Privacy Policy

At Nony, protecting your privacy—especially your child's privacy—is our highest priority. This Privacy Policy explains how we collect, use, protect, and share information when you use our Service. We are committed to compliance with: • Children's Online Privacy Protection Act (COPPA) • General Data Protection Regulation (GDPR) • Family Educational Rights and Privacy Act (FERPA) • California Consumer Privacy Act (CCPA) This policy applies to all users of Nony, with special protections for children under 13.

We collect minimal information necessary to provide a safe service: Account Information: • Username and password (encrypted) • Age verification information • Parent/guardian contact information • Emergency contact details Safety Information: • Content submitted for moderation • Communication patterns for threat detection • Device information for security purposes • Location data (general region only, for law enforcement coordination) We DO NOT collect: • Precise location data • Browsing history outside our platform • Personal information for advertising purposes • Unnecessary personal details

We use collected information solely for: Safety and Security: • Pre-moderating all content before delivery • Detecting and preventing harmful behavior • Coordinating with law enforcement when necessary • Maintaining platform security Service Functionality: • Creating and managing user accounts • Facilitating safe communications • Providing parental controls and monitoring • Improving our safety algorithms Legal Compliance: • Responding to legal requests • Protecting rights and safety of users • Complying with applicable laws and regulations

We share information only in limited circumstances: With Parents/Guardians: • Full access to their child's account information • Activity reports and safety notifications • Communication logs and friend connections With Law Enforcement: • When required by law or court order • To prevent imminent harm to a child • To investigate potential crimes against children • Through our automated threat reporting system With Service Providers: • Encrypted data with security and moderation partners • Only information necessary for safety functions • Under strict confidentiality agreements We NEVER: • Sell personal information to third parties • Share data for advertising purposes • Provide information to unauthorized parties

Special protections for children under 13: Parental Consent: • Required before collecting any personal information • Obtained through verified methods • Can be withdrawn at any time Limited Data Collection: • Only information necessary for safety and functionality • No behavioral tracking for advertising • No creation of personal profiles for marketing Parental Rights: • Review all information collected about their child • Request deletion of their child's information • Refuse further collection or use of information • Receive notification of any material changes to this policy Enhanced Security: • Additional encryption for children's data • Stricter access controls • Regular security audits

We implement industry-leading security measures: Technical Safeguards: • 256-bit AES encryption for all data • Secure data centers with physical security • Regular security audits and penetration testing • Multi-factor authentication for staff access Operational Safeguards: • Background checks for all employees • Strict access controls and monitoring • Regular security training for staff • Incident response procedures Data Minimization: • Collect only necessary information • Regular deletion of unnecessary data • Anonymization where possible • Secure disposal of deleted information

We retain information only as long as necessary: Active Accounts: • Account information maintained while account is active • Communication logs kept for safety monitoring • Moderation records retained for pattern analysis Deleted Accounts: • Most information deleted within 30 days • Safety-related information may be retained longer for protection • Anonymized data may be kept for service improvement Legal Requirements: • Information may be retained longer if required by law • Evidence of crimes against children preserved for authorities • Court orders may require extended retention

You have the right to: Access and Control: • Request a copy of your information • Correct inaccurate information • Delete your account and information • Restrict processing of your information For Parents: • Access all information about your child • Request deletion of your child's account • Modify privacy settings and controls • Withdraw consent for data collection For EU Residents (GDPR): • Data portability rights • Right to object to processing • Right to lodge complaints with supervisory authorities • Additional protections under GDPR

Nony operates globally with servers in secure locations: Data Protection: • All international transfers use appropriate safeguards • Compliance with applicable data protection laws • Standard contractual clauses for EU data • Adequacy decisions where available Server Locations: • Primary servers in Germany (GDPR compliant) • Backup servers in secure jurisdictions • No data stored in countries with inadequate protection • Regular review of data transfer practices

We may update this Privacy Policy to reflect changes in our practices or legal requirements: Notification Process: • Email notification to all users • Prominent notice on our website • 30-day notice period for material changes • Special notification for changes affecting children For Children's Information: • Additional parental notification required • Opportunity to withdraw consent • Clear explanation of changes • Option to delete account if disagreeing with changes

For privacy-related questions or concerns: Privacy Team: Email: privacy@nony.cc Phone: [Privacy Hotline] Address: Nony Privacy Team, [Address] Data Protection Officer: Email: dpo@nony.cc For immediate safety concerns, contact local law enforcement.