Privacy Policy

Last updated: March 4, 2026

NoTyp ("we," "us," or "our") values your privacy. This Privacy Policy explains what information we collect, how we use it, when we share it, and the choices you have when you use the NoTyp desktop application, website (notyp.com), web dashboard (app.notyp.com), and related services (collectively, the "Service").

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address — used to create and secure your account, help you recover access, and send essential service notices
• Password — stored only as a one-way bcrypt hash ($2b$, cost factor 12); we do not store or have access to your plaintext password

1.2 Usage Data

When you use the Service, we automatically collect:

• AI usage metrics — such as the model used, token counts (input and output), estimated cost per request, and response latency. We use this information for billing, usage-limit enforcement, capacity planning, and product improvement.
• Session information — such as device name, IP address, and session timestamps. Session tokens are stored in our database only as SHA-256 hashes; we do not store raw session tokens.
• Web search queries — if you use premium web search features, we log queries on a per-user basis for billing, abuse prevention, and service analytics.

1.3 AI Conversations

Your conversations with the AI are handled as follows:

• Local chat history — conversation logs are saved locally on your device at ~/.notyp/chats/. They remain on your machine and are not uploaded to our servers unless you explicitly enable a server-side sync feature.
• AI request proxying — your messages are routed through our API server (api.notyp.com) to third-party AI providers for processing. We do not persistently store the full content of those messages on our servers; they are forwarded in real time through a streaming proxy.

1.4 Local Data (Desktop App)

The desktop application stores the following data locally on your device:

• Application settings (~/.notyp/settings.json)
• Authentication token (~/.notyp/auth.json)
• Chat history files (~/.notyp/chats/)
• MicroApps you create (~/Documents/NoTyp_Data/Apps/)

This data remains on your device unless you remove it. You can delete the ~/.notyp/ directory at any time.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Authenticate you and manage your account
• Process your AI requests through third-party providers
• Administer billing and enforce usage limits tied to your subscription
• Detect, prevent, and investigate abuse, fraud, and security incidents
• Send important service communications, including account, billing, and security notices
• Respond to your support inquiries

3. Third-Party AI Providers

Depending on your subscription tier and service configuration, NoTyp may route your AI requests through the following third-party providers:

• Anthropic (Claude models) — Privacy Policy
• OpenAI (GPT models) — Privacy Policy
• DeepSeek — Privacy Policy
• OpenRouter — Privacy Policy
• Alibaba Cloud (DashScope) — Privacy Policy

Your messages are sent to these providers in real time for processing. Each provider applies its own privacy practices, terms, and retention rules. We choose the provider based on your subscription tier and configuration; you do not contract with these providers through NoTyp directly.

You do not need to supply your own API keys. NoTyp manages provider API keys on the backend, encrypts them with AES-256-GCM, and stores them securely on our servers. Raw keys are not exposed to client applications.

4. Data Security

We use a combination of technical and organizational measures designed to protect your information, including:

• Encryption at rest — AI provider API keys are encrypted with AES-256-GCM. The encryption key is stored separately from the database on the server filesystem.
• Password hashing — all passwords are hashed using bcrypt with a cost factor of 12.
• Token security — session tokens are hashed with SHA-256 before being written to the database. Raw tokens exist only on your device and in transit over HTTPS.
• Transport security — all communication between your device and our servers uses HTTPS/TLS encryption.
• CORS restrictions — our API only accepts requests from authorized origins (notyp.com, app.notyp.com, and the desktop application).
• Rate limiting — per-user sliding window rate limits protect against abuse.
• Parameterized queries — all database queries use parameterized statements to prevent SQL injection.

No system can be guaranteed to be completely secure, but we work to reduce risk and improve our safeguards over time.

5. Data Retention

• Account data — retained while your account is active, unless a longer retention period is required by law or for legitimate business purposes. You may request deletion at any time.
• Session tokens — expire after 30 days and are automatically purged.
• Usage logs — retained for billing reconciliation, service analytics, abuse prevention, and operational troubleshooting. Aggregated data may be kept longer; per-request logs are generally retained for up to 12 months.
• Local data — retained on your device until you delete it. We have no access to your local files.

6. Your Rights

Depending on where you live, you may have the right to:

• Access your personal data — for example, by viewing account information and usage details through the dashboard at app.notyp.com.
• Request deletion of your account and associated server-side data — by contacting hello@notyp.com or using an in-product deletion option if available.
• Delete local data — by removing the ~/.notyp/ directory from your device at any time.
• Export local data — your local chat history is stored in JSON format and can be copied from your device.
• Opt out of screen awareness — by turning off the "Screen awareness" setting so the app no longer queries your open windows and applications.

7. Screen Awareness

When the "Screen awareness" setting is enabled (on by default), the desktop app performs a lightweight check to determine which applications and Office documents are currently open on your screen. This information is:

• Included in the AI's system prompt so it can better understand your current workflow
• Processed locally on your device, then included with the AI request sent through our proxy
• Not stored by us as a separate server-side dataset

You can disable this feature at any time in Settings.

8. Cookies and Tracking

The NoTyp desktop application does not use cookies or third-party advertising trackers. The web dashboard (app.notyp.com) uses session-based authentication only and does not use advertising cookies.

9. Children's Privacy

NoTyp is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn that a child has provided us with personal data, we will take reasonable steps to delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version on this page and revise the "Last updated" date. Your continued use of the Service after those changes take effect means you accept the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at:

Email: hello@notyp.com