I have a privacy concern question that I would like to clarify. With personal notes being some of the closest things to me, I feel quite strongly about privacy around them.
> We will collect personal information through appropriate methods for the following purposes
>
> We may entrust the whole or part of the personal information it collected to outsourcing entities to the extent required to achieve the purpose of use
What is contained within the scope of this personal information? I want to be able to fully understand what is shared, what is not.
- Is it the first name, last name, email provided in account settings?
- Is this note contents?
- Note titles?
- Tag names?
- Folder names?
- Linked websites from within notes?
My understanding from other posts in this forum is that data is encrypted at rest, but not encrypted in transit. I presume that HTTPS is used for encryption in transit between client and server?
> The data encryption & decryption always happen on the Inkdrop servers.
> So when encrypting/decrypting, the servers have to look into your data in plaintext.
>
> First, your notes are not encrypted with your password directly.
> Inkdrop generates an encryption key and it’s encrypted with your password while stored on disk.
> So your encryption key itself won’t be changed if you change your password. Just re-encrypting the encryption key.
With this, is it correct to state that it is not possible for you, or any authorities, third party, hacker, etc., to read the data of my notes, tags, folders, etc., since they are encrypted at rest with a strong cipher and key:salt pair?
> and is difficult to obtain your consent
What is defined as difficult? You only have my email address, does that qualify as difficult, or is there a time period of response? What would that be?
> it is necessary for cooperating with a national or local authority or an entity entrusted by it in executing the affairs prescribed by laws and ordinances
In which country? I am a UK citizen, and according to Twitter you live in Tokyo, so is this in reference to Japanese authorities, or UK, or both? I wouldn’t expect the UK to have any enforcement over you as a resident of Japan. My concern is if a country that is neither of those makes a request, such as the largest country in the west, that I don’t feel comfortable having my information shared with.
This also relates to which country the data is actually stored in. I presume it’s built in AWS or something similar, so understanding whether the regions selected are in the EU would make me more comfortable. Since you’re in Japan, you may have selected a region closer to home.
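
The wrapped-key scheme quoted in the post above (a generated encryption key that is itself encrypted with the password, and only re-encrypted on a password change) can be sketched as follows. This is an added example, not part of the original post and not Inkdrop's code; the choice of scrypt and AES-256-GCM, all function names, and the sample passphrases and note text are assumptions made for illustration.

```javascript
// Added illustration of a password-wrapped data key; not Inkdrop's implementation.
// Assumed primitives: scrypt for key derivation, AES-256-GCM for wrapping and data.
const crypto = require('node:crypto');

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if key or data is wrong
}

// Derive the key-encryption key (KEK) from the password and a per-account salt.
const kek = (password, salt) => crypto.scryptSync(password, salt, 32);

function createAccount(password) {
  const dataKey = crypto.randomBytes(32); // random key that actually encrypts notes
  const salt = crypto.randomBytes(16);
  return { salt, wrapped: seal(kek(password, salt), dataKey) };
}

function unwrapDataKey(account, password) {
  return unseal(kek(password, account.salt), account.wrapped);
}

// Password change: unwrap with the old password, re-wrap with the new one.
// The data key is unchanged, so stored notes are not re-encrypted.
function changePassword(account, oldPw, newPw) {
  const dataKey = unwrapDataKey(account, oldPw);
  const salt = crypto.randomBytes(16);
  return { salt, wrapped: seal(kek(newPw, salt), dataKey) };
}

function demo() {
  const acct = createAccount('old-passphrase'); // constructed sample values
  const note = seal(unwrapDataKey(acct, 'old-passphrase'), Buffer.from('my private note'));
  const acct2 = changePassword(acct, 'old-passphrase', 'new-passphrase');
  const text = unseal(unwrapDataKey(acct2, 'new-passphrase'), note).toString();
  let oldRejected = false;
  try { unwrapDataKey(acct2, 'old-passphrase'); } catch { oldRejected = true; }
  return { text, oldRejected };
}
```

In this sketch, whichever process calls `unwrapDataKey` holds the data key and the note plaintext in memory while it works, which is the situation the quoted remark about server-side encryption and decryption describes.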