Legal
Application privacy policy
Effective date
July 9, 2026
1. About this policy
The Notakey mobile application (“the App”) is built by Notakey Latvia, SIA (“Notakey”, “we”, “us”) and is used to approve authentication and transaction-signing requests from services that use Notakey. This policy explains what data the App handles and how. It applies alongside our website Privacy Policy.
In most deployments, the App is provided to you by your employer or a service you use (the “Organization”), which configures and controls the Notakey service you are enrolled in. Where that is the case, the Organization is the data controller for your authentication data, and Notakey processes it on the Organization’s behalf. If you have questions about how your data is used, please contact your Organization first.
2. What stays on your device
When you enroll in a service, the App generates a cryptographic key pair on your device. The private key is generated and stored in your device’s secure hardware storage and never leaves your device — it is not transmitted to Notakey or to the service you enrolled with. Only the corresponding public key is shared with the service provider to complete enrollment.
Where the App uses your device’s biometric unlock (e.g. Face ID, Touch ID, or fingerprint) to protect access to the App or to approve a request, that biometric data is handled entirely by your device’s operating system. Notakey does not receive, store, or have access to your biometric data.
3. Information the App collects
- Device and registration data — device model, operating system version, app version, and a push-notification token, so approval requests can be delivered to the right device.
- Enrollment data — depending on how your Organization configured onboarding, this may include your phone number and a one-time code delivered by SMS or WhatsApp, a password verified against your Organization’s directory (e.g. Active Directory or LDAP), a sign-in through your Organization’s OpenID Connect identity provider, or manual approval of your enrollment by your Organization’s administrator.
- Camera access — used only to scan a QR code where that is part of an enrollment or signing flow. The App does not access or store your photos.
- Approval activity — the fact that a request was approved or declined, and when, so the service you enrolled with can verify it. The content of what you approve (e.g. a document) is shown to you by the App but is controlled by the service provider, not stored by Notakey beyond what is needed to deliver the request.
4. Diagnostics and crash reporting
If the App encounters an error, diagnostic information is sent to Sentry (Functional Software, Inc.), our crash-reporting service, so we can find and fix the problem. This typically includes your device model, operating system version, app version, and a technical stack trace describing the error. Crash reports do not include your private keys or the content of your approval requests.
5. Third-party services
The App uses Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android to deliver approval requests, and Sentry for crash reporting (see section 4). These providers receive technical device data (such as a push token or crash diagnostics) but not the content of your approval requests.
6. Data retention
Enrollment and key material stay on your device until you remove the App or un-enroll. Server-side records of approval activity are retained under the control of your Organization, in line with its own policies and our Data Processing Agreement.
7. Security
Private keys are generated and held in your device’s hardware-backed secure storage (e.g. Secure Enclave / StrongBox) and are not exportable. Requests are transmitted encrypted, and each approval is cryptographically signed with your device’s private key so it cannot be replayed or forged.
8. Your rights
If the GDPR applies to you, you have rights to access, correct, restrict, or request erasure of your personal data, and to lodge a complaint with your local data protection authority (in Latvia, the Data State Inspectorate). Because your Organization typically controls your enrollment, please contact them first; you can also reach us at info@notakey.com.
9. Children’s privacy
The App is intended for use by employees and customers of business organizations and is not directed at children under 16.
10. Changes to this policy
We may update this policy from time to time. Material changes will be posted here with an updated effective date.
Contact us
Questions about this App Privacy Policy can be sent to info@notakey.com.