Privacy Policy

How Neemee collects, uses, and protects your personal information.

DRAFT - Legal Review Required

This privacy policy is a draft template for a sole proprietorship and has not been reviewed by a licensed attorney. Before publishing or relying on this document, you should consult with a qualified legal professional to ensure compliance with applicable laws and regulations.
Effective Date: [DATE TO BE DETERMINED AFTER LEGAL REVIEW]

Introduction

Welcome to Neemee. This Privacy Policy explains how Paul Bonneville, operating as a sole proprietorship ("we," "us," or "our"), collects, uses, discloses, and safeguards your personal information when you use the Neemee service (the "Service").

Paul Bonneville is the data controller and owner of Neemee. By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy applies to all users of the Service and describes what information we collect, how we use it, and your rights regarding your personal data.

Information We Collect

Account Information

When you create an account through OAuth authentication (Google or GitHub), we collect:

  • Email address
  • Name (as provided by your OAuth provider)
  • Profile picture (as provided by your OAuth provider)
  • OAuth provider identifier (Google or GitHub user ID)
  • Account creation and last login timestamps

Content Data

When you use the Service to capture and organize information, we store:

  • Notes content (text, markdown, and metadata you save)
  • Notebook names and descriptions
  • Source URLs for web-captured content
  • Custom frontmatter fields and values
  • Tags and organizational information
  • Creation and modification timestamps

MCP (Model Context Protocol) Access Data

When you use Claude Code or other MCP clients to access your Neemee data:

  • API keys generated for MCP authentication
  • OAuth tokens for authorized MCP connections
  • API access logs (timestamps, endpoints accessed)
  • Query patterns and usage frequency

Usage Data

We automatically collect certain information when you use the Service:

  • Device information (browser type, operating system)
  • IP address and general location (city/region level)
  • Pages visited and features used
  • Date and time of access
  • Referring website addresses
  • Error logs and diagnostic data

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to maintain your session, remember your preferences, and analyze how you use the Service. For more details, see the "Cookies & Tracking" section below.

How We Use Information

We use the information we collect for the following purposes:

Service Provision

  • Create and maintain your account
  • Authenticate you when you sign in
  • Store and organize your notes and notebooks
  • Enable content capture from websites via bookmarklet
  • Process and display your saved information
  • Provide search and filtering functionality

MCP Integration

  • Provide secure API access to your data through MCP
  • Enable Claude Code and other MCP clients to query your notes
  • Authenticate and authorize MCP client connections
  • Log API access for security and debugging purposes

Service Improvement

  • Understand how users interact with the Service
  • Identify and fix technical issues
  • Develop new features and functionality
  • Analyze usage patterns to improve performance
  • Conduct internal research and analytics

Communication

  • Send you service-related notifications
  • Respond to your inquiries and support requests
  • Notify you of important changes to the Service or Privacy Policy
  • Send occasional product updates (with your consent)

Legal Compliance

  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service
  • Protect against fraud, abuse, and security threats
  • Defend our legal rights in disputes

Data Storage & Security

Data Storage

Your data is stored in secure cloud infrastructure:

  • Database: PostgreSQL hosted on secure cloud infrastructure with Prisma Accelerate
  • Application hosting: Vercel's global edge network
  • Data residency: United States data centers
  • Backups: Automated daily backups with encryption at rest

Security Measures

We implement industry-standard security measures to protect your personal information:

  • Encryption in transit (TLS/SSL) for all data transmission
  • Encryption at rest for stored data
  • OAuth 2.0 authentication through trusted providers (Google, GitHub)
  • API key authentication for MCP access with secure token generation
  • Regular security audits and vulnerability assessments
  • Access controls and authentication requirements
  • Secure password hashing (where applicable)
  • Monitoring and logging for suspicious activity

Data Breach Response

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law. We maintain an incident response plan to quickly identify, contain, and remediate security incidents.

Third-Party Services

We use the following third-party services to provide and improve the Service. Each service has its own privacy policy governing how they handle your data:

Authentication Services

Clerk / Auth.js

Purpose: User authentication and session management

Data shared: Email address, name, OAuth provider information

Privacy Policy: https://clerk.com/privacy

Google OAuth

Purpose: Third-party authentication option

Data shared: Email address, name, profile picture

Privacy Policy: https://policies.google.com/privacy

GitHub OAuth

Purpose: Third-party authentication option

Data shared: Email address, name, profile picture

Privacy Policy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement

Infrastructure & Hosting

Vercel

Purpose: Web application hosting and deployment

Data shared: All service data (as hosting provider)

Privacy Policy: https://vercel.com/legal/privacy-policy

PostgreSQL (Cloud Provider)

Purpose: Database storage and management

Data shared: All user content and account data

Note: Privacy policy varies by cloud provider (Supabase, AWS RDS, etc.)

