no909 privacy policy
Privacy Policy

How no909 handles privacy.

This Privacy Policy explains what information no909 may collect, how it is used, and the choices you have when using our website, login pages, and AI chat interface.

Company: no909 Last updated: July 2, 2026 Applies to no909.com Privacy contact: contact@no909.com

Overview

no909 is designed as a private AI interface for people who want a clean, focused place to interact with AI. This policy describes how 'no909' handles information when you visit the website, sign in, use the chat interface, or interact with related pages such as subscriptions, enterprise information, legal notices, and support content.

Our goal is to keep data practices understandable. We try to collect the information needed to operate the service, protect accounts, preserve chat history when that feature is enabled, troubleshoot errors, and improve the reliability of the system. We do not write this policy to hide behind vague language. When a feature stores data, this page explains the reason.

no909 currently uses a PHP frontend, a PHP-authenticated API layer, an SQLite database for users and chat history, and a Python AI backend that sends prompts to the configured model endpoint. The exact privacy behavior can depend on how the server is deployed and which AI model provider is connected.

no909 is AI and can make mistakes. Do not enter sensitive personal, financial, medical, legal, or confidential business information unless you are sure the system is configured for that use.
Plain-language principle 'no909' should only keep information that has a clear product, security, legal, or operational purpose.
Current storage model Accounts, conversations, and messages may be stored in the server-side SQLite database at the configured deployment location.

Information we collect

The information no909 collects depends on how you use the service and how the server is configured. Some information is provided directly by you. Other information is generated automatically when the application runs.

Information you provide

  • Account information, such as username, display name, role, and password credentials.
  • Chat prompts, instructions, uploaded text, or other content you type into the AI interface.
  • Feedback, support requests, business inquiries, or contact details you choose to provide.
  • Settings or preferences that may be added later, such as model choice, theme, memory settings, or workspace preferences.

Information created by using no909

  • AI-generated responses associated with your conversations.
  • Conversation titles, timestamps, and message order.
  • Session information used to keep you signed in.
  • Basic activity records, such as when a conversation was created or updated.

Technical and server information

  • IP address, request path, browser type, user agent, referrer, and timestamps that may appear in web server logs.
  • Backend diagnostic information, such as errors from PHP, Python, Nginx, PHP-FPM, or the AI model endpoint.
  • Security-related events, such as failed login attempts, suspicious requests, or rate-limit events if those controls are enabled.
  • Deployment information, such as which local or remote model endpoint is configured.

We do not intentionally collect sensitive categories of information unless a user voluntarily enters that information into the service. Because 'no909' is a general AI interface, users control much of the content submitted to it.

For questions about what information is collected or to request clarification about a specific category of data, contact contact@no909.com.

How we use information

no909 uses information to make the service work, keep accounts secure, provide AI responses, maintain chat history, and improve reliability. More specifically, we may use information for the following purposes:

  • Authenticate users, maintain sessions, and prevent unauthorized access.
  • Send prompts and conversation context to the configured AI backend so the model can generate a response.
  • Store conversation history so users can return to previous chats.
  • Show recent conversations in the sidebar and keep messages in the correct order.
  • Debug application errors, backend failures, database problems, and model connection issues.
  • Protect the service from abuse, spam, automated misuse, and attempts to bypass access controls.
  • Improve page design, performance, reliability, and product workflow.
  • Comply with applicable laws, enforce terms, and respond to valid legal or security requests.

We may also use aggregated or de-identified information to understand how the product is used. For example, we may count how many conversations were created or how often backend errors occur. We should not use aggregated analytics to identify individual users.

Business and product inquiries that are not privacy-specific may be routed to info@no909.com. Privacy-specific requests should use contact@no909.com so they can be reviewed under the correct process.

Accounts and login

Access to the no909 chat interface is controlled by user accounts. Account records may include username, display name, role, active/inactive status, creation time, update time, and a password hash. no909 does not store plaintext passwords when using the provided account system.

Password handling

Passwords are processed using PHP password hashing functions. When you sign in, the submitted password is compared against the stored hash. The original password should not be recoverable from the database.

Session handling

After successful login, 'no909' stores session values that identify the user for the current browser session. These values are used by pages like chat.php, chat_api.php, and chat_data.php to confirm that the user is authorized.

Roles and account status

The account system supports roles and active status. A disabled account should not be able to sign in. Roles can be used later for admin panels, enterprise controls, model access, billing, or workspace permissions.

