Journal 2 Note ("we", "us", or "our") operates the Journal 2 Note web application (the "Service"). This Privacy Policy explains what information we collect, why we collect it, how it is used and shared, and the choices you have regarding your information. Please read this policy carefully. By using the Service you agree to the practices described here.
If you have questions, contact us at info@lktechnology.net.
1. Who We Are
Journal 2 Note is operated by LK Tech, LLC, an Indiana limited liability company. If you are located in a jurisdiction that requires a designated data controller or representative, please contact us at the email address listed below.
2. Information We Collect
2.1 Account Information
When you create an account we collect:
- Email address — stored in lowercase; used as your unique login identifier and for account verification messages.
- Password — stored only as a bcrypt hash; we never store your plaintext password.
- Username — optional display name you may choose.
- System access level — an internal role flag (Viewer or Admin) that controls what parts of the Service you can access.
- Email verification timestamp — the date and time your email address was confirmed.
2.2 Log Entries and Transcripts
The core function of the Service is recording time-tracking log entries. When you create an entry, we store the following fields in our database:
- Date and time of the activity
- Duration (raw minutes and billable hours)
- Category, person, client, subject matter, and follow-up action
- Raw transcript text (the verbatim voice or typed input)
Entries are never physically deleted from the database. When you "delete" an entry, its status is set to inactive (soft delete) and it is excluded from all normal queries. If you need permanent removal, contact us directly.
2.3 Voice Audio
If you use the voice dictation feature, your microphone audio is captured in your browser, resampled to 24 kHz 16-bit PCM, and streamed in real time over a secure WebSocket connection directly to OpenAI's Realtime API for transcription. The connection uses an ephemeral token with a 60-second lifetime issued by our server.
We do not store the raw audio on our servers. Only the resulting transcript text is retained. OpenAI's own data handling practices govern what, if anything, OpenAI retains on its infrastructure; please review OpenAI's Privacy Policy.
2.4 Structured Entry Extraction
After transcription (or when you type an entry manually), the free-text transcript is sent to Anthropic's Messages API (model: claude-sonnet-4-6) so that structured fields can be extracted automatically. The text you submit is transmitted to Anthropic's servers for this purpose. Anthropic's own data handling practices govern what, if anything, Anthropic retains; please review Anthropic's Privacy Policy.
2.5 Session and Authentication Data
To keep you logged in we set two cookies:
- sl_session_id — a session identifier with a 24-hour sliding expiry that resets on each authenticated request.
- sl_login_token — a persistent login token with a 30-day TTL, set only when you choose "Remember me". Logging out invalidates only the token on the device you logged out from; other devices remain authenticated.
Session records are stored in our database and include the session ID, associated user ID, creation time, last active time, and expiry.
2.6 Login Attempt Logs
To protect accounts from unauthorized access we log each login attempt, including the requesting IP address, whether the attempt succeeded or failed, and a timestamp. If 10 or more failed attempts are made from the same IP within 15 minutes, further login requests from that IP are temporarily blocked. Login attempt records are never physically deleted.
2.7 Application Event Logs
Our API routes and client-side code log operational events (for example, errors, significant actions) to a database table. These logs include the session ID, an event type string, and a JSON data payload. They are used for debugging and monitoring service health.
2.8 Email
When you register, we send a verification email to confirm your address. When the Resend email service is configured on our deployment, this email is dispatched through Resend's API. When it is not configured, the verification link is written to internal server logs only (typically used in development/staging). Please review Resend's Privacy Policy for their data handling practices.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Authenticate your identity and maintain your session
- Parse your voice or typed input into structured time-tracking records
- Send account-related emails (verification, password reset if applicable)
- Detect and prevent fraudulent or abusive activity (brute-force login protection)
- Monitor and debug service health through internal event logs
- Comply with legal obligations
We do not sell your personal information. We do not use your log entries or transcripts for advertising purposes.
4. Sub-processors and Third Parties
We disclose the following sub-processors that may receive your data in the course of providing the Service:
- OpenAI — receives your voice audio stream for real-time transcription. See openai.com/policies/privacy-policy.
- Anthropic — receives your transcript text for structured entry extraction. See anthropic.com/legal/privacy.
- Resend — when configured, dispatches verification and transactional emails on our behalf. See resend.com/legal/privacy-policy.
- Amazon Web Services (AWS) — our infrastructure provider hosts the application server and SQLite database. Their privacy and security practices govern the physical infrastructure. See aws.amazon.com/privacy.
We do not share your data with any other third parties except as required by law.
5. Data Retention
We retain your account information and log entries for as long as your account remains active. Because the Service uses soft deletion, records marked as deleted are retained in the database in an inactive state. If you wish to have your data permanently removed, please contact us and we will process your request.
Login attempt records and session event logs are retained indefinitely for security and debugging purposes, though we may purge them periodically at our discretion.
Session records expire after 24 hours of inactivity or 30 days with persistent login.
6. Security
We implement the following security measures:
- Passwords are hashed using bcrypt before storage; plaintext passwords are never retained.
- Session identifiers and login tokens are opaque random values.
- Voice audio is transmitted directly from your browser to OpenAI via a short-lived (60-second) ephemeral token; audio does not pass through our servers.
- Brute-force login protection limits failed attempts per IP address.
- All database I/O runs in a dedicated worker thread; queries are parameterized to prevent SQL injection.
No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
7. Your Rights and Choices
Depending on your jurisdiction, you may have rights regarding your personal data, including the right to access, correct, or delete it. To exercise any of these rights, contact us at info@lktechnology.net.
You may export your log entries at any time using the CSV or JSON export features available within the Service.
8. Cookies
We use strictly necessary cookies to operate the Service:
- sl_session_id — required for authentication; expires after 24 hours of inactivity.
- sl_login_token — set only when "Remember me" is selected; expires after 30 days.
We do not use tracking, advertising, or analytics cookies. No third-party cookies are set by our Service.
9. Children's Privacy
The Service is not directed at children under the age of 13 (or a higher age threshold where required by local law). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us so we can delete it.
10. International Data Transfers
Your information may be processed in countries other than your own, including by our sub-processors (OpenAI, Anthropic, and Resend), whose infrastructure may be located in the United States or elsewhere. By using the Service you consent to the transfer of your information to these jurisdictions.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be indicated by an updated "Last Updated" date at the top of this page. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.
12. Contact Us
If you have any questions or concerns about this Privacy Policy, please contact:
LK Tech, LLC
info@lktechnology.net