Privacy Policy

1.1 Notes and Vault Content

Your notes, attachments, and all vault content are stored exclusively on your device or on storage you control (e.g., your own WebDAV server or a local folder synced by a third-party cloud client). Oceanoax never receives, stores, or has access to your notes or vault content. Note: if you choose to use cloud-based AI features (see Section 1.4), the content you submit to those services will be transmitted to the third-party AI provider you configured — this is initiated by you and is not controlled by Oceanoax.

1.2 License Activation Data

When you activate a Pro license, we (or our licensing infrastructure) collect the following to validate your license and enforce the device limit: your license key, a pseudonymous device identifier (generated locally, not tied to your identity), your operating system name and version, and the application version. This data is used solely for license management and is not used for advertising or profiling.

1.3 Payment Information

All payments are processed by Paddle.com Market Limited ("Paddle"), our Merchant of Record. When you purchase a Pro license, Paddle collects your payment details, billing address, and related transaction information directly. Oceanoax does not receive or store your credit card or payment details. Paddle's handling of your payment information is governed by Paddle's Privacy Policy.

1.4 AI Services

Oaklet Notes supports connecting to AI providers (local models or third-party cloud services). Any AI providers you configure are chosen and controlled entirely by you. Oceanoax does not proxy, receive, log, or store any data exchanged between Oaklet Notes and your configured AI provider. When using cloud AI services, your data is subject to that provider's privacy policy.

1.5 Agent API & MCP

The Agent API is a local HTTP server that runs on your device. When used with local tools, all API traffic stays within your local network. The software also supports the Model Context Protocol (MCP), which allows external AI tools to discover and interact with the Agent API. If you connect a cloud-hosted MCP client, vault data may be transmitted over the internet to that client. You are responsible for evaluating the privacy practices of any external tool you connect. Oceanoax does not receive, monitor, or have access to any data processed through the Agent API or MCP.

1.6 Diagnostic and Crash Reports

Oaklet Notes does not collect crash reports or diagnostic data automatically. If you encounter a bug or crash, you may voluntarily report it through our public issue tracker on GitHub. Any information you submit through GitHub is subject to GitHub's privacy policy and is submitted at your own discretion.

1.7 Communications

If you contact us for support at support@oakletnotes.com, we retain your email address and the content of your messages to respond to your inquiry and improve our support.

We use the information we collect to:

• Validate and manage Pro licenses and enforce device limits;
• Respond to support inquiries;
• Detect and prevent fraudulent license use;
• Comply with applicable legal obligations.

We do not sell your personal information. We do not use your information for behavioral advertising.

We do not sell, rent, or share your personal information with third parties except as follows:

• Paddle: As our Merchant of Record, Paddle processes payments and issues receipts. Paddle may receive your license key and transaction information.
• Legal requirements: We may disclose information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights or the safety of others.
• Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you of any such change.

License activation records are retained for the duration of your license and for up to three (3) years thereafter for fraud prevention and legal compliance purposes. Support communications are retained for up to two (2) years. You may request deletion of your data by contacting us at support@oakletnotes.com, subject to any legal retention obligations.

5.1 U.S. State Privacy Rights (CCPA/CPRA and Other State Laws)

If you are a resident of California, Virginia, Colorado, Connecticut, or another U.S. state with applicable privacy legislation, you may have the following rights:

• Right to know what personal information we collect, its sources, and purposes;
• Right to request deletion of your personal information;
• Right to correct inaccurate personal information;
• Right to data portability;
• Right to opt out of the sale or sharing of personal information;
• Right to limit use of sensitive personal information;
• Right to non-discrimination for exercising your rights.

We do not sell or share your personal information as defined under the CCPA/CPRA or any other applicable state privacy law. We do not collect sensitive personal information as defined by the CPRA.

Categories of personal information collected in the preceding 12 months:

• Identifiers: license key, pseudonymous device identifier, email address (support only). Source: you / your device. Purpose: license management, support.
• Commercial information: purchase and transaction records. Source: Paddle (our Merchant of Record). Purpose: license fulfillment.
• Internet/electronic activity: operating system, app version (collected during license activation only). Source: your device. Purpose: license validation, compatibility.

To exercise your rights, contact support@oakletnotes.com. We will respond within the timeframes required by applicable law.

5.2 Canadian Residents (PIPEDA)

If you are a Canadian resident, you have the right to: access the personal information we hold about you, request correction of inaccurate information, withdraw your consent to data processing, and challenge our compliance with PIPEDA. We collect personal information only for the purposes identified in this policy, with your implied consent (for license activation) or express consent (for support communications). To exercise these rights or file a complaint, contact us at the address below.

5.3 EEA/UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, the following applies:

Lawful bases for processing:

• License activation data: performance of a contract (Art. 6(1)(b));
• Fraud prevention: legitimate interest (Art. 6(1)(f));
• Support communications: legitimate interest (Art. 6(1)(f));
• Legal compliance: legal obligation (Art. 6(1)(c)).

Your rights: You have the right to access, rectify, erase, or restrict processing of your personal data, to data portability, to object to processing based on legitimate interest, to withdraw consent where consent is the basis, and to lodge a complaint with your local supervisory authority.

International data transfers: Oceanoax LLC is based in the United States. Personal data from EEA/UK residents may be transferred to the U.S. for processing. We rely on the EU-U.S. Data Privacy Framework (where applicable) or Standard Contractual Clauses (SCCs) as the transfer mechanism. Paddle processes payment data under its own Data Processing Agreement and transfer mechanisms.

Data breach notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.

We do not engage in automated decision-making or profiling with legal or similarly significant effects. Contact us to exercise any of the above rights.

We implement appropriate technical and organizational measures to protect the limited personal data we hold against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure.

Oaklet Notes is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Effective Date" at the top of this page and, where appropriate, through an in-app notice. Your continued use of Oaklet Notes after such changes constitutes your acceptance of the updated policy.

If you have any questions or requests regarding this Privacy Policy, please contact: