Evernote

What does Evernote do?

Evernote is a cloud based note taking, organisation, and task management application now operated by Bending Spoons S.p.A. (Italy). It enables users to create notes, clip web content, attach files, organise with notebooks and tags, and collaborate on shared content. The platform processes extensive personal data including note contents, images, audio recordings, and file attachments, and transfers data to US based infrastructure.

What Is Evernote?

Evernote is a cloud based note taking, organisation, and task management application. Originally developed by Evernote Corporation in the United States, it was acquired by Bending Spoons S.p.A., an Italian software company, in 2023. Evernote enables users to create rich text notes, clip web pages, attach files and images, record audio, organise content with notebooks and tags, and collaborate through shared notebooks and workspaces. The platform is available as a web application, desktop client (Windows and macOS), and mobile app (iOS and Android). When Evernote widgets or embedded content are used on third party websites, additional privacy considerations arise.

Cookies and Data Collected by Evernote

Evernote sets cookies for authentication, session management, user preferences, and analytics. Key cookies include session authentication tokens, CSRF protection tokens, analytics identifiers (Google Analytics and internal analytics), and marketing attribution cookies. The platform collects extensive personal data including note contents (text, images, audio, files), notebook metadata, tag structures, sharing permissions, device information, IP addresses, browser type, and usage patterns. The Evernote Web Clipper browser extension additionally processes the content of web pages that users choose to clip. Third party analytics services integrated into Evernote may set additional cookies from their respective domains.

GDPR and ePrivacy Implications

Evernote raises significant GDPR considerations due to the highly personal and potentially sensitive nature of note content. Users frequently store personal journals, health information, financial records, scanned documents, passwords, and confidential business data. Since the 2023 acquisition by Bending Spoons S.p.A. (Italy), the data controller is now an EU based entity, which simplifies some GDPR obligations. However, core data processing infrastructure remains on Google Cloud Platform in the United States. Bending Spoons provides a privacy policy and terms of service that address GDPR requirements. The company underwent significant workforce changes after the acquisition, which raised concerns among some users and privacy advocates about data stewardship continuity. Organisations should carefully review the current privacy policy and DPA to understand the post acquisition data processing framework.

Consent and Legal Basis Requirements

For individual users, the legal basis for core note taking functionality is typically contract performance (Art. 6(1)(b)). For organisational deployments where Evernote is provided to employees, contract performance or legitimate interest (Art. 6(1)(f)) applies. Analytics cookies and marketing communications require explicit consent (Art. 6(1)(a)). The Evernote Web Clipper processes web page content on user instruction, which is covered by the user's consent to use the extension. When Evernote content is embedded on external websites, cookie consent under the ePrivacy Directive is required for non essential cookies. Organisations should ensure their privacy notice covers the use of Evernote for storing employee or customer data.

International Data Transfers

Although Bending Spoons S.p.A. is headquartered in Milan, Italy, Evernote's data is primarily hosted on Google Cloud Platform infrastructure in the United States. This means personal data stored in Evernote is transferred outside the EEA. Transfers are covered by SCCs incorporated into Evernote's terms of service and DPA. The EU based controller status of Bending Spoons provides a direct accountability point within the EEA, but does not eliminate the need for transfer safeguards. Organisations should assess the adequacy of these safeguards and document them in their Records of Processing Activities, noting the Google Cloud subprocessor relationship and the US hosting of note data.

Practical Compliance Steps

To achieve GDPR compliance with Evernote, organisations should take the following steps. First, review Evernote's current privacy policy and DPA under Bending Spoons ownership. Second, implement an acceptable use policy defining what types of data employees may store in Evernote, particularly prohibiting storage of special category data unless specifically authorised. Third, configure sharing settings to restrict external sharing of notebooks containing personal data. Fourth, establish a data retention policy and regularly review and delete notes containing outdated personal data. Fifth, assess the Web Clipper's impact on data processing if deployed to employees. Sixth, conduct a DPIA if Evernote is used to store sensitive personal data at scale. Seventh, deploy cookie consent on any website embedding Evernote widgets. Eighth, ensure your privacy notice covers the use of Evernote and the international data transfers involved. Finally, monitor Bending Spoons' privacy policy updates, as the post acquisition framework may continue to evolve.

GDPR consent category

Other

Websites using Evernote must obtain user consent under GDPR regulations.

Legal basis: Contract performance for core note taking and storage features (Art. 6(1)(b)), legitimate interest for security and service improvement (Art. 6(1)(f)), consent for analytics cookies and marketing communications (Art. 6(1)(a))
Risk level: high
Applicable regulations: GDPR, ePrivacy Directive, UK GDPR, CCPA/CPRA, SOC 2 Type II

DPIA considerations

A DPIA is recommended for organisational Evernote deployments due to the sensitive nature of data commonly stored in notes. Key areas to assess include: the volume and sensitivity of note content (which may contain personal data about clients, patients, students, or employees), image and document attachments that may include scanned identity documents or confidential files, web clipper usage that captures third party web content, sharing and collaboration features exposing notes to other users, international data transfers to US based Google Cloud infrastructure, and the change of ownership from Evernote Corporation to Bending Spoons S.p.A. which changed the data processing landscape.

Sample consent text

This site uses an embedded Evernote widget that may set cookies and process data on servers operated by Bending Spoons S.p.A. and hosted on Google Cloud infrastructure in the United States. By interacting with this widget, you consent to data processing in accordance with Evernote's privacy policy. You can withdraw your consent at any time through our cookie settings.

