for payment processing. Stripe is GDPR compliant and processes payment data in accordance with PCI DSS standards. We do not store credit card information on our servers.

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your account and all associated data (subject to legal obligations to retain certain records)
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Receive your personal data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent where processing is based on consent

How to Exercise Your Rights

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

Right to Erasure — Process

To request deletion of your account and associated data, email [email protected] with the subject line "Data Erasure Request". Include your registered email address and username. We will confirm deletion within 30 days. Note that we may be required to retain certain records (e.g. billing records) for legal or regulatory reasons, and incident data within your subscription retention period may be subject to your organisation's own legal obligations.

Right to Data Portability — Process

To request a copy of your personal data in a structured, machine-readable format, email [email protected] with the subject line "Data Portability Request". We will provide your account data and incident records within 30 days.

Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data in accordance with UK GDPR. You can contact the ICO at ico.org.uk or by calling 0303 123 1113.

7. Cookies

We use the following types of cookies:

• Essential Cookies: Required for the platform to function (session management, authentication, CSRF protection). These are set without requiring your consent as they are strictly necessary for the service to operate.
• Analytics Cookies: We use Google Analytics (GA4) to understand how visitors use our website. These cookies are only set if you choose "Accept all" when prompted. Analytics data is used to improve our service and is subject to Google's privacy policy. No analytics cookies are set if you choose "Essential only".

You can manage your cookie preference at any time through your browser settings, or by clearing your localStorage data. Declining analytics cookies does not affect platform functionality.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS/SSL)
• Encryption of data at rest
• Regular security audits and updates
• Access controls and authentication
• HMAC-SHA256 cryptographic hashing for incident integrity

9. Data Breaches

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay.

10. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

11. Personal Data in Incident Reports

When you use Original Note to document incidents, you may record personal data about third parties — individuals involved in incidents, witnesses, or members of the public. In relation to that third-party personal data:

• You (or your organisation) are the data controller responsible for that personal data under UK GDPR and the Data Protection Act 2018.
• Original Note acts as your data processor, storing and processing that data only on your instructions as part of providing the service.
• You are responsible for ensuring you have a lawful basis for recording that personal data, that individuals are informed their data may be captured in incident reports (e.g. through your own privacy notices), and that your use complies with applicable data protection law.
• Our obligations as data processor — including the technical and organisational security measures we apply — are set out in these policies and incorporated into our Terms of Service.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: [email protected]
Data Protection Inquiries: [email protected]