Your data, your control.
Last updated: 25 May 2026 (anonymous device identifier and Market Stall loyalty disclosures) · Effective: 12 May 2026
Nifi Ltd ("we", "us", "our") is the data controller for personal data collected through the Nifi Notes website and services at nifinotes.com. We are registered in England and Wales under company number 17127978, with our registered address at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ.
We are registered with the Information Commissioner's Office (ICO) under registration number C1899864.
For data protection queries, contact us at founder@nifinotes.com.
We collect different types of personal data depending on how you interact with Nifi Notes. The table below sets out each category, our lawful basis under UK GDPR, and how long we keep it.
| Data | Lawful basis | Retention |
|---|---|---|
| Account data — email address, hashed password (or Google OAuth token), account creation date | Contract (Article 6(1)(b)) — necessary to provide the account service you requested | Until you delete your account, then within 30 days |
| Tag metadata — tag IDs, types (note/wifi/log), labels you give tags, timestamps, ownership and lock status | Contract — necessary to operate the tag management features | Until you delete the tag or your account |
| Tag content — the encrypted ciphertext of your notes, WiFi credentials, and logbook entries | Contract — necessary to store and serve your tag content | Until you overwrite or delete the tag. Note: tag content is client-side encrypted. For users without cloud key sync, we store only ciphertext and cannot read your content. For signed-in users with cloud key sync enabled (the default), we additionally hold an encrypted copy of your key — see Section 3. |
| Waitlist email — email address submitted via our waitlist forms | Consent (Article 6(1)(a)) — you actively submit your email to hear about our launch | 12 months from submission, or until you ask us to remove it |
| Contact form messages — email address and message text submitted via our contact page | Legitimate interests (Article 6(1)(f)) — to respond to your enquiry | 12 months from the date of the message |
| Bug report data — email address, message text, page URL (the URL fragment is always stripped before transmission to protect any tag encryption key), browser user-agent string, and optionally a JPEG screenshot of the page captured by html2canvas running in your browser before you submit the report | Legitimate interests (Article 6(1)(f)) — to investigate and fix software defects you report | 12 months from the date of the report |
| Stall email opt-in — your email address shared with a Market Stall owner when you choose to opt in | Consent — you explicitly choose to share your email via the opt-in prompt | Until you withdraw consent (toggle off from the stall page or contact us) |
| Stall interaction data — stamp counts, tap timestamps, stall IDs. You can collect loyalty stamps before signing in: in that case the stamps are held against the anonymous device identifier below and merged into your account if and when you sign in. | Contract — necessary to operate the loyalty stamp feature once you have an account. For stamps collected before sign-in, the basis is legitimate interests (Article 6(1)(f)): letting you start collecting without first creating an account. | For signed-in accounts, until you delete your account or the stall owner deletes the stall. Stamps collected anonymously follow the device-identifier retention below if you never sign in. |
| Anonymous device identifier: a random ID generated in your browser (stored locally as nn:vid) and sent with tag taps. It lets us recognise repeat taps from the same device for engagement analytics, and for Market Stalls it holds your loyalty stamps before you sign in so they can be merged into an account you create. It is a first-party identifier, never shared with advertising networks, and you can switch it off (see Section 5). | Legitimate interests (Article 6(1)(f)): to measure repeat engagement and to let you collect loyalty stamps without first creating an account | Up to 12 months from your most recent tap on that device, then deleted. Removed immediately if you clear your browser data or enable Do Not Track. |
| Usage analytics and performance monitoring — page views, device type, browser, country (via Vercel Web Analytics); and Core Web Vitals performance metrics such as load times, responsiveness, and layout stability (via Vercel Speed Insights). We do not intentionally retain full IP addresses in analytics reports; infrastructure providers may process IP addresses transiently for routing and security. | Legitimate interests — to understand how our service is used and improve it, and to monitor and improve site performance | Raw analytics events for 12 months. Aggregated, non-identifying statistics may be retained indefinitely because, once aggregated, they no longer relate to an identifiable person and so do not affect your privacy. |
| Application event log — internal record of events like account creation, tag writes, taps, and stall opt-ins. Includes timestamps and the userId / tagId / stallId involved; does not include tag content or email addresses. | Legitimate interests (Article 6(1)(f)) — operational visibility, abuse detection, and consent audit trail (for stall opt-ins) | Up to 12 months. Entries identifying a user are scrubbed when the user's account is erased. |
| Hosting and authentication provider logs — short-term server logs from Vercel, Clerk, and Upstash (request paths, status codes, user agents, IP addresses) used for routing, rate limiting, and incident response | Legitimate interests (Article 6(1)(f)) — to keep the service available and secure | Provider-managed (typically a few days to ~90 days depending on the provider). Specific entries may be retained longer where needed to investigate a security incident. |
Tag content (notes, WiFi credentials, logbook entries) is encrypted in your browser using AES-256-GCM before it reaches our servers. The encryption key is carried in the URL fragment (the part after the # symbol), which the browser never sends to any server.
