Privacy Policy

Effective date: December 19, 2025
Last updated: January 13, 2026

This Privacy Policy explains how NopeNet, LLC ("NopeNet", "NOPE", "we", "us", or "our") collects, uses, and protects information in connection with our websites and API services.


1. About NopeNet

Legal entity: NopeNet, LLC
Registered address: 382 NE 191st St, PMB 775891, Miami, Florida 33179-3899 US
Website: https://nope.net
Contact email: [email protected]

NopeNet is an early-stage startup. Our services are currently intended for business customers established in the United States. We do not yet offer:

  • GDPR-compliant Data Processing Agreements,
  • EU/UK representatives,
  • Standard Contractual Clauses for international transfers,
  • HIPAA Business Associate Agreements.

If you require any of the above, NOPE may not be the right fit at this time. See Section 17 for more information.


2. What We Do

We provide a business-to-business (B2B) developer API for safety and risk signalling in conversation data.

Our direct customers are businesses and developers ("Customers"), not the end-users of their platforms.

When a Customer integrates the NOPE API:

  1. Their system sends conversation text and associated metadata to our API.
  2. We route that text to large language model (LLM) providers and related infrastructure.
  3. We return structured risk signals, matched crisis resources, and optional response templates.
  4. We do not store raw conversation text in our application database for long-term use (such as user profiling or analytics).

If you are an end-user of a Customer's platform (for example, a chat app that uses NOPE), your primary privacy relationship is with that platform. This Policy explains our limited role.


3. Our Role: Controller vs. Processor

  • Customer account data: For data about our direct Customers (e.g., account details, billing identifiers), we act as a data controller. We decide how and why this data is used, within the scope described in this Policy.

  • End-user conversation data: For conversation text and associated metadata sent to our API by Customers, we act as a processor/service provider. Customers decide what to send us and why; we process it only to provide our services to them.

  • Aggregated and anonymized data: Where we create aggregated, de-identified data from processing activities (e.g., aggregate classification volumes, error rates, model performance metrics), we may use such data as a controller for service improvement, research, and reporting purposes. This data cannot be used to identify any individual End User.


4. Information We Collect and Store

Terminology note: Throughout this Policy, "Input Data" and "conversation content" are used interchangeably to refer to text, messages, and associated metadata submitted to our API for classification. Our Terms of Service provides formal definitions for these and other terms.

4.1 Information We Store in Our Systems

These categories are stored in our own database and application systems:

| Data Type | Examples | Purpose |
| --- | --- | --- |
| Customer account | Email address, optional name/organization | Account management, support, communication |
| Authentication | Hashed passwords, session tokens | Secure login and session management |
| API credentials | Hashed API keys, key names, creation dates | Authenticate and manage API access |
| Usage metrics | Evaluation counts, timestamps, rate-limit events | Operations, billing, abuse detection |
| Support communications | Emails or messages sent to us | Responding to questions and support requests |

Raw end-user conversation text is not written to our application database.

4.2 Information We Process but Do Not Store

These categories are processed to provide the service but are not written to our application database:

| Data Type | How We Handle It |
| --- | --- |
| Conversation content (messages) | Processed in memory and routed to LLM providers for classification, then returned to the Customer. Conversation content is not written to our application database. Our system architecture processes Input Data transiently without persisting it to durable storage. |
| Risk assessment results | Generated and returned to the Customer. We store classification metadata (severity, domains, flags) but not the underlying content. We do not maintain a per-end-user risk history database. |
| Customer-supplied identifiers | IDs or references that a Customer includes so they can join results back to their own systems. These are passed through in responses and not stored by us. |

Important limitation:

Like most cloud services, our infrastructure and service providers (for example, hosting, networking, and LLM providers) may generate technical logs that include elements of the above data (for example, IP addresses, timestamps, and request metadata) for a limited period for security, abuse monitoring, and debugging. We describe this further in Section 6.

