We're a bootstrapped team of 4 and we've been building our personal crm app for over a year. As the original founder and CEO, I've been waiting for this day for a loooong time!
I finally love my own app and use it on a daily basis (hopefully you will too).
We've already launched a long time ago but today we're launching a new feature: Note taking, straight from your inbox.
We email you before every meeting with all the notes you've taken about the person you're going to meet and you simply have to reply to the email to log a note! Making it the easiest way to build your database of notes about your contacts.
I know that there are tons of people who tried to build a personal CRM and that everyone has his opinion on how the "right" personal crm should work.
Personally, we've decided that:
- it should be fully automated (sync with calendar and email)
- super simple to use (no complex and clunky interface)
- it should be magic (our app tells you who you're losing touch with based on your data)
And you? What are you looking for in a personal crm?
Landing Page seems interesting but just a word of advice as a constructive criticism hopefully. A Show HN must allow for us to be able to signup or use the app immediately and it looks like we cannot do that right now since it requires onboarding due to gmail limitations.
I read it as referring to unfinished products that don't yet exist. What if you're making a Google Calendar extension? Wouldn't that be allowed as a Show HN?
Hey! It is immediately accessible, sorry for this not being clear!
The note taking app within email is free and directly accessible, there are multiple calls to action on the page but here is a shortcut to get started: https://calendar.nat.app
Our paying/main app (the personal crm app that tells you who you're losing touch with) is on a request-only basis because it works with Gmail and we're limited in the number of users we can onboard for now.
I strongly disagree with your tag line. I think the only way such note taking should be is open source and completely private, otherwise a) you're locked in and b) you risk sensitive info leaking.
> Your Gmail data is only used by machines. Our team won't read or access any of your email data unless you explicitly ask for it (for support for ex.)
"Won't" means nothing. The word you're looking for is "can't"
> By default, we don't share any data with third parties. The only exception to this rule is Mixpanel, our analytics apps, which receives information about how you use our app only.
Yeeaaaaah your privacy policy directly states that if you're acquired or go out of business, user data will be transferred or sold.
> As required by Google, the authentification tokens we use to retrieve your Gmail data are safely encrypted in our database.
"We do what is required" isn't convincing me you take privacy seriously, and...encrypted how? A password in the database server's config file?
> Access to production environments is limited to authorized team members only.
And....who are authorized team members? "Authorized team members" could mean "the entire engineering and QA teams, plus the marketing intern collecting demographic data reports."
Your statement doesn't distinguish between user data and the production environment as a whole, it doesn't commit to strictly keeping access to production AND user data to the bare minimum required.
> We use the industry-standard 256-bit encryption with SSL.
...like everyone else? This does not inspire faith that your company has exemplary network security if you think this is worth mentioning.
> Key passwords are updated on a quarterly basis to reduce risks.
You think quarterly password rotation is a noteworthy, or even effective, security practice? You're using passwords as your sole authentication for employees? O_o
You make no mention of your policies with regards to law enforcement. Do you commit to only releasing data when served with a warrant or subpoena, or can Officer Bob call you up and explain how he's investigating a Really Bad Person and you'll hand over their data? Seems the answer is yes, you will:
> "Nat discloses potentially personally-identifying and personally-identifying information only in response to a subpoena, court order or other governmental request, or when Nat believes in good faith that disclosure is reasonably necessary to protect the property or rights of Nat, third parties or the public at large."
What country is your organization incorporated in? What country is user data kept in and thus what laws is it subject to? Is the data stored in the cloud? A server in your uncle's basement?
You make no mention of systems to assure only a minimum number of designated employees have the access they need when they need it. IE a support team member cannot access a customer's data unless there is an open case verified as initiated by the customer.
You make no mention of how data or whether data is encrypted; it seems only gmail auth tokens are?
You should be using hardware token 2FA for critical employee access and 2FA everywhere else...not rotating passwords quarterly. You should be using vaults for every password used in production. All access should be logged and audited by an outside party.
It's of course fine to make the case for privacy and security in a product like this, but please do it without snark and especially without being an internet asshole. Those things are destructive of the ecosystem here, and the ecosystem is more important than any particular thread or product.
