Overview
no909 is designed as a private AI interface for people who want a clean, focused place to interact with AI. This policy describes how 'no909' handles information when you visit the website, sign in, use the chat interface, or interact with related pages such as subscriptions, enterprise information, legal notices, and support content.
Our goal is to keep data practices understandable. We try to collect the information needed to operate the service, protect accounts, preserve chat history when that feature is enabled, troubleshoot errors, and improve the reliability of the system. We do not write this policy to hide behind vague language. When a feature stores data, this page explains the reason.
no909 currently uses a PHP frontend, a PHP-authenticated API layer, an SQLite database for users and chat history, and a Python AI backend that sends prompts to the configured model endpoint. The exact privacy behavior can depend on how the server is deployed and which AI model provider is connected.
Information we collect
The information no909 collects depends on how you use the service and how the server is configured. Some information is provided directly by you. Other information is generated automatically when the application runs.
Information you provide
- Account information, such as username, display name, role, and password credentials.
- Chat prompts, instructions, uploaded text, or other content you type into the AI interface.
- Feedback, support requests, business inquiries, or contact details you choose to provide.
- Settings or preferences that may be added later, such as model choice, theme, memory settings, or workspace preferences.
Information created by using no909
- AI-generated responses associated with your conversations.
- Conversation titles, timestamps, and message order.
- Session information used to keep you signed in.
- Basic activity records, such as when a conversation was created or updated.
Technical and server information
- IP address, request path, browser type, user agent, referrer, and timestamps that may appear in web server logs.
- Backend diagnostic information, such as errors from PHP, Python, Nginx, PHP-FPM, or the AI model endpoint.
- Security-related events, such as failed login attempts, suspicious requests, or rate-limit events if those controls are enabled.
- Deployment information, such as which local or remote model endpoint is configured.
We do not intentionally collect sensitive categories of information unless a user voluntarily enters that information into the service. Because 'no909' is a general AI interface, users control much of the content submitted to it.
How we use information
no909 uses information to make the service work, keep accounts secure, provide AI responses, maintain chat history, and improve reliability. More specifically, we may use information for the following purposes:
- Authenticate users, maintain sessions, and prevent unauthorized access.
- Send prompts and conversation context to the configured AI backend so the model can generate a response.
- Store conversation history so users can return to previous chats.
- Show recent conversations in the sidebar and keep messages in the correct order.
- Debug application errors, backend failures, database problems, and model connection issues.
- Protect the service from abuse, spam, automated misuse, and attempts to bypass access controls.
- Improve page design, performance, reliability, and product workflow.
- Comply with applicable laws, enforce terms, and respond to valid legal or security requests.
We may also use aggregated or de-identified information to understand how the product is used. For example, we may count how many conversations were created or how often backend errors occur. We should not use aggregated analytics to identify individual users.
Business and product inquiries that are not privacy-specific may be routed to info@no909.com. Privacy-specific requests should use contact@no909.com so they can be reviewed under the correct process.
Accounts and login
Access to the no909 chat interface is controlled by user accounts. Account records may include username, display name, role, active/inactive status, creation time, update time, and a password hash. no909 does not store plaintext passwords when using the provided account system.
Password handling
Passwords are processed using PHP password hashing functions. When you sign in, the submitted password is compared against the stored hash. The original password should not be recoverable from the database.
Session handling
After successful login, 'no909' stores session values that identify the user for the current browser session. These values are used by pages like chat.php, chat_api.php, and chat_data.php to confirm that the user is authorized.
Roles and account status
The account system supports roles and active status. A disabled account should not be able to sign in. Roles can be used later for admin panels, enterprise controls, model access, billing, or workspace permissions.
Account support
If you believe your account was created incorrectly, assigned the wrong role, accessed without authorization, or should be disabled, contact contact@no909.com. For urgent account compromise concerns, use security@no909.com.
AI chat data
When you send a message in no909, the message and relevant conversation context are sent from the PHP frontend to the authenticated PHP API layer, then to the Python AI backend, and then to the configured model endpoint. This is necessary for the AI model to generate a useful response.
If 'no909' is connected to a local model, chat content is processed by that local model endpoint. If no909 is later connected to third-party AI services, those services may process prompts according to their own terms and privacy practices.
What may be included in AI requests
- Your latest message.
- Previous messages in the same conversation, when needed for context.
- System or developer instructions configured by the no909 deployment.
- Model selection or routing metadata, if multiple models are supported later.
What users should avoid submitting
Unless no909 has been specifically configured and approved for sensitive data, users should avoid submitting passwords, private keys, government identifiers, bank details, medical records, legal secrets, trade secrets, confidential customer records, or information about third parties without permission.
AI output
AI responses may be inaccurate, incomplete, outdated, or inappropriate for a particular use case. Users are responsible for reviewing AI output before relying on it. 'no909' should not be treated as a substitute for professional advice.
Model provider changes
If the deployment changes from a local model to a third-party model provider, the privacy impact may change. In that case, no909 should update this policy or provide notice explaining which provider is used, what content is sent, and whether provider-side retention or training controls apply.
Chat history
no909 may store conversation history in the server-side SQLite database. This allows the sidebar to show recent chats and allows users to reopen previous conversations. Stored history may include conversation ID, user ID, title, message role, message content, creation time, and update time.
Where history is stored
In the current deployment structure, chat history is stored in a SQLite database file on the server. The default project path is storage/no909.sqlite inside the application directory, although server configuration may change this.