4.3 Sensitive Crisis Content

We recognize that Input Data sent to our API may contain extremely sensitive information, including but not limited to:

  • Expressions of suicidal ideation or intent
  • Self-harm disclosures, urges, or planning
  • Abuse or domestic violence disclosures
  • Sexual assault or trafficking disclosures
  • Descriptions of trauma or victimization
  • Mental health crisis expressions
  • Threats of violence to self or others
  • Child safety concerns
  • Eating disorder content
  • Substance abuse disclosures

For all Input Data, including sensitive crisis content:

| Protection | Implementation |
| --- | --- |
| Encryption in transit | All API traffic uses TLS 1.3 encryption |
| Encryption at rest | Data at rest is encrypted using AES-256 or equivalent |
| No long-term storage | Conversation content is not stored in our application database |
| Access controls | Access limited to essential automated systems; human access requires documented justification and is logged |
| No secondary use | Never sold, never shared for advertising, never used for purposes unrelated to service provision |
| No profiling | Not used to build profiles of End Users |
| No model training | Not used to train our own machine learning models |
| Minimal retention | Transient processing only; see Section 8 for specific retention periods |

We do not treat crisis content differently from other Input Data — all Input Data receives the same strong protections. We highlight crisis content here because of its particularly sensitive nature and the importance of transparency about how we handle it.

4.4 What We Do Not Collect or Use

We do not collect, store, or build profiles based on:

  • End-users' names, emails, or contact information,
  • Per-end-user behavioral profiles,
  • Long-term per-conversation risk histories.

If a Customer includes such information in conversation text: That data is handled in accordance with Section 4.2—processed transiently and not written to our application database. We do not extract, index, or profile End User personal information from conversation content.

We ask Customers not to include more personal information than is necessary for their use case.

4.5 Free Tools and Website Features

We provide certain tools on our website at no cost. Here is how we handle data for each:

Compliance Survey (nope.net/compliance-survey):

| Aspect | How We Handle It |
| --- | --- |
| Survey responses | Processed in your browser only — not sent to our servers |
| Results | Generated client-side; may be encoded in URL parameters for sharing |
| Storage | We do not store your survey inputs or results in any database |
| Analytics | We may collect aggregate page views (e.g., "compliance survey was loaded X times") but not individual responses |
| URL parameters | If you share a results URL, the parameters are visible to anyone with the link — do not include sensitive business information |

Regulation Tracker (nope.net/regs):

| Aspect | How We Handle It |
| --- | --- |
| Filter selections | May be reflected in URL parameters for bookmarking/sharing |
| Personal data | None collected — this is a read-only reference database |
| Analytics | We may collect aggregate page views and popular filter combinations |

Documentation (docs.nope.net):

| Aspect | How We Handle It |
| --- | --- |
| Personal data | None collected beyond standard web server logs |
| Search queries | May be logged in aggregate for improving documentation |

For all free tools: We use privacy-respecting analytics that do not track individual users across sessions or build advertising profiles. We do not use third-party advertising trackers on these pages.

4.6 Safety Audit Services

When you engage our Safety Audit Services (see Terms of Service Section 1.3), we process additional categories of data:

| Data Type | How We Handle It | Retention |
| --- | --- | --- |
| Statement of Work details | Stored as part of engagement records | Duration of engagement + 3 years |
| Test scenario files | Provided to you; master copies retained by NopeNet | Indefinitely (our IP) |
| System response transcripts | Processed for evaluation; stored securely during engagement | Deleted within 90 days of report delivery |
| Evaluation notes | Internal working notes during assessment | Deleted within 90 days of report delivery |
| Final audit report | Delivered to you; copy retained by NopeNet | Duration of engagement + 3 years |
| Aggregate findings | De-identified, aggregate data may be retained | Indefinitely |

Important notes on Audit data:

  • Transcripts may contain sensitive content: AI system responses to crisis scenarios may include sensitive text. We apply the same protections described in Section 4.3 (encryption, access controls, no secondary use)
  • No End User data: Audit scenarios use synthetic test cases, not real End User conversations
  • Your Confidential Information: Audit results specific to your system are treated as your Confidential Information per the Terms of Service
  • Aggregate use: We may use de-identified, aggregate audit findings (e.g., "X% of systems tested fail to detect sudden calm signals") for research and service improvement without identifying your organization. We will only publish aggregate findings that include data from at least 10 audits to prevent indirect identification

4.7 Research Contribution Program

We offer a voluntary research contribution program (nope.net/contribute) where individuals can donate their AI chatbot conversation exports to support AI safety research.

