Privacy Policy
The Agent Hub · ForgeCat — Operated by Nota America, Inc.
Effective Date: June 22, 2026
This Privacy Policy (this “Policy”) describes how Nota America, Inc. (the “Company,” “we,” “our,” or “us”) collects, uses, discloses, retains, and otherwise processes Personal Information in connection with ForgeCat, the Agent Hub, and any related websites, applications, APIs, software, content, features, and services made available by the Company (collectively, the “Service”). Capitalized terms not defined in this Policy have the meanings given in our Terms of Service. For the purposes of this Policy, the term “Personal Information” shall have the same meaning as the term “Personal Data” as used in our Terms of Service.
This Policy is incorporated into the Terms of Service pursuant to Section 12 (Privacy) of those Terms. By using the Service, you acknowledge that you have read and understood this Policy.
1. Scope
This Policy applies to Personal Information that the Company collects and processes about Users in connection with the Service. This Policy does not apply to:
- Personal Information collected or processed directly by Host Environment operators (e.g., ChatGPT, Gemini, Claude) or other third-party services, which is governed by those third parties’ privacy policies.
- Data generated, collected, or processed in connection with your use of an Agent Profile within a Host Environment that is not under our control.
- Websites, services, or platforms operated by parties other than the Company.
2. Personal Information We Collect
We may collect the Personal Information reasonably necessary to operate the Service. The categories of Personal Information we collect, and — for information received via GitHub OAuth — the specific fields we store and use, are described below.
| Category | Data Elements | Source |
|---|---|---|
| Account Identifiers (GitHub OAuth) | We receive the following fields in the GitHub OAuth payload from GitHub (processed via our authentication infrastructure, Supabase), and we store and use those fields necessary to operate the Service: • iss — identity provider issuer (used for token validation, not stored beyond the GitHub OAuth flow) • sub — GitHub user ID (stored) • email — account email address (stored) • email_verified — whether the email is verified by GitHub (stored) • user_name — GitHub username (stored) • preferred_username — preferred GitHub handle (stored) • avatar_url — profile image URL (stored) • provider_id — provider-side identifier (stored) • phone_verified — whether a phone number is verified by GitHub (not operationally used or stored beyond incidental transmission in the OAuth payload) | Transmitted via GitHub OAuth integrated with Supabase at sign-up and login, with your consent to the GitHub OAuth flow |
| Agent Profile Metadata (Agent Creator Reference) | Each Agent Profile is associated with its Agent Creator using account-level identifiers only — specifically, the Agent Creator’s account identifier, GitHub handle, and/or internal Member ID. The Agent Profile itself does not include additional directly identifying Personal Information about the individual Creator (such as legal name, date of birth, or contact details beyond what the Agent Creator has chosen to make public). | Generated automatically when an Agent Creator creates or publishes an Agent Profile on the Platform |
| Usage Data | • Login timestamps and session information/identifiers • Pages, screens, and features accessed • Clickstream and request logs • Activity records (e.g., creating, editing, publishing, forking, downloading, installing, or deleting Agent Profiles) • Search queries, filters, and interactions with public or private Agent Profiles | Generated automatically through your use of the Service |
| Device & Network Data | • IP address • Browser type and version • Operating system • Device type • Access times • Referring and exit URLs | Collected automatically when you access the Service |
| Member Content | • Agent Profiles • Configuration files • Prompts and instructions • Descriptions, tags, and documentation • License Declarations • Other content that you submit, upload, post, or publish through the Service (as defined in the Terms of Service). | Submitted directly by Members through the Platform |
| Inquiry, Support & Rights Request Data | • Name and email address or other contact details provided by requester • The contents of the communication and attachments of the inquiry or request • Minimum information reasonably necessary to verify identity • General support emails or in-product or service chat messages, and feedback submission • Bug reports, crash reports, or similar diagnostic submissions • Any metadata about communications (such as timestamps, communication channel, ticket or request status, and internal routing information) • Information reasonably necessary to verify identity and respond to the request | Submitted directly by you via forgecat@nota.ai or in-Platform support channels |
| Transaction and Billing Data | If the Service offers paid subscription or paid features, limited billing and transaction information, such as billing contact details, subscription status, transaction history, and payment processor records (Payment information may be collected and processed directly by a third-party payment processor, and not by the Company) | Submitted directly by Members through the Platform |
GitHub OAuth is the sole method of Member authentication. We do not collect passwords, government-issued identifiers, or precise geolocation data. We may receive limited billing and transaction information (for example, billing contact details and subscription status) from our third-party payment processor, but we do not directly collect or store full payment card numbers or similar highly sensitive payment information. Consistent with Section 3.1 of the Terms of Service, we do not knowingly collect Personal Information from children under thirteen (13) years of age.
