not.bot

Privacy Policy

Effective Date: June 12, 2026 Last Updated: June 17, 2026

This Privacy Policy covers the not.bot mobile application ("App"), operated by Julia Social, Inc. ("Julia Social," "we," "us," or "our"). not.bot is available to anyone who can download it from the US App Store or Google Play.

We receive no personal information

not.bot is built so that we never receive personal information about you. We do not have your name, your birthdate, your email address, your payment details, your Apple ID, or your Google account. We have engineered the system so that we cannot obtain this information even if we wanted to. This is enforced by the architecture of the product, not by a promise.

The sections below explain the few things that do happen with data, who handles it, and the choices and rights you have.

What happens at enrollment

You enroll by scanning the NFC chip in your government passport with your phone. The chip holds data signed by your government.

  • Signature verification. The signed passport data is sent to our identity-verification partner, Signicat, which confirms the government's digital signatures are valid. Signicat deletes the passport data within minutes.
  • No facial image, no selfie, no biometrics. We do not read the facial image on the passport chip, we do not take a selfie, and we perform no facial comparison. We hold no biometric data of any kind.
  • What reaches your phone. After the signatures are verified, the cryptographic material used to build your credentials is created and the source data is discarded. Your private keys are generated and held only in your phone's secure hardware, the Secure Enclave on iPhone or the hardware-backed keystore on Android, and are never shared with us.
  • What we keep. We retain only non-identifying cryptographic material and the public blockchain records described below. None of it names you.

What we do not collect

The App uses your phone's camera to scan QR codes and JAB codes, and your phone's biometric authentication (Face ID, Touch ID, or Android fingerprint or face unlock) or passcode to authorize sensitive actions. All of this happens on your device. Camera images and biometric data never leave your phone and are never transmitted to us.

We do not collect:

  • Your name, birthdate, email address, or payment information
  • Biometric data of any kind
  • Device identifiers, advertising IDs, or device fingerprinting data
  • IP addresses
  • Location data
  • Your Apple ID or Google account
  • The content of your messages, signatures, or presentations
  • Your scanning or signing history
  • Your contacts
  • Identifying information in server logs

Apple and Google may collect crash reports through their app platforms under their own privacy practices. We do not request, access, or review them.

How the App uses information

The limited, non-identifying cryptographic material we handle is used only to:

  • Generate and maintain the cryptographic proofs that let you prove you are a verified human
  • Create and manage the public blockchain records for your identities
  • Provide support when you contact us
  • Meet legal obligations

Multi-party computation. When the App creates age-related credentials, it uses multi-party computation across your phone, Julia Social, and Praxis, an independent escrow party. The computation is designed so that neither Julia Social nor Praxis learns your birthdate. We use the same class of cryptography to keep your aliases unlinkable to your identity.

Aliases and unlinkability

You have one root identity and as many per-site aliases as you want. Aliases are unlinkable: two services you use cannot determine that they have interacted with the same person. A single service can recognize you when you return to it, which is what lets you keep an ongoing presence there, and you can choose to make an alias linkable when you want a public identity. We do not store any association between your aliases and your identity. When a service needs to confirm that an alias belongs to a verified human, the App generates that proof in real time and we never store it.

Signatures

When you sign content, the App creates a signature in one of two forms:

  • QR code signatures. The presentation data behind the signature is encrypted on your device and uploaded to our servers, with the decryption keys held only on your phone. We store the encrypted data but cannot read its contents.
  • JAB code signatures. Everything needed to verify the signature is encoded directly in the image. Nothing is sent to our servers.

Subscriptions

When the App needs to confirm you have an active subscription, it generates a cryptographic proof of your subscription status in real time. The proof lasts only for that request and is never stored on our servers.

How we share information

We do not sell or share your personal information, as those terms are defined by the California Consumer Privacy Act and other state privacy laws. We could not do so meaningfully in any case, because we do not hold it.

