Privacy Policy

Last updated 22 June 2026

overthink.no is a private space for thinking — you write notes, organise them into topics, and work toward closing open loops. What you write is personal, and this policy is a plain-language account of exactly what we collect, why, who else touches it, and the control you have over it.

What we collect

Your email address— the only thing required to sign in. We don't use passwords; you log in with a one-time code sent to your inbox. A display name is derived from your email and can be changed.
The content you write — your notes, topics, thoughts, questions, and decisions. This is yours; we store it so the product works.
Login metadata — for each successful sign-in we record the time, your device/browser (user-agent), and a truncatedIP address. We deliberately drop the last part of the IP at the moment it's recorded, so it can't be tied back to a single address — it's kept only for spotting unusual activity and rough security diagnostics.

How your content is used by AI

When you capture a note, its text is sent to Google's Geminimodel to suggest which topic it belongs to. This means the content of your notes leaves our servers and is processed by Google as part of classification. We don't use your content to train any model, and this feature can be turned off for the deployment. If automatic classification is disabled, your notes are never sent to Google.

Who else processes your data (sub-processors)

We rely on a small set of providers to run the service:

Google (Gemini) — classifies note content into topics, as described above.
Resend — delivers your one-time login codes and account emails.
Neon — hosts the PostgreSQL database where your account and content live.
Vercel — hosts and serves the application.

What operators can see

The people who run overthink.no have an internal dashboard for keeping the service healthy. It shows account and activity metadata — your email, sign-up date, last login, device, truncated IP, and counts of how many notes, topics, and thoughts you have. It does not display the content of your notes. Access to the underlying database is limited to the operators who maintain the system.

How long we keep it

Your content is kept until you delete it or close your account.
Login history is automatically purged after 90 days.
Login codes are short-lived and deleted once used or expired.

Your rights

You're in control of your data. From Settingsyou can export a complete copy of everything in your account as JSON at any time, and permanently delete your account and all of its content. You can also ask us to correct your data. If you're in the EU/UK, these rights are guaranteed under the GDPR, and you also have the right to complain to your local data protection authority. For anything else, email us at privacy@overthink.no.

Security

Sessions are authenticated with signed tokens, and sign-in uses one-time codes rather than reusable passwords. No system is perfectly secure, but we keep the data we hold to the minimum the product needs.

Changes to this policy

If we change what we collect or how we use it, we'll update this page and the date above. Questions about any of this? Reach us at privacy@overthink.no.