Last updated: November 25, 2023

The NetNubby Service is sensitive to your privacy concerns and is committed to protecting the data you entrust to us. This policy describes how we define, collect and use that data—because you should know.

I. STRONG TLS PROTECTION:
Site and platform network connections are safeguarded by a Trusted, Domain Validated TLS (formerly SSL) Certificate. Our security protocols protect your connection against common attacks like SLOTH, Heartbleed and others. Additionally, our servers are configured to permit HTTPS connections only, never insecure HTTP. This makes your visits safer and reduces the risk of someone eavesdropping on your network traffic.

II. ACCOUNT CREATION:
When you choose to register an account, the following identifiers will be associated with you for as long as your account remains active:

1) MONIKER
This is a self-descriptive label you are required to create. It can be almost anything. Cosmetically, it is used to communicate your identity on the network. Since it can be over 20 characters long and may contain special Unicode characters, you should be as expressive as possible. As the primary network identifier, your moniker must be unique. This is what others will use to search for you (and you cannot prevent this). Your moniker is not system generated data and is considered Personal Identifiable Information (PII).

2) EMAIL
You are required to supply an existing valid email address which we use to separate your account from all others. It must be unique on the platform. In the event of issues with your activity, we will contact you at this address. Various administrative notices will be sent here, as well. Further, should you request a password reset or wish to report compromised credentials, this is the identifier you will use. You are required to receive communications from us at this address as a condition of maintaining an account, but you are not required to receive communications at this address from other parties using the platform. As a unique identifier, others may use this to search for you on the network (for example, if a business account wishes to send you a Calendar Note). You may prohibit this kind of search (which may, in turn, prevent you from enjoying certain platform features). Your email address is not system generated data and is considered to be PII.

3) USERNAME
You are required to supply a username which we use to identify your account. It must be unique on the platform. Your username forms 50% of your account credentials and should always be safeguarded. Never share it with anyone. Unlike other social media services, it is never used to identify you with others on the network. Your username is not system generated data and is considered to be PII.

4) PASSPHRASE
You are required to create a passphrase which we use to secure your account. (Technically, a passphrase is not a password. A passphrase is a collection of terms, not a single word.) Your passphrase together with your username comprise 100% of the authentication details of your account. Never share your passphrase with anyone, including us. We will never ask for it. Once created, your passphrase is the only identifier stored in our database in hashed form. We are unable to reverse it, read it or guess it. If you need a reset, you can always create a new hashed passphrase. The passphrase is not system generated data and is considered PII.

The combination of your username and passphrase (which uniquely identifies you internally on our network) is considered PII.

5) FORMATTED NAME
This is a combination of the given name and surname you are required to supply. We use this to address you in formal communications using your email address. It is never used to identify you with others on the network. Your formatted name is not system generated data and is considered PII.

6) CUSTOMER RELATION MANAGER (CRM) ID
This is a non-sequential identifier that is unique across the platform. It is used to facilitate all your network activity. It is not shared with you or others except in an anonymized manner (for example, when composing an Exclusive Note). The CRM ID is system generated data and is not PII.

III. COLLECTION OF PERSONAL IDENTIFIABLE INFORMATION (PII):
When you use the NetNubby service your moniker, email, username, passphrase and formatted name are collected by us. All of this information is data that you voluntarily provide or create in order to register an account and use the service, and is considered PII.

IV. COLLECTION OF USAGE DATA:
Usage data is collected automatically when using our service. Data is only collected when accessing our service through a device that supports desktop browsing software. This data includes information such as your Internet Protocol (IP) address; browser name and version; the URL of the pages on which you read and post Notes; as well as the time and date of such network activity.

Please be advised we may inadvertently receive additional information about your device via the multitude of details exposed by your browser. Such details include web headers, user agent, browser plugin details, time zone, screen size and color depth, list of system fonts installed, language settings and much more. This information is transmitted by default when JavaScript is enabled. You may prevent much of this data from being sent by disabling JavaScript in your browser, but this choice is impractical as most websites and online services require JavaScript to function. Our platform is no exception—JavaScript must be enabled to use our service.

When you (attempt to) access our platform by or through a mobile device, no usage data is collected unless the device supports desktop browsing software. This is because our service does not yet support a mobile platform.

V. TRACKING TECHNOLOGIES:
We use neither cookies (session, persistent, essential or otherwise) nor similar tracking technologies to monitor your activity on our service or to store certain information. Further, mechanisms such as beacons, tags, pixels, scripts and browser databases (IndexedDB or Web SQL) normally used by other social media to collect and analyze your information and your activity are not employed by our service.

