Privacy Policy

Last updated: February 20, 2026

1. Who We Are

TwenteNotes.nl is operated by TwenteNotes, based in the Netherlands. We are the data controller responsible for the personal data collected through this Platform.

If you have any questions about how we handle your data, you can reach us at support@twentenotes.nl.

2. What Data We Collect

We collect the following categories of personal data:

Account data

  • Your name (as provided during registration)
  • Your email address
  • Your hashed password (we never store your password in plain text)
  • Whether your student status has been verified

Content you upload

  • PDF files you choose to share on the Platform
  • Metadata associated with your notes (title, course, description)

Usage data

  • Download history (which notes you have accessed)
  • Basic server logs (IP address, browser type, pages visited) for security and diagnostics

Data we do not collect

We do not collect payment information. TwenteNotes is entirely free and no financial transactions take place on the Platform.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To provide the service — creating and managing your account, enabling you to upload and access notes.
  • To verify student status — confirming eligibility based on your email domain (@student.utwente.nl).
  • To communicate with you — sending verification codes, account notifications, and service updates.
  • To keep the Platform secure — detecting abuse, fraud, and unauthorised access.
  • To improve the Platform — understanding how the service is used in aggregate to improve features and performance.

4. Legal Basis for Processing (GDPR)

As a Dutch platform, we process your personal data under the General Data Protection Regulation (GDPR). Our legal bases are:

  • Contract (Article 6(1)(b) GDPR) — processing necessary to provide the service you signed up for (account management, note sharing).
  • Legitimate interests (Article 6(1)(f) GDPR) — keeping the Platform secure and preventing abuse.
  • Consent (Article 6(1)(a) GDPR) — where you have explicitly agreed, such as agreeing to these terms at registration.

5. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data and uploaded content within 30 days, except where we are required to retain certain data for legal or security reasons (for example, server logs may be retained for up to 90 days).

6. Who We Share Your Data With

We do not sell your personal data. We share your data only with the following third-party service providers, who process it on our behalf under data processing agreements:

  • Supabase — cloud database and file storage provider. Your account data and uploaded files are stored on Supabase infrastructure.
  • Resend — email delivery service, used to send verification codes and account notifications.

Your public profile information (display name) and the notes you choose to publish are visible to other registered users of the Platform.

We may disclose your data if required to do so by law, court order, or competent authority.

7. Cookies and Local Storage

TwenteNotes uses the following browser storage mechanisms:

  • Authentication cookie — a secure, HTTP-only cookie containing your session token. This is strictly necessary for the Platform to function and is set when you log in. It expires after 7 days.
  • Local storage — we store a minimal session flag (tn_has_session) to improve page load performance.

We do not use tracking cookies, advertising cookies, or any third-party analytics scripts.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can update or correct your personal data at any time from your account settings.
  • Right to erasure — you can delete your account and all associated data from your account settings page, or by contacting us.
  • Right to restriction of processing — you can ask us to limit how we use your data in certain circumstances.
  • Right to data portability — you can request your data in a structured, machine-readable format.
  • Right to object — you can object to processing based on our legitimate interests.

To exercise any of these rights, contact us at support@twentenotes.nl. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

9. Data Security

We take reasonable technical and organisational measures to protect your personal data, including:

  • Passwords are hashed using bcrypt before storage — we cannot see your password.
  • Authentication tokens are stored in secure, HTTP-only cookies.
  • All data is transmitted over HTTPS.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at support@twentenotes.nl.

10. Children's Privacy

TwenteNotes is intended for users aged 16 and above. We do not knowingly collect personal data from children under 16. If you believe a child has registered on the Platform, please contact us and we will delete the account.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify you by email. Continued use of the Platform after changes are posted constitutes your acceptance of the revised Policy.

12. Contact

For any privacy-related questions or to exercise your rights, contact us at:

TwenteNotes

Email: support@twentenotes.nl

Website: twentenotes.nl