AI & MCP Integration

Claude / Anthropic

Purpose: MCP client access to your notes (when you authorize it)

Data shared: Notes content (only when you explicitly query via Claude Code)

Privacy Policy: https://www.anthropic.com/legal/privacy

We do not sell your personal information to third parties. We only share data with these services to the extent necessary to provide and improve the Service.

Your Rights

You have certain rights regarding your personal data. Depending on your location, these rights may be governed by GDPR (Europe), CCPA (California), or other privacy laws.

Access and Portability

  • Right to access your personal data and receive a copy
  • Right to data portability (export your notes in standard formats)
  • Access to account information through your settings page

Correction and Deletion

  • Right to correct inaccurate or incomplete personal data
  • Right to delete your account and all associated data
  • Right to request specific data deletion while keeping your account

Control and Objection

  • Right to object to certain data processing activities
  • Right to restrict processing of your data
  • Right to withdraw consent for optional data uses
  • Right to opt-out of marketing communications

GDPR Rights (EU Residents)

If you are in the European Union, you have additional rights under GDPR:

  • Right to lodge a complaint with your local data protection authority
  • Right to know the legal basis for processing your data
  • Right to automated decision-making protections
  • Right to be forgotten (erasure of your data)

CCPA Rights (California Residents)

If you are a California resident, you have rights under CCPA:

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt-out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising CCPA rights

Exercising Your Rights

To exercise any of these rights, please contact us at the email address provided in the "Contact Information" section below. We will respond to your request within 30 days (or as required by applicable law). You may be required to verify your identity before we process your request.

Data Retention & Deletion

Retention Policy

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy. Specific retention periods include:

  • Account data: Retained while your account is active
  • Notes and content: Retained while your account is active
  • API access logs: Retained for 90 days for security purposes
  • Usage analytics: Aggregated and anonymized after 12 months
  • Backup data: Retained for 30 days, then permanently deleted

Account Deletion

When you delete your account:

  • Your account information is immediately marked for deletion
  • All notes, notebooks, and content are permanently deleted within 7 days
  • API keys and MCP access tokens are immediately revoked
  • Backup copies are purged according to our backup retention schedule (30 days)
  • Some anonymized usage statistics may be retained for analytics

Legal Holds

We may retain certain data if required by law, to resolve disputes, enforce our agreements, or for other legitimate business purposes, even after you request deletion. In such cases, we will inform you of the reason and expected retention period.

Cookies & Tracking

What Are Cookies

Cookies are small text files stored on your device that help websites remember information about your visit. We use cookies and similar technologies to maintain your session, remember your preferences, and understand how you use the Service.

Types of Cookies We Use

Essential Cookies (Required)

These cookies are necessary for the Service to function and cannot be disabled:

  • Authentication session cookies
  • Security and fraud prevention
  • Load balancing and performance

Functional Cookies

These cookies remember your preferences and settings:

  • Theme preference (dark/light mode)
  • Language and region settings
  • UI preferences and customizations

Analytics Cookies

These cookies help us understand how the Service is used:

  • Page views and feature usage
  • Error tracking and diagnostics
  • Performance metrics

Managing Cookies

You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of the Service. Most browsers allow you to:

  • View and delete cookies
  • Block third-party cookies
  • Block all cookies (may break functionality)
  • Clear cookies when closing your browser

Do Not Track

We currently do not respond to "Do Not Track" (DNT) browser signals, as there is no universally accepted standard for how to interpret or respond to DNT signals.

Children's Privacy

The Service is not intended for use by children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately. We will take steps to delete such information from our systems as quickly as possible.

If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will delete that information promptly.

International Data Transfers

Your personal information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

Data Location

The Service is hosted in the United States, and your data is primarily stored on servers located in the United States. By using the Service, you consent to the transfer of your information to the United States.

Safeguards for International Transfers

When we transfer your data internationally, we implement appropriate safeguards, including:

  • Encryption in transit and at rest
  • Compliance with EU-US and Swiss-US Privacy Shield principles (where applicable)
  • Standard contractual clauses approved by the European Commission
  • Ensuring third-party service providers maintain adequate data protection

Your Rights Under International Law

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under GDPR and equivalent laws. See the "Your Rights" section above for details on how to exercise these rights.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

  • Update the "Effective Date" at the top of this policy
  • Notify you via email if the changes are material
  • Display a prominent notice on the Service
  • Request your consent if required by law

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after changes are made constitutes acceptance of those changes.

Material changes will take effect 30 days after notification, or immediately upon acceptance if you provide explicit consent.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Paul Bonneville

Owner & Data Controller, Neemee

Email: paul@paulbonneville.com

For privacy-specific inquiries, please include "Privacy Policy" in your email subject line.

Response Time

We aim to respond to all privacy-related inquiries within 30 days. For urgent matters, please clearly indicate the nature of your request in your email subject line.

Data Protection Authority

If you are in the European Economic Area and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

This privacy policy was last reviewed on [DATE TBD] and requires legal review before publication.

Paul Bonneville operates Neemee as a sole proprietorship. This policy may be updated following consultation with legal counsel.