But we do have to stay on top of things, and the technology we employ is local extension storage (non-synced).

As a browser extension, local storage used by the NetNubby console keeps track of console options and user settings in order to persist them. If we didn’t do this, then each time the console closes, the state of the console itself, as well as all user settings, would be lost. This console storage is kept separate from the storage requirements of other webpages or extensions, and is automatically deleted when the NetNubby service is deinstalled from your device. Because this storage is non-synced, none of the data we store is transmitted over your internet connection en masse or is associated in any way with a Google account (if any).

We also use this local storage to place a randomly created, small footprint token to store the current state of your authentication. This token is deleted at logout.

VI. HOW WE USE YOUR INFORMATION:
We may use your information—
• To provide you personalized content;
• To process and respond to inquiries;
• To improve the quality and usability of our service;
• To alert you to updates, products & services; and
• For the purpose(s) for which you provided it

VII. INFORMATION SHARING WITH THIRD PARTIES:
We do not share your information with anyone, including marketers (we have no marketers). We anticipate forming associations with marketers one day, however, and will amend this policy once we do so.

VIII. CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA):
Our collection and use of children’s personal information is regulated per COPPA at 15 USC §§ 6501 – 6506. While children under the age of 13 may, without their parents’ knowledge or permission, submit personal information to us, we’re not interested in it. Thus, we do not knowingly solicit information from children without parental consent, and such information once identified is deleted upon discovery. That said, website visitors under 13 years of age should ask their parent, legal guardian or responsible adult for assistance when using our service, including the creation of an account to be used with adult supervision.

IX. IP ADDRESSES, LOG FILES AND DATA ANALYSIS:
As with any service operator, we analyze visitor logs to constantly improve the value of our service. We log IP addresses that describe the location of your device (or its network) on the Internet. This information is helpful for systems administration and troubleshooting purposes. These practices help us understand traffic patterns and identify potential problems with our service.

X. DO NOT TRACK (DNT) AND GLOBAL PRIVACY CONTROL (GPC):
We do not respond to the outdated DNT signal or to the newer GPC signal. We do not sell or share your personal information with third parties, regardless of whether you use a GPC signal to indicate your preferences.

XI. CLARIFYING LAWFUL OVERSEAS USE OF DATA (CLOUD) ACT:
The CLOUD Act, an unreviewed, unvetted piece of US legislation that contains far-reaching privacy-destroying decrees, is a law that permits foreign police to wiretap your communications on our server(s) without a warrant, no matter where in the world our server(s) may be physically located. You should know this law can be used against you and there is nothing we can do to prevent it. Such is the world we live in.

XII. GENERAL DATA PROTECTION REGULATION (GDPR):
Since our service collects PII on visitors, Article 3 of the EU’s GDPR applies to your activity. If you, as an EU user, make an inquiry pursuant to the Article 15 Right of Access as to what data we hold on you, we will confirm we process the personal data concerning you which is identified in Section III. Accordingly, the Right of Rectification and the Right of Erasure apply.

1) RIGHT OF RECTIFICATION
You may, at any time and without our permission, directly redact and correct any of the PII associated with your account. Since you are the party maintaining the data it is understood that it’s as accurate as you make it.

2) RIGHT OF ERASURE
This is alternatively known as “the right to be forgotten.” We will happily forget about you if you actively terminate your association with us by deregistering your account, or if you neglect your account and it goes dormant and is subsequently deleted. Under these circumstances, there will be no need to request an erasure because your account will no longer exist on our platform.

However, we will never forget you if your account is banned. We keep permanent records supporting our decision to ban an account, especially when law enforcement is involved. This means the right to be forgotten will not apply where processing is necessary for 1) compliance with a legal obligation; or 2) the establishment, exercise or defense of legal claims.

XIII. CALIFORNIA CONSUMER PROTECTION ACT (CCPA):
Your rights and immunities under the CCPA are spelled out on our California Consumer Protection Act page.

