Privacy Policy

Effective date: December 6, 2025
Last updated: December 6, 2025

This Privacy Policy explains how NopeNet, LLC (“NopeNet”, “NOPE”, “we”, “us”, or “our”) collects, uses, and protects information in connection with our websites and API services.


1. About NopeNet

Legal entity: NopeNet, LLC
Registered address: 1111B S Governors Ave STE 90911, Dover, DE 19904, United States
Website: https://nope.net
Contact email: hello@nope.net

NopeNet is an early-stage startup. Our services are currently intended for business customers established in the United States. We do not yet offer:

  • GDPR-compliant Data Processing Agreements,
  • EU/UK representatives,
  • Standard Contractual Clauses for international transfers.

If you require any of the above, NOPE may not be the right fit at this time.


2. What We Do

We provide a business-to-business (B2B) developer API for safety and risk signalling in conversation data.

Our direct customers are businesses and developers (“Customers”), not the end-users of their platforms.

When a Customer integrates the NOPE API:

  1. Their system sends conversation text and associated metadata to our API.
  2. We route that text to large language model (LLM) providers and related infrastructure.
  3. We return structured risk signals, matched crisis resources, and optional response templates.
  4. We do not store raw conversation text in our application database for long-term use (such as user profiling or analytics).

If you are an end-user of a Customer’s platform (for example, a chat app that uses NOPE), your primary privacy relationship is with that platform. This Policy explains our limited role.


3. Our Role: Controller vs. Processor

  • Customer account data
    For data about our direct Customers (e.g., account details, billing identifiers), we act as a data controller. We decide how and why this data is used, within the scope described in this Policy.

  • End-user conversation data
    For conversation text and associated metadata sent to our API by Customers, we act as a processor/service provider. Customers decide what to send us and why; we process it only to provide our services to them.


4. Information We Collect and Store

4.1 Information We Store in Our Systems

These categories are stored in our own database and application systems:

| Data Type | Examples | Purpose |
|---|---|---|
| Customer account | Email address, optional name/organization | Account management, support, communication |
| Authentication | Hashed passwords, session tokens | Secure login and session management |
| API credentials | Hashed API keys, key names, creation dates | Authenticate and manage API access |
| Usage metrics | Evaluation counts, timestamps, rate-limit events | Operations, billing, abuse detection |
| Support communications | Emails or messages sent to us | Responding to questions and support requests |

We do not deliberately store raw end-user conversation text in our application database.


4.2 Information We Process but Do Not Intentionally Store Long-Term

These categories are processed in order to provide the service, but we design our systems so they are not retained in our application database for long-term use:

| Data Type | How We Handle It |
|---|---|
| Conversation content (messages) | Processed in memory and via our LLM providers to generate risk assessments, then returned to the Customer. We do not intentionally store full conversation content in our application database. |
| Risk assessment results | Generated and returned to the Customer. We may temporarily buffer results in transit or short-term caches but do not maintain a per-end-user risk history database. |
| Customer-supplied identifiers | IDs or references that a Customer includes so they can join results back to their own systems. These are passed through in responses and not stored long-term by us. |

Important limitation:

Like most cloud services, our infrastructure and service providers (for example, hosting, networking, and LLM providers) may generate technical logs that include elements of the above data (for example, IP addresses, timestamps, and request metadata) for a limited period for security, abuse monitoring, and debugging. We describe this further in “Service Providers and Operational Logs” below.


4.3 What We Do Not Intend to Collect or Use

We do not intend to deliberately collect, store, or build profiles based on:

  • End-users’ names, emails, or contact information (unless a Customer explicitly includes them in conversation text or metadata),
  • Per-end-user behavioral profiles,
  • Long-term per-conversation risk histories.

If a Customer chooses to send personal information inside conversation text, that is controlled by the Customer. We ask Customers not to include more personal information than is necessary for their use case.


5. How We Use Information

5.1 For Customer Data (Controller Role)

We use Customer account and usage data to:

  • Provide, maintain, and improve the NOPE API and related services,
  • Authenticate Customer accounts and API keys,
  • Enforce usage limits and billing,
  • Detect, investigate, and prevent abuse and security incidents,
  • Communicate with Customers about service updates, downtime, and security notices.

