Skip to content
BeNoted

Privacy policy

Your data, treated with care.

Last updated: May 9, 2026

At Be Noted (benotednow.com) we believe privacy is the foundation of any support community. This policy explains, plainly, what data we process, why, for how long, with whom we share it, and your rights over it. It is written in line with the EU GDPR (2016/679), the UK GDPR/DPA 2018, and the California CCPA/CPRA where applicable.

1. Data controller

The data controller is Be Noted (benotednow.com). For any privacy-related matter you can email [email protected].

2. What we collect

Account data: email, hashed password (bcrypt). Profile data: display name, username, bio, pronouns, focus areas, language, optional avatar. User-generated content: posts, comments, reactions, private messages, mood logs, journal entries, moderation reports. Technical data: IP address, browser type, system language, and strictly necessary session cookies. We do not collect medical data and we do not assign you any clinical diagnosis.

3. Legal bases and purposes

Performance of a contract (Art. 6.1.b GDPR): authentication, service provision, messaging, toolkit (mood, journal, AI companion). Legitimate interest (Art. 6.1.f GDPR): security, abuse prevention, moderation, aggregate analytics to improve the product. Consent (Art. 6.1.a GDPR): optional communications, non-essential cookies (if any in the future). Legal obligation (Art. 6.1.c GDPR): minimum log retention to respond to lawful requests.

4. Who sees what

Your journal and mood logs are strictly private — only you see them. Your posts and comments are seen by other members (with your name, or anonymously — you choose). Moderators can see reported content and, in safety cases, anonymous identities. Never for any other purpose. We never sell personal data and we don't share it with third parties for advertising.

5. Processors and sub-processors

To run the service we rely on processors who act on our behalf: • Hosting and database (servers in the EU). • AI provider for the Companion (messages are sent encrypted; not used to train models). • Payment provider (Stripe Payments Europe, Ltd.) for the Be Noted + subscription. • Transactional email provider for confirmations and support. All are bound by data processing agreements per Art. 28 GDPR.

6. Retention

We keep your data while your account is active. If you close your account we delete your profile and content within 30 days, except data we must retain by legal obligation (security logs: 12 months; billing data: up to 6 years per tax rules).

7. Your rights

You can exercise at any time your rights of access, rectification, erasure, objection, restriction of processing and portability, and withdraw consent. Write to [email protected] indicating the right you want to exercise; we respond within 30 days. You have the right to lodge a complaint with your supervisory authority (e.g., Information Commissioner's Office in the UK, AEPD in Spain, your state's Attorney General in the US).

8. Security

Passwords are hashed with bcrypt (factor 12). Sessions are signed JWT HS256 sent over HttpOnly + Secure + SameSite=Lax cookies. The database lives on access-restricted servers with IP allow-listing and 2FA; backups are encrypted at rest. All traffic uses TLS 1.2 or higher.

9. Children

Be Noted is intended for users aged 16 and over. If we discover an account belonging to a minor without verifiable parental authorisation, we will close it.

10. Changes to this policy

If we change this policy we'll notify you by email and inside the app at least 14 days before any material change takes effect.

11. Contact

For anything related to your data, write to [email protected]. We respond within 7 working days.