Privacy Policy
Last updated: 14 April 20261. Data Controller
The data controller for personal data processed by Root Notes is the legal entity operating the service ("Root Notes", "we", "us"). For privacy enquiries or to contact the controller, email privacy@rootnotes.me. Root Notes is established in Ireland; we have not appointed a Data Protection Officer and have not appointed an Article 27 EU representative because the controller is EU-established.
2. Information We Collect
We collect different types of information depending on how you use Root Notes: Account Information — When you create an account, we collect your email address and password (stored as a hash by Firebase Authentication; we never see the plaintext). If you log in with Google, we also receive your name and profile photo from your Google account. We also store a username (auto-generated from your email), your app preferences and settings, and device sync information (device identifier, name, platform, first-registered timestamp, and last-sync time) for cross-device access. Billing Information — If you subscribe to a paid plan, payment is processed by Stripe in one of EUR, USD, or GBP (selected automatically or by you at checkout). We store your subscription status and plan tier in our database. We do not store your payment card details — these are handled entirely by Stripe. Musical Content — Projects, chord progressions, audio recordings, lyrics, and ideas you create within Root Notes. Community Content — If you submit feedback or feature requests on the community feedback board, your display name, submission title, and description are stored and visible to other logged-in users. We also send an email notification of new submissions to our internal review address via our transactional-email provider (see §5). Location (optional) — If you grant geolocation permission on the Ideas page, we send your approximate latitude and longitude plus a language hint (localityLanguage=en) to BigDataCloud's reverse-geocoding API to resolve a human-readable place name. Your IP address is implicitly visible to BigDataCloud as part of the request. We store the resolved place name and the coordinates alongside the idea you create. You can dismiss the geolocation banner at any time; location is never collected without an explicit browser permission prompt. Usage Data — We collect analytics events such as page views, feature usage, and user interactions to understand how the app is used. This data is collected via Google Analytics 4 (GA4), loaded through the gtag.js loader hosted on googletagmanager.com using a Firebase measurement ID. Technical Data — Error reports, performance metrics, and session replay data (on error sessions only) are collected via Sentry to help us identify and fix issues.
3. How We Use Your Information
We use the information we collect to: • Provide and operate the Root Notes service • Sync your projects and content across devices when you are logged in • Process payments and manage subscriptions via Stripe • Send transactional emails (password reset, email verification) and important service updates. We do not send marketing emails and do not operate a marketing email programme. • Improve the app through usage analytics • Identify and fix errors and performance issues via Sentry • Moderate community submissions and respond to abuse reports
4. Data Storage & Retention
Root Notes follows a local-first approach. Your musical content is always stored locally on your device using IndexedDB. When you log in, your content is also synced to the cloud using Google Firestore and Firebase Storage. This allows you to access your projects across devices. Retention. Account data and synced content are retained while your account is active. Items you delete from within Root Notes are moved to trash and permanently purged from the cloud after 30 days, including any associated audio files in Firebase Storage (a scheduled job runs this purge daily). Account deletion. When you delete your account from settings, we cascade-delete all of your cloud data in a single server-side operation: Firestore documents (projects, chord progressions, musical ideas, audio notes, folders, labels, username reservation, device-sync records, and the user profile), Firebase Storage objects under your user prefix, and your Firebase Authentication record. If you have an active paid subscription, we set it to cancel at the end of the current billing period so you keep access you have already paid for, and delete the Stripe customer record. Stripe retains payment and invoicing records separately for up to seven years to meet tax and accounting obligations. Provider-level retention. Google Analytics 4 retains user-level data for up to 14 months before aggregation (subject to our GA4 property configuration). Sentry retains error events and session replays per the retention period of our Sentry plan (typically between 30 and 90 days). If you use Root Notes without an account, your data remains entirely on your device and is never transmitted to our servers.
