Your privacy matters. This Privacy Policy explains what data AnnotaMark ("we," "us," "our") collects, how we use it, how we protect it, and what rights you have. It applies to the AnnotaMark website at annotamark.com (the "Website"), the AnnotaMark Chrome browser extension (the "Extension"), and all related services (collectively, the "Service").
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Data We Collect
1.1 Account Data
When you sign in using Google OAuth, we receive and store:
| Data | Source | Purpose |
|---|---|---|
| Full name | Google account | Display name in the dashboard |
| Email address | Google account | Account identification, billing, and communications |
| Profile picture URL | Google account | Avatar display in the dashboard |
We do not receive or store your Google password. Authentication is handled entirely by Google's OAuth 2.0 service.
When you use the Extension while signed in, requests to annotamark.com may include your existing authentication session cookie so we can verify your account, subscription status, and cloud sync access. These authentication cookies are sent only to AnnotaMark API endpoints.
1.2 Annotation Data
When you use the Extension or Website, we may store:
- Annotations: Highlights, drawings, shapes, sticky notes, text annotations, and other visual markup you create on web pages.
- Whiteboards: Drawings, shapes, text, and other content you create on whiteboards.
- Page metadata: The URL and page title of web pages you annotate, used to organize annotations in the dashboard.
- Annotation settings: Your tool preferences, colors, and configuration choices.
Important: On the free plan, annotation data is stored locally in your browser. On the Premium plan with cloud sync enabled, annotation data is transmitted to and stored on our servers.
1.3 Billing Data
When you subscribe to a paid plan, our payment processor, Dodo Payments, collects payment method details, billing address, and transaction history.
We do not store your full payment card details. All payment information is processed and stored by Dodo Payments in accordance with PCI DSS standards. We receive only a customer identifier and subscription status from Dodo Payments.
1.4 Technical Data
We automatically collect limited technical data when you use the Service:
- Server logs: IP address, browser type, operating system, request timestamps, and HTTP referrer.
- Error reports: Technical error information when something goes wrong, used solely for debugging.
1.5 Data We Do Not Collect
We want to be clear about what we do not do:
- We do not track your general browsing activity. The Extension checks tab URLs only for explicit AnnotaMark launch markers and processes page content only when you use annotation tools.
- We do not sell your personal data to third parties.
- We do not use your data for advertising or ad targeting.
- We do not use your annotation content to train machine learning models.
- We do not collect keystroke data, form inputs, or passwords from web pages.
- We do not use third-party analytics trackers, advertising pixels, or social media tracking scripts.
2. How We Use Your Data
We use the data we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b)) |
| Storing and syncing your annotations and whiteboards | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails such as billing receipts and account notices | Performance of contract (Art. 6(1)(b)) |
| Diagnosing and fixing technical issues | Legitimate interest (Art. 6(1)(f)) |
| Improving the Service based on usage patterns | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Protecting against fraud and abuse | Legitimate interest (Art. 6(1)(f)) |
We do not use your data for marketing, profiling, or automated decision-making.
3. Data Storage and Security
3.1 Where Your Data Is Stored
- Account data and annotation metadata: Stored in our application database, hosted on secure servers.
- Annotation and whiteboard files: Stored on Cloudflare R2, a globally distributed object storage service.
- Payment data: Stored by Dodo Payments on their secure, PCI-compliant infrastructure.
3.2 How We Protect Your Data
We implement the following security measures:
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher (HTTPS).
- Encryption at rest: Stored data is encrypted using industry-standard encryption.
- Access controls: Access to production systems is restricted to authorized personnel with a legitimate need.
- Security headers: We implement HSTS, Content Security Policy, X-Frame-Options, and other HTTP security headers.
- Regular updates: Dependencies and infrastructure are regularly patched and updated.
3.3 Data Breach Notification
In the event of a data breach that is likely to affect your rights and freedoms, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
4. Data Sharing
We share your data only with the following third-party service providers, and only to the extent necessary to provide the Service:
| Provider | Data Shared | Purpose |
|---|---|---|
| Google (OAuth) | Authentication tokens | Account sign-in |
| Dodo Payments | Email, customer ID, subscription data | Payment processing and billing |
| Cloudflare | Annotation and whiteboard files | Cloud storage (R2) and content delivery |
We do not share, sell, rent, or trade your personal data with third parties for marketing, advertising, or any other purpose beyond providing the Service.