I'm sure you wouldn't litter in a city park or dump motor oil into a lake, so please don't do the analogical things on HN.
I was already put off by the email-centric flow of this (I want to spend less time in my email inbox, not more), but it looks like from this comment that signing up requires me to auth nat.app to read my gmail?
Complete non-starter for me. So many reset flows go through email these days that your primary email is the keys to the kingdom.
I could set up a specific email account on my domain just for nat.app but the whole point of this CRM is that it's in the same flow as the rest of my email, isn't it?
They are using a 3rd party keylogging service on the front-page. Most of these services also use them in the app itself, which isn't what the keyloggers were designed for. I'm at the point now that when I see these tools being used on the front-page I won't even bother with a trial.
Thank you so much for sharing your thoughts on the way we describe our privacy policy. It seems like you created an account just for this, that's really nice! Thanks!
We'll review your comment with the team this week and update our pages accordingly.
But really, we're not trying to pretend something and actually use data in a bad way.
We want to build a long term business that is totally based on trust and we really appreciate comments like yours that show that we still have a long way to go in the way we explain the use of our data.
Thanks again, I'll update this post once we've improved our /privacy page based on your comments.
> we're not trying to pretend something and actually use data in a bad way
When it comes to privacy, people actually want to know that YOU can't be exploited to giving information. If you can access something, what prevents someone from hacking your system and getting our data? That's the point, not your intent. It's that you are an attack vector now. What are you doing to mitigate this?
Gotcha, makes sense. I just wanted to clarify this.
We're really doing everything we can to make sure the data you share with us is safe. Encrypting google access tokens, updating passwords regularly and using 2FA are a few examples.
But then, we're not un-hackable of course. Risk 0 does not exist and that's something every user is and should be aware of.
We don't have the same budget for security as big companies and even they get hacked.
I do not think that we host the kind of data that a hacker would like to acquire. Notes we take are usually pretty low-risk data. This is what protects us the most probably.
The notes I take sometimes contain PII (personally identifying information) about other people, sometimes notes about things I'm investigating for someone that they would be distressed to find had ended up "on the internet", and sometimes commercial secrets (about jobs, clients etc that they share with me under NDA). And I'm just a lowly programmer and dogsbody doing random client work.
Now consider a therapist finds your product useful for their personal notes, and doesn't realise what they are getting into.
> I do not think that we host the kind of data that a hacker would like to acquire
Hackers don't tend to go for data they would find valuable themselves.
They go for data the author of the data finds valuable for themselves (which notes may be by definition), or just as likely, specifically don't want anyone else to read. An example of the former is all those ransomware attacks. An example of the latter is the above link to the private notes blackmail incident.
> I do not think that we host the kind of data that a hacker would like to acquire
Please don't minimize this. You lose trust when you minimize a valid concern.
> Risk 0 does not exist
If someone is willing to educate you on the matter, they might already know such trivial things. Which is why I initially said 'what are you doing to minimize this'. You mentioned some above. I'd encourage you to look into more techniques to minimize it even further. This would build trust with whom you are asking to spend money with you.
Thanks for the feedback! We'll always work on making our app more secure! We can only succeed at building a long lasting business if we're able to build trust with our users.
seems like this user only created a HN account to pull apart the privacy policy statements...
Although good and constructive criticism, it is harsh on a team that is trying to launch something into this world, and scares off other users considering this service. I bet one could go through the privacy statement of a large co like youtube / facebook and nitpick similar issues. Of course it should be aligned, although I think it never is, a privacy statement is definitely not a reflection of how good a product’s security is.
This is a really awful place to show off a product if you don't want honest feedback. If I were launching something new, the post above yours is exactly the kind of potential customer's perspective I'd hope to get.
I am looking for something that integrates with the communication tools I actually use when I get in touch with them, and for me that is not email and calendars ... for me that is chat (WhatsApp)
I take notes on my iPad. I love it because I can type, record audio, sketch, include photos, annotate PDFs, etc... How would your service help someone like me?
