Legal

Privacy Policy

NaughtyBot — operated by [Operator entity — TBD].

1. Who we are

NaughtyBot is operated by [Operator entity — TBD] ("we", "us", "our"). This policy explains what personal data we collect, why we collect it, how we use it, and your rights over it.

Contact us at legal@naughtybot.me for any privacy-related enquiries.

1a. Data Protection Officer

Our Data Protection Officer (DPO) can be contacted at dpo@naughtybot.me. The DPO oversees our compliance with the GDPR, UK GDPR, and Australian Privacy Act.

1b. EU and UK representatives

Where the operator is established outside the EEA and the United Kingdom, GDPR Article 27 and UK GDPR Article 27 require designating representatives in the EU and the UK before processing personal data of residents of those regions. NaughtyBot is not currently offered to residents of the EEA, the United Kingdom, Switzerland, or Australia (see the waitlist) — we are appointing representatives ahead of opening service to those regions. Until appointed, queries from EU or UK residents about data we process via the waitlist may be directed to dpo@naughtybot.me.

• EU representative: to be appointed (pending GDPR Art. 27 designation).
• UK representative: to be appointed (pending UK GDPR Art. 27 designation).

2. Data we collect

Waitlist / account registration

• Email address
• Submission timestamp and source (waitlist, signup page)
• Locale, timezone, page path, referrer, and UTM parameters when available
• A hashed, salted source IP for abuse monitoring (not stored in plaintext)

Account and subscription

• Email address and account identifiers
• Subscription status, plan tier, billing history
• Payments are settled in cryptocurrency via our self-hosted BTCPay node — we never store card details

Conversation data

• Messages you send and AI-generated responses, stored to maintain conversation continuity
• Scene state and relationship context used to personalise your experience
• Moderation metadata logged for safety compliance

Technical and analytics

• Pageviews and interaction events via Plausible Analytics (privacy-friendly, no marketing cookies)
• Lambda invocation logs (CloudWatch, operational use)
• CloudFront and S3 access logs, retained 90 days

2a. What we don't collect

We are explicit about data we will never request or store:

• Government-issued ID numbers (passport, driver's licence, tax file number, SSN)
• Biometric data — age verification is handled entirely by Yoti; we receive only a pass/fail result
• Credit or debit card details — we do not accept card payments; all payments are settled in cryptocurrency via our self-hosted BTCPay Server
• Contacts, location data, or device identifiers beyond what is strictly required for the service

If you are ever asked by any website claiming to be NaughtyBot to submit a government ID, SSN, or full card number directly to a form, do not do so — that is not us.

3. How we use your data

• To provide and personalise the NaughtyBot service
• To manage your subscription and process payments
• To detect and prevent abuse, fraud, and policy violations
• To send transactional emails (payment failures, account notices)
• To improve the service through aggregated, anonymised analytics
• To comply with legal obligations

4. Legal bases (GDPR / Australian Privacy Act)

• Contract: processing necessary to provide the service you subscribed to
• Legitimate interests: fraud prevention, service security, analytics
• Consent: marketing communications (opt-in only)
• Legal obligation: compliance with applicable laws

5. Data sharing and sub-processors

We do not sell, rent, or share your personal data for advertising. Sub-processors:

• LunaNode: VPS hosting for our self-hosted BTCPay Server — processes cryptocurrency payment data only (invoice metadata, on-chain BTC and Lightning transactions); does not see chat content
• AWS: cloud infrastructure (Lambda, RDS, DynamoDB, S3, CloudFront) — data processed in us-east-1 (Virginia, USA)
• Plausible Analytics: aggregated, anonymised pageview data only
• Yoti: age verification — receives only the data needed to confirm you are 18+; returns a pass/fail result
• Featherless: AI inference API — processes conversation content to generate responses
• Law enforcement: when required by a valid legal order

6. Data retention

• Waitlist records: 12 months, or until the waitlist closes
• Account data: retained for the duration of your account, plus 12 months after closure
• Conversation data: retained while your account is active; deleted within 30 days of account closure on request
• Billing records: 7 years (legal requirement)
• Access logs: 90 days

7. Your rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data ("right to be forgotten")
• Object to or restrict certain processing
• Data portability
• Lodge a complaint with your local data protection authority

To exercise these rights, contact dpo@naughtybot.me. We respond within 30 days.

7a. California (CCPA / CPRA)

• Right to know — categories and specific pieces of personal information collected
• Right to delete — subject to legal retention requirements
• Right to opt-out of sale/sharing — we do not sell or share. See Do Not Sell or Share
• Right to non-discrimination — we will not discriminate against you for exercising these rights

Categories collected: identifiers (email), commercial information (billing history), internet activity (conversation data, analytics), and inferences (moderation metadata).

7b. Canada (PIPEDA)

• We collect, use, and disclose your personal information only with your meaningful consent and for purposes a reasonable person would consider appropriate.
• You may access and request correction of your personal information at any time.
• You may withdraw consent for non-essential processing.
• You may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

8. Adult content

NaughtyBot generates adult content. We treat conversation data as sensitive personal data and apply heightened protections accordingly. Conversation data is encrypted at rest and in transit. We do not use conversation content to train third-party AI models.

8a. EU users — memory & personalisation features

Persistent memory extraction and personalised chat features rely on our AI inference provider (Featherless) processing conversation content. Our DPA with Featherless covering EU personal data under GDPR is currently pending finalisation.

Until the DPA is signed, these features are disabled for users whose IP address resolves to an EU member state (detected via the CloudFront CF-IPCountry header). We store a region code (EU) on your account for this purpose — it is not used for any other processing.

9. Cookies and tracking

We do not use marketing or tracking cookies. Plausible Analytics is cookieless by design. Session state is managed via secure tokens — not advertising cookies.

10. International transfers

Your data is processed on AWS infrastructure in the United States (us-east-1):

• EU: Standard Contractual Clauses (SCCs), supplemented by transfer impact assessments where required
• UK: the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
• Canada: transfers per PIPEDA, ensuring an adequate level of protection

11. Children

The Service is strictly for adults aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has submitted data, contact legal@naughtybot.me immediately.

12. Data breach notification

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR/UK GDPR), or as soon as practicable (Australian Notifiable Data Breaches scheme, PIPEDA).
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
• Document all breaches internally, including facts, effects, and remedial actions taken.

13. EU Digital Services Act (DSA)

Our single point of contact for EU authorities and users is dsa-contact@naughtybot.me. Information about moderation practices including automated decision-making is available on our Transparency page.

14. Changes to this policy

We may update this policy. Material changes will be communicated via email or in-app notice. Continued use of the Service after changes constitutes acceptance.

← Back to NaughtyBot