Technical details

Tracking method: first and third party cookies, local storage, web beacons, device fingerprinting, analytics trackers, API integrations
Server location: US (Google Cloud Platform) with EU processing for some operations
Data transferred outside the EU: Evernote is operated by Bending Spoons S.p.A. (Italy) since 2023 after acquisition from Evernote Corporation (US). Data is hosted on Google Cloud Platform primarily in US data centers. International transfers covered by SCCs via Evernote's DPA. Bending Spoons' EU base provides a controller within the EEA, but core data processing infrastructure remains US based.

Third-party domains contacted

www.evernote.com, app.evernote.com, api.evernote.com, cdn.evernote.com, accounts.evernote.com, www.google-analytics.com

Cookies placed

Name | Type | Duration | Purpose
en_session | authentication | Session | Maintains the authenticated user session for the Evernote web application and synchronisation.
en_csrf_token | security | Session | CSRF protection token for form submissions, note editing, and account management actions.
auth | authentication | 1 year | Persistent authentication cookie enabling automatic sign in to the Evernote web client across sessions.
_ga | analytics | 2 years | Google Analytics cookie tracking visitor behaviour on the Evernote website for usage analysis and service improvement.
_gid | analytics | 24 hours | Google Analytics cookie distinguishing unique visitors to the Evernote website within a 24 hour period.
en_prefs | functionality | 1 year | Stores user interface preferences including editor mode, sort order, and display settings.
_fbp | marketing | 90 days | Meta Pixel cookie used for advertising attribution and conversion tracking on the Evernote website.
en_cookie_consent | functionality | 1 year | Stores the visitor cookie consent preference for the Evernote website.

Frequently asked questions

What cookies does Evernote set?

Evernote sets session authentication cookies, CSRF protection tokens, user preference cookies, and analytics cookies (including Google Analytics). The Evernote website also sets marketing and advertising attribution cookies. Third party analytics services may deposit additional tracking cookies. The Evernote Web Clipper browser extension uses local storage for caching clip settings and authentication state but does not set traditional cookies on visited web pages.

Is consent required for Evernote under GDPR?

For core note taking functionality used by individuals, consent is not typically required as contract performance provides the legal basis. For organisational deployments, legitimate interest may also apply. However, analytics and marketing cookies on the Evernote website require explicit consent under the ePrivacy Directive. If Evernote widgets are embedded on third party websites, cookie consent is needed. Organisations should ensure employees are informed about Evernote data processing in the internal privacy notice.

What is the legal basis for processing data through Evernote?

Core note taking and synchronisation relies on contract performance (Art. 6(1)(b)). Organisational deployments may also use legitimate interest (Art. 6(1)(f)). Security measures and fraud prevention are covered by legitimate interest. Analytics cookies and marketing communications require consent (Art. 6(1)(a)). If employees store customer or partner data in Evernote notes, the organisation must have an appropriate legal basis for that underlying processing activity as well.

Does Evernote transfer data to the United States?

Yes. Although Evernote is now owned by Bending Spoons S.p.A. (Italy), note data is primarily hosted on Google Cloud Platform infrastructure in the United States. International transfers are covered by SCCs in Evernote's terms of service and DPA. The EU based controller status of Bending Spoons provides a direct accountability point within the EEA, but the US hosting means data is subject to potential US government access under the CLOUD Act. Organisations should document these transfers in their Records of Processing Activities.

Is a DPIA required for Evernote?

A DPIA is recommended when Evernote is used organisationally to store sensitive personal data. The highly unstructured nature of note content means users may inadvertently store special category data (health records, financial information, identity documents). Key risk areas include the breadth of data types that can be stored in notes, the Web Clipper's ability to capture web content, sharing features that may expose data, US based data hosting, and the post acquisition changes in data stewardship under Bending Spoons.

How do I implement GDPR compliance for Evernote?

Review the current privacy policy and DPA under Bending Spoons. Create an acceptable use policy defining what data types employees may store. Configure sharing restrictions for notebooks containing personal data. Establish data retention policies and regularly purge outdated notes. Assess the Web Clipper's data processing impact. Conduct a DPIA if sensitive data is stored at scale. Deploy cookie consent for embedded Evernote widgets. Update your privacy notice to cover Evernote usage and US data transfers. Monitor Bending Spoons' policy updates.

Are there privacy friendly alternatives to Evernote?

Privacy focused alternatives include Joplin (open source, end to end encrypted, self hosted sync), Standard Notes (end to end encrypted, zero knowledge architecture), Obsidian (local first with optional encrypted sync), Notesnook (end to end encrypted, open source), and Logseq (open source, local first knowledge management). For organisations, Nextcloud Notes or Outline (self hosted wiki) offer EU hosted or self hosted alternatives with full data control. Each should be evaluated for feature parity and compliance.

How should I update my cookie policy for Evernote?

If you embed Evernote content on your website, document all cookies set by evernote.com and related domains. List authentication, analytics, and marketing cookies with their names, purposes, and durations. Describe the personal data processed through any embedded widgets. Reference Bending Spoons S.p.A. as the data controller and the SCCs covering US data transfers. Note the Google Cloud subprocessor relationship. Provide clear consent management options and instructions for exercising data subject rights.