afternote

Security

Last updated May 25, 2026.

How afternote stores, protects, and isolates your data. Honest specifics over marketing language.

Authentication

Sign-in via Google OAuth (handled by Supabase). Sessions are stored in secure HTTP-only cookies. Afternote never sees or stores your Google password.

Encryption

  • At rest: AES-256 encryption on the database.
  • In transit: TLS 1.2+ for all connections to and from afternote.

Data isolation

Per-user row-level security (RLS) at the database level. Every query is scoped to your user ID — no user can read or write to another user’s data, even if the application layer has a bug.
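The per-user RLS described above, shown as an added example of how such policies are written in Supabase's Postgres. This is constructed here and is not afternote's actual schema or policies; the `notes` table and its column names are assumptions.

```sql
-- Constructed example schema (an assumption, not afternote's real table).
create table if not exists notes (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null default auth.uid()
              references auth.users (id) on delete cascade,
  title       text not null,
  body        text not null,
  created_at  timestamptz not null default now()
);

-- Enable RLS. Without this line the policies below are never consulted.
alter table notes enable row level security;
-- Apply RLS to the table owner as well, so an owner-role connection
-- does not silently bypass the policies.
alter table notes force row level security;

-- One policy per command, each scoped to the caller's user ID.
-- auth.uid() reads the "sub" claim from the Supabase JWT of the request,
-- so the scoping happens in the database, not in application code.
create policy "notes_select_own" on notes
  for select to authenticated
  using (user_id = auth.uid());

create policy "notes_insert_own" on notes
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "notes_update_own" on notes
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "notes_delete_own" on notes
  for delete to authenticated
  using (user_id = auth.uid());

-- Check in the SQL editor: impersonate a user (constructed UUID) and
-- confirm that rows belonging to anyone else are filtered out, not
-- returned. Supabase passes JWT claims via request.jwt.claims.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
select count(*) from notes where user_id <> auth.uid();  -- expect 0
rollback;
```

The guarantee only holds for requests made with the user's own JWT: the Supabase service_role key bypasses RLS, so server-side code that uses it (for example an AI job reading note content) is not constrained by these policies.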

AI processing

When AI features run (chat, note classification, embeddings), relevant note content is sent to a third-party language model provider. Per that provider’s API terms, content sent through the API is not used to train their models. See /privacy for the full vendor list and what each one touches.

What it's for (and what it isn't)

afternote is for your own work notes — meeting notes, 1:1s, decisions, todos, the “where did I write that” problem. It is not built for your company’s regulated data, customer PII, pre-IPO material, or anything your security team would need to formally vet a vendor for. If that’s your use case, afternote isn’t the right fit yet — and I’d rather tell you now than have you find out later.

Admin access

There’s no feature in afternote that lets me read your notes — the app surfaces your content only to you. The honest caveat: running AI on your notes means they’re processed in plain text on the server, so I could query the database directly. Like any hosted app that runs AI on your content, I can’t cryptographically rule that out, and I won’t pretend otherwise. What I commit to: I don’t browse notes, and I’d touch an account’s data only if you ask me to for support or to debug a failure you reported — never otherwise. And I’ve built the accountability ahead of the capability: an append-only access log mirrored to write-once storage I can’t alter or delete, so the day I add any feature that can read note content, every use is recorded immutably from the start.

Backups

Supabase handles automated daily backups. Backup data is encrypted at rest. When you delete an account or notes, the live database is updated immediately; backup data ages out on Supabase’s standard retention schedule (~30 days).

Export and deletion

  • Delete your account at any time. This removes your notes, embeddings, and account data from the live database immediately.
  • Export your notes — currently manual. Email hello@afternote.dev and you’ll get your data back within 24 hours.

Reporting a vulnerability

Found a security issue? Email hello@afternote.dev with “Security” in the subject. You’ll hear back within 48 hours.

Honest scope

Afternote is an early-access indie product, not a SOC 2-audited enterprise platform. Security is taken seriously and built on industry-standard tools, but there are no external audits, penetration tests, or formal compliance certifications yet. If those matter for your use case, hold off and check back in 6–12 months.