1. The short version.
Annote is a tool for capturing website feedback. It captures nothing until you start a session. When you do, sensitive data is redacted inside your browser before anything is sent to us. We don't sell your data, we don't use third-party advertising or analytics trackers in the product, and we use a small number of trusted service providers to run the Service.
2. Information we collect.
Account information: when you create an account, we collect your name, email address, and (if you sign in with Google) basic Google profile information. Authentication and account data are handled through Google Firebase.
Workspace and content you create: workspaces, sessions, tickets, comments, tags, and any text you write in the Service.
Captured feedback data: when you run a capture session, Annote records, for the page you're reviewing: console logs, network request metadata and bodies, a record of your interactions (clicks, navigation, field edits — never the text you type into your own page's fields), a screenshot of the visible browser tab, and, if you use voice, an audio recording of your microphone. This data is redacted in your browser before transmission — see Section 4.
Billing information: if you purchase a paid plan, payment is processed by Stripe. We do not store full card numbers; Stripe handles payment data under its own terms.
Basic operational data: we keep limited logs needed to operate and secure the Service.
3. What we do NOT collect.
Annote runs on four browser permissions and does not request access to your browsing history, your cookies, or a webRequest interception permission. Outside of an active capture session, the extension does not collect page data. Annote does not record the text users type into form fields. We do not embed third-party advertising or product-analytics tracking SDKs in the Service.
4. Redaction before transmission.
As feedback is captured, Annote automatically replaces sensitive patterns — including authentication tokens, email addresses, card-like numbers, phone numbers, API keys, and Authorization and Cookie headers — with placeholders, and strips sensitive request headers, before the data leaves your browser. Password, hidden, and payment field values are never captured. You can additionally mark elements on your own pages to exclude or mask them. Important limits, stated plainly: redaction does not alter the screenshot image, and privacy markers do not redact network data. See our Security overview for full detail.
5. How we use information.
To provide and operate the Service; to generate AI ticket structuring and diagnosis; to transcribe voice notes; to process payments; to send transactional and (with your consent where required) product-update emails; to secure the Service and prevent abuse; and to comply with law.
6. Service providers (sub-processors).
We share data only with providers that help us run the Service: OpenAI (AI ticket structuring/diagnosis and voice transcription), Google Firebase (authentication and data storage), Stripe (billing), Resend (transactional email), and Vercel (hosting). Captured text and voice audio are sent to OpenAI to produce tickets and transcriptions.
7. AI processing.
Captured feedback text and voice recordings are processed by OpenAI to structure tickets and produce diagnoses. AI output may be inaccurate and is labeled "review before acting"; you are responsible for verifying it.
8. Data retention.
We retain your account and content data for as long as your account is active and as needed to provide the Service. When you delete content, a session, or your account, it is removed from our active systems promptly and from routine backups within 90 days. You can delete tickets, sessions, your workspace, and your account from within the Service.
9. Your rights.
Depending on where you live, you may have rights to access, correct, delete, export, or restrict the processing of your personal data, and to object to certain processing. To exercise any of these rights, contact us at help@annote.ai and we will respond as required by applicable law.
10. International transfers, children, security.
Your data may be processed in the United States and in other countries where we or our service providers operate. Where required by law, we rely on appropriate safeguards for such international transfers. The Service is not directed to anyone under 16, and we do not knowingly collect personal data from anyone under 16. We use reasonable technical and organizational measures to protect data; no method is perfectly secure.
11. Changes & contact.
We'll update this policy as the Service evolves and revise the date above. Questions: help@annote.ai, North Needle LLC, 1001 S. Main St. STE 600, Kalispell, MT 59901, USA.