What makes us special is that:
- you can write notes from your inbox without having to open a web app or so
- you get those notes in an email before your next meeting
If you care more about being able to draw/record, ... then evernote is a much better option.
I also created my own personal CRM (https://contactcache.com), but my main take was privacy. I believe that the information stored about our business partners or loved ones are really sensitive and therefore I opted for 100 % end-to-end encrypted notes.
I am not working on the app now as I haven't figured out how to make money on it yet. However I will leave this idea here because I think that you guys should consider offering end-to-end encrypted notes (even just as an option for some selected notes).
I had a call with him about this and he clearly explained to me how hard it was to implement and all the compromises you have to make. In our case, as we want to offer the most effortless experience, end-to-end encryption is going to be hard, but we definitely want to get there at some point.
Looks super interesting - would love if the homepage had some kind of demo/screenshot built in. I'd rather not have to click any buttons to see what I'm getting myself into here
I like the landing page a lot (with original header)! For me that quickly added image seems to be out of place and doesn't actually explain the usage of the app. In my opinion the original header was better at expressing a constant feel of the page.
Some feedback for the team:
I read the landing page, and think, "oh this could be interesting, let's try it". Hit the 'write my first note' CTA button. Next question is 'sync your calendar to get started'. No explanation why, and it only seems to accept Google. So I dropped out. Read the landing page again, and still I have no idea why calendar access is mandatory.
What makes our note taking tool special is that we send you an email before every meeting with all the notes you've taken about the person you're about to meet. Then you can simply write a new note by replying to the email.
This is why the calendar integration is required. Hope that makes sense!
Is this the same CRM app which was using key loggers inside the application? I see they are using these keyloggers on the main page. I don't even want to try the registration process.
Edit: Keyloggers which send your data to a third party service.
You are using hotjar, which logs every keystroke from the user if they have JS enabled. Please, please, don't pretend like you "take security very seriously" when it's very clear that you pull stuff like this without even being aware of the implications, or looking it up when someone asks about it.
The dismissiveness in your other comments on this post shows, at best, a huge amount of naivety. If you're hiring, make sure your next technical hire is a (rational) security paranoiac.
Demo or bounce. Too many note taking apps. What's your edge?
> You don't need to open a new tab, just reply to the email to take notes.
Why reply to an email when I can just open a new tab in my editor? These both seem to be the same level of effort. Landing page doesn't explain why this solution is better.
> We'll send you an email before your meetings with all the notes you've taken about all the people that are present at the meeting. Automatically figure out who you're losing touch with and reconnect! We have built an algorithm that analyses your email and calendar data to figure this out.
These features seem to be your edge. Give them a spot light with a demo. Maybe a user-flow that showcases these features to give people an idea of why this note taking experience is better for them.
I wonder what this is? My very first impression is a standard boot screen. No details. No screenshots. No idea what makes it special outside of "it works". On the first click, it wants access to my calendar.
No. Mine.
This is flirting. Show me why I should be interested before I bare my soul.
Love the feedback! Because we're actually inside Gmail, it's pretty hard to show screenshots but we tried to describe the way the app works as precisely as possible. We'll add a demo video in the coming days.
Looks interesting. A few initial reactions:
1) I'm assuming I won't be able to use this with my enterprise email? Even if my admin doesn't block my calendar sharing, it seems like I'd be running afoul of our rules by sending notes to some unknown platform.
2) um, what's the name? Is it personal CRM? (that doesn't appear in big font anywhere). nat.app? (I only see that in the url and email addresses). something else?
1) If your admin allows it you're fine. We work with G Suite as well. What concerns do you have? Please check out https://nat.app/privacy to understand how we treat your data, to summarize:
- Your data is never accessed by a human
- We don't share it with any third parties
- Your data is safely stored and sent to you when needed (aka. before your next meeting). That's it.
If you're fine writing down notes into a web app, sending them per email is the same level of safety/security.
2) It's Nat indeed. We were previously called Nat Bot (initially we tried to build a chatbot, but pivoted a bit). Nat it is :)
In the big enterprise world, you don't even get to ask your admin if it's fine. Every answer is a "no" by default unless you have an extremely compelling case. Sharing data outside of the network is a major no-no for certain industries (like mine, which is Financial Services)
> sending them per email is the same level of safety/security.
