Effective Date: August 18, 2025

Last Updated: September 3, 2025

About This Policy

Julia Social, Inc. ("Julia Social," "we," "us," or "our") operates the not.bot mobile application ("App") that

provides digital identity and proof of humanness services, and related websites at julia.social and not.bot

("Website"). This Privacy Policy explains how we collect, use, share, and protect information when you use

our App and Website.

Our Privacy-First Approach: not.bot is designed with privacy at its core. We use advanced cryptographic

techniques to minimize data collection and retention while providing robust identity verification services.

Most of your data never leaves your device, and what we do process is immediately deleted after use.

Information We Collect

During Enrollment

Passport Data Processing: When you enroll in not.bot, you scan your passport using your device's NFC

capability. Your passport's NFC chip contains your photo, legal name, birthdate, gender, and nationality,

all cryptographically signed by your government.

Sent to Inverid: All passport data is transmitted to our third-party verification service, Inverid, to

verify the government's digital signatures

Sent to Julia Social: After verification, only your legal name, birthdate, gender, and nationality are

sent to us

Immediate Deletion: Inverid deletes all passport data within five minutes (typically under two

minutes). Julia Social deletes all passport data within milliseconds after generating cryptographic

proofs

What We Retain: We store only non-identifying cryptographic proofs and blockchain record

information that cannot be used to identify you

Blockchain Records: We create decentralized identifiers (DIDs) as defined by the W3C standard and

store them in blockchain records. These blockchain records have no identifying information aside from

the user's public key(s). The cryptographic secret keys associated with your root identity are stored

exclusively in your iPhone's Secure Enclave and are never shared with us.

During App Usage

Alias Creation: When you create aliases (additional blockchain-based identities), we store blockchain

record information but do not store any association between aliases and your identity. We use multiparty

computation when creating age-related credential claims to ensure our servers cannot determine your

specific age despite the limited range of possible birthdates.

Alias-Identity Association Management: When server operations require verification of an alias's

association with your root identity, the app generates cryptographic proof of this association in real-time.

This proof is used only for the duration of the specific request and is never stored by our servers. Each

subsequent request requiring such verification will generate a new proof.

Subscription Management: When server operations require verification of an active subscription, the

app generates cryptographic proof of subscription status in real-time. This proof is used only for the

duration of the specific request and is never stored by our servers. We do not receive payment

information, receipt data, or your Apple ID from Apple's payment systems.

Sticker Data:

QR Code Stickers: Encrypted presentation data is uploaded to our servers with decryption keys

remaining on your device, ensuring we cannot access the content

JAB Code Stickers: All data is encoded directly in the image with no data sent to our servers

Optional Telemetry: You may choose to share anonymous usage statistics including:

Weekly counts of stickers created and scanned by type

Average and maximum message lengths (only if more than three stickers created weekly)

Average number of credential claims included per sticker

Time spent on app screens and screen access frequency

No personally identifying information is included in telemetry data

Information We Do Not Collect

Camera Usage: While the app accesses your device's camera to scan QR codes and JAB codes, all image

processing occurs entirely on your device. Captured images are never transmitted to Julia Social or stored

on our servers.

Biometric Authentication: The app uses your device's biometric authentication (Face ID, Touch ID) to

verify your identity for sensitive operations such as sticker creation and accessing hidden aliases. You can

choose to use your system passcode instead if preferred. All biometric processing occurs entirely on your

device using Apple's secure authentication systems. No biometric information is ever transmitted to Julia

Social or stored on our servers.

We do not collect:

Device identifiers (UDID, advertising ID)

Device fingerprinting data

IP addresses

Location data

Your Apple ID

Performance analytics beyond optional telemetry

The content of your messages or presentations

Your scanning or creation history

Your contacts within the app

Identifying information in server logs (all server logs are anonymized)

Logs or diagnostic data (unless you choose to share them with us for support)

Crash Reports: In the event of application crashes, we may receive device and operating system

information for debugging purposes, but no information identifying individual users. This crash data is

retained for a maximum of one year.

How We Use Information

We use collected information solely to:

Generate and maintain cryptographic proofs for identity verification

Create and manage blockchain records for your digital identities

Provide customer support when you contact us

Improve our services through optional anonymous telemetry

Comply with legal obligations

Multiparty Computation: We use sophisticated cryptographic techniques that allow us to provide

services without learning sensitive details about your data, including when creating aliases and referral

codes.