What this program is:

  • A voluntary donation of your own conversation data
  • Currently limited to ChatGPT exports only
  • No account or payment required
  • You receive a free AI Safety Report analyzing your conversations

What we collect:

Data Type Collected Discarded
Conversation titles Yes
User messages (text only) Yes
AI responses (text only) Yes
Images and attachments Yes
Audio and video Yes
Code interpreter outputs Yes
Timestamps and metadata Yes
System messages Yes

Your attestations: By contributing, you confirm that:

  • The data is your own ChatGPT conversation export
  • You have reviewed it and are comfortable sharing its contents
  • You understand it will be processed by AI systems

How we store and process contributions:

| Aspect | How We Handle It |
| --- | --- |
| Storage location | Cloudflare R2 (encrypted at rest) |
| Processing | Analyzed by LLM providers (primarily OpenAI) via our Oversight system |
| Access controls | Limited to essential automated systems; human access requires documented justification |
| Purpose | Internal AI safety research only; improving our detection capabilities |
| Third-party sharing | None — data stays within NopeNet LLC infrastructure |
| Retention | 6 months from upload, then automatically deleted |

AI Safety Report:

When you contribute data, you may request a free AI Safety Report that analyzes your conversations for potentially concerning AI behaviors. This report:

  • Is generated using our Oversight analysis system
  • Analyzes a sample of your conversations (not all, for very large exports)
  • Is stored alongside your contribution and deleted on the same schedule
  • Can be accessed via a unique URL we provide

What we do NOT do with contributions:

  • We do not scrub or modify your data for PII — you are responsible for reviewing your export before uploading
  • We do not share contributions with third parties
  • We do not use contributions to train our own machine learning models
  • We do not associate contributions with any identity beyond an IP hash for abuse prevention

Deletion requests:

  • Contributions are automatically deleted 6 months after upload
  • To request early deletion, visit nope.net/contact and provide the filename of your original ChatGPT export (e.g., 2024-01-15-conversations.zip)
  • We will confirm deletion within 30 days of a verified request

Abuse prevention:

  • We store a truncated hash of your IP address (16 characters of SHA-256) to detect abuse patterns
  • We do not store your full IP address or associate it with your contribution content
  • Rate limits apply: 10 uploads per hour per IP address

5. How We Use Information

5.1 For Customer Data (Controller Role)

We use Customer account and usage data to:

  • Provide, maintain, and improve the NOPE API and related services,
  • Authenticate Customer accounts and API keys,
  • Enforce usage limits and billing,
  • Detect, investigate, and prevent abuse and security incidents,
  • Communicate with Customers about service updates, downtime, and security notices.

We do not sell Customer personal information or use it for third-party advertising.

5.2 For End-User Data (Processor/Service Provider Role)

When processing conversation text and associated metadata for Customers, we use it to:

  • Generate risk signals and assessments,
  • Match appropriate crisis resources,
  • Provide optional response templates or structured outputs,
  • Monitor for abuse and misuse of our service.

We do not:

  • Use end-user data for our own marketing,
  • Build advertising profiles,
  • Train our own models directly on Customer conversation content.

Model Training Clarity:

  • We do not train our own machine learning models on Customer Input Data
  • We do not use Input Data to fine-tune, improve, or develop proprietary models
  • Input Data is processed by third-party LLM providers solely to generate classifications
  • We configure our LLM provider accounts to:
    • Disable model training on API inputs where such controls are available
    • Use zero-data-retention (ZDR) tiers where available and commercially reasonable
    • Minimize data retention in provider logs

Where our LLM providers offer controls to disable model training on API data, we configure our integrations with those controls enabled for Customer traffic, or use providers whose APIs are not trained on Customer data by default. Customers should review the privacy documentation of any third-party providers they request us to use.


6. Service Providers and Operational Logs

We rely on third-party service providers ("Sub-processors") to host and operate our services. These providers may generate and retain operational logs that can include IP addresses, timestamps, and request metadata for security, abuse monitoring, performance, and reliability.

