KuroNotes

Privacy Policy

Last updated: 2026-07-03

This English page is a courtesy translation of the Japanese original, which remains authoritative. See the Japanese version.

1. Basic policy — we can't read it

KuroNotes is an end-to-end encrypted (E2EE) note-taking app. The text and images in your notes are encrypted on your device before they're ever sent to the server. The key needed to decrypt them (the master key) is derived from your passkey on-device, and is never stored on the server. As a result, it is technically impossible for us, our infrastructure provider, or any third party to read the contents of your notes (zero-knowledge).

2. Information we collect

We store only the minimum metadata needed to provide the service.

  • Account information: user ID, email address (optional, used for login recovery), passkey public key
  • Encrypted data: ciphertext blobs (note bodies and images) and their sync metadata (size, updated time, ETag). We cannot decrypt the contents
  • Contract information: plan status, contract expiry, store-purchase entitlement status (the price and payment details themselves are held by the App Store / Google Play)
  • Device information: push notification tokens (used only as a wake-up signal for sync)

We do not collect the plaintext of note titles, bodies, or images. We do not collect data for behavioral tracking or advertising purposes.

3. Purpose of use

  • Syncing and backing up between devices (while remaining ciphertext)
  • Authentication (passkeys) and login recovery (email)
  • Contract and storage-quota management
  • Preventing abuse (e.g. detecting anomalous authentication activity)

4. Third-party disclosure and outsourcing

We do not disclose stored information to third parties except where required by law. Our infrastructure runs on Cloudflare (servers and storage), but only ciphertext and metadata are ever stored there. Even if we received a disclosure request, we hold no decryption key, so we are unable to disclose the contents of your notes.

5. Data retention and deletion (end-of-life)

After a contract ends, encrypted data and account information are automatically and permanently deleted from the server once a set retention period has passed. This is intentional design (end-of-life handling). Once deleted, data cannot be recovered by any means.

6. If you lose your key

If you lose every passkey and your recovery code, recovering your login by email will not let you decrypt your data. We are unable to decrypt it either. This limitation is the trade-off of zero-knowledge design — please understand this before you rely on the service.

7. Changes and contact

If we revise this policy, we will announce it on this page. For inquiries, please contact us (kuro.boo).

© 2026 Kuro.Boo All Rights Reserved.  ·  KuroNotes v0.2.4