Notes9

Notes9 Data Terms & Privacy Notice

Effective date: From the date of User Registration with the Notes9 website
Supplier: Notes9 project team (“Notes9”, “we”, “us”)
Contact: admin@notes9.com

1. Purpose of this pilot

Notes9 is running a limited pilot to evaluate a research workflow tool for creating and organising lab notes, protocols, and literature-linked research records.

This pilot is a beta evaluation. It is not intended for clinical care, patient management, or regulated GMP/GLP recordkeeping.

2. Pilot restrictions (what you must NOT upload)

To keep the pilot low-risk and appropriate for early-stage testing, you agree not to upload or store in Notes9 during the pilot:

  • Patient data or any data derived from clinical records
  • Special category personal data (e.g., health data about identifiable individuals, genetic/biometric identifiers, ethnicity, religion, etc.)
  • Payment card data
  • Highly sensitive organisational information classified as confidential/restricted (e.g., secrets, security designs, credentials, export-controlled data)
  • Any content you do not have the right to process or share

If you are unsure whether data is allowed, treat it as disallowed and contact your organisation data administrator.

3. Roles: who is Controller / Processor

For research content you upload (“Customer Content”), the organisation or your lab/institute/company or firm typically determines why and how that content is processed. In that case:

  • The organisation/university/institute/lab/company is the Data Controller
  • Notes9 is the Data Processor, processing Customer Content only on documented instructions from the Controller

For account and service administration data (e.g., login email, basic usage logs), Notes9 may act as a Data Controller to operate the service.

4. What data we collect

4.1 Account & admin data (service operation)

  • Name and email address (for accounts)
  • Organisation/department (if provided)
  • Authentication and access logs (e.g., sign-in time, device/browser metadata)
  • Basic support communications (messages you send to us)

4.2 Customer Content (research content you upload)

  • Notes, protocols, experiment metadata
  • Attachments you upload (files, images, tables)
  • Links/annotations to papers or internal references

4.3 What we do NOT want in the pilot

See Section 2 (disallowed data). We also strongly discourage storing direct identifiers about third parties.

5. How we use data (and lawful basis)

5.1 Account & admin data

We use account/admin data to:

  • provide access to the pilot service
  • maintain security, prevent abuse, and troubleshoot
  • communicate essential service messages

Lawful basis typically includes performance of a contract (providing the service) and legitimate interests (security and service improvement).

5.2 Customer Content

We process Customer Content to provide the features you use (storage, retrieval, collaboration, search, and optional AI functions if enabled by your pilot admin).

6. AI features (pilot-safe version)

If AI features are enabled for your pilot:

  • Customer Content may be processed to generate outputs (summaries, suggestions, structured fields).
  • We do not use Customer Content to train general-purpose models unless the Controller explicitly opts in in writing.
  • We will maintain a list of sub-processors used for AI or hosting and will provide it to the University on request (and/or publish it).
  • If your pilot requires that no content leaves a specific region or that no third-party AI processors are used, Notes9 will configure the pilot accordingly (where technically feasible) and document the configuration.

7. Security measures (baseline commitments for the pilot)

During the pilot, Notes9 will implement reasonable technical and organisational measures, including:

  • access limited to authorised personnel on a need-to-know basis
  • encryption of data in transit using modern TLS
  • separation of customer environments where applicable
  • logging and monitoring aimed at detecting unauthorised access or malicious behaviour
  • vulnerability management and patching processes prioritised by risk

8. Incident management and notification

If we become aware of a suspected or confirmed security incident affecting University data in the pilot, we will:

  • notify the University pilot owner without undue delay, and
  • provide available details on scope, data affected, containment steps, and recommended actions

Where the Organisation requires rapid notification for incidents, we will work to meet those timelines and coordinate with the nominated security contacts.

9. Data retention and deletion

Customer Content is retained only for the pilot period or until a user deletes their Notes9 account, unless the organisation/user requests an extension in writing.

At pilot completion or termination, Notes9 will, upon instruction:

  • return Customer Content in a reasonable export format, and/or
  • securely delete Customer Content from active systems within 14 days of account deletion.

Backups (if used) will be overwritten/expired on a rolling basis within 28 days.

10. Sub-processors and where data is processed

Notes9 may use vetted service providers (e.g., hosting, logging, email). We will provide a current sub-processor list on request.

Data location (pilot): USA / UK / EU region
If data is transferred outside the USA/UK/EU, we will use appropriate safeguards (e.g., contractual protections) and disclose this to the Controller.

11. Your responsibilities

You agree to:

  • follow the Pilot Restrictions (Section 2)
  • use strong passwords and enable MFA (if offered)
  • promptly report suspected account compromise to admin@notes9.com
  • ensure you have rights/permissions to upload the content you upload

12. Individual rights and how requests are handled

Because the organisation is typically the Controller for Customer Content:

  • requests to access/erase/rectify Customer Content should usually be directed to your organisational contact
  • Notes9 will assist the Controller to respond to valid requests where applicable

13. Confidentiality

We treat Customer Content as confidential and do not disclose it to third parties except:

  • to sub-processors needed to deliver the service
  • where required by law
  • with the Controller’s instructions/consent

14. Changes to these terms

We may update these Pilot Terms to reflect pilot learnings or security requirements. If changes materially affect data handling, we will notify the organisation's owner.

15. Contact and complaints

Privacy: admin@notes9.com
Security: admin@notes9.com

Organisational users may also raise concerns through their Organisational channels.