Device-local mode (anonymous users and signed-in users who opt out of cloud key sync): The encryption key is stored only on your device (in browser local storage). We store only ciphertext and cannot read your tag content under any circumstances. We cannot recover your content if you lose the tag URL or clear your browser data.
Cloud key sync (default for signed-in accounts): When you are signed in, your encryption key is also stored on our servers in AES-256-GCM encrypted form, secured using a key we derive from your account identity. This allows you to access your content from any signed-in device. We hold the technical capability to decrypt your content in this mode, though we do not do so except as required by law or upon your own request for recovery assistance. Your content itself remains encrypted at rest; only the key-encryption key is server-held.
Tag labels and account metadata (email, timestamps, tag types) are not encrypted at rest and are readable by us for the purposes of operating the service.
Market Stall content is stored in plain (unencrypted) JSON on our servers. This includes the stall template (name, location, social links, loyalty card), any Live mode overlay (personalised messages and receipt images sellers prepare for the next customer), and the snapshot we save of what each customer tapped. This is a deliberate trade-off: it lets us provide remote support to sellers (helping them fix layouts, recover broken stalls, troubleshoot loyalty cards), which we have found is more valuable than encryption for this feature. If you tap a Market Stall as a customer, the content of that stall — including any personalised message and receipt — is readable by us. If that matters to you, prefer signed-in note tags or anonymous tag writes, which remain end-to-end encrypted.
Live mode receipts uploaded by sellers travel to our servers over HTTPS and are stored on the Vercel + Upstash infrastructure that runs the platform. They are not encrypted at rest beyond what those providers apply by default. A Live mode overlay is single-shot — as soon as the next customer taps the linked Nifi Note, the overlay is consumed and deleted from the live store; a copy survives only inside that one customer's snapshot record.
This section was updated in May 2026 to reflect the addition of cloud key sync for signed-in accounts and the introduction of Market Stall + Live mode. If you have an account, we recommend reviewing this section.
We do not sell your personal data. We share data only with the following categories of processor, each bound by data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Clerk (clerk.com) | Authentication, account management | United States |
| Vercel (vercel.com) | Website hosting, serverless functions, analytics | United States / EU edge |
| Upstash (upstash.com) | Tag data storage (Redis) | EU (Ireland) |
| Google (Google Workspace, Apps Script) | Waitlist email storage, business email | EU / United States |
| Resend (resend.com) | Transactional email delivery (contact form) | United States |
Several of our processors operate infrastructure in the United States or the wider EU, so some personal data may be processed outside the UK. Where personal data leaves the UK, we rely on one or more of the following safeguards, as applicable to each provider: the UK's adequacy regulations (where the destination country is covered), the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or equivalent contractual protections. We also apply organisational safeguards: written data processing terms with each provider, minimising the personal data that is transferred, and choosing providers with established UK GDPR compliance programmes. Each of the processors listed above maintains their own UK GDPR-compliant data processing terms.
If you opt in to share your email with a Market Stall owner, we record your consent with a timestamp, your account identifier, and the stall ID. We retain this consent record so we can demonstrate the basis for processing if asked and so the stall owner only ever sees opt-ins that are currently active. The stall owner does not see your email address inside the platform today — we are building an in-platform mailing tool that lets them send messages to their opted-in customers without ever holding the underlying email addresses themselves.
What stall owners may do with your email. After you opt in, stall owners may use the in-platform mailing tool (when launched) to send you communications you would reasonably expect from opting in to that stall — typically loyalty schemes, offers, promotions, and related communications about their stall. They should not use the tool for anything you did not opt in to.
Our role. Nifi Notes is the data controller for the opt-in record and for the planned in-platform mailing tool. Because email addresses do not leave the platform under the current design, the controller-to-controller handover that existed in a previous version of Nifi Notes (where stall owners could download an opted-in customer list as a CSV) no longer applies. We may revisit this if we add an export feature in future; if we do, we will update this Policy first.
Vendor obligations. Stall owners remain independently responsible for the content of any messages they send through the platform and for complying with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), including the rules on direct marketing and unsubscribe handling. They agree to our Terms of Service, which include acceptable-use commitments around customer data.
Withdrawing your consent. You can toggle the opt-in off from the stall page in Tags, or contact us, at any time. Withdrawal stops future messages immediately. It does not retroactively delete messages already sent.
