Privacy Policy

Last updated: 23 March 2026. This policy explains what personal data Notum processes, why we process it, and your rights under GDPR and other applicable privacy laws.

1. Data Controller

The data controller for Notum is the Danish-registered company with CVR 46347315 and registered address Niels Jensens Vej 4, 2. 113, 8000 Aarhus C, Denmark. You can contact us via the Support/Contact page in the app for privacy-related requests.

2. Scope

This Privacy Policy applies to personal data processed through Notum websites, apps, billing flows, and related support/contact channels.

3. Data We Collect

  • Account data: email and authentication identifiers.
  • Learning data: decks, flashcards, labels, folders, and review progress.
  • Technical data: device/browser metadata, logs, and security telemetry.
  • Billing data: plan level, subscription status, and payment transaction references.
  • Communications: support/contact messages and related correspondence.
  • Preferences and consent choices, where applicable.

4. Why We Process Data

  • To provide core service functionality and account access.
  • To maintain security, prevent abuse, and enforce quotas/rate limits.
  • To process subscriptions, billing events, and payment-related support.
  • To respond to support requests and business inquiries.
  • To improve product performance and reliability.
  • To comply with legal obligations.

5. Legal Bases (GDPR Article 6)

  • Article 6(1)(b) (performance of a contract): account creation and login, flashcard study functionality, sync/storage, and paid subscription management.
  • Article 6(1)(f) (legitimate interests): service security, abuse and fraud prevention, incident monitoring, and product reliability improvements.
  • Consent: optional analytics/marketing or non-essential preferences where required.
  • Legal obligation: where laws require processing or retention.

6. US State Privacy Disclosures

Depending on your state, you may have rights to know, access, delete, correct, or port personal information, and to opt out of certain processing. We do not sell personal data for money. If "sharing" for targeted advertising applies, we honor applicable opt-out rights.

7. Data Processors and Sharing

  • Supabase: hosting, database, authentication, and storage infrastructure.
  • Resend: transactional email communication and delivery.
  • Payment processor (Stripe) and related payment settlement providers (including Revolut/Lunar), for billing and subscription operations.
  • We may also disclose data where legally required or to protect rights, safety, and security.

8. International Transfers

Where personal data is transferred internationally, we apply appropriate safeguards such as standard contractual clauses or equivalent transfer mechanisms where required.

9. Retention

We retain personal data only as long as necessary for service delivery, security, legal compliance, and dispute resolution. Retention periods may vary by data type and legal requirement.

10. Security

We use reasonable technical and organizational measures to protect personal data. No system is 100% secure, so we encourage use of strong passwords and secure environments.

11. Your Rights

  • Access, correction, deletion, and export of personal data.
  • Data portability where applicable.
  • Restriction or objection (where applicable) to certain processing.
  • Withdrawal of consent where processing is consent-based.
  • Complaint rights with your local supervisory authority (EU/EEA/UK).

12. Contact and Requests

You can exercise your privacy rights (including access, deletion, and portability requests) by contacting the admin via the Support/Contact page in the app and including "Privacy Request" in your message.