Account support

If you believe your account was created incorrectly, assigned the wrong role, accessed without authorization, or should be disabled, contact contact@no909.com. For urgent account compromise concerns, use security@no909.com.

AI chat data

When you send a message in no909, the message and relevant conversation context are sent from the PHP frontend to the authenticated PHP API layer, then to the Python AI backend, and then to the configured model endpoint. This is necessary for the AI model to generate a useful response.

If 'no909' is connected to a local model, chat content is processed by that local model endpoint. If no909 is later connected to third-party AI services, those services may process prompts according to their own terms and privacy practices.

What may be included in AI requests

  • Your latest message.
  • Previous messages in the same conversation, when needed for context.
  • System or developer instructions configured by the no909 deployment.
  • Model selection or routing metadata, if multiple models are supported later.

What users should avoid submitting

Unless no909 has been specifically configured and approved for sensitive data, users should avoid submitting passwords, private keys, government identifiers, bank details, medical records, legal secrets, trade secrets, confidential customer records, or information about third parties without permission.

AI output

AI responses may be inaccurate, incomplete, outdated, or inappropriate for a particular use case. Users are responsible for reviewing AI output before relying on it. 'no909' should not be treated as a substitute for professional advice.

Model provider changes

If the deployment changes from a local model to a third-party model provider, the privacy impact may change. In that case, no909 should update this policy or provide notice explaining which provider is used, what content is sent, and whether provider-side retention or training controls apply.

Chat history

no909 may store conversation history in the server-side SQLite database. This allows the sidebar to show recent chats and allows users to reopen previous conversations. Stored history may include conversation ID, user ID, title, message role, message content, creation time, and update time.

Where history is stored

In the current deployment structure, chat history is stored in a SQLite database file on the server. The default project path is storage/no909.sqlite inside the application directory, although server configuration may change this.

How history is separated

Conversations are associated with a user account ID. The application checks the current session before returning conversations or messages. Users should only see conversations that belong to their own account unless administrative tools are later added and explicitly authorized.

Deleting or clearing history

'no909' may provide controls to delete conversations or clear history. Deleting data from the active database may not immediately remove copies from backups, server snapshots, logs, or disaster recovery systems. Backup deletion depends on the retention schedule configured by the server operator.

Administrative access to history

Server administrators may technically have access to database files, backups, logs, and infrastructure. Administrative access should be limited to people who need it for operations, support, legal compliance, security, or incident response. Administrative review of user content should be treated as sensitive.

Cookies and sessions

no909 may use cookies or similar browser storage to keep users signed in, maintain sessions, remember interface state, or support security features. The most important cookie is typically the PHP session cookie, which lets the server recognize that a user has authenticated.

  • Session cookies are used for login state and access control.
  • Browser storage may be used for interface preferences if added later.
  • Security cookies or headers may be added to reduce unauthorized access risk.
  • Analytics cookies are not required for the core chat experience.

You can configure your browser to block or delete cookies. If you block session cookies, login and chat access may not work correctly.

If analytics, advertising, or third-party tracking tools are added later, this policy should be updated to explain those tools clearly before they are used in production.

Sharing and disclosure

no909 does not sell personal information. We may disclose information when needed to operate infrastructure, comply with law, protect rights and safety, investigate abuse, or support a business transfer such as a merger or acquisition.

Service providers and infrastructure

'no909' may rely on hosting providers, server infrastructure, domain providers, security services, database storage, backup tools, AI model providers, email services, or analytics tools. These providers may process information only as needed to provide their services.

Legal and safety reasons

We may disclose information if we believe it is reasonably necessary to comply with applicable law, enforce terms, respond to legal process, investigate abuse, protect the service, prevent harm, or protect the rights and safety of users, no909, or the public.

Business transfers

If no909 is involved in a merger, acquisition, financing, restructuring, sale of assets, or similar transaction, information may be transferred as part of that transaction. If this happens, we would expect the receiving party to handle the information consistently with this policy or provide notice of changes.

Professional confidentiality expectation

Where information is shared with service providers, contractors, or operational partners, no909 expects those parties to handle information with appropriate confidentiality, access control, and security practices.

Retention

no909 keeps information for different periods depending on what it is, why it is used, and what the server operator has configured. Account records may be kept while an account exists. Chat history may be kept until deleted by a user or an administrator. Logs may be kept for security, debugging, or operational needs.

  • Account data may be retained while the account remains active.
  • Inactive accounts may be deactivated before deletion.
  • Chat messages may remain in the database until deleted or purged.
  • Backups may retain deleted data for a limited period.
  • Security logs may be retained where needed to investigate abuse or protect the service.

