DenimNotes is a professional B2B tool for the textile supply chain. We collect only what we need to run the service. We never sell your data. Your captures, notes, prices, and supplier relationships are yours. Connected parties see only what you explicitly share. Your price field is never visible to any supplier or garment maker — this is an architectural constraint, not a setting. AI features process only the structure of your data, never its contents. You can export or delete everything at any time.
DenimNotes is operated by Esipick LLC, a limited liability company registered in the State of Ohio, United States. For users in the European Union, EEA, and United Kingdom, Esipick LLC acts as the data controller for personal data processed through the DenimNotes platform.
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing and operating the Platform | Account data, content, usage data | Contract performance |
| OCR hang tag scanning | Photographs you capture | Contract performance |
| AI search (schema-only — see Section 12) | Data schema only, not content | Contract performance |
| AI Chat (schema-only — see Section 12) | Data schema only, not content | Contract performance |
| Voice note transcription | Audio file (on explicit request only) | Consent |
| Collaboration — sending invitations | Invitee email address | Legitimate interest |
| In-app threads and messaging | Messages, pinned fabric references | Contract performance |
| Push and email notifications | Push tokens, notification preferences | Contract performance / Consent |
| PDF and CSV export | Content you select for export | Contract performance |
| Customer support | Account data and relevant content | Legitimate interest |
| Security, fraud prevention, abuse detection | IP, usage patterns, device data | Legitimate interest |
| Product analytics (anonymised) | Anonymised usage data | Legitimate interest |
| Billing and subscriptions | Email, subscription tier, billing history | Contract performance |
| Legal compliance and dispute resolution | As required by applicable law | Legal obligation |
DenimNotes connects Buyers, Suppliers, and Garment Makers. This section defines precisely what each party can and cannot see when workspaces are connected. These boundaries are architectural — enforced at the database query level, not as permission toggles.
What a Supplier can never see: the buyer's price per metre, Private notes, captures from other suppliers, brand-internal budget information, or sub-brand tags.
What a Garment Maker can never see: the fabric price the buyer paid per metre, Private notes, the supplier's buyer list or other relationships, or drop reasons beyond "Dropped" (the reason is internal to the buyer).
Each workspace is isolated at the database level. Connecting Workspace A to Workspace B creates a bilateral relationship scoped to those two workspaces only. Neither party can see the other's relationships with third parties. This cannot be overridden by any user role or permission setting.
Either party may disconnect at any time from workspace settings. On disconnection, the other party's access to your shared data is revoked immediately. Data already received and potentially exported by the other party before disconnection cannot be retroactively deleted on their systems. Treat shared data as potentially retained by the receiving party after disconnection.
Every text note and every voice note has an individual Private/Shared toggle. The default for all new notes is Private. Switching a note to Shared makes it visible to connected workspaces. Switching it back to Private revokes that visibility going forward, but does not retroactively delete the note from the other party's view if they have already read it.
For EU/EEA and UK users, we rely on the following legal bases under GDPR Article 6:
As described in Section 5. All sharing is at your explicit direction.
We engage third-party processors under written data processing agreements. Current categories:
| Provider | Purpose | Location | DPA |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage (photographs, voice notes, exports) | US (AWS infrastructure; EU region available and used for EU data) | Available at supabase.com/privacy — execute before EU launch |
| Resend, Inc. | Transactional email delivery — invitations, notifications, account emails | US | Available at resend.com/legal/dpa — execute before EU launch |
| Apple (APNs) | iOS push notification delivery | US | Governed by Apple Developer Agreement; data minimised to push token only |
| Google (FCM) | Android push notification delivery | US | Governed by Google API Terms; data minimised to push token only |
DenimNotes uses only four processors: Supabase, Resend, Apple APNs, and Google FCM. We do not currently use third-party AI providers, analytics platforms, payment processors, or error monitoring services that process personal data. AI features, OCR, and voice transcription are handled on-device or within our own application logic on Supabase infrastructure. When paid subscriptions are introduced, a payment processor will be added to this table.
Processors are not permitted to use your data for any purpose other than providing services to us. The complete sub-processor list above reflects all processors currently used. We will update this table and notify users 30 days in advance before adding any new processor that handles personal data.
We may disclose data to courts, regulators, or law enforcement where required by law. Where legally permitted, we will notify you before complying.
In a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before data becomes subject to a different privacy policy.