We work with a small number of service providers:

  • Signicat verifies passport signatures during enrollment and deletes the data within minutes.
  • Amazon Web Services (AWS) hosts our infrastructure and stores our non-identifying data, encrypted at rest.
  • Galactechs, LLC provides blockchain node services. It may log the time of a request for capacity planning, never the content. When you verify a signature through public blockchain nodes, of which there are approximately 30,000 as of June 2026, the App connects through different nodes across sessions so that no single operator can track you.
  • Apple and Google process subscription payments through the App Store and Google Play under their own privacy practices. We never receive your payment details, receipt data, Apple ID, or Google account.

Legal process. We may disclose information when required by law or valid legal process, or to protect our rights or the safety of others. We will challenge requests that are overbroad or improper where the law permits. Because we hold no information that identifies you, there is little we are able to produce.

Business transfers. If Julia Social is involved in a merger, acquisition, or sale of assets, our non-identifying data may transfer as part of that transaction. We will post notice of any change of ownership on our website.

Blockchain records

We create decentralized identifiers (DIDs), following the W3C standard, and store them in public blockchain records. These records contain public keys and cryptographic proof references. They do not contain your name, birthdate, passport data, or any other plaintext attribute about you.

Blockchain records are permanent and cannot be deleted or modified. This includes your root identity and every alias. Verifying a not.bot signature requires only checking cryptographic signatures against these public records; it never requires access to passport data, because we do not have any.

Your privacy rights

California residents, and residents of other states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, and Texas), have rights to know what personal information a business holds about them, to delete it, to correct it, to opt out of its sale or sharing, to limit the use of sensitive personal information, and not to be discriminated against for exercising these rights.

Our architecture changes what these rights mean in practice, because we hold no information that identifies you:

  • Right to know / access. We can describe the categories of cryptographic material we handle (set out in this policy), but we hold no personal information tied to you to return.
  • Right to delete and correct. We have no identifying personal information on our servers to delete or correct. To change the demographic data in your credentials, re-enroll with a corrected passport, since we work only from cryptographically signed government data. Blockchain records are permanent by design and contain no personal information. Deleting the App removes it from your device and ends your use of not.bot; your blockchain records remain, because they are permanent and identify no one.
  • Right to opt out of sale or sharing. We do not sell or share personal information, so there is nothing to opt out of.
  • Right to limit sensitive personal information. We do not collect or use sensitive personal information.
  • Non-discrimination. We will never deny you service or charge you differently for exercising any privacy right.

You can also opt out of the optional anonymous telemetry described below at any time in the App's settings.

Optional telemetry

You may choose to share anonymous usage statistics: weekly counts of signatures created and scanned by type, the average and maximum length of your messages (only when you create more than three signatures in a week), the average number of credential claims included per signature, and the time spent on app screens and how often each is opened. This is off unless you turn it on, contains no information that identifies you, and can be turned off at any time in settings.

Children

There is no minimum age to use not.bot, because passports are issued to people of all ages. not.bot is a general-audience product and is not directed to children. We do not knowingly collect personal information from children, and our minimal-collection design means we collect almost nothing from anyone. We do not ask for or hold a user's age.

Data security

  • Cryptographic secret keys are held only in your phone's secure hardware, the Secure Enclave on iPhone or the hardware-backed keystore on Android, and never reach us.
  • Data in transit is protected with TLS encryption. Data on your device and the limited data on our servers are encrypted at rest.
  • Because we hold no information that identifies you, even a complete breach of our systems would expose no personal data about our users.

Data retention

  • Cryptographic proofs: retained while needed to keep the service working.
  • Blockchain records: permanent by design; they contain no personal information.
  • Anonymous telemetry: retained in aggregate form only, if you opt in.
  • Support emails: deleted when the request is resolved.

Support

When you email us for help, we keep your message and your email address and delete both when the request is resolved. We may ask you for an access log recorded by the App, which can include App Store or Google Play transaction identifiers and blockchain record identifiers but contains no personal information or signature content. Reach us at [email protected] for support and [email protected] for feature requests.

Updates to this policy

We may update this policy to reflect changes in our practices or the law. We will post updates here with a new effective date and announce significant changes on our website. Your continued use of the App after an update takes effect means you accept the revised policy.

Contact

Julia Social, Inc. 300 Peachtree St NE, Ste CS2-3299 Atlanta, Georgia 30308

Data Protection Officer: Ken Griggs Email: [email protected] Website: https://julia.social

For support, visit https://not.bot