This Privacy Policy describes how KnotCMS ("we", "us", "our"), operated from India, collects, uses, stores, and shares personal data when you visit https://knotcms.com, use https://app.knotcms.com, or otherwise interact with our Notion-to-Framer CMS sync service (the "Service").
We process personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and applicable rules thereunder, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, where applicable.
1. Data fiduciary and contact
For the purposes of the DPDP Act, KnotCMS acts as the Data Fiduciary for personal data collected through the Service. For privacy-related requests or grievances, contact us at [email protected].
2. Personal data we collect
Depending on how you use the Service, we may collect the following categories of data:
Account and identity data
- Email address and name from Google Sign-In
- Google account identifier used to authenticate your session
- Subscription status, plan type, and billing-related identifiers
Service and configuration data
- Notion workspace connection tokens (stored encrypted) and selected database metadata
- Field mappings between Notion properties and Framer CMS fields
- Framer project identifiers, collection names, and Server API credentials (stored encrypted)
- Sync logs, project status, error messages, and usage counters (e.g. sync quota)
Technical and usage data
- IP address, browser type, device information, and approximate location derived from IP
- Session cookies and authentication tokens
- Server logs, timestamps, and diagnostic information needed to operate and secure the Service
Payment data
Paid subscriptions are processed by our Merchant of Record, Polar. We do not store full payment card numbers. Polar may collect billing name, email, payment method details, transaction history, and tax information as needed to process payments and issue invoices.
3. How we use your data
We use personal data to:
- Provide, operate, and maintain the Service, including Notion-to-Framer sync
- Authenticate you and manage your account and entitlements
- Process subscriptions, invoices, and billing enquiries
- Send service-related communications (e.g. sync failures, account notices)
- Monitor usage, prevent abuse, enforce rate limits, and improve reliability
- Comply with legal obligations and respond to lawful requests
We do not sell your personal data. We do not use your Notion content or Framer CMS data for advertising or unrelated profiling.
4. Legal basis and consent
Under the DPDP Act, we process personal data based on your consent (for example, when you sign in with Google or connect Notion), performance of a contract (providing the Service you subscribed to), and our legitimate interests in securing and improving the Service, balanced against your rights.
You may withdraw consent for optional processing where applicable by contacting us. Withdrawal may limit certain features (for example, disconnecting Notion will stop automated sync).
5. Third-party services and processors
We use trusted third parties to operate the Service, including:
- Google — user authentication (Google OAuth)
- Notion — source content and webhook notifications
- Framer — destination CMS via the Framer Server API
- Polar — subscription billing and customer portal
- Cloudflare — hosting, edge compute, and database infrastructure
These providers act as data processors or independent controllers for their respective services. Their handling of data is governed by their own privacy policies. Where required, we enter into appropriate data processing arrangements with processors handling personal data on our behalf.
6. Cross-border transfers
Your data may be processed on servers located outside India (for example, on Cloudflare's global network or on infrastructure used by Notion, Framer, Google, or Polar). Where personal data is transferred outside India, we take steps reasonably required under applicable law, including ensuring that recipients offer adequate protection or that permitted transfer mechanisms are in place.
7. Data retention
We retain personal data only for as long as necessary to provide the Service, meet legal and accounting obligations, resolve disputes, and enforce our agreements. When you delete a project or close your account, we delete or anonymise associated data within a reasonable period, except where retention is required by law (for example, tax or billing records).
8. Security
We implement reasonable technical and organisational safeguards, including encryption of sensitive credentials at rest, signed session cookies, access controls, and secure transport (HTTPS). No method of transmission or storage is completely secure; we cannot guarantee absolute security.
9. Your rights under Indian law
Subject to applicable law, including the DPDP Act, you may have the right to:
- Access personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request erasure of personal data, subject to legal exceptions
- Withdraw consent for processing that relies on consent
- Nominate another individual to exercise your rights in the event of death or incapacity
- Lodge a grievance with us, and where applicable, with the Data Protection Board of India
To exercise these rights, email [email protected]. We may need to verify your identity before responding.
10. Children's data
The Service is intended for users aged 18 and above. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will take steps to delete it.
11. Cookies
We use essential cookies and similar technologies to keep you signed in and operate the Service. We do not use non-essential advertising cookies on the marketing site. You can control cookies through your browser settings; disabling essential cookies may prevent you from using the app.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the latest version. Material changes will be communicated via the Service or by email where appropriate. Continued use after changes constitutes acceptance of the updated policy.
13. Grievance officer
In accordance with applicable Indian law, you may contact our grievance officer for privacy concerns:
- Email: [email protected]
- Response time: we aim to acknowledge grievances within 7 business days and resolve them within 30 days, or as required by law.