Not exactly. My company logs every e-mail I send / receive, but not every HTTP request. If we're ever sued, the e-mails may show up in court, but not HTTP.
And if you're ever sued, what happens to the data I e-mailed?
In case some entrepreneur gets discouraged by this comment, I'd like to add some personal color (currently building B2B product). The commenter is correct that IT admins take a conservative stance ("no" by default) but that doesn't mean your startup can't break into big enterprise using a bottoms-up motion. Unless the business is in a highly regulated industry, employees will sign up to try the product and, in most cases, won't ask IT for approval.
This is indicative of a broader trend in how software is distributed in the enterprise. Whereas software was traditionally purchased tops-down (i.e. CIO purchasing decision), today's software products are increasingly product-led & bottoms-up (i.e. end user purchasing). Classic examples include Dropbox, Slack and now Notion, Airtable, etc.
Oh ok that makes sense! Yeah in that case, our app might not be the best fit if you're thinking of taking notes that can contain highly sensitive data.
Thanks for sharing! That will definitely impact us if we want to sell to enterprise. But to be honest, we don't plan on going into that direction.
We're bootstrapped, so no big pressure on getting really big. We're super happy to just become a profitable business that our users enjoy, à la Basecamp.
The least interesting 'feature' to me for note taking is a third party cloud-based tool storing and organizing them for me. I'm likely an outlier, because I (a) take notes in text files, (b) maintain complete control over them, and (c) value privacy over convenience.
I realize the cloud is where all the sexy people try and make money today, but...I'm worn out by slight variations on the same old pitch: 'here's a database with a UI, and we'll host the database!'.
Database with UI and CRUD apps are generally OK, because there are still loads of people who cannot do that and they need something like that.
What I don't like are "personal productivity applications", because those seem like they are created by people without imagination. Making another TODO app with email reminders, quantified self, CRMs to manage connections with friends and family.
Those kinds of apps are created by "self improvement nerds" for people like them. Problem is those apps never solve any real world issues. Because people who are self improvement nerds would rather build their own system and people who don't care about it won't use it.
For me those apps are in the category of self improvement books. Where for most people, investment in a self improvement system quickly goes above the return on that investment. Just like when you start tweaking your .vimrc and at the end of the day instead of doing work you just played with your settings.
Using such tools and tweaking those will quickly end up in using the tool instead of actually living one's life. When you know your uncle Ted does not like you, using a system that reminds you about his birthday is not going to change that. You are not going to become a millionaire by using some system that "millionaires use". Using Elon Musk time management is not going to make you a successful owner of multiple companies if you are working a 9-5 drone job.
Interesting to read those points of view. There are really many different ways to look at things... :P
But to me at least, building a CRUD app that makes someone's life 10x better is worth a lot :) (even though our app is much more than just a crud app!)
Even making someone's life 10x better with a simplest of CRUD apps is not in itself a justification for offering a Faustian bargain. Because it's not the CRUD part that's the problem, but the part in which the vendor owns the database and means to access it.
This is indeed feedback we've received a few times. What is different in our case is that we haven't raised any VC money. We don't have any outside pressure and one of the main reasons we're building this app is for ourselves: we just really need such a tool.
I believe notes (personal or professional) should be as protected and as private as it gets. At least e2e with open source clients.
So while I appreciate you mentioning your business and financial aspirations, please remember the time when that, now famous, VR company had a kickstarter. Later - "journey thingie", "we have the same goals", "synergy" etc happened to them at Facebook.
In fact, in the case of WhatsApp a poor cofounder wasn't even able to see what Facebook planned to do with WhatsApp, something almost everybody was able to see with their eyes closed, when they took the billions (happy for them). He is now a respected billionaire born again privacy crusader. Nice guy.
On another note: personally I have been moving my notes to Standard Notes. nv -> nvAlt -> Apple Notes -> Simplenote -> Standard Notes (I wish these guys had native apps).
Bear is a solid app and I wanted to pay but they are not FOSS. I am also keeping an eye on https://github.com/glushchenko/fsnotes (native and promising).