How history is separated
Conversations are associated with a user account ID. The application checks the current session before returning conversations or messages. Users should only see conversations that belong to their own account unless administrative tools are later added and explicitly authorized.
Deleting or clearing history
'no909' may provide controls to delete conversations or clear history. Deleting data from the active database may not immediately remove copies from backups, server snapshots, logs, or disaster recovery systems. Backup deletion depends on the retention schedule configured by the server operator.
Administrative access to history
Server administrators may technically have access to database files, backups, logs, and infrastructure. Administrative access should be limited to people who need it for operations, support, legal compliance, security, or incident response. Administrative review of user content should be treated as sensitive.
Retention
no909 keeps information for different periods depending on what it is, why it is used, and what the server operator has configured. Account records may be kept while an account exists. Chat history may be kept until deleted by a user or an administrator. Logs may be kept for security, debugging, or operational needs.
- Account data may be retained while the account remains active.
- Inactive accounts may be deactivated before deletion.
- Chat messages may remain in the database until deleted or purged.
- Backups may retain deleted data for a limited period.
- Security logs may be retained where needed to investigate abuse or protect the service.
Retention periods should be reviewed as 'no909' moves from prototype to production. Enterprise deployments may require stricter retention limits, audit logs, or data deletion workflows.
If you need a copy of your data, a deletion review, or clarification about how long a category of information is retained, contact contact@no909.com. Requests may require identity verification before action is taken.
Security
We use reasonable technical and organizational measures to protect no909. No system is perfectly secure, so users should avoid submitting information that they would not want processed by the configured AI service or stored in server logs.
Current protective measures may include
- Password hashing instead of plaintext password storage.
- PHP sessions for authenticated access.
- Server-side ownership checks before returning conversations.
- Backend AI API bound to localhost rather than directly exposed to the public internet.
- Nginx and PHP-FPM separation for web serving and PHP execution.
- File permissions for the application and SQLite storage directory.
Recommended production safeguards
- Use HTTPS for all public traffic.
- Use strong passwords and rotate credentials when needed.
- Restrict server SSH access and disable password login where possible.
- Back up the SQLite database securely.
- Monitor application, Nginx, PHP-FPM, Python API, and model logs.
- Limit access to admin commands and server files.
Security reports
If you believe you found a vulnerability, exposed database, authentication weakness, leaked key, unsafe endpoint, or other security issue, contact security@no909.com. Please include enough detail to reproduce or understand the issue, but do not exploit the issue, access other users' data, or publicly disclose it before no909 has had a reasonable opportunity to respond.
Emergency escalation
For urgent incidents involving active compromise, exposed credentials, data leakage, or immediate risk to users, contact emergency@no909.com. This address should be reserved for time-sensitive security or privacy events.
Your choices
You can choose what you submit to the AI chat, close your browser session, request deletion where applicable, and contact no909 about privacy questions. Browser settings may also let you limit cookies or local storage.
Account choices
- You may request that your account be deactivated.
- You may request deletion of account-associated chat history where applicable.
- You may change your password if password management features are provided or by contacting an administrator.
Chat choices
- You can choose not to submit sensitive information.
- You can start a new conversation to separate topics.
- You can request deletion of conversations if deletion tooling is available.
- You can copy or export responses manually from the interface.
Browser choices
Browser controls may let you delete cookies, block storage, clear cache, or use private browsing. Some of these choices can affect login, session continuity, and the behavior of the website.
How to make a request
Privacy requests should be sent to contact@no909.com. General product or business questions may be sent to info@no909.com. Security-sensitive requests should be sent to security@no909.com.
Children
no909 is not intended for children. Users should not create accounts for children or submit personal information about children unless the deployment is specifically designed and legally approved for that purpose. If we learn that information from a child has been collected inappropriately, we may delete it or take steps to deactivate the related account.
If you believe a child has provided information to 'no909' without appropriate authorization, contact contact@no909.com so the issue can be reviewed.
Data transfers
'no909' may be hosted on servers located in a country different from where the user lives. If third-party AI providers, hosting providers, analytics providers, or backup services are used, information may be processed in other locations. Data protection laws vary by country.
Where required, no909 should use appropriate safeguards for international data transfers. The exact safeguards depend on the deployment, provider contracts, user location, and applicable legal requirements.
Changes to this policy
no909 may update this Privacy Policy as the product changes. For example, the policy may be updated if 'no909' adds file uploads, voice chat, image generation, long-term memory, team workspaces, billing, analytics, additional model providers, or enterprise administration features.
When changes are significant, no909 should provide a more prominent notice, such as a website notice, account notice, or updated effective date. Continued use of the service after a policy update may mean that the updated policy applies to your use.
Contact
For privacy questions, requests, or concerns, contact contact@no909.com. This is the primary privacy contact for account data, chat history requests, deletion questions, policy questions, and requests to clarify how a particular category of information is handled.
For general business, product, partnership, or non-sensitive operational questions, contact info@no909.com. For vulnerability reports, suspicious activity, authentication issues, exposed data, or other security matters, contact security@no909.com. For urgent, active, or high-impact incidents, contact emergency@no909.com.
When contacting no909, include enough context to help us review the request: your username if applicable, the relevant page or feature, the type of request, and whether the issue involves account access, chat history, security, or legal/privacy rights. Do not send passwords, private keys, payment details, or unnecessary sensitive data by email.
This policy is written to be operationally useful for the current product and professional enough for a public launch. It should still be reviewed by qualified legal counsel before use in a regulated environment, enterprise deployment, or commercial launch involving sensitive data.