3. How We Collect Your Personal Information
- Information directly from You. We collect your Personal Information that you provide directly to us, including:
  - information transmitted to us via GitHub OAuth (managed via Supabase) when you consent to the connection during sign-up or login;
  - Agent Profiles and other Member Content you post;
  - information you submit when contacting us or making a rights request;
  - information you submit when you communicate with us by email, chat, or other channels, including customer support inquiries, feedback, and survey responses;
  - information you provide when you register for, attend, or participate in event, survey, or marketing activities; and
  - information you choose to provide to us, including through forms on our Service.
- Information collected automatically. We and our service providers automatically collect certain information when you access or use the Service, such as:
  - device and technical information, including IP address, browser type and version, operating system, device identifiers, language settings, and similar details;
  - usage information, including log and access data, such as timestamps, pages viewed, features used, APIs, and/or administrative tools; and
  - cookies and similar technologies, which we use to authenticate users, maintain sessions, remember preferences and settings, support security, deliver core functionality, and analyze Service usage and performance to improve the Service. You may configure your browser to refuse cookies; however, doing so may impair certain functionality (including the ability to sign in).
- Information received from third parties. We may receive Personal Information about you from:
  - GitHub, as an OAuth identity provider, which transmits the authentication payload set out in Section 2 above. We do not request or receive information that is not necessary for authentication, such as the contents of your private repositories;
  - service providers and contractors that help us provide the Service; and
  - business partners that market, distribute, or integrate our Service.
4. How and Why We Use Your Personal Information
We may use your Personal Information for the following purposes:
- To authenticate Members, manage Accounts, and verify identity;
- To provide, maintain, operate, and improve the Service;
- To associate Agent Profiles with the applicable Agent Creator or Member Account;
- To identify Agent Creators (Members) to other Members on Agent Listings, using account-level references such as handle and avatar;
- To support publication, discovery, forking, installation, management, and compatibility workflows across supported Host Environments;
- To monitor usage, analyze performance, and improve functionality of the Service, including providing technical support, troubleshooting, and incident response;
- To personalize and customize your experience across the Service;
- To enforce the Terms of Service and this Policy;
- To detect, prevent, investigate, and respond to fraud and violations, including detection of malicious automation, credential abuse, prompt-injection attacks, malicious code, unauthorized extraction or scraping activity, and other forms of abuse of the Service;
- To develop new features, conduct internal analytics for service improvement, and produce statistics, using de-identified or aggregated data where reasonably practicable;
- To communicate with you about the Service, including responding to inquiries, providing updates and confirmations, sending security or support messages, and notifying you of changes to the Service or to the Terms;
- To send you marketing communications, newsletters, or information about new features, products, or services that may be of interest to you, consistent with your preferences and applicable law;
- To comply with legal obligations, to respond to lawful requests, and to establish, exercise, or defend legal claims; and
- To monitor for activity covered by Section 10.4 of the Terms of Service (Reciprocity in AI Training), on a reasonable and proportionate basis.
