Notehouse

Privacy Policy

(In English)

Last Updated: December 12, 2025

1. Introduction

Waterglass UK Limited ("Notehouse," "we," "us," or "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our case management platform (the "Service").

Notehouse provides case management and note-taking software designed to help professionals—such as legal counsellors, social workers, and healthcare providers—capture, organise, and manage documentation about their clients.

Company Information:

  • Company Name: Waterglass UK Limited
  • Company Number: 16104448
  • Registered Address: 21 Ellis Street, London, SW1X 9AL, United Kingdom
  • Contact Email: support@getnotehouse.com

2. Scope and Applicability

This Privacy Policy applies to personal data we collect from our customers ("Customers")—the organisations and individuals who subscribe to and use the Service. It also describes our role as a data processor when Customers use the Service to manage information about their own clients ("End-Clients").

Important distinction:

  • Customer Data: Information our Customers input into the Service about their End-Clients (such as case notes, records, and potentially Protected Health Information). Notehouse processes this data on behalf of Customers and acts as a data processor.
  • Account Data: Information about our Customers themselves (such as name, email, and billing information). Notehouse acts as a data controller for this data.

If you are an End-Client whose information is managed through our Service by one of our Customers, please contact that Customer directly regarding your personal data. Notehouse processes such data only on behalf of, and under the instructions of, our Customers.

3. Data We Collect

3.1 Account Data (Data Controller)

When you create an account and subscribe to the Service, we collect:

  • Identity Information: Name, email address, organisation name
  • Payment Information: Billing details processed securely through Stripe. We do not store complete payment card numbers on our servers.

3.2 Usage Data (Data Controller)

We automatically collect certain technical and usage information when you use the Service:

  • Device Information: IP address (processed transiently for security and service delivery purposes; IP addresses are not retained or used for analytics for users in the UK and EEA), browser type, device type, operating system
  • Usage Information: Pages visited, features used, session duration, interactions with the Service
  • Analytics: We use Mixpanel to collect product analytics to improve the Service

3.3 Customer Data (Data Processor)

Customers may input, upload, or store various types of data through the Service, including case notes, records, and documentation about their End-Clients. This Customer Data may include personal data, sensitive personal data, and Protected Health Information (PHI) as defined under applicable laws.

Notehouse processes Customer Data solely on behalf of, and under the instructions of, our Customers. Customers are the data controllers for Customer Data and are responsible for ensuring they have appropriate legal bases and consents to process such data.

4. How We Use Your Data

4.1 Account and Usage Data

We use Account Data and Usage Data for the following purposes:

  • Service Delivery: To provide, maintain, and operate the Service
  • Account Management: To create and manage your account, process payments, and communicate with you about your subscription
  • Service Improvement: To analyse usage patterns, diagnose technical issues, and improve the Service
  • Communications: To send you service-related notices, updates, and informational communications
  • Security: To detect, prevent, and respond to fraud, abuse, and security incidents
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes

4.2 Customer Data

We process Customer Data solely to provide the Service to our Customers. We do not access, use, or disclose Customer Data except as necessary to provide the Service, for technical support or security maintenance, or as required by law. Customer Data is encrypted at rest and in transit.

5. Legal Bases for Processing (GDPR)

Under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), we rely on the following legal bases for processing personal data:

  • Contract Performance (Article 6(1)(b)): Processing Account Data is necessary to perform our contract with you and provide the Service.
  • Legitimate Interests (Article 6(1)(f)): Processing Usage Data for analytics, service improvement, and security is based on our legitimate interests, where such processing is permitted under applicable cookie and electronic communications laws.
  • Legal Obligation (Article 6(1)(c)): We may process data as required to comply with applicable laws and regulations.
  • Processor Relationship (Article 28): We process Customer Data as a data processor on behalf of our Customers, who are the data controllers.

6. Data Sharing and Disclosure

We do not sell your personal data. We may share your data in the following circumstances:

6.1 Service Providers (Subprocessors)

We engage trusted third-party service providers to help us operate the Service. These providers are contractually bound to protect your data and may only use it for the purposes we specify:

  • Amazon Web Services (AWS): Cloud infrastructure and hosting (US East region, HIPAA-compliant)
  • Stripe: Payment processing
  • Mailchimp: Email communications
  • Mixpanel: Product analytics
  • HelpScout: Customer support

6.2 Legal Requirements

We may disclose your data if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

7. International Data Transfers

Customer Data is stored on servers located in the United States (AWS US East region). As a UK-based company serving international customers, we transfer personal data outside the UK and European Economic Area (EEA).

For transfers to countries not deemed to provide adequate protection, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission and UK Information Commissioner's Office. Our subprocessors maintain appropriate data transfer mechanisms.