We do not sell Customer personal information or use it for third-party advertising.


5.2 For End-User Data (Processor/Service Provider Role)

When processing conversation text and associated metadata for Customers, we use it to:

  • Generate risk signals and assessments,
  • Match appropriate crisis resources,
  • Provide optional response templates or structured outputs,
  • Monitor for abuse and misuse of our service.

We do not:

  • Use end-user data for our own marketing,
  • Build advertising profiles,
  • Train our own models directly on Customer conversation content.

Where our LLM providers offer controls to disable model training on API data, we configure our integrations with those controls enabled for Customer traffic, or use providers whose APIs are not trained on Customer data by default. Customers should review the privacy documentation of any third-party providers they request us to use.


6. Service Providers and Operational Logs

We rely on third-party service providers (“Subprocessors”) to host and operate our services. These providers may generate and retain operational logs that can include IP addresses, timestamps, and request metadata for security, abuse monitoring, performance, and reliability.

Key categories of providers in our stack include:

  • Hosting and edge infrastructure (e.g., Netlify)
    Used to host our API and websites. These services typically log HTTP requests, including IP addresses and browser/user-agent details, for a limited period for security and performance monitoring.

  • Database and authentication (e.g., Supabase)
    Used to store our application data and manage authentication. These providers may log access events and operational metadata. We rely on their security certifications (for example, SOC 2 Type II) where applicable.

  • LLM routing and providers (e.g., OpenRouter and model providers such as OpenAI, Anthropic, and Google)
    Used to analyze conversation text and generate risk assessments. Each provider has its own data handling and retention policies. Many retain API logs for a limited period (for example, up to around 30 days) for abuse monitoring and security, and some offer configurations or tiers with shorter retention or zero-data-retention modes. We configure our accounts to avoid prompt logging where possible and to disable model training on API data where such controls exist.

We do not control the exact log retention periods or geographies of all Subprocessors. We select mainstream providers with documented security practices and seek to minimize the amount of personal information exposed to them.

We do not sell personal information. We do not share personal information for advertising purposes.


7. Data Security

We implement reasonable technical and organizational measures designed to protect information, including:

  • HTTPS/TLS encryption for data in transit,
  • Hashed passwords and API keys,
  • Access controls and least-privilege principles,
  • Row-level security in our database where appropriate,
  • A service design that avoids storing raw sensitive content in our own long-term data stores.

We are a small early-stage company and do not currently hold SOC 2, ISO 27001, or similar certifications ourselves. We rely on certified infrastructure providers (such as Supabase and other major cloud services) for core hosting and storage, and we will strengthen our own controls as we grow.

No security program is perfect. We cannot guarantee absolute security.


8. Data Retention

Our retention approach is:

| Data Category | Retention Approach |
|---|---|
| Customer accounts | Stored while the account is active. Deleted or anonymized after closure, subject to legal or accounting requirements. |
| API keys | Stored until revoked or the associated account is closed. |
| Usage statistics | Retained while the account is active and for a reasonable period afterward for accounting, security, and historical usage records. |
| Conversation content | Not stored long-term in our application database. May exist briefly in memory, transient caches, or provider logs as described above. |
| Provider and infrastructure logs | Retained according to each provider’s own policies (typically days to a few weeks, and in some cases up to around 30 days or more for security and compliance). |

When we no longer need information for the purposes described in this Policy and are not legally required to retain it, we aim to delete or anonymize it.


9. HIPAA / Health Information

NOPE is not currently designed or represented as compliant with the US Health Insurance Portability and Accountability Act (HIPAA).

  • We do not sign Business Associate Agreements (BAAs) at this time.
  • Our services are not intended for use with Protected Health Information (PHI) as defined by HIPAA.

Customers must not send PHI to our services unless and until we explicitly state otherwise in a separate written agreement.


10. Your Rights and Choices

10.1 If You Are a NOPE Customer

If you have an account with us, you can:

  • Access your basic account information via the dashboard,
  • Update or delete certain account details,
  • Revoke or rotate API keys,
  • Close your account (which will trigger deletion or anonymization of associated data subject to our retention needs).

