PongoNotes is a private note-taking application operated by PongoNotes and hosted on servers within the European Union. PongoNotes is the data controller for your personal data. If you have questions about your data, please contact us via the Support page.
When you create an account and use PongoNotes, we store:
We do not collect analytics, use advertising trackers, or share any data with third parties.
Your data is used solely to provide the PongoNotes service to you:
Under GDPR Article 6, we process your personal data on the following legal bases:
We do not process personal data based on consent or for any purpose beyond what is described in this policy.
All data is stored on servers operated by PongoNotes and located within the European Union (EU). The server infrastructure is provided by a third-party hosting provider who acts as a data processor under GDPR. They process data only on our instructions and are contractually bound to appropriate security and confidentiality obligations. We take appropriate technical and organizational measures to protect your data against unauthorized access, loss, or destruction.
Your account data and content are retained for as long as your account is active. When you delete your account via Profile → Delete Account, all your notes, attachments, tags, folders, and personal data are permanently removed from the database and file storage. Email logs (internal server records of sent emails) are automatically purged on a rolling 90-day schedule.
PongoNotes sets only strictly necessary cookies:
sessionid — server-side session cookie, required to keep you logged in.
csrftoken — Cross-Site Request Forgery protection, required for all form submissions.
2fa_trusted — set only if you tick “Remember this device” after a successful two-factor authentication login. Contains a signed, opaque token with no personal data. Expires after the number of days configured by the site administrator.
No marketing, analytics, or third-party cookies are used. These cookies do not require consent under GDPR as they are essential for the service to function.
If you are based in the EU/EEA, you have the following rights regarding your personal data:
To exercise any right that cannot be fulfilled through the application itself, please contact us via the Support page.
Passwords are stored as PBKDF2-SHA256 hashes and are never readable in plaintext. All user-authored content — note titles, body text, folder names, tag names, attachment filenames, reminders, comments, and saved searches — is encrypted at rest using AES-256-GCM (authenticated encryption) before being written to the database. File attachments are also encrypted on disk using AES-256-GCM. A stolen database backup alone exposes nothing readable. All forms are protected against Cross-Site Request Forgery (CSRF). Access to other users’ data is prevented at the application level — all queries are scoped to the authenticated user.
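The two storage-side protections named above, PBKDF2-SHA256 password hashing and AES-256-GCM encryption of user content before it reaches the database, look roughly like the following. This is an added illustration, not PongoNotes' own code: it assumes the Python `cryptography` package, and the iteration count, the "user:ID|field:NAME" associated-data layout and the function names are this example's choices. It also shows the property the authenticated-encryption claim rests on: a stored blob that is modified, moved to another user's row, or read with the wrong key fails to decrypt instead of yielding plausible-looking text.

```python
# Added example (not PongoNotes' code): PBKDF2-SHA256 password storage and
# AES-256-GCM encryption of a note field at rest, with tamper detection.
# Assumes the `cryptography` package; work factor, AAD layout and names are
# this example's own assumptions, not PongoNotes' implementation details.
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
NONCE_LEN = 12               # 96-bit nonce, the standard size for GCM


def hash_password(password: str, salt: Optional[str] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing 'pbkdf2_sha256$iter$salt$hash' string."""
    salt = salt or secrets.token_urlsafe(16)  # url-safe alphabet never contains '$'
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


def verify_password(password: str, encoded: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
    except ValueError:
        return False  # malformed or foreign hash format
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hash_password(password, salt, int(iterations))
    return hmac.compare_digest(candidate, encoded)


def new_content_key() -> bytes:
    """256-bit key for AES-256-GCM; keep it in a KMS/HSM, never in the same database."""
    return AESGCM.generate_key(bit_length=256)


def row_aad(user_id: int, field: str) -> bytes:
    """Bind a ciphertext to its owning row and column so blobs cannot be swapped."""
    return f"user:{user_id}|field:{field}".encode()


def encrypt_field(key: bytes, plaintext: str, aad: bytes) -> bytes:
    """Encrypt one column value; the returned blob is what goes into the database."""
    nonce = os.urandom(NONCE_LEN)  # fresh per encryption; nonce reuse breaks GCM
    ciphertext = AESGCM(key).encrypt(nonce, plaintext.encode(), aad)
    return nonce + ciphertext      # ciphertext already carries the 16-byte auth tag


def decrypt_field(key: bytes, blob: bytes, aad: bytes) -> str:
    """Raises InvalidTag if the blob, its binding (aad) or the key is wrong."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, aad).decode()


def decrypts_cleanly(key: bytes, blob: bytes, aad: bytes) -> bool:
    """True only when authentication succeeds; used to show tamper detection."""
    try:
        decrypt_field(key, blob, aad)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored, verify_password("correct horse battery staple", stored))

    key = new_content_key()
    blob = encrypt_field(key, "Dentist on Tuesday", row_aad(42, "body"))
    print(decrypt_field(key, blob, row_aad(42, "body")))

    # A stolen backup with one byte flipped, or a blob moved to another
    # user's row, fails authentication instead of decrypting to garbage.
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    print(decrypts_cleanly(key, tampered, row_aad(42, "body")))
    print(decrypts_cleanly(key, blob, row_aad(7, "body")))
```

The associated data is the part worth copying: AES-GCM authenticates it without encrypting it, so tying each ciphertext to its user id and column name means a database-level attacker cannot relocate an encrypted note into another account even without being able to read it. Decryption failures (InvalidTag) are worth logging as integrity events rather than swallowing as ordinary errors.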
Despite these measures, no system is completely immune to security incidents. In the event of a personal data breach, we will notify the competent supervisory authority (IMY) within 72 hours of becoming aware of it, where required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly without undue delay in accordance with GDPR Article 34.
We may update this policy from time to time. Continued use of the service after any change constitutes acceptance of the updated policy.