You may request information about our data transfer safeguards by contacting us at support@getnotehouse.com.

8. Data Retention

We retain your data for the following periods:

  • Account Data: Retained for the duration of your subscription and for 90 days following termination to allow for account reactivation.
  • Payment and Billing Records: Retained for 7 years to comply with UK tax and legal requirements.
  • Usage and Analytics Data: Retained for 2 years for service improvement purposes.
  • Support Correspondence: Retained for 2 years for dispute resolution and service improvement.
  • Customer Data: Retained for 90 days following termination of your subscription, after which it is permanently deleted. Customers are responsible for exporting any data they wish to retain before the end of this period.

You may request earlier deletion of your data by contacting support@getnotehouse.com, subject to any legal retention requirements.

9. Your Rights

9.1 Rights Under GDPR (UK and EU)

If you are located in the UK or European Economic Area, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data in certain circumstances.
  • Right to Restriction: Request restriction of processing in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time.

To exercise these rights, contact us at support@getnotehouse.com. We will respond to your request typically within 7 days, and no later than 30 days as required by law. We may ask you to verify your identity by confirming your request from the email address associated with your account.

You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

9.2 Rights Under CCPA (California)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it.
  • Right to Delete: Request deletion of your personal information.
  • Right to Opt-Out of Sale: We do not sell personal information. This right does not apply.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of Personal Information Collected: Identifiers (name, email, IP address); commercial information (subscription details); internet activity (usage data); professional information (organisation name).

To exercise your CCPA rights, contact us at support@getnotehouse.com.

10. Cookies and Tracking Technologies

We use strictly necessary cookies that are essential for the operation and security of the Service, including authentication, session management, and access control. These cookies do not require user consent under applicable law. For any other cookies, we will seek your consent.

We use Mixpanel for product analytics to understand how the Service is used and to improve functionality.

For users located in the United Kingdom and European Economic Area, Mixpanel is configured in a privacy-focused mode that does not collect personal data such as names, email addresses, IP addresses, or other information that directly identifies individual users if so requested. Analytics data for these users is limited to aggregated usage events and technical information.

For users located outside the UK and EEA, Mixpanel may collect additional device or usage information in accordance with applicable local laws. We do not use Mixpanel for advertising, cross-site tracking, or profiling, and analytics data is used solely for internal product improvement purposes.

11. Data Processing Agreement

When you use the Service, Notehouse processes Personal Data on your behalf as a data processor. Our Data Processing Agreement (DPA) sets out the terms under which we process such data. By accepting this Privacy Policy, you also agree to be bound by the DPA.

12. Security

We implement robust technical and organisational measures to protect your data, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256 or equivalent standards
  • Network firewalls and intrusion detection systems
  • Access controls and multi-factor authentication options
  • Regular security monitoring and audit logging
  • Periodic security assessments and vulnerability testing
  • Employee security training and background checks

While we take security seriously, no system is completely secure. We cannot guarantee absolute security of your data.

13. HIPAA Compliance (US Healthcare)

For Customers subject to the Health Insurance Portability and Accountability Act (HIPAA), Notehouse offers a Business Associate Agreement (BAA). If you intend to process Protected Health Information (PHI) through the Service, you must execute a BAA with us before inputting any PHI.

Our infrastructure (AWS US East) is HIPAA-compliant, and we maintain appropriate safeguards as required by the HIPAA Security Rule. To request a BAA, contact info@getnotehouse.com.

14. Children's Privacy

The Service is intended for use by professionals and organisations, not by individuals under 18 years of age. You must be at least 18 years old to create an account. We do not knowingly collect personal information from individuals under 18.

Note: Our Customers may use the Service to manage case information about End-Clients of any age. Such data is processed by Notehouse as a data processor under the instructions of the Customer, who remains the data controller and is responsible for compliance with applicable laws regarding children's data.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account at least 7 days before they take effect. Non-material changes may be made at any time and will be reflected by the "Last Updated" date.

Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

16. EU Representative

For the purposes of Article 27 of the EU General Data Protection Regulation (EU GDPR), Waterglass UK Limited has appointed the following EU representative:

Waterglass FlexCo
Börseplatz 1/3/6
1010 Vienna, Austria
hi@waterglass.io

Data subjects and supervisory authorities in the European Union may contact the EU representative regarding matters related to the processing of personal data under the EU GDPR.

17. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about our data practices, please contact us:

  • Email: support@getnotehouse.com
  • Postal Address: Waterglass UK Limited, 21 Ellis Street, London, SW1X 9AL, United Kingdom


© 2026 Waterglass UK Ltd.