XIV. INFORMATION DISCLOSURE:
Under certain circumstances, our service may be required to disclose your PII if required to do so by law or in response to valid requests by public authorities (for example, a court or a government agency). Our service may disclose your PII in the good faith belief that such action is necessary to—
• Comply with a legal obligation;
• Protect and defend the rights or property of our service;
• Prevent or investigate possible wrongdoing in connection with our service;
• Protect the personal safety of account holders; or
• Protect against legal liability

XV. ANONYMITY, SECURITY, AUTONOMY, HONESTY AND COURTESY:
The current digital climate fosters a great deal of abuse regarding the creation and disclosure of personal identifiers. Even in the face of better privacy laws (such as the GDPR) it still remains a platform’s responsibility to honor its account holders; not just to avoid unnecessary legal action, but to demonstrate tangible respect to those who use the service. It’s the right thing to do.

This is why we endeavor to create and maintain a useful, enjoyable online product that requires as little as possible from you in terms of actual personal information. So while the data you provide is legally defined as PII (which legally requires us to protect it), it doesn’t have to be true.

1) FORMATTED NAME
For example, your formatted name reflects the given name and surname you provide, but it need not correspond to anything on a legal document like a birth certificate or passport. Singularly lacking the motivation to verify what you provide, we use it only as a convenient means to politely address you through official correspondence.

2) EMAIL
As for email, we suggest you create a brand new address used only on our platform (for example, using ProtonMail). This accomplishes two important things. First, in the event of a database breach—hey, it happens—attackers will not be able to match your email account here with an account you use anywhere else. So even if your passphrase was not as strong or as unique as it should be, a breach can’t be used to leverage further access to any of your other online resources. Second, our suggestion to use an email unique to us should be a clarion signal that we’re not going to aggregate your activity here, analyze it, tie it to other online accounts you may have, package it all up and sell it. We’ll leave rampant abuse like that to Facebook, Twitter and others (where your account activity becomes the price of admission).

3) USERNAME
The fact that your username is not disclosed or used to identify you to anyone on the platform should restore your faith in operational security. After all, your username is fully one-half of your account credentials and if an attacker (or the general public) possessed it, all that remains is to identify your passphrase. We’re not comfortable with this level of security anemia embraced by WordPress and others.

That your email is not used as a de facto username should also increase your confidence in account protection. After all, this is your account, not ours, and we believe we have a fiduciary responsibility to secure it for you as best we can.

4) PASSWORD HASH
Speaking of security… in case you’re wondering (and you should be), your passphrase is protected in our database using Argon2, the state-of-the-art hashing function. A hashing function is an irreversible one-way transformation that turns your plaintext passphrase into gibberish, where something like “This is my lucky day!” becomes 85fd877b0008ce74a1fb9f25ff61c300 (hex-encoded). We don’t use the notoriously weak MD5 hash (like Yahoo! did) and we don’t store unsalted SHA-1 hashes (like LinkedIn did).

There are no legal requirements forcing us to use the strongest available password hashing technology, much less disclose our implementation, but you should know regardless.

5) MONIKER
Your moniker gives you complete autonomy as to how to present yourself. It can be almost anything and again, it doesn’t have to match the details of real life. (We reserve the right to disapprove a moniker based on its contents or appearance.)

6) SECURITY TOKEN
Regarding the security token, please be advised it lasts only for the duration of your login session, is randomly created and cannot be used to attack your account. This is because 1) our service prohibits session replay without authentication; 2) account credentials are not stored in the token; and 3) the token is valid only when used in tandem with your obfuscated CRM ID.

7) IP ADDRESS
Lastly, we don’t need to know your true IP address. Yes, we track and store the IP your device reports, but we do this to provide feedback on your login location history. For example, if you customarily log in from Dayton, Ohio, and your last login showed an IP from Tel Aviv then it’s possible your account has been compromised. Tracking your IP helps us protect you like that. (It’s not foolproof of course, but it’s no different than what most major online gaming platforms do.) For the sake of anonymity, we strongly urge you to hide your local IP from us and others. A reliable Virtual Private Network (VPN) such as ExpressVPN can do this for you.

Here’s our bottom line: We remain fully committed to all legal statutes relating to privacy compliance and data protection, but that’s just a stepping stone. Best practices demand we operate under a set of ethics that exceeds minimum legal mandates. In explaining why we do what we do, hopefully this is made clear.

XVI. APPLICABILITY TO THIRD-PARTY WEBSITES:
Using our platform, you’ll have the opportunity to visit many locations on the internet (third-party websites). This privacy policy does not apply to those sites. They may or may not abide by the spirit of mutual respect we endeavor to foster between us.

XVII. CHANGES TO THIS STATEMENT:
We may occasionally update this policy statement. If we make material changes to it, we may or may not provide any notice of those changes prior to their implementation. Thus, we encourage you to periodically review this page.