5. Third-Party Services
We use the following third-party services (each is a processor or independent controller): Firebase (by Google LLC) — Authentication, Firestore database, Firebase Storage, and Firebase Analytics (GA4). Firebase Authentication sends transactional emails on our behalf (password reset, email verification). Transfers to the United States rely on Google's EU–US Data Privacy Framework certification and Standard Contractual Clauses. See Google's Privacy Policy. Google tag (gtag.js) (by Google LLC) — loads the Google Analytics 4 tag. Loads scripts from googletagmanager.com and may set cookies on that domain. This is a direct gtag.js integration, not a Google Tag Manager container. See Google's Privacy Policy. Sentry (by Functional Software, Inc.) — Error tracking, performance monitoring, and session replay captured only on sessions where an error is recorded. Transfers to the United States rely on Standard Contractual Clauses. See Sentry's Privacy Policy. Google Sign-In — OAuth-based authentication. Governed by Google's Privacy Policy. Stripe (by Stripe Payments Europe, Ltd. / Stripe, Inc.) — Payment processing for paid plans. We share your email address with Stripe to create a billing account. Stripe handles all payment card information directly. Transfers to the United States rely on Stripe's EU–US Data Privacy Framework certification and Standard Contractual Clauses. See Stripe's Privacy Policy. BigDataCloud (Australia-based) — Reverse-geocoding of optional location coordinates you provide via the Ideas feature. Transfers outside the EEA rely on Standard Contractual Clauses (Australia has no EU adequacy decision). See BigDataCloud's Privacy Policy. ImprovMX (SMTP relay, US-based) — Server-side transactional email relay used by our backend to send a notification to our internal review address when a user submits community feedback. The email contains the submitter's display name, the feedback title, type, description, and a timestamp. Transfers to the United States rely on Standard Contractual Clauses. Vercel (by Vercel Inc., US-based) — Hosting and edge compute for the web app. Vercel's edge also supplies an IP-derived country code (x-vercel-ip-country) that our server uses at /api/locale to suggest a British / American spelling preference and a default checkout currency on the upgrade page. Transfers to the United States rely on Standard Contractual Clauses. See Vercel's Privacy Policy. Gravatar (by Automattic Inc., US-based) — When you open your account page we display an avatar from Gravatar, keyed on a hash of your account email address. Loading the image discloses your browser's IP address to Gravatar. Transfers to the United States rely on Standard Contractual Clauses. See Automattic's Privacy Policy. We do not sell or share your personal information with third parties for advertising purposes. Our processors process your content only to deliver the service; to the extent set out in their data-processing terms, they do not use your content to train generative-AI or machine-learning models, and where a processor offers an AI-training opt-out we exercise it.
6. Cookies & Tracking
Root Notes and its third-party services use cookies and similar technologies for authentication, analytics, and error monitoring. Google Analytics 4 is loaded via gtag.js on page load; we do not currently run a cookie-consent banner, so non-essential cookies are set when you visit the site. You can control analytics cookies through your browser settings or by opting out via Google's tools (see the Cookie Policy). To object to analytics processing, email privacy@rootnotes.me.
7. International Data Transfers
Firebase (Google), gtag.js (Google), Sentry, Stripe, Vercel, ImprovMX, and Gravatar (Automattic) are primarily US-based. BigDataCloud is based in Australia. When we transfer your personal data outside the EEA, we rely on the safeguards in Article 46 of the GDPR — typically the European Commission's Standard Contractual Clauses, plus each provider's EU–US Data Privacy Framework certification where applicable (Google, Stripe, Sentry). For transfers from the United Kingdom we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs. We keep transfers to the minimum necessary to operate the service.
8. Data Security
We take reasonable technical and organisational measures to protect your data: • All traffic between your device and our services is encrypted in transit using TLS • Access to cloud-stored content is restricted by Firestore and Firebase Storage security rules scoped to your authenticated user ID • Credentials are handled by Firebase Authentication; we never see your password in plaintext • Error reports are scrubbed of obvious personal data before they reach Sentry • We do not store payment card details — card data is handled entirely by Stripe No system is perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@rootnotes.me.
9. Your Rights
You have the right to: • Delete your account from your account settings — this cascade-deletes all of your cloud data (see §4) • Export individual projects and chord progressions as MIDI, WAV, or audio stems • Clear local data through your browser's storage settings • Opt out of analytics by using browser-level cookie controls or Google's opt-out tools Under the GDPR / UK GDPR you also have the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. We do not make any decisions about you by solely automated means and do not carry out profiling that produces legal or similarly significant effects, so the right relating to automated individual decision-making under Article 22 does not apply. Exercising these rights is free of charge. We aim to respond within 30 days (extendable by up to two further months for complex requests, as permitted under Article 12(3) GDPR). To make a request, email privacy@rootnotes.me from the address on your account.
10. Legal Bases (EEA / UK)
If you are located in the EEA or the United Kingdom, we process your personal data under the following legal bases: • Contractual necessity — for account creation, content storage, subscription processing, and providing the Root Notes service • Legitimate interest — for product analytics, for error monitoring and session replay via Sentry, for moderating community submissions, and for operational transactional email via ImprovMX. You have the right to object to processing based on legitimate interest (see §9) • Consent — for optional geolocation on the Ideas page (granted via browser permission prompt) • Legal obligation — for retaining billing records as required by tax and accounting law You may lodge a complaint with your local supervisory authority. In Ireland that authority is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28 — dataprotection.ie.
11. California Residents (CCPA / CPRA)
We do not sell or share your personal information, including sensitive personal information, as defined under the CCPA/CPRA. California residents have the right to know what personal information we collect, to request correction of inaccurate information, to request deletion, to limit the use of sensitive personal information, and to opt out of any future sale or sharing. We do not use personal information for cross-context behavioural advertising. To exercise these rights, contact us at privacy@rootnotes.me.
12. Children's Privacy
Root Notes is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. In the EEA and the United Kingdom, where consent is the legal basis for processing, the digital-services age of consent is 16 (this is the threshold in Ireland and a number of other Member States). Users under 16 in those regions may only use the service if a parent or legal guardian has given verifiable consent on their behalf before an account is created. If you believe a child has provided us with personal information, please contact us so we can delete it.
13. Changes to This Policy
We may update this policy from time to time. We will notify users of significant changes through the application or, where possible, via email. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact
For privacy-related questions, reach out to us at privacy@rootnotes.me.