Trust & transparency
Privacy Policy
How Thinkerbell Labs handles personal data when you use Chalk, the companion web app for the Tactera refreshable braille display. Written for India's DPDP Act 2023, GDPR where applicable, and CCPA where applicable.
1. Who we are
Thinkerbell Labs Pvt. Ltd., headquartered in Bengaluru, Karnataka, India, is the data fiduciary (DPDP Act) and data controller (GDPR) responsible for the personal data processed through Chalk.
2. What we collect
We collect only the data we need to operate Chalk. The categories are:
2.1 Account data
- Email address (required).
- Optional display name.
- If you sign in with email: we send a short-lived one-time code or magic link to your address. Only cryptographic hashes of login tokens are stored in our database until you sign in or they expire (typically 10–15 minutes).
- If you sign in with Google: your Google account ID and email returned by Google OAuth. On browsers we do not yet trust, we may send a one-time verification code to your email before completing sign-in.
- Legacy password (existing accounts only): if your account was created before password sign-up was removed, a bcrypt hash with a cost factor of 12 may be stored. We never store or have access to the plaintext password. New accounts cannot set a password.
- Role (USER or ADMIN) and account creation timestamp.
- Transactional email delivery: your email address is sent to our SMTP provider (for example Mailgun) solely to deliver sign-in codes, magic links, Google verification codes, or (for legacy accounts) password-reset messages. We do not use your email for marketing.
- A record of the Privacy Policy and Terms of Service version you accepted, with a timestamp.
2.2 Notes and folders
- The title, content, BRF formatting metadata, and timestamps of notes that you create on the Chalk web app or that sync from your paired Tactera device.
- Folders (collections) that you create to organise your notes.
2.3 Library imports
- File metadata for books you import to your Tactera (filename, size, SHA-256 hash, source: local upload or Google Drive).
- The book file itself is stored temporarily in encrypted object storage (Amazon S3) so that your Tactera can download it. After your device confirms receipt, or after 7 days of non-download (whichever is first), the binary is deleted and only the metadata record remains.
2.4 Device data
- A device identifier (UID) assigned to your paired Tactera, the pairing timestamp, and a per-device token used to authenticate your Tactera to Chalk after pairing is complete.
- Temporary pairing-session data (PINs and session identifiers) while you link a device. Completed pairing sessions are deleted from our servers after your Tactera retrieves its device token, or when the session expires.
- Heartbeat telemetry: timestamp of the last contact, battery percentage, charging state, and power status. This is sent only when your Tactera has network connectivity and is used to display online/battery status on your Chalk dashboard. We store only the latest values on your device record; we do not keep a historical heartbeat log.
2.5 Google Drive integration data (only if you connect it)
- Your Google Drive email address and an OAuth refresh token. The refresh token is encrypted with AES-256-GCM before it is stored in our database. We do not store your Google password.
- The file IDs of items you have imported or exported through Chalk so that subsequent syncs can update them in place.
- The Google scopes Chalk requests are openid, userinfo.email, and drive.file only. Under this scope, Chalk can access files that Chalk created on your Drive, and files you explicitly choose through the Google Picker or an equivalent in-app file selection flow (.txt, .brf, .epub). Chalk does not request the restricted drive.readonly scope and therefore does not read your entire Drive library.
2.6 Cookies and session storage
Chalk uses only strictly necessary cookies. We do not use analytics, advertising, or tracking cookies.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| chalk-session | Strictly necessary | HttpOnly session cookie holding a signed JWT. Issued by the Chalk API server on successful authentication. Sent with credentials: include API requests from the web app. | Up to 30 days (configurable), or until you sign out |
| chalk-google-pending | Strictly necessary | Temporary state while you complete Google sign-in email verification on an untrusted browser. | Up to 10 minutes |
| chalk-device-trust | Strictly necessary | Remembers that this browser has recently passed Google sign-in verification for your account, so we do not send a code on every sign-in. | Up to 90 days |
| chalk.cookieConsent (localStorage) | Strictly necessary | Records that you have acknowledged the cookie notice so it is not shown on every visit. | Persistent (no expiry) |
| chalk-theme (localStorage) | Functional | Stores your light or dark theme preference. | Persistent (no expiry) |
3. Why we use the data (purposes and lawful bases)
| Purpose | Lawful basis (GDPR) / Ground (DPDP) |
|---|---|
| Create and authenticate your account | Performance of a contract |
| Sync notes between Chalk and your Tactera | Performance of a contract |
| Show device online status and battery level | Performance of a contract / legitimate interest in product UX |
| Import or export files from Google Drive | Consent (you initiate the Drive link) |
| Security, abuse prevention, logging | Legitimate interest |
| Comply with legal obligations | Legal obligation |
4. Who we share it with (sub-processors)
Chalk uses a small number of vendors who process personal data on our behalf under written data-processing terms. The current list is published at /sub-processors. We do not sell personal data and we do not share it for cross-context behavioural advertising. We will share data with law-enforcement only in response to a valid legal order and only to the minimum extent required.