Same, but not even primarily a privacy thing (tho that is a very close second)
I want to be able to access the notes. At all times. If I've got battery power, I should have my notes. Even Evernote screws this up sometimes if you're on a slow (not down) network
I've switched to Joplin myself because it just syncs every so often. My notes aren't hidden behind some bloated app that struggles with high latency and as a bonus my central storage is my NAS over WebDAV (and Tailscale to access it everywhere I have internet access)
In order to sync across devices, I use Standard Notes, which also implements end to end encryption of your data.
There's a self-hosted open source version. And there's a paid version to host on their servers, which I've used for a few years now and have never had an issue with.
If you like the plain text format (with option to use Markdown), you might like it. For me, the benefit is when I have random things throughout the day I realize I need to do. I add it to my phone, and I then immediately have it on all of my Linux and Mac desktops and laptops. I also live in the mountains and frequently take notes while out of cell/wifi service and syncing has still been great.
I share your lack of interest in using this specific product because I also prefer something closer to plain text notes that I manage for things like this, but I do think this is a more interesting service than just "a database with a UI".
The automatic reminders to read and type notes via emails solves a problem that I expect many people have with taking these kinds of notes: remembering to write them after meetings and remembering to read them before meetings.
Unfortunately not a service for privacy-conscious people, since it heavily depends on google services.
The site itself makes 57 third party requests to 13 different sites.
How does it compare with monicahq.com? It's another personal crm, open source; they tout themselves as a rolodex of personal contacts. Congratulations on launching!
Thanks for the question! Monica has been around for a while and well known so we appreciate the comparison.
Monica is fully manual. You have to add every interaction manually and open their web app if you want to add a note. We're much more integrated and proactive: you'll receive an email before every meeting with all the notes about the person you'll meet in that meeting for example.
Our main app also tells you who you're losing touch with based on your data. Monica is really a sexy database, we add some "magic" on top of that.
I love the idea of resurfacing notes before meetings where they are relevant. Feels like there's a lot of software out there based on improving our note-taking, but very little that focuses on how we use our notes. Very cool.
This looks neat, will keep an eye on this! Good luck with the Google Security Assessment. The first one takes quite a bit of time to cover all the bases, but the future ones are much easier once familiar with the process.
Thanks! Yeah for now we're waiting to get more paying customers and then we'll pay for the security assessment ourselves (or get an Angel investor), probably in January.
But 20k is a steep price :/ especially for a bootstrapped company like us.
Some might say Google is trying to prevent small companies from innovating upon Gmail...
Out of curiosity, where'd you get the $20k estimate? Their docs [1] give a $15-75k range, but I haven't contacted either of the two companies actually authorized to do the audits yet and details about the process are a bit scarce.
Either way - it's a huge chunk of change. Would be happier if it were on the lower end of that price range for sure.
It's tough. I see where they're coming from not wanting people to access people's emails without being properly vetted. At least it's an additional "badge" you can display on the security side of things.
Don't forget to budget in the fact that it's annual...
Yeah! We saw that! But as you said, we're looking forward to it as a way to bullet-proof our security.
It's a valid concern and getting vetted by a security company will be a huge plus!
Especially given the privacy concerns raised by other comments.
Just to clarify for readers, to use our note taking app, you only need to sync your calendar. Syncing gmail is only required to use our paying personal CRM app as we use this data to find out who you're losing touch with (but we only access metadata, we can't read your emails).
Just for information, our servers & database are getting hot and starting to break which might lead to some in-app emails not getting delivered! Too many users are signing up :P
We've upgraded our services. Everything should be running smoothly again. Please email tech@nat.app if you have any issues or if anything seems like it's not working!
Wait what? :P No AI involved on the note taking aspect. You have to sync your calendar data in order for us to know when you have a meeting :) Hope that makes sense!
Our main personal crm syncs with Gmail and uses an AI in order to find out who you're losing touch with, if that's what you mean.
It is what I mean, but might not be as dangerous as I initially assumed. If it is just for identifying contacts and the AI is just generating information instead of acting on it.