6.1 Categories of Sub-processors

| Category | Purpose | Data Processed |
| --- | --- | --- |
| Hosting and edge infrastructure | Host our API and websites, provide CDN and edge compute | HTTP requests, IP addresses, request/response metadata |
| Database and authentication | Store application data, manage authentication and sessions | Account data, usage metrics, hashed credentials |
| LLM routing and providers | Analyze conversation text, generate classifications | Input Data (conversation content), classification outputs |
| Payment processing | Process subscription payments, manage billing | Billing information, payment card tokens (we do not store full card numbers) |
| Email delivery | Send transactional and security emails | Email addresses, message content |
| Monitoring and logging | System monitoring, error tracking, performance analytics | System logs, error reports, aggregated metrics |

6.2 Current Sub-processors

Sub-processor categories and representative providers:

| Category | Purpose | Data Processed | Examples |
| --- | --- | --- | --- |
| Hosting/Infrastructure | API hosting, CDN, edge compute | HTTP requests, IP addresses | Cloud platforms, edge networks |
| Database/Auth | Application data, sessions | Account data, usage metrics | Managed database services |
| LLM Routing | Route requests to LLM providers | Input Data | OpenRouter (primary router) |
| LLM Providers | Generate classifications | Input Data | Anthropic, Google, OpenAI |
| Payment Processing | Subscription billing | Billing info, card tokens | Payment platforms |
| Email Delivery | Transactional emails | Email addresses | Email delivery services |
| Error Monitoring | System monitoring, debugging | Error logs, stack traces | Observability platforms |

Note on LLM Routing: We use OpenRouter as our primary LLM routing service. OpenRouter receives Input Data to route classification requests to appropriate LLM providers. OpenRouter is itself a sub-processor that handles Input Data before it reaches the final LLM provider. See OpenRouter's privacy policy and data handling documentation (available via link in your dashboard) for details on their data practices.

Current provider details are available:

We maintain specific vendor names in the dashboard rather than this policy to ensure you always have current information. The dashboard list is updated when providers change.

We will notify Customers of material changes to our sub-processor list at least 30 days before the change takes effect, via email or dashboard notification. You may object to a new sub-processor by notifying us within that 30-day period; if we cannot accommodate your objection, you may terminate your subscription.

6.3 LLM Provider Data Handling

Our classification service routes Input Data to LLM providers for analysis. Important points:

Our provider selection criteria:

  • Documented security practices and certifications (SOC 2, ISO 27001 where available)
  • Data handling policies that support enterprise use cases
  • API-specific data handling (not consumer chat interfaces)
  • Ability to configure data retention and training exclusions

Our account configuration:

  • We configure accounts to disable model training on API inputs where available
  • We use enterprise or API tiers rather than consumer products
  • We select providers whose API terms exclude training by default where possible

What we don't control:

  • Providers may retain logs for limited periods (typically up to 30 days) for abuse monitoring and security
  • Exact retention periods and processing locations vary by provider
  • Provider policies may change; we monitor but cannot guarantee specific configurations

Current primary providers (routed via OpenRouter):

  • Anthropic (Claude models)
  • Google (Gemini models)
  • OpenAI (GPT models)

Links to provider privacy policies, data processing terms, and API-specific data handling documentation are available in your dashboard.

6.4 Operational Log Retention

| Log Type | Typical Retention | Purpose |
| --- | --- | --- |
| API access logs | 30 days | Security, abuse detection, debugging |
| Authentication logs | 90 days | Security, fraud prevention |
| Error logs | 14 days | Debugging, service reliability |
| LLM provider logs | Up to 30 days (provider-dependent) | Provider abuse monitoring, security |
| Payment logs | 7 years | Financial compliance, dispute resolution |

We do not control third-party provider retention periods. The periods above are typical and may vary by provider.

6.5 Crisis Resource Data

Our crisis resource matching service (/v1/resources) uses a database of crisis helplines and support services. This data:

  • Is not personal data — it consists of publicly available information about crisis services (organization names, phone numbers, websites, hours of operation, service descriptions)
  • Does not include End User data — we do not store which resources were matched to which End Users or which Customer requested them
  • Is curated by NopeNet from public sources, crisis organization directories, and direct partnerships with crisis organizations
  • May be cached in Customer systems per their own data handling policies

When we return matched crisis resources in classification responses, we may log:

  • Resource IDs returned (for aggregate analytics, e.g., "how often is 988 returned")
  • Country/region of request (for geographic resource matching)

We do not associate resource matches with identifiable End User data.


