Privacy policy · last updated May 2026

Privacy, plainly.

Cnoté processes personal data on behalf of schools under GDPR Article 28 and Swiss nDSG Article 9. EU data residency. No US transfers. No training on customer data.

1. Who we are

Cnoté is a school-parent communication service operated from Switzerland. For the purposes of GDPR, Cnoté acts as a data processor on behalf of schools (the data controllers). Schools determine the purposes and means of processing personal data; Cnoté processes data only on the school's documented instructions.

Contact: get@cestnote.ch

2. Roles and responsibilities

Your school is the data controller. The school decides which data is shared with Cnoté, which parents are enrolled, and when the service is terminated.

Cnoté is the data processor. We process email metadata, calendar events, and parent contact data only on the school's behalf, only for the purpose of delivering school-parent communication via WhatsApp.

This relationship is formalised in a Data Processing Agreement (DPA) signed between Cnoté and each school before any data processing begins. The DPA complies with GDPR Article 28 and Swiss nDSG Article 9.

3. What data we collect

Data provided by the school

  • Parent names and WhatsApp numbers — used to deliver school communications via WhatsApp
  • Child first names and year group — used to personalise communications per child
  • Read-only access to the school's Gmail inbox — granted through Google's standard secure log-in flow (OAuth tokens), so no passwords are ever shared with Cnoté and the school can revoke access from its Google Workspace admin console at any time

Data we generate through processing

  • Email metadata and summaries — subject, sender, received date, AI-generated summary of content. We process email summaries to the extent needed to generate useful notifications.
  • Calendar event data — event titles, dates, and descriptions from the school's Google Calendar
  • WhatsApp message records — inbound and outbound messages between Cnoté and parents (for digest delivery and conversation history)
  • Digest and notification delivery records — timestamps of messages sent, for idempotency and audit

Data we collect from this website

  • Demo request submissions — name, email, role, school name, and message when you complete the contact form. Used only to respond to your inquiry. Retained for 3 years.
  • Server logs — IP addresses and user-agent strings in standard server access logs. Retained for 90 days.

4. What we do not collect — and never train on

  • Full email body content (we process summaries only)
  • Analytics cookies or third-party tracking pixels
  • Payment card data (billing handled by a third-party provider)
  • Data not explicitly needed to deliver the service

We do not use personal data processed through Cnoté to train AI models. AI calls (to large language models — the family of AI behind tools like ChatGPT, hosted by us exclusively in European data centres) use school email content only at the moment of inference, and never feed AI training pipelines. This is contractually guaranteed with our AI vendors and audited annually.

5. Legal basis for processing

For school data (parents, children, emails): Processing is carried out on the basis of the school's legitimate interest in communicating with families, and under the DPA where Cnoté acts as processor.

For website contact form submissions: Consent (you choose to submit the form).

6. Where we store data — and where AI inference runs

All personal data is stored on servers located in France (EU), operated by OVH Cloud (a European cloud-services provider). AI work runs on European large language models accessed via OpenRouter (a platform that lets us route requests to specific EU-resident AI models). No personal data is transferred to the United States or to any country outside the European Economic Area or Switzerland without adequate safeguards.

7. How long we keep data

  • Parent contact data — retained for the duration of the school contract plus 90 days for backup, then deleted.
  • Email and calendar data — retained for 3 years from receipt, then deleted.
  • WhatsApp message records — retained for 3 years, then deleted.
  • Website contact form data — retained for 3 years, then deleted.
  • Server logs — retained for 90 days.

8. Your rights

Under GDPR and Swiss nDSG, you have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data (the "right to be forgotten")
  • Portability — request your data in a machine-readable format
  • Objection — object to processing based on legitimate interest
  • Restriction — request that processing be restricted while a dispute is resolved

For data held on behalf of a school, please contact your school directly — they are the data controller. For data held directly by Cnoté (website contact data), email get@cestnote.ch. We respond within 30 days.

9. Data Processing Agreement

Schools are provided with a GDPR Article 28 / Swiss nDSG Article 9 DPA before any data processing begins. The DPA is available on request — write to get@cestnote.ch.

10. Contact

For privacy-related questions, data access requests, or to request the DPA:

Cnoté
Switzerland
get@cestnote.ch

You have the right to lodge a complaint with your national data protection authority. In Switzerland: FDPIC (Federal Data Protection and Information Commissioner).