5. International transfers
Our database and hosting may be in regions that differ from yours (for example, India, or a cloud region you select for MongoDB Atlas). When personal data leaves the EU/EEA we rely on the European Commission's Standard Contractual Clauses with the receiving sub-processor. See /sub-processors for the current list.
6. How long we keep it (retention)
| Data | Retention |
|---|---|
| Account record | Until you delete your account. |
| Notes and folders | Until you delete them or your account. Deleting a note from Chalk also removes it from your Tactera on the next sync. |
| Library binaries | Up to 7 days, or until your Tactera confirms download, whichever is first. |
| Library file metadata (filename, size, hash) | Until you delete the import or your account. |
| Device record and pairing | Until you unpair the device or delete your account. |
| Heartbeat telemetry | The most recent value is stored on the Device record and is overwritten on each heartbeat. No historical log is retained. |
| Google Drive refresh token (encrypted at rest) | Until you disconnect Drive from /settings or delete your account. |
| Pairing session (temporary PINs) | Until pairing completes and your device fetches its token, or until the session expires (typically within minutes). |
| Session cookies | 30 days by default, or until you sign out. |
7. Your rights
Regardless of where you live, you can exercise the following rights by emailing contactus@thinkerbelllabs.com. You can update your display name and disconnect Google Drive from account settings.
- Access and portability: request a copy of your notes, folders, library metadata, and device pairings (we will provide it in a reasonable machine-readable format).
- Erasure: request permanent deletion of your account and all associated data.
- Correction: update your display name in account settings, or contact us to correct other details.
- Withdraw consent: disconnect Google Drive at any time from account settings.
- Object / restrict processing (where GDPR applies).
- Opt out of sale or sharing (where CCPA/CPRA applies). Chalk does not sell or share personal data; the option remains available by request.
- Lodge a complaint with a supervisory authority (e.g. your local Data Protection Authority in the EU, the Data Protection Board of India, or the California Privacy Protection Agency).
We aim to respond within 30 days. If we need longer (for example because the request is complex) we will tell you within that window.
8. Security
- All traffic is encrypted in transit using TLS 1.2 or higher.
- Web sessions use HMAC-SHA256 signed JWTs in an HttpOnly cookie (chalk-session). Mobile clients may store the same token locally and send it in an Authorization: Bearer header.
- Legacy account passwords (if any) are stored only as bcrypt hashes with a cost factor of 12. You can reset a forgotten password at /forgot; a successful reset invalidates your existing sign-in sessions.
- Short-lived data such as rate-limit counters and session-version cache entries may be held in Redis with automatic expiry. Redis does not store your notes, files, or full session payloads.
- Google Drive refresh tokens are encrypted at the application layer using AES-256-GCM before they are written to the database.
- Database encryption at rest is provided by your hosting environment (for example, an encrypted volume for self-hosted MongoDB, or MongoDB Atlas on an M10+ cluster). Operators must enable authentication and encryption for their chosen deployment; see our deployment guide for production hardening steps.
- The device-to-server channel is authenticated with a shared device secret and a per-device token issued during pairing. Temporary pairing data is removed after use.
- We follow the principle of least privilege for staff access to production data. When administrative tools that read user content are in use, we will log those access events. The current admin interface is limited and may not yet record every administrative action.
No system is perfectly secure. If we discover a personal-data breach we will notify affected users and competent authorities in line with applicable law (within 72 hours where GDPR applies, and without undue delay under the DPDP Act).
9. Children
Chalk is intended for users aged 16 and over. If you are a parent or guardian and believe a child has signed up without consent, contact us and we will delete the account.
10. Changes to this policy
When we change this policy we update the version and “Last updated” date at the top. Material changes are notified by email and require fresh consent at next sign-in.
11. Contact and Grievance Officer
For any privacy question, complaint, or rights request:
Grievance Officer
Thinkerbell Labs Pvt. Ltd.
Bengaluru, Karnataka, India
contactus@thinkerbelllabs.com