5. How We Disclose Your Personal Information
A. Categories of Recipients
We may disclose your Personal Information to the following categories of recipients or third parties, subject to applicable law:
- Service Providers and Contractors that process Personal Information on the Company’s behalf for business purposes, such as hosting and infrastructure, storage, authentication, analytics and monitoring, customer support, identity verification, security and fraud prevention, communications, or payment processing;
- Other users of the Service, to the extent information is included in public-facing Agent Profiles, creator attributions, comments, reviews, or other publicly visible fields;
- Professional Advisors, such as lawyers, auditors, insurers, or consultants;
- Competent authorities, regulators, law enforcement, courts, and other third parties where required by law or where reasonably necessary to protect rights, safety, and legal compliance;
- Transaction counterparties in connection with an actual or proposed merger, acquisition, financing, restructuring, sale of assets, bankruptcy, or similar corporate event; and
- Affiliates within the corporate group for internal administrative, operational, and compliance purposes.
B. Categories of Personal Information Disclosed for Business Purpose
In the preceding 12 months, we have disclosed, and we may continue to disclose, the categories of Personal Information identified above to the following categories of recipients for business or operational purposes, subject to applicable law:
| Recipient | Purpose | Location | Categories of Recipients |
|---|---|---|---|
| Supabase, Inc. | • Host and manage our database and Member information • Process only the Member information received via GitHub OAuth | United States and Supabase’s global infrastructure | Service providers and contractors |
| Cloudflare, Inc. (Cloudflare R2) | • Store Agent Profiles • Store and deliver Agent Profile objects, which include Agent Creator account-level references (e.g., handle and/or internal Member ID) | Cloudflare’s designated storage and delivery infrastructure, which may include North America and other global regions depending on service configuration. | Service providers and contractors |
| GitHub, Inc. (OAuth Provider) | Authentication for sign-up and sign-in via OAuth. GitHub acts as an independent third-party identity provider (not a service provider of Nota America, Inc.). GitHub’s processing of your information is governed by GitHub’s own privacy policy. | United States | Third-party identity provider |
Other than the recipients identified in Section 5(A) above, we do not disclose, share, or sell Personal Information to third parties, except in the following circumstances:
- With your prior, explicit consent to such disclosure;
- To comply with applicable law, legal process (such as a court order, warrant, or subpoena), or a lawful request from a governmental authority;
- To protect the rights, property, or safety of the Company, our Members, or others, including for fraud prevention and security investigations;
- In connection with a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets (as contemplated by Section 25.2 of the Terms of Service). In such case, we will take reasonable steps to ensure that the core principles of this Policy are honored by the successor entity; and
- Where Information has been voluntarily made public through Agent Listings or Public Agent Profiles (such as your GitHub username and avatar), in which case such information will be visible to other Members and to the general public.
6. International Data Transfers
We are headquartered in California, United States, and the Service is operated from the United States. If you access the Service from outside the United States, your Personal Information will be transferred to, stored, and processed in the United States and in other jurisdictions where our service providers operate. By using the Service, you acknowledge that such international transfers may occur.
Where required by applicable law, we will use reasonable efforts to implement appropriate safeguards (such as contractual measures or standard contractual clauses) for international transfers of Personal Information.
7. Legal Grounds for Processing
Where applicable law requires identification of a legal basis for processing, we rely on the following bases:
- Performance of our contract with you (the Terms of Service) and to respond to your requests to use the Service;
- Our legitimate interests in operating, securing, and improving the Service and preventing misuse;
- Compliance with our legal obligations; and
- Your consent, where required (for example, for any optional marketing communications that we may introduce in the future).
8. Retention and Deletion
We retain Personal Information we receive as described in this Policy for as long as you use our Service or as necessary to fulfill purposes such as providing our Service, resolving disputes, maintaining safety and security, and complying with legal obligations and applicable law. How long we retain Personal Information depends on the type of information, how we use it, and in many cases how you configure your settings:
- Information we retain until you delete it: Some parts of our Service allow you to delete your Personal Information stored in your Account, such as Member Content and Agent Profiles. We retain such Information until you choose to delete it. After deletion, backup copies may be retained for a commercially reasonable and technically necessary period of up to thirty (30) days in accordance with our backup and recovery process. Where Content has been shared, forked, or installed by other Members, such copies may persist independently in accordance with Sections 5.4, 6.3, and 6.4 of our Terms of Service.
