
Privacy Policy

Last Updated: March 1, 2026

1. Introduction

NotAI ("we," "our," or "us") provides human verification and AI detection services. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our services, including our Text Input Monitor (SDK) and Behavior Tracker Pixel.

For our customers (website operators who integrate NotAI): Your use of our Services is governed by our Terms of Service and, where applicable, a Data Processing Agreement (DPA). You are the data controller for end-user data collected through our Services; NotAI acts as a data processor on your behalf.

For end users of websites that use NotAI: The website operator is the data controller responsible for how your data is collected and used. NotAI processes data solely on their behalf and according to their instructions. Please refer to the website operator's own privacy policy for information about their data practices.

2. Information We Collect

2.1 Text Input Monitor Data

When website operators integrate our Text Input Monitor SDK, we collect:

  • Keystroke timing data: The timing and sequence of keystrokes (not the content itself)
  • Typing patterns: Pause durations, typing speed variations, correction patterns
  • Session metadata: Browser type, session duration, timestamp
  • Authorship indicators: Copy/paste events, text source attribution
  • IP addresses: Used transiently for session matching on authenticated platforms (e.g., LMS integrations). Full IP addresses are truncated at the CDN edge via data localization controls and are not stored in application logs or databases.

2.2 Behavior Tracker Data

Our Behavior Tracker Pixel collects:

  • Mouse movement patterns: Cursor trajectory, click patterns, scroll behavior
  • Navigation behavior: Page transitions, timing between actions
  • Browser characteristics: User agent, viewport size, language settings
  • Session identifiers: Anonymous session tokens (no personal identifiers)
  • IP addresses: Used transiently for session matching on authenticated platforms. Full IP addresses are truncated at the CDN edge via data localization controls and are not stored in application logs or databases.

2.3 Account Information

When you create a NotAI account, we collect:

  • Email address
  • Region preference (US or EU)
  • Organization name (if provided)
  • Billing information (processed by Stripe)

2.4 Institution-Provided Identity Data

When an educational institution integrates NotAI through LTI (Learning Tools Interoperability) launches or webhook integrations, we may receive limited identity information provided by the institution, including:

  • Student names: As supplied by the institution's learning management system (e.g., Canvas LMS) during an LTI launch
  • User IDs: Institution-assigned identifiers used to match behavioral data to the correct student

This data originates entirely from the institution's systems and is used solely to display authorship-verification results to authorized instructors and administrators within the NotAI dashboard. NotAI does not independently collect student email addresses or contact information.

3. How We Use Your Information

We use the collected information to:

  • Distinguish human behavior from AI-generated or bot activity
  • Provide authorship verification and analysis
  • Generate aggregated usage statistics for our customers
  • Improve our detection algorithms using aggregated, de-identified behavioral patterns derived from usage across our customer base. This process uses only statistical distributions and signal data (e.g., typing cadence ranges, common bot navigation signatures) that cannot be traced back to any individual person, student, or institution. No names, submission content, or institution-specific identifiable data are used for algorithm improvement.
  • Provide customer support
  • Process payments and manage subscriptions

Automated Processing

Our Services use automated analysis of text input patterns and browsing behavior to classify traffic as human or non-human. These classifications may be used by our customers to restrict access to their websites or to flag submissions for further review. NotAI acts as a data processor performing this analysis on behalf of our customers (the data controllers).

Human review requirement: NotAI's outputs are designed as decision-support tools, not autonomous decision-makers. Our system produces confidence scores and flags that are intended to be reviewed by a qualified human (such as an instructor or administrator) before any consequential action—such as grade adjustment, academic integrity proceedings, or access restriction—is taken against a data subject. NotAI does not make final determinations on its own.

Under GDPR Article 22, data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Website operators using our Services are responsible for ensuring appropriate safeguards, including the right to obtain human review from the controller. End users who believe they have been incorrectly classified should contact the website operator directly.