7. Data Security

We implement reasonable technical and organizational measures designed to protect information, including:

  • HTTPS/TLS 1.3 encryption for data in transit,
  • AES-256 encryption for data at rest,
  • Hashed passwords and API keys,
  • Access controls and least-privilege principles,
  • Row-level security in our database where appropriate,
  • A service design that avoids storing raw sensitive content in our own long-term data stores.

We rely on certified infrastructure providers (such as Supabase and other major cloud services) for core hosting and storage.

No security program is perfect. We cannot guarantee absolute security.


8. Data Retention

8.1 Retention Schedule

| Data Category | Retention Period | Rationale |
| --- | --- | --- |
| Customer account data | Duration of account + 3 years | Legal compliance, accounting, dispute resolution |
| API credentials | Until revoked or account closed | Service functionality |
| Usage statistics (aggregated) | Duration of account + 2 years | Billing, historical records, dispute resolution |
| Billing records | 7 years from transaction | Tax and accounting requirements |
| Classification metadata | Duration of account | Audit trails, SB243 compliance support |
| Conversation content (Input Data) | Not stored; transient processing only | Privacy by design |
| Transient caches and buffers | Up to 72 hours maximum | Debugging, retry handling, service reliability |
| Operational logs | 14-90 days depending on log type | Security, debugging (see Section 6.4) |
| LLM provider logs | Up to 30 days (provider-controlled) | Provider security and abuse monitoring |
| Support communications | Duration of account + 2 years | Support history, dispute resolution |
| Research contributions | 6 months from upload | Voluntary donation program; auto-deleted |
| Research contribution reports | 6 months from upload | Deleted with associated contribution |

8.1.1 Classification Metadata — What We Store

For each API request, we store classification results without the underlying content:

| What We Store | Example | Purpose |
| --- | --- | --- |
| Request metadata | user_id, api_key_id, endpoint, timestamp, latency | Operations, billing |
| speaker_severity | "moderate", "high", "critical" | Audit trail |
| risk_types | ["suicide", "self_harm"] | Audit trail |
| risk_subjects | ["self", "other"] | Audit trail |
| resources_shown | true/false | Compliance reporting |
| suicidal_ideation | true/false | Compliance reporting |
| self_harm | true/false | Compliance reporting |
What We Do NOT Store:

  • The actual conversation text (Input Data)
  • The specific words or messages analyzed
  • End User identifiers (unless Customer includes them)
  • Per-message content history

This design is privacy-preserving. Our audit trail shows that a crisis was detected and what type, but never what the End User actually said. For SB243 compliance reporting, this is sufficient — regulators need to verify you're detecting and responding to crises, not read the actual conversations.

8.2 Conversation Content Handling

We do not store conversation content (Input Data) in our application database.

Input Data flows through our system as follows:

  1. Receipt — Input Data received via API request
  2. Validation — Request validated, authenticated
  3. Routing — Routed to LLM provider(s) for classification
  4. Processing — Classification generated by LLM provider
  5. Response — Classification results returned to Customer
  6. Purge — Input Data cleared from our application memory

Input Data may temporarily exist in:

| Location | Duration | Purpose |
| --- | --- | --- |
| Memory buffers | Milliseconds to seconds | Active request processing |
| Transient caches | Up to 72 hours | Retry handling, temporary buffering |
| LLM provider systems | Up to 30 days | Provider abuse monitoring, per their policies |
| Operational logs | Up to 30 days | Truncated/hashed form only; debugging, security |

We design our systems to minimize retention of Input Data and do not maintain a queryable database of conversation content. After the transient processing period, we cannot retrieve specific Input Data submissions.

