
Privacy Policy

Last Updated: April 3, 2026

1. Introduction

IS NOT AI LLC, a Delaware limited liability company doing business as "NotAI" ("we," "our," or "us"), provides human verification and AI detection services. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our services, including the NotAI Pixel and the Text Monitor package.

For our customers (website operators who integrate NotAI): Your use of our Services is governed by our Terms of Service and, where applicable, a Data Processing Agreement (DPA). You are the data controller for end-user data collected through our Services; NotAI acts as a data processor on your behalf.

For end users of websites that use NotAI: The website operator is the data controller responsible for how your data is collected and used. NotAI processes data solely on their behalf and according to their instructions. Please refer to the website operator's own privacy policy for information about their data practices.

2. Information We Collect

2.1 Text Monitor Data

When website operators install the Text Monitor package, we collect:

  • Keystroke timing data: The timing and sequence of keystrokes (not the content itself)
  • Typing patterns: Pause durations, typing speed variations, correction patterns
  • Session metadata: Browser type, session duration, timestamp
  • Authorship indicators: Copy/paste events, text source attribution
  • IP addresses: Used transiently for session matching on authenticated platforms (e.g., LMS integrations). Full IP addresses are truncated at the CDN edge via data localization controls and are not stored in application logs or databases.

2.2 NotAI Pixel Data

The NotAI Pixel collects:

  • Mouse movement patterns: Cursor trajectory, click patterns, scroll behavior
  • Navigation behavior: Page transitions, timing between actions
  • Browser characteristics: User agent, viewport size, language settings
  • Session identifiers: Anonymous session tokens (no personal identifiers)
  • IP addresses: Used transiently for session matching on authenticated platforms. Full IP addresses are truncated at the CDN edge via data localization controls and are not stored in application logs or databases.

2.3 Account Information

When you create a NotAI account, we collect:

  • Email address
  • Region preference (US or EU)
  • Organization name (if provided)
  • Billing information (processed by Stripe)

2.4 Institution-Provided Identity Data

When an educational institution integrates NotAI through LTI (Learning Tools Interoperability) launches or webhook integrations, we may receive limited identity information provided by the institution, including:

  • Student names: As supplied by the institution's learning management system (e.g., Canvas LMS) during an LTI launch
  • User IDs: Institution-assigned identifiers used to match behavioral data to the correct student

This data originates entirely from the institution's systems and is used solely to display authorship-verification results to authorized instructors and administrators within the NotAI dashboard. NotAI does not independently collect student email addresses or contact information.

3. How We Use Your Information

We use the collected information to:

  • Distinguish human behavior from AI-generated or bot activity
  • Provide authorship verification and analysis
  • Generate aggregated usage statistics for our customers
  • Improve our detection algorithms using aggregated, de-identified behavioral patterns derived from usage across our customer base. This process uses only statistical distributions and signal data (e.g., typing cadence ranges, common bot navigation signatures) that cannot be traced back to any individual person, student, or institution. No names, submission content, or institution-specific identifiable data are used for algorithm improvement. The anonymization standard that NotAI applies to this data is set out in the Standard for Anonymization and De-identification section below.
  • Provide customer support
  • Process payments and manage subscriptions

Standard for Anonymization and De-identification

Wherever this Privacy Policy or the Terms of Service describes data as "aggregated," "de-identified," or "anonymized," that data meets the standard set out in this section.

Legal standard. NotAI applies an anonymization standard intended to place the resulting data outside the material scope of Article 2 of the GDPR, consistent with Recital 26, which treats data as anonymous only where re-identification of the data subject is not reasonably likely by any means likely to be used by NotAI or by any third party. The same data also meets the three-prong test for "deidentified" information under California Civil Code § 1798.140(m), as amended by the CPRA: reasonable technical measures against re-association (the Technical process below), a public commitment not to re-identify, and contractual flow-down to recipients.

Technical process. To meet this standard, NotAI (i) removes direct identifiers before aggregation, including account IDs, student or user IDs supplied by institutions, institution identifiers, IP addresses, session-level unique hashes, names, and email addresses; (ii) reduces quasi-identifiers, including by rounding timestamps to a coarse granularity (typically the hour or the day) and by suppressing time-zone, device-fingerprint, and free-text fields; (iii) aggregates the resulting signal distributions at a minimum population size documented in NotAI's internal data-governance procedures and sufficient, in NotAI's reasonable judgement, to prevent re-identification under the reasonable-likelihood test described above; and (iv) does not combine anonymized data from K–12 or other educational deployments with data from non-educational deployments for cross-product training, consistent with Cal. Bus. & Prof. Code § 22584(e)(2) and 105 ILCS 85/10(a)(4).
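The technical process above, carried through on constructed records as an added example; this is not NotAI's code. The field names, the grouping key (deployment class, browser family, UTC hour) and the minimum cell size K_MIN = 5 are assumptions made for the example; the policy leaves the real minimum population to NotAI's internal procedures. The block also includes the check a practitioner would run over the output: no identifier keys survive, and no IP address or e-mail address hides inside a string value.

```python
# Added example (not NotAI's code): a minimal de-identification pass over
# behavioural telemetry that follows the four steps the policy describes.
# Field names, the grouping key and K_MIN are assumptions; the records are
# constructed sample data.
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# (i) direct identifiers removed outright
DIRECT_IDENTIFIERS = {"account_id", "user_id", "institution_id", "ip",
                      "session_hash", "name", "email"}
# (ii) quasi-identifiers that are suppressed rather than generalised
SUPPRESSED_QUASI = {"timezone", "device_fingerprint", "free_text"}
K_MIN = 5  # assumed minimum population per aggregated cell

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def coarsen_timestamp(ts_iso, granularity="hour"):
    """Round an ISO-8601 timestamp to the hour or day, normalised to UTC so
    the original zone offset (itself a quasi-identifier) does not survive."""
    dt = datetime.fromisoformat(ts_iso).astimezone(timezone.utc)
    dt = dt.replace(minute=0, second=0, microsecond=0)
    if granularity == "day":
        dt = dt.replace(hour=0)
    return dt.isoformat()


def deidentify_record(rec, granularity="hour"):
    """Steps (i) and (ii) for one record: drop direct identifiers, suppress
    sensitive quasi-identifiers, generalise the rest."""
    out = {k: v for k, v in rec.items()
           if k not in DIRECT_IDENTIFIERS and k not in SUPPRESSED_QUASI}
    out["timestamp"] = coarsen_timestamp(rec["timestamp"], granularity)
    out["browser"] = rec["browser"].split("/")[0]  # "Chrome/124.0" -> "Chrome"
    return out


def has_direct_identifier(row):
    """Output check: no identifier keys, and no IP address or e-mail
    address hiding in a string value."""
    if DIRECT_IDENTIFIERS & row.keys():
        return True
    return any(isinstance(v, str) and (IPV4.search(v) or "@" in v)
               for v in row.values())


def aggregate(records, k=K_MIN, granularity="hour"):
    """Steps (iii) and (iv): group de-identified records by
    (deployment class, browser family, coarse UTC hour), keep only cells
    with at least k contributors, and emit distribution statistics per
    cell. Keeping the deployment class in the key means educational and
    non-educational telemetry never land in the same cell.
    Returns (published_cells, number_of_suppressed_cells)."""
    cells = defaultdict(list)
    for rec in records:
        d = deidentify_record(rec, granularity)
        cells[(d["deployment"], d["browser"], d["timestamp"])].append(
            d["keystroke_interval_ms"])
    out, suppressed = [], 0
    for (deployment, browser, ts), samples in sorted(cells.items()):
        if len(samples) < k:
            suppressed += 1  # small cell: suppressed, never published
            continue
        row = {"deployment": deployment, "browser": browser, "timestamp": ts,
               "n": len(samples), "min_ms": min(samples),
               "median_ms": median(samples), "max_ms": max(samples)}
        assert not has_direct_identifier(row)
        out.append(row)
    return out, suppressed


def _rec(i, browser, ts, deployment, interval_ms):
    """Constructed telemetry record carrying every identifier class the
    policy lists, so the example has something to strip."""
    return {"account_id": f"acct-{i}", "user_id": f"stu-{i:04d}",
            "institution_id": "inst-42", "ip": f"203.0.113.{i}",
            "session_hash": f"{i:016x}", "name": f"Student {i}",
            "email": f"s{i}@example.edu", "timezone": "Europe/Berlin",
            "device_fingerprint": f"fp-{i}", "free_text": "note",
            "browser": browser, "timestamp": ts, "deployment": deployment,
            "keystroke_interval_ms": interval_ms}


# Constructed sample: six educational Chrome sessions in one hour (published),
# two educational Firefox sessions (suppressed, below K_MIN), and five
# non-educational Chrome sessions in the same hour (published separately).
SAMPLE_RECORDS = (
    [_rec(i, "Chrome/124.0", f"2026-04-01T09:{5 + 10 * i:02d}:00+02:00",
          "education", ms)
     for i, ms in enumerate([180, 210, 195, 240, 205, 220])]
    + [_rec(10 + i, "Firefox/125.0", f"2026-04-01T09:{15 + 10 * i:02d}:00+02:00",
            "education", ms)
       for i, ms in enumerate([150, 300])]
    + [_rec(20 + i, "Chrome/123.0", f"2026-04-01T09:{2 + 10 * i:02d}:00+02:00",
            "other", ms)
       for i, ms in enumerate([90, 95, 100, 105, 110])]
)

if __name__ == "__main__":
    published, dropped = aggregate(SAMPLE_RECORDS)
    for cell in published:
        print(cell)
    print(f"suppressed cells: {dropped}")
```

Two caveats the code makes visible. First, the output scan matters because identifiers leak through fields nobody listed as identifiers (a user-agent string or a free-text note can carry an e-mail address), and a schema-based drop list alone does not catch that. Second, a minimum cell size is a necessary but not a sufficient condition for the Recital 26 test: whether a five-session cell is re-identifiable also depends on what other data a recipient holds, which is exactly why the contractual flow-down in the next paragraphs exists.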

Public commitment (CCPA § 1798.140(m)(2)). NotAI publicly commits to maintain and use any data described in this Privacy Policy or the Terms of Service as aggregated, de-identified, or anonymized in that form only, for as long as NotAI retains such data. NotAI will not attempt, and has no commercial motive to attempt, to re-identify any such data.

Contractual flow-down (CCPA § 1798.140(m)(3)). Any third party to whom NotAI makes aggregated, de-identified, or anonymized data available is contractually obligated (i) not to attempt to re-identify the data, (ii) to maintain the data in de-identified form, and (iii) to impose these same obligations on any onward recipient.

Pseudonymization is not anonymization. Data that has only had direct identifiers replaced with pseudonyms (for example, session identifiers not directly tied to end-user identity) remains "personal data" under Article 4(5) of the GDPR and is not within the scope of this anonymization standard. NotAI processes pseudonymized personal data as a processor on the controller's documented instructions in accordance with the Data Processing Agreement.

Automated Processing

Our Services use automated analysis of text input patterns and browsing behavior to classify traffic as human or non-human. These classifications may be used by our customers to restrict access to their websites or to flag submissions for further review. NotAI acts as a data processor performing this analysis on behalf of our customers (the data controllers).

Human review requirement: NotAI's outputs are designed as decision-support tools, not autonomous decision-makers. Our system produces confidence scores and flags that are intended to be reviewed by a qualified human (such as an instructor or administrator) before any consequential action (such as grade adjustment, academic integrity proceedings, or access restriction) is taken against a data subject. NotAI does not make final determinations on its own.

Under GDPR and UK GDPR Article 22, data subjects have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. Following the Court of Justice of the European Union's judgments in SCHUFA Holding (Case C-634/21, 7 December 2023) and Dun & Bradstreet Austria (Case C-203/22, 27 February 2025), the Article 22 prohibition applies not only to strictly automated decision-making but also to the generation of an authorship-probability score or similar output that materially influences a human decision with legal or similarly significant effects (for example, an academic-integrity determination). NotAI's authorship-verification output is designed to inform, and not to replace, a qualified human reviewer at the deploying institution, and each detection result is accompanied by confidence metrics, evidence excerpts, and the signal categories that contributed to the score so that the human reviewer exercises independent judgement. Where an individual's rights under Article 22 are engaged, the controller (typically the deploying institution) is responsible for (i) ensuring meaningful human review that is not merely a rubber stamp, (ii) providing the data subject with meaningful information about the logic involved and a meaningful explanation of the individual decision consistent with Dun & Bradstreet, and (iii) honouring the data subject's right to contest the decision. NotAI supports the controller in meeting these obligations by providing documentation of the detection methodology, per-session evidence, and explanation-on-request tooling through our Data Processing Agreement. End users who believe they have been incorrectly classified should contact the deploying institution in the first instance; NotAI will assist the institution on request.

EU AI Act Transparency (Regulation (EU) 2024/1689)

When the Services are used by an educational or vocational-training deployer for any of the high-risk uses set out in Annex III, point 3 of the EU AI Act (in particular, to evaluate learning outcomes (point 3(b)), to assess the appropriate level of education that an individual will receive or will be able to access (point 3(c)), or to monitor and detect prohibited behaviour of students during tests (point 3(d)), for example in connection with authorship-verification of coursework or examinations), the Services are treated by NotAI as a high-risk AI system. In those deployments, NotAI complies with the transparency obligations under Articles 13 and 26 of the EU AI Act and discloses the following:

  • Intended purpose: NotAI analyzes behavioral telemetry (keystroke timing, mouse movements, navigation patterns) to produce a confidence score indicating whether a text submission was authored by a human or generated by AI. The system is designed to assist, not replace, human judgment in academic integrity decisions.
  • Human oversight: The system is designed so that its outputs are reviewed by a natural person (instructor or administrator) before any decision with legal or similarly significant effects is made. Deploying institutions are responsible for ensuring this human oversight is maintained in practice.
  • Accuracy and limitations: Detection accuracy varies by technique and context. No AI detection system achieves 100% accuracy. False positives (human work flagged as AI) and false negatives (AI work not flagged) can occur. Confidence scores should be treated as one input among several in any decision-making process.
  • Data inputs: The system processes the behavioral and session data described in Sections 2.1, 2.2, and 2.4 of this policy. It does not process the substantive content of student submissions.
  • Logging and traceability: Event logs are maintained for each analysis to support auditability. Retention periods are specified in Section 6.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area or the United Kingdom, the lawful basis depends on NotAI's role in each processing activity.

Processing where NotAI acts as processor (sub-processor): the core authorship-verification and detection service that NotAI performs on behalf of a deploying institution or customer acting as controller. NotAI does not select its own Article 6 basis for this processing. The deploying institution (as controller) identifies the basis, most commonly public interest or official authority (Art. 6(1)(e)) for public educational institutions, contractual necessity (Art. 6(1)(b)) where the institution's terms with the user require verification, or consent (Art. 6(1)(a)) where the institution elects a consent-based route, and NotAI processes only on the institution's documented instructions under a written processor agreement meeting Article 28.

Processing where NotAI acts as controller (limited ancillary activities such as managing the customer's business account with NotAI, billing, security monitoring of NotAI's own infrastructure, and fraud and abuse prevention on NotAI's own platform), we rely on:

  • Contractual necessity (Art. 6(1)(b)): creating and administering the customer account and delivering the Services to which the customer has subscribed.
  • Legal obligation (Art. 6(1)(c)): retaining billing and tax records as required by applicable law.
  • Legitimate interests (Art. 6(1)(f)): maintaining the security, integrity, and availability of NotAI's own platform (including logging of administrative access, anti-fraud controls on the subscription checkout, and operational monitoring), balanced against data subjects' rights via documented legitimate-interests assessments available on request at [email protected]. Algorithm-improvement activities that use only aggregated and fully de-identified statistical patterns meeting the Standard for Anonymization and De-identification set out in Section 3 fall outside the material scope of GDPR Article 2 and are therefore not grounded in Article 6; where that status cannot be assured for a given activity, NotAI either (i) does not proceed or (ii) obtains the data subject's consent or relies on the controller's basis.
  • Consent (Art. 6(1)(a); explicit consent under Art. 9(2)(a) for special category data): for processing where the data subject contracts directly with NotAI and gives free, specific, informed, and unambiguous agreement, including the EEA/Swiss behavioral-signal processing described in Section 13.7. In processor-mode deployments through a controller-institution (for example, a school, university, or employer that is NotAI's controller), the controller's Article 9(2)(g) substantial-public-interest basis or Article 9(2)(j) research/statistics basis governs the Article 9 special-category processing under Section 13.7; consent is not relied upon as the basis in those deployments.

You may withdraw consent at any time without affecting the lawfulness of prior processing, and you may object to processing based on legitimate interests, by contacting us at [email protected] or by using the opt-out mechanisms described in Section 10.

5. Data Region & Regional Compliance

We maintain strict data region policies:

  • US Region: Data stored on Microsoft Azure infrastructure within the United States
  • EU Region: Data stored on Microsoft Azure infrastructure within the European Union

Important: Your region selection at signup is the default for the life of your account. Primary service data (the behavioral and session data we collect to verify human authorship) is stored and processed exclusively in your selected region, and migration between regions is not a standard feature. Limited migration may be available only in the narrow scenarios set out in Section 3.3 of the Terms of Service (legally binding change of control or corporate reorganisation, subsequent mandatory law, or long-term unavailability of the originally selected region), by separate written agreement. Limited categories of data necessary for ancillary services (such as billing records held by our payment processor, and transactional email metadata held by our email-delivery provider) are processed by subprocessors in the United States regardless of your region selection, as described below.

Content delivery and security services provided by Cloudflare are configured with the Cloudflare Data Localization Suite, which ensures that HTTP traffic inspection, TLS termination, and associated metadata are processed only within the applicable region. This includes Regional Services to constrain where traffic is decrypted and inspected, and Customer Metadata Boundary to keep operational logs and analytics in-region.

For the limited ancillary-service transfers described above, we rely on the following transfer mechanisms:

  • EU-US, UK, and Swiss-US Data Privacy Framework (subprocessor onward transfers only): NotAI is not currently self-certified under the EU-US Data Privacy Framework (adequacy decision of 10 July 2023 under GDPR Article 45), the UK Extension to the EU-US DPF, or the Swiss-US DPF (Swiss Federal Council adequacy decision of 14 August 2024, effective 15 September 2024). Primary transfers to NotAI in the United States are therefore made under the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss Addendum described below. Where a subprocessor located in the United States is itself self-certified under the EU-US DPF, the UK Extension, or the Swiss-US DPF (for example, certain entities among Microsoft, Google LLC, Stripe, Inc., Cloudflare, Inc., or Twilio Inc.; status verifiable at dataprivacyframework.gov), that subprocessor's certification may be relied upon as an adequacy mechanism for the onward transfer from NotAI to that subprocessor in addition to the SCCs. If the EU-US DPF, the UK Extension, or the Swiss-US DPF is suspended, invalidated, or otherwise ceases to provide a valid transfer mechanism (in whole or as to any specific subprocessor), the SCCs already in place for the affected transfers continue to apply without further action required of the customer.
  • Standard Contractual Clauses: For transfers not covered by an adequacy decision (including transfers to Constellix / DigiCert, Inc.), we rely on the European Commission's SCCs adopted by Implementing Decision (EU) 2021/914. Module selection follows the actual data flow and NotAI's role in each flow, and the executed DPA's Section 7.2 and Annex 4 govern the module identification for each customer relationship. Module Two (controller-to-processor) is the primary instrument for the direct customer-controller → NotAI-as-processor flow that characterises NotAI's standard processor engagement under the DPA; consistent with that, the EU SCCs Module Two are deemed executed by the parties on the effective date of the DPA, with the elections and parameters set out in DPA Annex 4. Module Three (processor-to-processor) applies to (i) all onward transfers from NotAI to our US subprocessors, and (ii) the limited circumstances where personal data reaches NotAI through a customer's learning-management platform or other first-tier processor, so NotAI receives the data as sub-processor to that upstream processor rather than directly from the controller. Module Four (processor-to-controller) applies to the reverse flow where NotAI, as processor importer, returns aggregated analytical output or authorship-verification results to the EU customer acting as controller. The executed instrument for each customer identifies the module(s) actually invoked.
  • UK International Data Transfer Addendum: For transfers of UK personal data not covered by the UK Extension to the DPF, we apply the UK International Data Transfer Addendum to the EU SCCs (ICO Version B1.0) together with a Transfer Risk Assessment using the ICO's TRA tool. References in this Policy to the "UK GDPR" mean the UK GDPR as retained in domestic law by the Data Protection Act 2018 and as amended by the Data (Use and Access) Act 2025 (received Royal Assent 19 June 2025), and references to "UK data protection law" mean the UK GDPR so amended together with the Data Protection Act 2018.
  • Swiss Addendum: For transfers originating in Switzerland not covered by the Swiss-US DPF, we apply the EU SCCs as amended in accordance with FDPIC guidance (originally issued 27 August 2021 and as subsequently updated by the FDPIC), treating references to EU law, EU supervisory authorities, and EU Member State courts as references to the revised Swiss Federal Act on Data Protection (nFADP, in force 1 September 2023), the FDPIC, and Swiss courts.
  • Brazil (LGPD): For international transfers of personal data subject to Brazil's Lei Geral de Proteção de Dados (Law No. 13,709/2018, "LGPD"), NotAI executes the standard contractual clauses published by the Autoridade Nacional de Proteção de Dados (ANPD) under Resolution CD/ANPD No. 19/2024 (23 August 2024), which entered into force 23 August 2025, using the clause set that matches the data-flow role (controller-to-processor or processor-to-processor). Where an ANPD adequacy decision or specific authorisation applies, we rely on that mechanism. Generic EU SCCs are not used as a substitute for the ANPD clauses for LGPD-governed transfers.
  • Transfer Impact Assessment: For each US-based subprocessor, NotAI maintains a documented Transfer Impact Assessment evaluating US surveillance laws (including FISA section 702, Executive Order 12333, and the CLOUD Act) and the supplementary technical, contractual, and organisational measures applied (encryption with customer-managed keys, access logging, challenge-of-government-access commitments). Executed SCCs and current TIAs are available on request to [email protected].

Remote access as transfer. Remote access by authorised NotAI or subprocessor personnel located outside your selected region for support, incident response, or security investigation is treated as a transfer for GDPR Chapter V purposes and is covered by the mechanisms above.

Our current subprocessors are:

  • Microsoft Azure (Microsoft Corporation, USA): Cloud hosting, data storage, and failover CDN (Azure Front Door)
  • Stripe (Stripe, Inc., USA): Payment processing
  • Cloudflare (Cloudflare, Inc., USA): Primary CDN, WAF, and reverse proxy (with Data Localization Suite for regional traffic processing)
  • Constellix (DigiCert, Inc., USA): Primary DNS management (Azure DNS as secondary)
  • Twilio (Twilio Inc., USA): Transactional email delivery (SendGrid)
  • Google (Google LLC, USA): Business email communications

We will notify customers of any changes to this list at least 30 days in advance via email.

6. Data Retention

  • Behavioral data: Retention varies by plan (Starter: 7 days, Pro: 30 days, Enterprise: custom retention period). Data is automatically deleted after the retention period expires.
  • Aggregated statistics: Retained for the duration of your subscription
  • Account information: Retained until account deletion
  • Billing records: Retained as required by law (typically 7 years)

7. Your Rights (GDPR / UK GDPR as amended by DUAA 2025)

If you are a resident of the European Economic Area, the United Kingdom (under the UK GDPR as retained by the Data Protection Act 2018 and amended by the Data (Use and Access) Act 2025), or Switzerland (under the revised Federal Act on Data Protection, in force 1 September 2023), you have the following rights:

  • Right to Access: Request a copy of the data we hold about you
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Portability: Request your data in a machine-readable format
  • Right to Object: Object to processing of your personal data
  • Right to Restrict Processing: Request limitation of processing
  • Right to Lodge a Complaint: Lodge a complaint with your local data protection supervisory authority under GDPR Article 77

To exercise these rights, contact us at [email protected]. We will respond without undue delay and in any event within one month of receipt as required by GDPR Article 12(3). Where a request is particularly complex or where we have received a number of requests from you, that period may be extended by up to two further months in accordance with Article 12(3); in that case we will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to Know: Request what personal information we collect, use, and disclose, the sources from which we collected it, our purposes for collecting it, and the categories of third parties to whom we disclose it. The categories of third parties to whom we disclose personal information are described in Section 5 (subprocessors).
  • Right to Delete: Request deletion of your personal information, subject to statutory exceptions.
  • Right to Correct: Request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale or Sharing: Opt out of the "sale" or "sharing" of personal information. NotAI does not sell or share personal information as defined under CCPA/CPRA. We honor the Global Privacy Control (GPC) browser signal as a valid opt-out of sale or sharing.
  • Right to Limit Use and Disclosure of Sensitive Personal Information: NotAI processes behavioral signals (keystroke timing, mouse dynamics, and related telemetry) that may constitute "sensitive personal information" under Cal. Civ. Code § 1798.140(ae) to the extent treated as biometric information used to uniquely identify a consumer. Our use of this information is limited to the purposes permitted by Cal. Civ. Code § 1798.121(a), principally providing the Services you or your institution requested. You may request that we limit our use of this information to those permitted purposes by contacting [email protected].
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
  • Right to Appeal: If we deny your request, you may appeal by replying to our decision. We will respond to appeals within 60 days.

How to exercise your rights. Contact us at [email protected] or visit our support page. We will respond within 45 days as required by law, extendable by an additional 45 days with notice for complex requests (Cal. Civ. Code § 1798.130(a)(2)). You may use an authorized agent to submit a request on your behalf; we will verify the agent's authority and, except where a consumer has provided a power of attorney, verify the consumer's identity directly.

Retention. Retention periods for each category of personal information are described in Section 6.

Financial incentives. NotAI does not offer financial incentives or price or service differences in exchange for personal information.

Metrics. If and when NotAI processes the personal information of 100,000 or more California residents in a calendar year, we will publish annual request-response metrics as required by Cal. Civ. Code § 1798.130(a)(5)(B).

Shine the Light (Cal. Civ. Code § 1798.83). California residents may request, once per year, a list of categories of personal information disclosed to third parties for direct-marketing purposes. NotAI does not disclose personal information to third parties for their direct-marketing purposes.

Do Not Track (CalOPPA). NotAI does not track consumers across third-party websites for advertising purposes and does not respond differently to Do Not Track signals because we do not engage in the cross-site tracking the mechanism is designed to limit. We honor the Global Privacy Control signal as described above.

9. Other U.S. State Privacy Rights

If you reside in a U.S. state other than California that has enacted a comprehensive consumer privacy law, you have rights under that state's law. For California residents, see Section 8.

Standard rights package. Most applicable states grant a consistent package of rights:

  • Access to the personal data we process about you.
  • Deletion of the personal data we hold about you.
  • Correction of inaccurate personal data (most states).
  • Portability: a copy of your personal data in a readily usable format.
  • Opt-out of (i) the sale of personal data, (ii) targeted advertising, and (iii) significant automated decisionmaking (profiling).
  • Opt-in consent before we process sensitive data (in states that require it).
  • Appeal if we deny a rights request.
  • Non-discrimination for exercising these rights.

Universal opt-out (Global Privacy Control). We honor the GPC browser signal as a universal opt-out of sale of personal data and targeted advertising in every state that recognizes universal opt-out signals, including California, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, and Rhode Island.

Applicable state laws.

State          | Statute                                              | Effective               | Notable variations
California     | CCPA / CPRA (Cal. Civ. Code § 1798.100 et seq.)      | Jan 2020; CPRA Jan 2023 | See Section 8.
Virginia       | VCDPA (Va. Code § 59.1-575 et seq.)                  | Jan 2023                | Standard package; no universal opt-out requirement.
Colorado       | CPA (Colo. Rev. Stat. § 6-1-1301 et seq.)            | Jul 2023                | Universal opt-out required; 45-day appeal window.
Connecticut    | CTDPA (Conn. Gen. Stat. § 42-515 et seq.)            | Jul 2023                | Universal opt-out required.
Utah           | UCPA (Utah Code § 13-61-101 et seq.)                 | Dec 2023                | No right to correct; no right to appeal; sensitive-data notice only.
Texas          | TDPSA (Tex. Bus. & Com. Code § 541 et seq.)          | Jul 2024                | Universal opt-out required; no private right of action.
Oregon         | OCPA (Or. Rev. Stat. § 646A.570 et seq.)             | Jul 2024                | Right to a list of specific third parties that received personal data.
Montana        | MCDPA (Mont. Code § 30-14-2801 et seq.)              | Oct 2024                | Universal opt-out required.
Iowa           | ICDPA (Iowa Code Ch. 715D)                           | Jan 2025                | No right to correct; no right to appeal; limited opt-out.
Delaware       | DPDPA (Del. Code Tit. 6 Ch. 12D)                     | Jan 2025                | Universal opt-out required; lower applicability threshold.
New Hampshire  | N.H. Rev. Stat. Ch. 507-H                            | Jan 2025                | Universal opt-out required.
New Jersey     | NJDPA (N.J. Stat. § 56:8-166.4 et seq.)              | Jan 2025                | Universal opt-out required; expanded financial-information definition.
Nebraska       | Nebraska Data Privacy Act                            | Jan 2025                | Texas-style model; universal opt-out required.
Tennessee      | TIPA                                                 | Jul 2025                | Affirmative NIST Privacy Framework defense available.
Minnesota      | MCDPA                                                | Jul 2025                | Right to question profiling decisions and obtain reviewer explanation.
Maryland       | MODPA                                                | Oct 2025                | Strictest: data minimization required; no sale of sensitive data even with consent.
Indiana        | ICDPA                                                | Jan 2026                | Standard package.
Kentucky       | KCDPA                                                | Jan 2026                | Standard package.
Rhode Island   | RIDTPPA                                              | Jan 2026                | Universal opt-out required.

How to exercise your rights. Contact [email protected] or visit our support page. We will respond within 45 days, or the statutory period applicable to your state (typically 45 or 60 days), with an extension available for complex requests as permitted by law. If we deny a request in whole or in part, you may appeal by replying to our decision; we will respond to appeals within the period required by your state's law.

Data protection assessments. Where required by state law, NotAI conducts documented data protection assessments before engaging in processing that presents a heightened risk of harm, including targeted advertising, sale of personal data, processing sensitive data, and profiling that produces legal or similarly significant effects. NotAI does not engage in sale of personal data or targeted advertising.

Strongest applicable regime. Where multiple state laws apply to you, NotAI applies the strongest applicable regime to your request.

10. Opt-Out Mechanisms

End users of websites that implement NotAI can opt out of behavioral analysis:

  • Website operator: Contact the website operator directly to request exclusion from behavioral analysis
  • NotAI support: Contact [email protected] and we will work with the website operator to process your request

NotAI does not use cookies. Our products (the Text Monitor package and the NotAI Pixel) use browser localStorage solely for session management, specifically to maintain a session identifier so that typing or browsing events collected during a single visit can be grouped together. This storage is limited to what is needed to deliver the authorship-verification service the user (through the deploying institution) has requested, does not track users across websites, and is not used for any analytics, advertising, audience measurement, or profiling purpose. No third-party tracking pixels or cross-site tracking mechanisms are placed on your website. For the EEA and United Kingdom, NotAI does not unilaterally rely on the “strictly necessary” exemption in Article 5(3) of Directive 2002/58/EC as the lawful basis for this storage; consistent with European Data Protection Board Guidelines 2/2023 on the technical scope of Article 5(3), the deploying institution (as the controller of the end-user relationship) is responsible for obtaining the user's prior informed consent where required by national implementing law. Where the institution has a lawful route to rely on the “strictly necessary for the provision of the service explicitly requested by the subscriber or user” ground (for example, because the verification service itself is what the user has requested through institutional onboarding), the session-identifier storage falls within that ground. For information about email delivery tracking, see Section 12.

11. Data Security

We implement industry-standard security measures:

  • AES-256 encryption for data at rest using customer-managed keys (CMK) via Azure Key Vault
  • TLS 1.2+ encryption for data in transit (TLS 1.3 enabled where supported)
  • Azure Key Vault for secret management
  • Regular security reviews and penetration testing

Breach Notification

In the event of a personal data breach, NotAI will notify affected customers without undue delay and, for breaches engaging the GDPR or UK GDPR, no later than 72 hours after becoming aware of the breach (GDPR and UK GDPR Article 33). For breaches engaging the revised Swiss Federal Act on Data Protection, NotAI notifies affected customers as soon as possible in accordance with Article 24 nFADP, which does not impose a fixed 72-hour clock but requires notification at the earliest practicable time. For deployments at Illinois K–12 educational institutions, NotAI's notification to the affected school under this paragraph is intended to satisfy the operator's obligation to notify the affected school within thirty (30) calendar days of determining that a breach of covered information has occurred under the Illinois Student Online Personal Protection Act, 105 ILCS 85/20(b). Notification will include the nature of the breach, likely consequences, and measures taken to address it.

For a breach affecting U.S. residents, the customer as controller is responsible for any notification required to affected individuals, state attorneys general, state police, and consumer reporting agencies under applicable state law. The customer's deadlines under those laws may be shorter than the GDPR's 72-hour supervisory-authority clock. For example, 30 days to affected individuals under Florida Statutes § 501.171, Colorado Revised Statutes § 6-1-716, Washington Revised Code § 19.255.010, and Maine Revised Statutes tit. 10 § 1348; 60 days under Texas Business & Commerce Code § 521.053; and "most expedient time possible and without unreasonable delay" under California Civil Code § 1798.82, Illinois 815 ILCS 530/10, Massachusetts General Laws ch. 93H § 3, and the New York SHIELD Act (N.Y. Gen. Bus. Law § 899-aa and § 899-bb). As a processor, NotAI will provide reasonable assistance to customers (controllers) in meeting their own notification obligations under the applicable law, consistent with Article 28(3)(f) of the GDPR and with the Data Processing Agreement.

Privacy by Design

NotAI is built on privacy-by-design principles in accordance with GDPR Article 25. We collect only the minimum data necessary for behavioral analysis, use anonymous session tokens rather than personal identifiers, and default to the most privacy-protective settings. Data region selection ensures behavioral data sovereignty from day one.

Audit and Attestations

NotAI maintains its own SOC 2 Type II attestation, refreshed annually. The attestation report is available under NDA on request to [email protected]. The Microsoft Azure SOC 2 Type II attestation covering the underlying hosting layer is referenced separately in DPA Annex 2.

Personnel Security

Given the sensitivity of the data we process, including student education records protected under FERPA and data from children under 13 subject to COPPA, NotAI maintains rigorous personnel security controls:

  • Background screening: All NotAI employees and direct contractors with direct access to customer personal data on or via the production Services have undergone a fingerprint-based criminal-history check, which includes a search of the U.S. Federal Bureau of Investigation Next Generation Identification ("NGI") database conducted through Arizona's fingerprint clearance card program under A.R.S. § 41-1758.01 et seq. (for personnel resident in Arizona) or a comparable state-authorized program (for personnel resident elsewhere), prior to being granted such access. This requirement does not apply to professional service providers (such as outside accountants, attorneys, auditors, and similar advisers) who are bound by applicable professional-conduct confidentiality obligations and whose limited access to personal data, if any, is incidental to the provision of their professional services to NotAI rather than processing of customer personal data on NotAI's behalf in the provision of the Services; such providers are not subprocessors and are subject to written confidentiality agreements appropriate to the engagement. Subprocessor personnel are subject to the background-screening requirements set out in the applicable subprocessor agreement, as described in Section 5.
  • Privacy and data protection training: All personnel complete comprehensive privacy and data protection training at onboarding and on an annual basis thereafter, covering GDPR, FERPA, COPPA, and CCPA obligations relevant to their role.
  • Confidentiality obligations: All personnel with access to personal data are bound by written confidentiality agreements that survive the termination of their employment or engagement.

12. Third-Party Services

We use the following third-party services (see Section 5 for the full subprocessor list):

  • Microsoft Azure: Cloud infrastructure, data storage, and failover CDN (Azure Front Door)
  • Stripe: Payment processing
  • Cloudflare: Primary CDN, WAF, and reverse proxy (with Data Localization Suite for regional traffic processing)
  • Constellix: Primary DNS management (Azure DNS as secondary)
  • Twilio: Transactional email delivery (SendGrid)
  • Google: Business email communications

Each third party has its own privacy policy governing its use of your data.

Our transactional emails sent via Twilio (SendGrid) may include a small tracking pixel that records delivery and open events (timestamp and requesting IP address). This data is used solely for email deliverability monitoring, is retained for a limited period, and is not linked to your NotAI account activity, on-site behavioral data, or any advertising system. The "no cookies / no tracking" statement elsewhere in this policy refers to activity on your website: it does not cover this email-delivery pixel, which only runs when you open a NotAI-sent email in a mail client that loads remote images. You can suppress it by using your mail client's image-blocking setting.

13. Children's Privacy & Student Data

13.1 Our Role in Educational Settings

NotAI is used by educational institutions, including K-12 schools, to verify the authenticity of student work. In these settings NotAI acts exclusively as a school service provider and data processor. We process student data only on the institution's behalf, solely for the educational purpose authorized by the school.

13.2 COPPA Compliance (Children Under 13)

We recognize that when K-12 schools deploy NotAI, children under 13 may use the service. Rather than relying on direct parental consent, we operate under the COPPA school-authorized educational purpose framework, under which a school or school district may consent on behalf of parents when collection is limited to a school-authorized educational purpose and no commercial use. This framework is grounded in 16 CFR Part 312 (as amended by the Final Rule published at 90 Fed. Reg. 16,958 (Apr. 22, 2025), effective 23 June 2025) and the FTC's long-standing guidance in Complying with COPPA: Frequently Asked Questions, Section N (Schools and Educational Service Providers). Under that framework, and consistent with 16 CFR § 312.5(b)(1) (verifiable consent obtained in a manner reasonably calculated, in light of available technology, to ensure the person providing consent is the parent), the school stands in for the parent where:

  • The data is collected for a school-authorized educational purpose and for no commercial purpose other than that educational purpose;
  • The operator does not disclose student personal information except back to the school or as required by law;
  • The operator does not use student data for targeted advertising, behavioral profiling for non-educational purposes, or sale to third parties; and
  • The operator provides the contracting school with the direct notice otherwise required of parents under 16 CFR § 312.4(c), including the categories of information collected, how it will be used, and the school's right to review, direct deletion, and refuse further collection.

NotAI satisfies each condition. In school contexts, we collect only the behavioral and session data described in Sections 2.1 and 2.2 above, along with limited institution-provided identity data as described in Section 2.4; we use it exclusively for authorship verification as directed by the institution; we never use student data for advertising, profiling, or sale; and we provide each contracting school with the § 312.4(c) direct notice at contract execution. We note that the FTC's 2025 Final Rule declined to codify a standalone school-authorization subsection proposed in the 2024 NPRM, and the framework above therefore rests on 16 CFR Part 312 generally (including § 312.5(b)(1)) as interpreted in the FTC FAQ rather than a dedicated subsection.

13.3 FERPA Compliance

When an educational institution subject to the Family Educational Rights and Privacy Act (FERPA) deploys NotAI, we function as a school official with a legitimate educational interest under 34 CFR § 99.31(a)(1). Our Data Processing Agreement with each institution ensures that:

  • NotAI is under the direct control of the institution with respect to the use and maintenance of education records, as required by 34 CFR § 99.31(a)(1)(i)(B)(1);
  • We access only the data necessary to provide the contracted authorship-verification service, and our use is limited to the purposes for which the disclosure was made (34 CFR § 99.31(a)(1)(i)(B)(2));
  • We will not redisclose personally identifiable information from education records to any third party except as permitted under 34 CFR § 99.33, and then only on documented instructions from the institution;
  • Parents and eligible students exercising rights under 34 CFR §§ 99.10 and 99.20 (inspection, review, and amendment of education records) should contact the deploying institution, which will direct NotAI accordingly; we assist the institution in meeting the 45-day response window;
  • Institutional audit and inspection rights are preserved through the DPA;
  • We comply with the institution's record-retention and deletion instructions.

13.4 State Student Privacy Laws

We are committed to compliance with state student data privacy statutes, including but not limited to:

  • California SOPIPA (Bus. & Prof. Code § 22584): We do not use student data to target advertising, create profiles for non-educational purposes, or sell student information.
  • New York Education Law 2-d: We enter into Data Privacy and Security Agreements as required and limit use to the contracted educational purpose. For New York State educational agency contracts, NotAI appends the Parents' Bill of Rights for Data Privacy and Security and supplemental information required by 8 NYCRR § 121.3 to every agreement. The current Parents' Bill of Rights is published here.
  • Illinois SOPPA (105 ILCS 85/): We do not sell, share for targeted advertising, or use student data for non-educational purposes.

We support the Student Data Privacy Agreement (SDPA) published by the Student Data Privacy Consortium (A4L/SDPC) and will execute the applicable SDPA or state-specific addenda upon request. Our DPA is published at isnotai.com/dpa; the SDPA and related trust documentation are available on request to [email protected].

13.5 Data Practices in School Contexts

When processing student data, NotAI applies the following additional safeguards:

  • No advertising: Student data is never used for targeted advertising or marketing of any kind.
  • No sale of data: We do not sell, rent, or trade student data to any third party.
  • No behavioral profiling: Student behavioral data is used solely for authorship verification, never for behavioral profiling, predictive analytics, or non-educational purposes.
  • Narrow, education-only algorithm improvement: Separately, aggregated and de-identified statistical patterns (such as typing cadence distributions and common bot navigation signatures) meeting the Standard for Anonymization and De-identification set out in Section 3 may be used to improve the accuracy of NotAI's educational products. For data originating from K-12 educational deployments, this use is limited to improving NotAI's educational products consistent with Cal. Bus. & Prof. Code § 22584(e)(2) and 105 ILCS 85/10(a)(4) and is not combined with data from non-educational deployments for cross-product training. This process does not constitute profiling of individual students, and is consistent with the COPPA school-authorized educational purpose exception, FERPA, and applicable state student privacy laws described in Sections 13.2 through 13.4.
  • No persistent student profiles: We do not build longitudinal profiles that follow students across institutions or after they leave the deploying institution.
  • Data minimization: In school contexts, we collect the behavioral telemetry described in Sections 2.1 and 2.2 along with limited identity information (such as student names and user IDs) provided by the institution through LTI launches or webhook integrations (see Section 2.4). This identity data is used solely to enable instructors and administrators to associate authorship-verification results with the correct student within the NotAI dashboard. We do not independently collect student email addresses or contact information; all identity linkage originates from the institution's systems.

13.6 Deletion & Parental Rights

Educational institutions may request deletion of all student data associated with their account at any time by contacting [email protected]. We will process deletion requests within 30 days. Parents or guardians who wish to review, correct, or delete their child's data should contact their child's school, which may then direct us to take the appropriate action.

If you believe we have collected personal information from a child without appropriate institutional authorization, please contact us immediately at [email protected] and we will promptly investigate and delete the data if confirmed.

13.7 Behavioral Signals and Biometric Laws

NotAI's Services analyze behavioral signals, specifically the timing and sequence of keystrokes, cursor movement dynamics, scroll and click patterns, and related interaction telemetry. These signals describe how a person interacts with a page; they are not images of a face, fingerprints, voice recordings, retina or iris scans, hand geometry, or DNA.

For these reasons, NotAI takes the position that the behavioral data described in Sections 2.1 and 2.2 does not constitute a "biometric identifier" or "biometric information" under the following statutes:

  • Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/10: NotAI does not capture or store retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and does not derive information from any of the foregoing.
  • Texas Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code § 503.001: NotAI does not capture a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.
  • Washington RCW 19.375.010: NotAI does not enroll a "biometric identifier" (fingerprint, voiceprint, eye retinas, eye irises, or other unique biological patterns or characteristics used to identify a specific individual) in a database.
  • New York City Biometric Identifier Information Law, NYC Admin Code § 22-1201 et seq.: NotAI does not collect "biometric identifier information" as defined therein.

We nevertheless apply heightened safeguards to these behavioral signals as if they were sensitive: we use them solely for authorship verification and bot detection, we do not sell or license them, and we retain them only for the retention periods described in Section 6 (7 days on Starter, 30 days on Pro, and the contracted retention period on Enterprise). Aggregated and de-identified statistical patterns derived from behavioral signals may be used to improve detection accuracy as described in Sections 3 and 13.5; these aggregates meet the Standard for Anonymization and De-identification set out in Section 3 and are not a "biometric identifier" or "biometric information" under the statutes above.

EU / EEA: distinct analysis. The position above addresses US biometric-specific statutes. Separately, Regulation (EU) 2024/1689 (the EU AI Act), Article 3(34) and Recital 15 define "biometric categorisation" broadly enough that behavioral patterns used to identify or infer attributes about a specific person may be treated as biometric categorisation under EU law even where those patterns are not captured by the US statutes above. Accordingly, for data subjects in the EEA (and Switzerland, on the equivalent nFADP basis), NotAI treats the behavioral signals described in this Section 13.7 as special category data under GDPR Article 9(1) and processes them on the basis of the data subject's explicit consent under Article 9(2)(a) (for direct B2C use) or on the controller-institution's lawful basis under Article 9(2)(g) or Article 9(2)(j) where NotAI acts as processor. NotAI also complies with its AI-Act obligations as a provider, including transparency under Article 13 and output-marking and user-notification under Article 50, and supports deployer obligations under Article 26(11). Similar concepts in Colorado (C.R.S. § 6-1-1303(4)), Oregon (SB 619 / ORS 646A.578), Maryland (Md. Code Com. Law § 14-4601), and FTC guidance on biometric information may also bring these signals within scope of those state or federal regimes, and NotAI provides the corresponding notices and choices as required.

Where a customer's deployment context brings NotAI's processing within scope of a biometric-specific statute notwithstanding the foregoing (for example, a customer elects to integrate NotAI with a camera-based proctoring workflow operated by another vendor), the customer is responsible for providing any required notices and obtaining any required consents, and NotAI will process that data only on the customer's documented instructions and in accordance with the Data Processing Agreement.

14. AI-Specific Regulation (EU AI Act, Colorado AI Act, and Other Jurisdictions)

The Services are an "AI system" within the meaning of the European Union Artificial Intelligence Act (Regulation (EU) 2024/1689) and a "high-risk artificial intelligence system" within the meaning of the Colorado Artificial Intelligence Act (SB 24-205, codified at C.R.S. § 6-1-1701 et seq.) when used to make, or to be a substantial factor in making, a consequential decision about a natural person. Comparable AI-specific regulation applies or will apply in additional jurisdictions.

NotAI's consolidated AI-transparency disclosures (including the intended purpose of the Services, NotAI's role as developer / provider, the deployer's role and obligations, the training-data summary, known limitations and risks, the risk-management program, incident and regulator notifications, how an individual exercises rights with respect to an automated decision, and a jurisdiction reference table) are published at isnotai.com/ai-transparency and are incorporated into this Privacy Policy by reference.

Nothing in this Section 14 limits the processing disclosures in Sections 1 through 13 of this Privacy Policy, which remain the authoritative description of how NotAI processes personal data in connection with the Services.

15. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by email to the address associated with your account at least 30 days before the changes take effect, and by posting the updated policy on this page with a revised "Last Updated" date. Non-material changes (such as formatting or clarifications that do not affect your rights) may take effect immediately upon posting.

If NotAI undergoes a merger, acquisition, reorganization, statutory conversion (including under 6 Del. C. § 18-214), change of entity form, change of control, or sale of all or substantially all of its assets or equity, this Privacy Policy and our commitments under it continue to govern the processing of your personal data, which may be transferred to or continue under the successor or acquiring entity without requiring new consent. We will notify you of any such change of controller identity by email and by updating this policy.

16. Contact Us

If you have questions about this Privacy Policy, please contact us:

  • Email: [email protected]
  • Mail: IS NOT AI LLC, 7014 E Camelback Rd B100A, Scottsdale, AZ 85251
  • EU Representative (GDPR Art. 27): Proctorio GmbH, Lindleystraße 8A, 60314 Frankfurt am Main, Germany. Email: [email protected]
  • EU Data Protection Officer: UBG mbH, Im Breitspiel 210, 69126 Heidelberg, Germany. Tel: 069/6530006-23. Email: [email protected]
  • UK Representative (UK GDPR Art. 27): Garfield Smith Solicitors Limited, The Exchange Building, 132 Commercial Street, London E1 6NG, United Kingdom. Email: [email protected]
  • UK Data Protection Officer: Garfield Smith Solicitors Limited, The Exchange Building, 132 Commercial Street, London E1 6NG, United Kingdom. Email: [email protected]
  • Support: Contact Support

Mandate of the EU and UK Representatives. Each Representative identified above has been mandated in writing by NotAI under Article 27(3) of the GDPR and Article 27(3) of the UK GDPR (as applicable) and may be addressed, in addition to or instead of NotAI, by supervisory authorities and by data subjects on all issues related to the processing of personal data for the purposes of ensuring compliance with the GDPR or the UK GDPR. Communications received by a Representative are treated as communications received by NotAI for the purposes of the time limits in Articles 12 to 22 of the GDPR and the UK GDPR.

© 2026 NotAI. All rights reserved.