We use the following:
| Name / type | Purpose | Duration |
|---|---|---|
| Clerk session cookie (httpOnly, Secure, SameSite=Lax) | Strictly necessary — keeps you signed in to your account | Session / 7 days |
| IndexedDB (nifi-tags, nifi-templates, nifi-log-profiles) | Strictly necessary — device-local browser storage used to keep your tag registry, templates, and log profiles available on this device. Never sent to our servers unless you sign in and choose to sync. | Until you clear browser data |
| localStorage (nn:me:v1, nn:clerkPubKey:v1, tmpl_default_seeded_v2) | Strictly necessary — device-local browser storage used to cache account state and seed default templates | Until you sign out or clear browser data |
| localStorage (nn:vid) | A first-party anonymous device identifier used to recognise repeat taps for engagement analytics and to hold Market Stall loyalty stamps before you sign in. Not strictly necessary: it is never shared with advertising networks, and you can opt out (we then set nn:noTrack and stop sending it). | Up to 12 months from your most recent tap; removed when you clear browser data |
| localStorage (nn:noTrack) | Records your choice to opt out of the anonymous device identifier above, so we remember not to track this device | Until you clear browser data |
| Vercel Analytics | Privacy-friendly, cookieless page view analytics. We do not intentionally retain full IP addresses in analytics reports; infrastructure providers may process IP addresses transiently for routing and security. | N/A (no cookies set) |
| Vercel Speed Insights | Cookieless performance monitoring. Collects Core Web Vitals scores (largest contentful paint, interaction to next paint, cumulative layout shift, time to first byte, first contentful paint) and page path to help us measure and improve site performance. No personal identifiers are collected and no device-level cookies or storage are set. | N/A (no cookies set) |
Cookies and PECR. The Privacy and Electronic Communications Regulations (PECR) require consent for cookies and similar storage unless they are strictly necessary to deliver a service the user has requested. The Clerk session cookie and the IndexedDB/localStorage entries listed above (other than nn:vid) all fall into this strictly-necessary category: they exist so the service can keep you signed in, remember your tag list on your device, and avoid showing the same notices twice. Vercel Analytics is cookieless and does not set device identifiers on your browser, so it is treated as consistent with the ICO's analytics-exemption guidance.
The anonymous device identifier (nn:vid) is a first-party, non-advertising identifier rather than a strictly-necessary one. We rely on it under our legitimate interest in measuring repeat engagement and in providing pre-sign-in loyalty stamps; we keep it to first-party use, never share it with advertising networks, and provide a Do Not Track opt-out that removes it and stops further collection. If our use of this identifier changes, we will review whether explicit consent is required and update this Policy first.
We do not use advertising cookies or third-party tracking cookies, and we do not share device identifiers with advertising networks. If we ever introduce non-essential cookies, we'll surface a cookie banner and only set them after you've given consent.
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data ("right to be forgotten"). To erase your account, email us from the address linked to your account and we will run our erasure process. This removes your user record, your tag list and labels, your stall participation records and your snapshots; any tags you had locked are unlocked (their ciphertext remains on our servers but is unreadable without the encryption key, as set out in Section 3). Your userId is also scrubbed from our internal event log. We aim to complete erasure within 30 days of a verified request, as required by UK GDPR.
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, machine-readable format. You can export your tags from the Tags page at any time.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent (waitlist, stall opt-in), you can withdraw at any time. For waitlist removal, email us. For stall opt-in, toggle it off from the stall page in Tags.
To exercise any right, email founder@nifinotes.com.
How we handle your request. To protect your data we may ask you to verify your identity before we act on a rights request — for example by replying from the email address associated with your account, or by providing details only the account holder would know. We aim to respond within one calendar month; UK GDPR allows us to extend this by up to two further months for complex or numerous requests, in which case we will tell you why within the first month. We may refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive (especially if they are repetitive). We may also apply UK GDPR exemptions where they apply — for example where another person's privacy would be affected, where the data is needed to establish, exercise, or defend legal claims, or where disclosure would compromise an ongoing security investigation. If we cannot identify you in our records, we may be unable to act on the request.
Automated decisions and profiling. We do not carry out automated decision-making that produces legal or similarly significant effects on you, and we do not profile you for advertising. Usage analytics are used in aggregate for product improvement only.
If you are unsatisfied with our response, you may lodge a complaint with the Information Commissioner's Office (ICO).
Technical controls. AES-256-GCM client-side encryption of free-note tag content (end-to-end for device-local mode; vault-backed key for signed-in cross-device mode — see Section 3); HTTPS on all connections; httpOnly/Secure session cookies; timing-safe token comparison to prevent side-channel attacks; access controls on our infrastructure. Market Stall content (template, Live overlay, snapshots) is intentionally stored as plain JSON server-side; see Section 3 for why and what that means.
Organisational controls. Access to production systems is limited to authorised people on a least-privilege basis. We conduct basic due diligence on processors before onboarding them and rely on providers with published UK GDPR compliance programmes. We periodically review our access lists and security posture, and we keep written data processing terms in place with each processor.
No system is perfectly secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected users without undue delay, as required by Articles 33 and 34 of UK GDPR.
Nifi Notes is not intended for children. We do not knowingly collect personal data from children, and in particular we do not knowingly collect personal data from children under 13 — the age at which a child can give their own consent to information society services in the UK under Article 8 of UK GDPR. If you are a parent or guardian and you believe a child has provided us with personal data, please contact us and we will delete it promptly.
We may update this privacy policy from time to time. If we make material changes, we will notify you by email (if you have an account) or by a prominent notice on our website. The "last updated" date at the top of this page indicates when the policy was last revised.
Nifi Ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
Email: founder@nifinotes.com
ICO registration: C1899864