Esipick LLC is based in the United States (Pakistan). When we transfer personal data from the European Union/EEA, United Kingdom, or Switzerland to the United States, we rely on the following safeguards:
Copies of applicable transfer safeguards are available on request at info@esipick.com.
| Data category | Retention period | Rationale |
|---|---|---|
| Account and profile data | Duration of account + 30 days | Service delivery; grace period for recovery |
| Captures, notes, voice notes, photographs | Duration of account + 30 days | Service delivery |
| Chat threads and messages | Duration of account + 30 days | Note: messages sent to connected workspaces may be retained by that party |
| Development pipeline data | Duration of account + 30 days | Service delivery; drop data has long-term value to users |
| Billing and payment records | 7 years from transaction | Legal and tax obligations |
| Security and access logs | 12 months rolling | Security incident investigation |
| Anonymised usage analytics | Indefinite | Product improvement (no longer personal data) |
| Backup copies | Up to 90 days from deletion | Business continuity; deletion requests are fully effective within 90 days |
| Legal hold data | Duration of proceeding + applicable limitation period | Legal obligation |
Account deletion removes your personal data from active systems within 30 days and from all backup systems within 90 days. Anonymised and aggregated data derived from your usage is not deleted, as it no longer constitutes personal data.
Contact info@esipick.com to exercise any of the following rights. We will respond within 30 days and may verify your identity before processing your request.
California residents have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act. Submit requests to info@esipick.com; we will respond within 45 days.
DenimNotes uses AI for three functions. In every case, your actual fabric data never leaves our infrastructure:
Audio files are sent to a speech-to-text provider only when you explicitly request transcription for a specific recording. See Section 13 for full detail.
We do not use automated decision-making, including profiling, to make decisions about you that produce legal or similarly significant effects (GDPR Art. 22). All status decisions, development approvals, and commercial choices are made by human users.
We do not use your User Content — captures, notes, prices, voice recordings, supplier names, or development data — to train any AI model, internal or external, without your explicit prior written consent. If AI training features are introduced in future, they will be explicitly opt-in.
Voice notes are a core feature of DenimNotes. Each voice note you record is treated as follows:
DenimNotes Phase 2 introduces in-app collaboration including workspace connections, threads, and chat. The following additional privacy considerations apply:
When @Denim AI is invoked in a thread that includes a supplier participant, the AI feature is restricted. It can answer questions about the shared fabric specification only. It cannot surface the buyer's price, private notes, or any data from outside the shared scope. This is enforced architecturally — not as a guideline.
When you invite a supplier to connect, we store a connection record including both workspace IDs, the status, access level, the date the invitation was created, and the date it was accepted. This record persists until the connection is dissolved.
Garment Makers use DenimNotes to track development requests through the following stages: Development Request → Prototype → Salesman Sample (SMS) → Fit Sample → Bulk Production or Dropped.
The following privacy rules apply to development pipeline data:
DenimNotes processes data that may constitute trade secrets, confidential business information, or commercially sensitive intelligence — including supplier pricing, development decisions, vendor selection criteria, and buyer-supplier relationships.
| Type | Purpose | Duration | Optional? |
|---|---|---|---|
| Strictly necessary | Authentication, session management, security | Session / 30 days | No — required for service |
| Functional | Preferences (theme, language, last workspace) | 1 year | Yes — via cookie settings |
| Analytics | Anonymised usage patterns | Up to 2 years | Yes — via cookie settings |
| Performance | Error monitoring, load performance | Session | Yes — via cookie settings |
We do not use advertising cookies or third-party tracking cookies. Our cookie banner, shown on first visit to the web app, allows you to accept, reject, or customise non-essential cookies. You can change preferences at any time via Cookie Settings in the app.
For full details of our security practices, see the DenimNotes Security Policy at denimnotes.app/security. Key measures include:
In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected users without undue delay if the risk is high (GDPR Art. 34). Contact info@esipick.com to report a security concern.
DenimNotes is a professional B2B platform for individuals 18 and over. We do not knowingly collect personal data from anyone under 18. If we learn that we hold such data, we will delete it promptly. Contact info@esipick.com if you believe a minor's data has been collected.
Material changes will be notified by email to your registered address and by in-app notice with at least 30 days' advance notice. Changes requiring your consent will be presented for explicit agreement before taking effect. Previous versions are available on request.