You can also contact us at hello@nope.net to:

  • Request a copy of personal information we hold about you,
  • Request correction or deletion of personal information,
  • Ask questions about how we handle data.

We may need to verify your identity before responding to certain requests and may retain some information where required by law or legitimate business needs (e.g., records of billing transactions).


10.2 If You Are an End-User of a Customer’s Platform

If you use a service that integrates NOPE (for example, a chat app that calls our API), your primary relationship and rights (including access, deletion, or objection rights) are with that Customer.

  • We generally cannot identify you directly.
  • We act on the instructions of the Customer when processing your data.

If a Customer asks us to assist with a deletion or access request relating to data we process on their behalf, we will make reasonable efforts to support them, where technically feasible.


11. Cookies and Similar Technologies

  • Dashboard: We may use strictly necessary cookies or similar technologies for authentication, session management, and security. These are required for the service to function.
  • API: Our API itself is stateless and does not rely on cookies.
  • Marketing site: We may use privacy-respecting, non-advertising analytics (for example, aggregated traffic metrics). We do not use third-party advertising cookies or trackers.

12. Children

NOPE is a B2B service directed at organizations and adult professionals, not at children.

We do not knowingly collect information directly from children. Our Customers may use our service in products that involve minors (for example, safeguarding or youth support services). Customers are responsible for complying with applicable laws governing data about children (such as COPPA in the United States) when they use our services.


13. Automated Processing and Human Oversight

Our service uses AI models to analyze text and generate risk signals and other structured outputs. This is automated processing, but in our design:

  • Outputs are signals and tools for Customers,
  • Customers retain responsibility for how they act on those signals,
  • Customers should implement appropriate human oversight and escalation processes.

We do not make automated decisions on individuals that by themselves create legal or similarly significant effects.


14. Geographic Scope and International Transfers

NopeNet is based in the United States, and our core infrastructure is currently hosted with providers that offer US data centers.

However, some of our Subprocessors may process data in other countries or regions as part of their global cloud infrastructure. By using our services, Customers understand that information may be processed outside the state or country where they are located, in jurisdictions that may have different data protection laws.

We do not currently offer EU/UK-specific data transfer mechanisms such as Standard Contractual Clauses or local EU/UK representatives.


15. US State Privacy Laws

We are aware of comprehensive privacy laws in states such as California (CCPA/CPRA), Virginia, Colorado, Connecticut, and others. As a small early-stage company, we may not meet all statutory thresholds that make these laws directly applicable in every case.

Regardless of thresholds:

  • We do not sell personal information,
  • We do not share personal information for cross-context behavioral advertising,
  • We aim to honor reasonable access, correction, and deletion requests from individuals where we can identify them and have a direct relationship.

When we process personal information on behalf of a Customer, we act as a “service provider” or “processor” under applicable US state privacy laws. We only process such data for the limited business purpose of providing our services to that Customer.

If you are a California resident (or a resident of a state with similar rights) and believe that we process your personal information, you may contact us at hello@nope.net to exercise your rights. In many cases, we’ll refer you to the relevant Customer, who controls your data.


16. Security Incidents and Notifications

If we become aware of a security incident that affects personal information we hold as a controller or processor, we will:

  • Investigate the incident,
  • Take reasonable steps to mitigate harm, and
  • Notify affected Customers without undue delay where required, providing information we can reasonably share to help them meet their own legal or contractual obligations.

Customers are responsible for notifying their own end-users if required by law.


17. Changes to This Policy

We may update this Privacy Policy from time to time.

  • If we make material changes, we will notify Customer account holders by email or by posting a notice on our website or dashboard.
  • The “Last updated” date at the top of this Policy will reflect the latest version.

Continued use of our services after an update becomes effective will mean you accept the revised Policy.


18. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, you can contact us at:

Email: hello@nope.net

Mail:
NopeNet, LLC
1111B S Governors Ave STE 90911
Dover, DE 19904
United States


This Privacy Policy reflects the current practices of an early-stage US-based startup and is not legal advice. You should consult qualified legal counsel for advice on your specific obligations.