PongoNotes

Privacy Policy

PongoNotes — Last updated May 2026

1. Who we are

PongoNotes is a private note-taking application operated by PongoNotes and hosted on servers within the European Union. PongoNotes is the data controller for your personal data. If you have questions about your data, please contact us via the Support page.

2. What data we collect

When you create an account and use PongoNotes, we store:

We do not collect analytics, use advertising trackers, or share any data with third parties.

3. How we use your data

Your data is used solely to provide the PongoNotes service to you:

4. Legal basis for processing

Under GDPR Article 6, we process your personal data on the following legal bases:

We do not process personal data based on consent or for any purpose beyond what is described in this policy.

5. Where your data is stored

All data is stored on servers operated by PongoNotes and located within the European Union (EU). The server infrastructure is provided by a third-party hosting provider who acts as a data processor under GDPR. They process data only on our instructions and are contractually bound to appropriate security and confidentiality obligations. We take appropriate technical and organizational measures to protect your data against unauthorized access, loss, or destruction.

6. Data retention

Your account data and content are retained for as long as your account is active. When you delete your account via Profile → Delete Account, all your notes, attachments, tags, folders, and personal data are permanently removed from the database and file storage. Email logs (internal server records of sent emails) are automatically purged on a rolling 90-day schedule.

7. Cookies

PongoNotes sets only strictly necessary cookies:

No marketing, analytics, or third-party cookies are used. These cookies do not require consent under GDPR as they are essential for the service to function.

8. Your rights (GDPR)

If you are based in the EU/EEA, you have the following rights regarding your personal data:

To exercise any right that cannot be fulfilled through the application itself, please contact us via the Support page.

9. Security

Passwords are stored as PBKDF2-SHA256 hashes and are never readable in plaintext. All user-authored content — note titles, body text, folder names, tag names, attachment filenames, reminders, comments, and saved searches — is encrypted at rest using AES-256-GCM (authenticated encryption) before being written to the database. File attachments are also encrypted on disk using AES-256-GCM. A stolen database backup alone exposes nothing readable. All forms are protected against Cross-Site Request Forgery (CSRF). Access to other users’ data is prevented at the application level — all queries are scoped to the authenticated user.

Despite these measures, no system is completely immune to security incidents. In the event of a personal data breach, we will notify the competent supervisory authority (IMY) within 72 hours of becoming aware of it, where required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly without undue delay in accordance with GDPR Article 34.

10. Changes to this policy

We may update this policy from time to time. Continued use of the service after any change constitutes acceptance of the updated policy.