EU AI Act Transparency (Regulation (EU) 2024/1689)

NotAI's authorship-verification system is classified as a high-risk AI system under the EU AI Act, Annex III, Category 3 (education and vocational training), because its outputs may influence decisions related to admission, assessment, or the monitoring of student performance. In compliance with the transparency obligations under Articles 13 and 26 of the EU AI Act, we disclose the following:

  • Intended purpose: NotAI analyzes behavioral telemetry (keystroke timing, mouse movements, navigation patterns) to produce a confidence score indicating whether a text submission was authored by a human or generated by AI. The system is designed to assist—not replace—human judgment in academic integrity decisions.
  • Human oversight: The system is designed so that its outputs are reviewed by a natural person (instructor or administrator) before any decision with legal or similarly significant effects is made. Deploying institutions are responsible for ensuring this human oversight is maintained in practice.
  • Accuracy and limitations: Detection accuracy varies by technique and context. No AI detection system achieves 100% accuracy. False positives (human work flagged as AI) and false negatives (AI work not flagged) can occur. Confidence scores should be treated as one input among several in any decision-making process.
  • Data inputs: The system processes the behavioral and session data described in Sections 2.1, 2.2, and 2.4 of this policy. It does not process the substantive content of student submissions.
  • Logging and traceability: Event logs are maintained for each analysis to support auditability. Retention periods are specified in Section 6.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, we process your personal data under the following legal bases:

  • Contractual necessity (Art. 6(1)(b)): Processing account information and providing the Services you have subscribed to
  • Legitimate interests (Art. 6(1)(f)): Improving our detection algorithms and maintaining security of our Services. Algorithm improvement relies exclusively on aggregated, de-identified behavioral patterns—statistical distributions and signal data that cannot be attributed to any identifiable individual or institution. This is comparable to how anti-fraud and anti-spam systems learn from global threat patterns to protect all users. We have assessed that these interests do not override data subjects' rights, given that (a) the data used for algorithm improvement is aggregated and de-identified, (b) we process only pseudonymized behavioral patterns (not personal content) for service delivery, (c) we retain data for limited periods, and (d) we provide opt-out mechanisms. You may object to processing based on legitimate interests by contacting us at [email protected]
  • Legal obligation (Art. 6(1)(c)): Retaining billing records as required by applicable tax and financial regulations
  • Consent (Art. 6(1)(a)): Where our customers have obtained end-user consent for behavioral data collection through their own privacy notices

You may withdraw consent at any time by contacting the website operator or by using the opt-out mechanisms described in Section 9.

5. Data Region & Regional Compliance

We maintain strict data region policies:

  • US Region: Data stored in Azure East US and West US 3 data centers
  • EU Region: Data stored in Azure West Europe and North Europe data centers

Important: Your region selection at signup is permanent. All data remains within your selected region and is never transferred to other regions.

Content delivery and security services provided by Cloudflare are configured with the Cloudflare Data Localization Suite, which ensures that HTTP traffic inspection, TLS termination, and associated metadata are processed only within the applicable region. This includes Regional Services to constrain where traffic is decrypted and inspected, and Customer Metadata Boundary to keep operational logs and analytics in-region.

Where limited data transfers are necessary for ancillary services (such as payment processing or transactional email), we rely on European Commission-approved Standard Contractual Clauses (SCCs) or applicable adequacy decisions under GDPR Article 45. Our current subprocessors are:

  • Microsoft Azure (Microsoft Corporation, USA) — Cloud hosting and data storage
  • Stripe (Stripe, Inc., USA) — Payment processing
  • Cloudflare (Cloudflare, Inc., USA) — Primary CDN, WAF, and reverse proxy (with Data Localization Suite for regional traffic processing)
  • Azure Front Door (Microsoft Corporation, USA) — Failover CDN, WAF, and reverse proxy
  • Constellix (Tiggee LLC, USA) — Primary DNS management (Azure DNS as secondary)
  • Twilio SendGrid (Twilio Inc., USA) — Transactional email delivery
  • Google Workspace (Google LLC, USA) — Business email communications

We will notify customers of any changes to this list at least 30 days in advance via email.

6. Data Retention

  • Behavioral data: Retention varies by plan—Starter: 7 days, Pro: 30 days, Enterprise: custom retention period. Data is automatically deleted after the retention period expires.
  • Aggregated statistics: Retained for the duration of your subscription
  • Account information: Retained until account deletion
  • Billing records: Retained as required by law (typically 7 years)

7. Your Rights (GDPR)

If you are a resident of the European Economic Area, you have the following rights:

  • Right to Access: Request a copy of the data we hold about you
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Portability: Request your data in a machine-readable format
  • Right to Object: Object to processing of your personal data
  • Right to Restrict Processing: Request limitation of processing
  • Right to Lodge a Complaint: Lodge a complaint with your local data protection supervisory authority under GDPR Article 77

To exercise these rights, contact us at [email protected]. We will respond within one month as required by GDPR Article 12.