8.3 Deletion Requests

When you close your account or request deletion:

  • Account data is deleted or anonymized within 30 days
  • Usage statistics are anonymized (aggregated, de-identified)
  • API credentials are immediately revoked and subsequently deleted
  • We will confirm deletion in writing upon request

Limitations on deletion:

  • We cannot delete data already in third-party provider logs (subject to their retention periods, typically up to 30 days)
  • Billing records are retained as required by tax and accounting law (typically 7 years)
  • We cannot delete specific Input Data submissions because we do not store them in a retrievable format—transient caches automatically purge within 72 hours

To request deletion: Visit nope.net/contact, email [email protected], or use the account closure function in your dashboard.


9. HIPAA / Health Information

NOPE is not currently designed or represented as compliant with the US Health Insurance Portability and Accountability Act (HIPAA).

  • We do not sign Business Associate Agreements (BAAs) at this time.
  • Our services are not intended for use with Protected Health Information (PHI) as defined by HIPAA.

Customers must not send PHI to our services unless and until we explicitly state otherwise in a separate written agreement.

See our Terms of Service Section 4.4 for additional requirements regarding health information. Customers who submit PHI in violation of these restrictions do so at their own risk and in breach of their agreement with us.


10. Your Rights and Choices

10.1 If You Are a NOPE Customer

If you have an account with us, you can:

  • Access your basic account information via the dashboard,
  • Update or delete certain account details,
  • Revoke or rotate API keys,
  • Close your account (which will trigger deletion or anonymization of associated data subject to our retention needs).

You can also contact us at [email protected] or via nope.net/contact to:

  • Request a copy of personal information we hold about you,
  • Request correction or deletion of personal information,
  • Ask questions about how we handle data.

We may need to verify your identity before responding to certain requests and may retain some information where required by law or legitimate business needs (e.g., records of billing transactions).

10.2 If You Are an End-User of a Customer's Platform

If you use a service that integrates NOPE (for example, a chat app that calls our API), your primary relationship and rights (including access, deletion, or objection rights) are with that Customer.

  • We generally cannot identify you directly.
  • We act on the instructions of the Customer when processing your data.

If a Customer asks us to assist with a deletion or access request relating to data we process on their behalf, we will make reasonable efforts to support them, where technically feasible.


11. Cookies and Similar Technologies

  • Dashboard: We may use strictly necessary cookies or similar technologies for authentication, session management, and security. These are required for the service to function.
  • API: Our API itself is stateless and does not rely on cookies.
  • Marketing site: We may use privacy-respecting, non-advertising analytics (for example, aggregated traffic metrics). We do not use third-party advertising cookies or trackers.

Do Not Track: Our services do not currently respond to "Do Not Track" browser signals. However, we do not engage in cross-site tracking or behavioral advertising, so Do Not Track signals would not change our data practices.


12. Children

NOPE is a B2B service directed at organizations and adult professionals, not at children.

We do not knowingly collect personal information directly from children under 13. Our Customers may use our service in products that involve minors (for example, school safety platforms, youth mental health services, or safeguarding applications).

Processing data involving children: In such cases:

  • The Customer is the data controller and responsible for COPPA, FERPA, and other child privacy law compliance
  • We process such data solely as a service provider under the Customer's instructions
  • We do not have direct relationships with minor End Users
  • We do not knowingly collect personal information directly from children under 13
  • Customers must obtain appropriate consent or have legal basis (such as the "school official" exception) before submitting children's data

See our Terms of Service Section 4.9 for detailed Customer obligations regarding children's data, including COPPA and FERPA requirements for school customers.


13. Automated Processing and Human Oversight

Our service uses AI models to analyze text and generate risk signals and other structured outputs. This is automated processing, but in our design:

  • Outputs are signals and tools for Customers,
  • Customers retain responsibility for how they act on those signals,
  • Customers should implement appropriate human oversight and escalation processes.

We do not make automated decisions on individuals that by ourselves create legal or similarly significant effects.


14. Geographic Scope and International Transfers

NopeNet is based in the United States, and our core infrastructure is currently hosted with providers that offer US data centers.

Primary data locations:

| Data Type | Primary Location | Notes |
| --- | --- | --- |
| Application database | United States (AWS us-east-1 region) | Account data, usage metrics, classification metadata |
| Edge processing | Global edge network | Request routing, caching |
| LLM processing | United States primarily | Some providers may process in other regions |

Transfer mechanisms: We currently rely on:

  • Our sub-processors' compliance certifications and security practices
  • Contractual protections in our agreements with sub-processors
  • The fact that our services are designed for US customers processing US data

However, some of our Sub-processors may process data in other countries or regions as part of their global cloud infrastructure. By using our services, Customers understand that information may be processed outside the state or country where they are located, in jurisdictions that may have different data protection laws.