Retention periods should be reviewed as 'no909' moves from prototype to production. Enterprise deployments may require stricter retention limits, audit logs, or data deletion workflows.

If you need a copy of your data, a deletion review, or clarification about how long a category of information is retained, contact contact@no909.com. Requests may require identity verification before action is taken.

Security

We use reasonable technical and organizational measures to protect no909. No system is perfectly secure, so users should avoid submitting information that they would not want processed by the configured AI service or stored in server logs.

Current protective measures may include

  • Password hashing instead of plaintext password storage.
  • PHP sessions for authenticated access.
  • Server-side ownership checks before returning conversations.
  • Backend AI API bound to localhost rather than directly exposed to the public internet.
  • Nginx and PHP-FPM separation for web serving and PHP execution.
  • File permissions for the application and SQLite storage directory.

Recommended production safeguards

  • Use HTTPS for all public traffic.
  • Use strong passwords and rotate credentials when needed.
  • Restrict server SSH access and disable password login where possible.
  • Back up the SQLite database securely.
  • Monitor application, Nginx, PHP-FPM, Python API, and model logs.
  • Limit access to admin commands and server files.

Security reports

If you believe you found a vulnerability, exposed database, authentication weakness, leaked key, unsafe endpoint, or other security issue, contact security@no909.com. Please include enough detail to reproduce or understand the issue, but do not exploit the issue, access other users' data, or publicly disclose it before no909 has had a reasonable opportunity to respond.

Emergency escalation

For urgent incidents involving active compromise, exposed credentials, data leakage, or immediate risk to users, contact emergency@no909.com. This address should be reserved for time-sensitive security or privacy events.

Your choices

You can choose what you submit to the AI chat, close your browser session, request deletion where applicable, and contact no909 about privacy questions. Browser settings may also let you limit cookies or local storage.

Account choices

  • You may request that your account be deactivated.
  • You may request deletion of account-associated chat history where applicable.
  • You may change your password if password management features are provided or by contacting an administrator.

Chat choices

  • You can choose not to submit sensitive information.
  • You can start a new conversation to separate topics.
  • You can request deletion of conversations if deletion tooling is available.
  • You can copy or export responses manually from the interface.

Browser choices

Browser controls may let you delete cookies, block storage, clear cache, or use private browsing. Some of these choices can affect login, session continuity, and the behavior of the website.

How to make a request

Privacy requests should be sent to contact@no909.com. General product or business questions may be sent to info@no909.com. Security-sensitive requests should be sent to security@no909.com.

Children

no909 is not intended for children. Users should not create accounts for children or submit personal information about children unless the deployment is specifically designed and legally approved for that purpose. If we learn that information from a child has been collected inappropriately, we may delete it or take steps to deactivate the related account.

If you believe a child has provided information to 'no909' without appropriate authorization, contact contact@no909.com so the issue can be reviewed.

Data transfers

'no909' may be hosted on servers located in a country different from where the user lives. If third-party AI providers, hosting providers, analytics providers, or backup services are used, information may be processed in other locations. Data protection laws vary by country.

Where required, no909 should use appropriate safeguards for international data transfers. The exact safeguards depend on the deployment, provider contracts, user location, and applicable legal requirements.

Changes to this policy

no909 may update this Privacy Policy as the product changes. For example, the policy may be updated if 'no909' adds file uploads, voice chat, image generation, long-term memory, team workspaces, billing, analytics, additional model providers, or enterprise administration features.

When changes are significant, no909 should provide a more prominent notice, such as a website notice, account notice, or updated effective date. Continued use of the service after a policy update may mean that the updated policy applies to your use.

Contact

For privacy questions, requests, or concerns, contact contact@no909.com. This is the primary privacy contact for account data, chat history requests, deletion questions, policy questions, and requests to clarify how a particular category of information is handled.

For general business, product, partnership, or non-sensitive operational questions, contact info@no909.com. For vulnerability reports, suspicious activity, authentication issues, exposed data, or other security matters, contact security@no909.com. For urgent, active, or high-impact incidents, contact emergency@no909.com.

When contacting no909, include enough context to help us review the request: your username if applicable, the relevant page or feature, the type of request, and whether the issue involves account access, chat history, security, or legal/privacy rights. Do not send passwords, private keys, payment details, or unnecessary sensitive data by email.

This policy is written to be operationally useful for the current product and professional enough for a public launch. It should still be reviewed by qualified legal counsel before use in a regulated environment, enterprise deployment, or commercial launch involving sensitive data.