8. Your Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: Request what personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information we hold about you
  • Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information. NotAI does not sell or share personal information as defined under the CCPA/CPRA. To exercise this right, contact [email protected]
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, contact us at [email protected] or visit our support page. We will respond within 45 days as required by law.

9. Opt-Out Mechanisms

End users of websites that implement NotAI can opt out of behavioral analysis:

  • Website operator: Contact the website operator directly to request exclusion from behavioral analysis
  • NotAI support: Contact [email protected] and we will work with the website operator to process your request

NotAI does not use cookies. Our products (Text Input Monitor and Behavior Tracker) use browser localStorage solely for session management—specifically, to maintain a session identifier so that typing or browsing events collected during a single visit can be grouped together. This storage is strictly necessary for the service to function and does not track users across websites or sessions. No third-party tracking pixels or cross-site tracking mechanisms are placed on your website. Under the ePrivacy Directive (Art. 5(3)), we rely on the “strict necessity” exemption for this limited use of local storage. For information about email delivery tracking, see Section 11.

10. Data Security

We implement industry-standard security measures:

  • AES-256 encryption for data at rest using customer-managed keys (CMK) via Azure Key Vault
  • TLS 1.2+ encryption for data in transit (TLS 1.3 enabled where supported)
  • Azure Key Vault for secret management
  • Regular security audits and penetration testing

Breach Notification

In the event of a personal data breach, NotAI will notify affected customers without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. Notification will include the nature of the breach, likely consequences, and measures taken to address it. As a processor, NotAI will assist customers (controllers) in meeting their own notification obligations.

Privacy by Design

NotAI is built on privacy-by-design principles in accordance with GDPR Article 25. We collect only the minimum data necessary for behavioral analysis, use anonymous session tokens rather than personal identifiers, and default to the most privacy-protective settings. Data region selection ensures behavioral data sovereignty from day one.

Personnel Security

Given the sensitivity of the data we process—including student education records protected under FERPA and data from children under 13 subject to COPPA—NotAI maintains rigorous personnel security controls:

  • Background screening: All employees and direct contractors undergo FBI fingerprint-based background checks before being granted access to any systems or data.
  • Security clearance verification: Personnel must complete security clearance card verification as a precondition for accessing production environments, customer data, or internal tools that handle personal information.
  • Privacy and data protection training: All personnel complete comprehensive privacy and data protection training at onboarding and on an annual basis thereafter, covering GDPR, FERPA, COPPA, and CCPA obligations relevant to their role.
  • Confidentiality obligations: All personnel with access to personal data are bound by written confidentiality agreements that survive the termination of their employment or engagement.

11. Third-Party Services

We use the following third-party services (see Section 5 for the full subprocessor list):

  • Microsoft Azure: Cloud infrastructure and data storage
  • Stripe: Payment processing
  • Cloudflare: Primary CDN, WAF, and reverse proxy (with Data Localization Suite for regional traffic processing)
  • Azure Front Door: Failover CDN, WAF, and reverse proxy
  • Constellix: Primary DNS management (Azure DNS as secondary)
  • Twilio SendGrid: Transactional email delivery
  • Google Workspace: Business email communications

Each third party has its own privacy policy governing its use of your data.

Our transactional emails sent via Twilio SendGrid may include a small tracking pixel to confirm delivery. This data is used solely for email deliverability monitoring and is not linked to your NotAI account activity.

12. Children's Privacy & Student Data

12.1 Our Role in Educational Settings

NotAI is used by educational institutions, including K-12 schools, to verify the authenticity of student work. In these settings NotAI acts exclusively as a school service provider and data processor. We process student data only on the institution's behalf, solely for the educational purpose authorized by the school.

12.2 COPPA Compliance (Children Under 13)

We recognize that when K-12 schools deploy NotAI, children under 13 may use the service. Rather than relying on direct parental consent, we operate under the COPPA school-official exception (16 CFR § 312.5(c)(1)), which permits a school or school district to consent on behalf of parents when:

  • The data is collected solely for the use and benefit of the school and for no other commercial purpose;
  • The operator does not disclose student personal information except back to the school or as required by law; and
  • The operator does not use student data for targeted advertising, behavioral profiling for non-educational purposes, or sale to third parties.