How We Share Information

Third-Party Service Providers

Inverid: During enrollment only, your complete passport data is sent to Inverid for signature verification.

Inverid deletes all data within five minutes and does not store passport information after verification

completes.

Amazon Web Services (AWS): We use AWS for cloud infrastructure. Our data stored with AWS is

encrypted at rest using standard AWS encryption services. Encryption keys are managed through Amazon

Secrets Manager. Due to our minimal data collection practices, any potential AWS access to our systems

would have limited impact given the lack of personally identifying information stored.

Galactechs, LLC: Provides blockchain node services. They store only the date and time of requests for

capacity planning and do not log specific user requests or data.

Public Blockchain Nodes: When you choose to verify presentations through public blockchain nodes

(approximately 40,000 available), these third-party nodes may log connection attempts and requests.

However, our system selects different nodes for each session and all connections are anonymous,

preventing any individual node from tracking user activity.

Apple App Store: Payment processing for subscriptions is handled entirely through Apple's systems

according to their privacy practices.

Legal Requirements

We may disclose information when required by law, court order, or government request, or to protect our

rights, property, or safety, or that of our users or others. We will challenge overreaching or inappropriate

requests when legally permissible.

Business Transactions

In the event of a merger, acquisition, or sale of assets, Julia Social's fully anonymized data set may be

transferred as part of that transaction. You will be notified via our website of any such change in

ownership.

No Sale of Personal Information

We do not sell, rent, or trade personal information to third parties for their commercial purposes.

Blockchain and Decentralization

Permanent Records: Blockchain records created through not.bot are permanent and cannot be deleted.

This includes your root identity and any aliases you create. No personally-identifiable information is

stored in the blockchain records.

Public Verification: While blockchain records are permanent, they contain no personally identifying

information. Verification of presentations only requires checking cryptographic signatures against

blockchain records, not accessing any passport data.

User Control: You maintain complete control over what information you choose to share in stickers and

presentations. You select in advance what data each alias can access for sharing.

Your Rights and Choices

Account Management

Account Deactivation: You may deactivate your account at any time, though blockchain records

cannot be deleted

Subscription Cancellation: Cancel your subscription anytime through Apple's App Store

Data Correction: To correct inaccurate information, you must re-enroll with a corrected passport, as

we process only cryptographically signed government data

Privacy Controls

Telemetry: Opt out of telemetry sharing at any time through in-app settings

Alias Privacy: Mark aliases as "hidden" requiring biometric authentication or system passcode to

access

Selective Sharing: Choose what information each alias can share when creating stickers

Real-Time Consent: Biometric authentication or system passcode required for each sticker creation

Data Access Limitations

Due to our privacy-preserving architecture:

No Access Requests: We cannot provide access to cryptographic proofs as they contain no

identifying information

No Data Portability: Personal data is not stored in a portable format

Limited Deletion: While we can deactivate accounts, blockchain records are permanent by design

Children's Privacy

There is no minimum age requirement for using not.bot, as passports are issued to individuals of all ages.

However:

Parental Involvement: Children under 13 should use the app only with parental guidance

Biometric Protections: All sensitive actions require biometric authentication or system passcode

Limited Data Collection: Our minimal data collection practices provide additional protection for

users of all ages

Data Security

Technical Safeguards

Encryption: All data in transit is protected using SSL/TLS encryption

At-Rest Encryption: Data stored on our servers is encrypted using AWS standard encryption services.

Data stored on your device is also encrypted at rest.

Secure Enclave: Cryptographic secret keys are stored exclusively in your iPhone's Secure Enclave

hardware security module

Key Management: Our encryption keys are managed through Amazon Secrets Manager

Immediate Deletion: Passport data is deleted within milliseconds after processing

Incident Response

In the event of a data breach:

Limited Impact: Our architecture ensures that even a complete data breach would have minimal

impact due to lack of stored personal information

Notification: We will post breach notifications on our website at julia.social. Given that only a small

fraction of our users provide email addresses through our website forms, and some non-users also

submit emails, website notification provides the most effective means of reaching our user base.

Transparency: We will provide details about any incident and steps taken to address it

International Considerations

Current Scope: This privacy policy applies only to users who download and use our app through Apple's

U.S. App Store.

Blockchain Access: While blockchain verification may involve international nodes, no personally

identifying information is transmitted during verification processes.