EU/UK customers: We do not currently offer Standard Contractual Clauses (SCCs) or other EU/UK-approved transfer mechanisms. We do not have EU or UK representative appointments. Customers subject to GDPR should not use our services for processing EU/EEA personal data until we offer appropriate compliance documentation.


15. US State Privacy Laws

We are aware of comprehensive privacy laws in states such as California (CCPA/CPRA), Virginia, Colorado, Connecticut, and others. As a small early-stage company, we may not meet all statutory thresholds that make these laws directly applicable in every case.

Regardless of thresholds:

  • We do not sell personal information,
  • We do not share personal information for cross-context behavioral advertising,
  • We aim to honor reasonable access, correction, and deletion requests from individuals where we can identify them and have a direct relationship.

When we process personal information on behalf of a Customer, we act as a "service provider" or "processor" under applicable US state privacy laws. We only process such data for the limited business purpose of providing our services to that Customer.

15.1 California Consumer Privacy Act (CCPA/CPRA) Disclosures

For California residents, we provide the following disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

Categories of Personal Information Collected (past 12 months):

| Category (per CCPA) | Examples | Collected? | Source |
| --- | --- | --- | --- |
| A. Identifiers | Email address, name, IP address, account ID | Yes | Directly from Customers |
| B. Customer records | Billing name, address, payment information | Yes | Directly from Customers |
| F. Internet activity | API usage logs, access times, features used | Yes | Automatically collected |
| G. Geolocation | Approximate location derived from IP address | Incidentally | Automatically collected |
| I. Professional information | Company name, job title, industry | If provided | Directly from Customers |
| K. Inferences | Account risk scores, usage patterns | Limited | Derived from above |
| Sensitive PI: Mental health | Content indicating mental health status (via Input Data) | Processed, not stored | From Customers (End User content) |

Categories NOT Collected: C (Protected characteristics), D (Commercial information beyond billing), E (Biometric), H (Sensory data), J (Education information)

Business Purposes for Collection:

  • Providing the NOPE classification service
  • Processing payments and maintaining accounts
  • Security, fraud prevention, and abuse detection
  • Service improvement and debugging
  • Legal compliance

Categories Disclosed for Business Purposes (past 12 months):

Category | Recipients | Purpose
A. Identifiers | Hosting providers, payment processor | Service operation, billing
B. Customer records | Payment processor | Payment processing
F. Internet activity | Hosting providers, monitoring tools | Service operation, security
Sensitive PI (Input Data) | LLM providers | Classification processing

We Do NOT:

  • Sell personal information (as defined by CCPA)
  • Share personal information for cross-context behavioral advertising
  • Use or disclose sensitive personal information for purposes other than service provision (no profiling, no advertising)
  • Retain personal information longer than reasonably necessary

Your California Privacy Rights:

Right | Description | How to Exercise
Know | Request what PI we collect, use, and disclose | nope.net/contact, [email protected], or dashboard
Access | Obtain a copy of your PI | nope.net/contact, [email protected], or dashboard
Delete | Request deletion of your PI | nope.net/contact, [email protected], or dashboard
Correct | Correct inaccurate PI | nope.net/contact, [email protected], or dashboard
Opt-out of sale/sharing | N/A — we don't sell or share | Not applicable
Limit sensitive PI use | Limit use to service provision | Already limited by default
Non-discrimination | Not be discriminated against for exercising rights | Automatic

Verification: We will verify your identity before responding to access, deletion, or correction requests. For account holders, we verify via your account email. For others, we may require additional information.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. We require: (1) your signed authorization, and (2) verification of your identity.

Response Timing: We will respond to verifiable requests within 45 days. We may extend this by an additional 45 days if reasonably necessary, with notice.

Contact for Privacy Matters:

California "Shine the Light" (Civil Code § 1798.83): California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.