4.1 Legal Disclosure
We may disclose your data if required to do so by law, court order, or government regulation, or if we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation.
- Protect the rights, property, or safety of AnnotaMark, our users, or the public.
- Detect, prevent, or address fraud, security, or technical issues.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained until you delete your account |
| Annotation and whiteboard data | Retained until you delete the content or your account |
| Server logs | Automatically deleted after 90 days |
| Billing records | Retained for 7 years for tax and legal compliance |
| Webhook and event logs | Automatically purged after processing |
5.1 Account Deletion
When you delete your account:
- Your account data, including name, email, and profile picture, is deleted immediately.
- Your annotations and whiteboards stored in cloud sync are deleted within 30 days.
- Billing records may be retained for up to 7 years for legal and tax compliance.
- Server logs containing your IP address are automatically purged within 90 days.
To delete your account, visit your dashboard settings or contact us at support@annotamark.com.
6. Your Rights
6.1 Rights Under GDPR (European Economic Area)
If you are located in the European Economic Area (EEA), you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your personal data.
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to object: Object to our processing of your data based on legitimate interests.
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent.
- Right to lodge a complaint: File a complaint with your local data protection authority.
6.2 Rights Under CCPA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know: Request information about the categories and specific pieces of personal data we collect.
- Right to delete: Request deletion of your personal data.
- Right to opt-out: We do not sell personal data, so this right does not apply. If we ever change this practice, we will provide a "Do Not Sell My Personal Information" option.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
6.3 Exercising Your Rights
To exercise any of the rights listed above, contact us at support@annotamark.com.
We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
7. Cookies and Local Storage
7.1 What We Use
| Technology | Purpose | Type |
|---|---|---|
| Session cookie | Maintains your authentication session | Essential (required) |
| Theme preference | Stores your light/dark mode choice | Functional (local storage) |
| Local annotation data | Stores annotations locally on the free plan | Functional (local storage) |
7.2 What We Do Not Use
- We do not use advertising cookies.
- We do not use third-party tracking cookies.
- We do not use analytics cookies such as Google Analytics or Mixpanel.
- We do not use social media cookies or pixels.
Because we only use essential and functional cookies, we do not display a cookie consent banner. If we add non-essential cookies in the future, we will update this policy and implement appropriate consent mechanisms.
8. The Chrome Extension
8.1 Extension Permissions
The Extension requests the following browser permissions:
| Permission | Why It Is Needed |
|---|---|
| Read and change data on websites you visit | Required to overlay annotation tools on pages you choose to annotate and to open saved annotations from explicit AnnotaMark links. |
| Storage | Required to store annotation data and preferences locally in your browser. |
8.2 Extension Data Practices
- The Extension does not run a static content script on every page. It injects the annotation toolbar when you enable it or when a page URL contains an explicit #annotamarklaunch marker.
- The Extension processes web page content only when annotation tools are enabled on a page.
- On the free plan, all annotation data stays in your browser's local storage. No data is sent to our servers.
- On the Premium plan with cloud sync, annotation data and the URL/title of annotated pages are transmitted to our servers over encrypted connections (HTTPS).
- The Extension does not collect browsing history, form data, passwords, or any data from pages you do not annotate.
8.3 Chrome Web Store Compliance
The Extension complies with the Chrome Web Store Developer Program Policies, including the limited use requirements for user data.
The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
9. Children's Privacy
The Service is not directed to children under the age of 13, or 16 in the EEA under GDPR. We do not knowingly collect personal data from children under these ages.
If we learn that we have collected personal data from a child under the applicable age, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, contact us at support@annotamark.com.
10. International Data Transfers
Your data may be processed in countries other than your country of residence. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with our service providers.
- Reliance on adequacy decisions where available.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the "Last Updated" date at the top of this page.
- For material changes, we will notify you via email or a prominent notice on the Website at least 14 days before the changes take effect.
- Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
12. Contact Us
If you have questions about this Privacy Policy, your data, or your rights, contact us at:
Email: support@annotamark.com
For GDPR-related inquiries, you may also contact your local data protection authority.