Privacy Policy

Last updated: April 13, 2026

1. Introduction

NottoAI ("we", "us", "our") operates the website nottoai.com and the NottoAI application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

2. Information We Collect

We collect information in the following ways:

  • Account Information: When you create an account, we collect your email address, name, and profile image via our authentication provider (Clerk).
  • Conversation Data: Messages you send and receive through the Service are stored to provide conversation history. You can delete your conversations at any time.
  • Payment Information: Payment processing is handled by Stripe. We do not store your credit card details. We store your Stripe customer ID and subscription status.
  • API Keys (BYOK): If you provide your own API keys, they are encrypted with AES-256 before storage and are never stored in plaintext.
  • Usage Data: We track credit usage, message counts, and model selections to manage your subscription and improve the Service.

3. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To process transactions and manage subscriptions
  • To send important service-related communications
  • To enforce our terms of service
  • To detect and prevent fraud or abuse

4. Third-Party Services

We use the following third-party services to operate:

  • Clerk — Authentication and user management
  • Stripe — Payment processing
  • Supabase — Database and data storage
  • OpenRouter — AI model API routing

Your messages are routed (via OpenRouter) to third-party AI model providers (OpenAI, Anthropic, Google, etc.) for processing. Please refer to their respective privacy policies for how they handle data.

5. Data Retention

We retain your data for as long as your account is active. You can request deletion of your account and all associated data by contacting us at [email protected]. Upon account deletion, your data will be permanently removed within 30 days.

6. Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest, CSRF protection, and encrypted storage of API keys. However, no method of transmission over the Internet or of electronic storage is 100% secure.

7. Your Rights

  • Access and download your personal data
  • Correct inaccurate information
  • Delete your account and data
  • Object to data processing
  • Export your conversation history

8. Cookies

We use essential cookies for authentication and CSRF protection. We use a privacy-friendly analytics tool that does not use cookies for tracking. We do not use advertising cookies.

9. Children's Privacy

The Service is not intended for users under the age of 13. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us at [email protected].