Website Privacy Practices

Our website at julia.social and not.bot follows the same privacy-first principles as our mobile application:

No Cookies: Our website uses no cookies or tracking technologies.

Cloudflare Services: We use Cloudflare as a reverse proxy service on their Pro service tier, which provides

us with aggregate traffic statistics but does not provide information about specific connections or

individual visitors.

Email Collection: Our website includes two optional forms:

Newsletter Signup: Users may voluntarily provide their email address to subscribe to our newsletter

Referral Code Waitlist: Users may voluntarily provide their email address to join a waitlist for referral

codes to access not.bot

For both forms, we collect and store only:

The submitted email address

The date and time the email was submitted

No other information is logged or collected

Merchandise Store

Separate Service: Our website includes a link to a merchandise store hosted by Shopify with order

fulfillment by Printful. This merchandise store operates as a separate service with its own terms of service

and privacy policies.

Third-Party Data Handling: When you purchase merchandise, you provide personal information

(including name, address, and payment information) directly to Shopify and Printful. These companies

may use tracking technologies such as cookies and have their own data collection and retention

practices.

Julia Social Access: Julia Social staff may access purchaser information on Shopify and Printful platforms

solely to address merchandise-related customer complaints submitted via email. Julia Social does not

capture or store this purchaser information in our own systems.

No User Linking: There is no mechanism to associate not.bot app users with merchandise store

purchasers. No data is shared between the app and the merchandise platforms.

and Printful's respective privacy policies for information about their data practices.

Support and Enhancement Requests

Email Support: Users may contact us at support@julia.social for support requests or better@julia.social

for enhancement requests. When you email us, we retain your email address and any information you

voluntarily provide in your messages.

Additional Information: During support interactions, you may voluntarily provide additional

information. We encourage users not to provide personal identifying information beyond their email

address. We may request an access log recorded by the app, which may include Apple App Store

transaction identifiers and blockchain record identifiers, but contains no personal information or sticker

content details.

Data Handling: All correspondence and related materials (including any access logs, stickers, or

identifiers submitted) are stored in our support email system. Access is limited to Julia Social support

staff.

Retention and Deletion: All emails and materials related to support requests are manually deleted upon

resolution of the request. We may create internal reports based on support interactions that contain no

identifying information.

Data Retention

Cryptographic Proofs: Retained indefinitely to maintain service functionality

Blockchain Records: Permanent and cannot be deleted

QR Code Data: Retained indefinitely

Telemetry Data: Retained indefinitely in anonymous, aggregated form

Support Communications: Retained for a maximum of one calendar year

Website Form Data: Email addresses and submission timestamps from newsletter signups and

referral code waitlist submissions are retained until removal is requested by the owner of the email

address

Crash Reports: Device and operating system information from application crashes is retained for a

maximum of one year

Subscription Tiers and Data Handling

Service Tiers

Free: Up to 5 aliases, JAB code stickers only

Pro: Unlimited aliases, QR code stickers, one Reserved Name

Verified Creator: All Pro features plus additional Reserved Names and Verified Creator badges

Subscription Changes

Cancellation: No refunds available; users may cancel anytime

Downgrades: Verified Creator badges may be revoked upon downgrade, but aliases and Reserved

Names are never revoked

Payment Processing: All payment processing handled through Apple App Store according to their

terms and privacy practices

Contact Information

Julia Social, Inc.

300 Peachtree St NE, Ste CS2-3299

Atlanta, Georgia 30308

Data Protection Officer: Ken Griggs

Email: legal@julia.social

Website: https://julia.social

For technical support or general inquiries, please visit https://not.bot

Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal

requirements, or other factors. When we make changes:

Notification: Updates will be announced on our website at julia.social

Effective Date: The updated policy will include a new effective date

Material Changes: Significant changes will be prominently displayed on our website

Continued Use: Your continued use of the app after policy updates constitutes acceptance of the

revised policy

Additional Resources

Educational Materials: Learn more about our privacy-preserving technology at https://not.bot

W3C Standards: Our implementation follows W3C standards for Decentralized Identifiers (DIDs) and

Verifiable Credentials

Open Source: Technical documentation and implementation details are available on our website

This privacy policy is designed to be transparent about our data practices while highlighting the privacy-

preserving nature of not.bot's architecture. If you have questions about this policy or our practices, please