NotAI satisfies all three conditions. In school contexts, we collect only the behavioral and session data described in Sections 2.1 and 2.2 above, along with limited institution-provided identity data as described in Section 2.4, use it exclusively for authorship verification as directed by the institution, and never use student data for advertising, profiling, or sale.

12.3 FERPA Compliance

When an educational institution subject to the Family Educational Rights and Privacy Act (FERPA) deploys NotAI, we function as a school official with a legitimate educational interest under 34 CFR § 99.31(a)(1). Our Data Processing Agreement with each institution establishes direct institutional control over how student education records are processed and ensures that:

  • We access only the data necessary to provide the contracted authorship-verification service;
  • We do not re-disclose education records except as directed by the institution or required by law;
  • We comply with the institution's record-retention and deletion instructions.

12.4 State Student Privacy Laws

We are committed to compliance with state student data privacy statutes, including but not limited to:

  • California SOPIPA (Bus. & Prof. Code § 22584): We do not use student data to target advertising, create profiles for non-educational purposes, or sell student information.
  • New York Education Law 2-d: We enter into Data Privacy and Security Agreements as required and limit use to the contracted educational purpose.
  • Illinois SOPPA (105 ILCS 85/): We do not sell, share for targeted advertising, or use student data for non-educational purposes.

We support the Student Data Privacy Agreement (SDPA) published by the Student Data Privacy Consortium (A4L/SDPC) and will execute the applicable SDPA or state-specific addenda upon request. Our DPA, SDPA, and related trust documentation are available at trust.isnotai.com.

12.5 Data Practices in School Contexts

When processing student data, NotAI applies the following additional safeguards:

  • No advertising: Student data is never used for targeted advertising or marketing of any kind.
  • No sale of data: We do not sell, rent, or trade student data to any third party.
  • No behavioral profiling: Student behavioral data is used solely for authorship verification—never for behavioral profiling, predictive analytics, or non-educational purposes. Separately, aggregated and de-identified statistical patterns (such as typing cadence distributions and common bot navigation signatures) that are not traceable to any individual student, user, or institution may be incorporated into NotAI's global detection algorithms to improve accuracy for all customers. This aggregation process strips all identifying information before analysis, does not constitute profiling of individual students, and is consistent with the COPPA school-official exception, FERPA, and applicable state student privacy laws described in Sections 12.2 through 12.4.
  • No persistent student profiles: We do not build longitudinal profiles that follow students across institutions or after they leave the deploying institution.
  • Data minimization: In school contexts, we collect the behavioral telemetry described in Sections 2.1 and 2.2 along with limited identity information—such as student names and user IDs—provided by the institution through LTI launches or webhook integrations (see Section 2.4). This identity data is used solely to enable instructors and administrators to associate authorship-verification results with the correct student within the NotAI dashboard. We do not independently collect student email addresses or contact information; all identity linkage originates from the institution's systems.

12.6 Deletion & Parental Rights

Educational institutions may request deletion of all student data associated with their account at any time by contacting [email protected]. We will process deletion requests within 30 days. Parents or guardians who wish to review, correct, or delete their child's data should contact their child's school, which may then direct us to take the appropriate action.

If you believe we have collected personal information from a child without appropriate institutional authorization, please contact us immediately at [email protected] and we will promptly investigate and delete the data if confirmed.

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by email to the address associated with your account at least 30 days before the changes take effect, and by posting the updated policy on this page with a revised "Last Updated" date. Non-material changes (such as formatting or clarifications that do not affect your rights) may take effect immediately upon posting.

14. Contact Us

If you have questions about this Privacy Policy, please contact us:

  • Email: [email protected]
  • Mail: IsNotAI LLC, 7340 E Main St, Suite 203, Scottsdale, AZ 85251
  • EU Representative (GDPR Art. 27): Proctorio GmbH (a sister company of IsNotAI), Lindleystraße 8A, 60314 Frankfurt am Main, Germany. Email: [email protected]
  • Data Protection Officer: UBG mbH, Im Breitspiel 210, 69126 Heidelberg, Germany. Tel: 069/6530006-23. Email: [email protected]
  • Support: Contact Support


© 2026 NotAI. All rights reserved.