16. Security Incidents and Notifications

16.1 Our Incident Response

If we become aware of a security incident that may affect Customer data, we will:

  1. Investigate the incident promptly to determine scope, cause, and impact
  2. Contain the incident and take steps to prevent further unauthorized access
  3. Assess what data was affected and which Customers are impacted
  4. Remediate vulnerabilities and implement measures to prevent recurrence
  5. Notify affected Customers in accordance with Section 16.2
  6. Document the incident and our response for compliance purposes

16.2 Notification Timeline

Incident Type | Notification Timeline | Method
Confirmed breach of Customer account data | Within 72 hours of confirmation | Email to account owner + dashboard notice
Confirmed breach potentially affecting Input Data | Within 72 hours of confirmation | Email to account owner + dashboard notice
Suspected incident under investigation | Reasonable updates during investigation | Email or dashboard as appropriate
Third-party provider incident affecting our data | Within 72 hours of our learning of impact | Email with provider information
Near-miss or contained incident | Disclosed in next security update | Dashboard or blog

"Confirmation" means we have reasonable certainty that unauthorized access to Customer data occurred, not merely that an attempted attack was detected.

16.3 Notification Content

Security incident notifications will include, to the extent known at the time of notification:

  • Nature and description of the incident
  • Approximate date and time of the incident
  • Categories of data potentially affected
  • Approximate number of Customers affected
  • Steps we have taken to contain and remediate the incident
  • Steps we plan to take going forward
  • Steps Customers can take to protect themselves (e.g., credential rotation)
  • Point of contact for questions
  • Whether law enforcement has been notified

We will provide updates as our investigation progresses and additional information becomes available.

16.4 Customer Responsibilities

Customers are responsible for:

  • Notifying their own End Users if required by applicable law (we can provide supporting documentation upon request)
  • Determining whether the incident triggers their own breach notification obligations under CCPA, state breach notification laws, or other applicable law
  • Implementing any recommended protective measures promptly
  • Notifying us if they discover a security issue related to our services (see Terms of Service Section 4.7)
  • Maintaining accurate contact information for security notifications

16.5 Your Obligation to Notify Us

If you discover or suspect any of the following, you must notify us at [email protected] (or via nope.net/contact) within the specified timeframes:

Incident Type | Notification Timeframe
Security incidents (unauthorized access to your NOPE account, API credential compromise, compromise of systems integrating with NOPE) | Within 72 hours of discovery
Harm events (End User harms themselves or others following an interaction using NOPE) | Within 30 days of becoming aware
Security vulnerabilities in the NOPE service | Promptly upon discovery

See Terms of Service Section 4.7 for complete incident notification requirements.


17. Data Processing Agreements

17.1 Current Status

We do not currently offer:

  • GDPR-compliant Data Processing Agreements (DPAs)
  • Standard Contractual Clauses (SCCs) for international transfers
  • EU/UK representative appointments
  • HIPAA Business Associate Agreements (BAAs)

Our services are currently designed for US-based business customers processing US-based End User data.

17.2 Future Availability

We are developing:

  • A Data Processing Addendum for customers with CCPA compliance needs
  • Documentation to support customer compliance programs

If you require a DPA, BAA, or other data processing agreement, please visit nope.net/contact or email [email protected] to discuss your needs and timeline. We may be able to accommodate specific requirements for Enterprise customers.

17.3 Customer Acknowledgment

By using our services, you acknowledge that:

  • We do not currently offer DPAs, BAAs, or SCCs
  • You are responsible for determining whether your use case requires such agreements
  • If you later determine you require compliance documentation we do not offer, your remedy is to discontinue use of the service
  • We are not liable for your decision to use our services without compliance documentation that may be required for your specific use case
  • You have appropriate legal basis for any data you submit to us

18. Changes to This Policy

We may update this Privacy Policy from time to time.

  • If we make material changes, we will notify Customer account holders by email or by posting a notice on our website or dashboard at least 30 days in advance.
  • The "Last updated" date at the top of this Policy will reflect the latest version.

Continued use of our services after an update becomes effective will mean you accept the revised Policy.


19. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, you can contact us at:

Web: nope.net/contact

Email: [email protected]

Mail: NopeNet, LLC 382 NE 191st St PMB 775891 Miami, Florida 33179-3899 US