- Information we delete automatically: In certain cases, we automatically delete Personal Information after a defined retention period based on operational necessity and data minimization principles, including Account and authentication data (GitHub OAuth), Service usage logs, access logs, IP addresses, and session data.
- Information we retain for longer for legitimate business or legal purposes such as security, safety, or fraud and abuse prevention: We may retain certain Information for extended periods where necessary to comply with legal obligations or to protect our Service and users, including abuse and security incident records, inquiry and rights-request records, and information required for legal obligations or dispute resolution.
When you delete Personal Information, we follow a deletion process designed to ensure that the Information is securely removed from our systems or retained only in de-identified or anonymized form, as appropriate.
Due to the nature of our systems, copies of Personal Information may temporarily remain in backup systems. These copies are securely protected and are deleted in accordance with our backup cycles.
9. Security Measures
We implement commercially reasonable and appropriate administrative, technical, and physical safeguards designed to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the internet or method of electronic storage is fully secure or error free. Therefore, consistent with Section 19 of the Terms of Service, we cannot guarantee absolute security.
10. Your Rights under CCPA/CPRA
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”), and the regulations issued by the California Privacy Protection Agency (CPPA), subject to applicable exceptions.
| Right | Description |
|---|---|
| Right to Know | Request information about the categories and specific pieces of Personal Information we have collected about you in the preceding twelve (12) months, the sources of that information, the purposes of processing, and the categories of third parties with whom we have shared it. |
| Right to Delete | Request deletion of Personal Information we have collected from you, subject to exceptions under CCPA/CPRA (e.g., legal obligations, security, fraud prevention, internal uses reasonably aligned with your expectations). |
| Right to Correct | Request correction of inaccurate Personal Information we maintain about you. |
| Right to Opt-Out of Sale/Sharing | Opt out of the “sale” or “sharing” of Personal Information as those terms are defined under CCPA/CPRA. We do not currently sell Personal Information for monetary or other valuable consideration, and we do not share Personal Information for cross-context behavioral advertising. |
| Right to Limit Use of Sensitive PI | To the extent applicable, limit the use or disclosure of sensitive Personal Information. We generally do not collect information in the categories that CCPA/CPRA defines as sensitive Personal Information. To the extent that certain data we collect (such as account credentials or access identifiers) may be considered sensitive Personal Information under applicable law, we use such information only for permitted business purposes, including authenticating Members, securing the Service, and complying with our legal obligations. |
| Right to Non-Discrimination | You will not be subjected to discriminatory treatment (such as differential pricing or service levels) for exercising any of these rights. |
| Rights Relating to Automated Decision-Making | To the extent provided by applicable law and the regulations issued by the California Privacy Protection Agency (CPPA), notice, access, and opt-out rights with respect to certain automated decision-making and profiling. |
You may submit a request by emailing forgecat@nota.ai. We will verify your identity using reasonable methods consistent with applicable law and will respond within forty-five (45) days of receipt, with the possibility of one additional forty-five (45) day extension where reasonably necessary. You may use an authorized agent to submit a request on your behalf; we may require proof of the agent’s authority.
Notice regarding “Sale” and “Sharing”: As of the Effective Date of this Policy, and in the preceding twelve (12) months, we have not “sold” Personal Information for monetary or other valuable consideration, and we have not “shared” Personal Information for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA. If this changes, we will update this Policy in advance and provide an opt-out mechanism.
11. California “Shine the Light” Rights
Under California Civil Code § 1798.83, California residents may request information about the categories of Personal Information we have disclosed to third parties for those third parties’ direct marketing purposes during the preceding calendar year, and the names and addresses of those third parties. We do not currently disclose Personal Information to third parties for their direct marketing purposes. Requests may be sent to forgecat@nota.ai.
12. Minors
Pursuant to Section 3.1 of the Terms of Service, the Service is not directed to children under thirteen (13), and we do not knowingly collect Personal Information from such children. If we learn that we have collected Personal Information from a child under thirteen (13), we will promptly delete it. Parents or legal guardians who believe that a child’s information has been collected may contact us at forgecat@nota.ai.
If you are over thirteen (13) but under the age of majority in your jurisdiction, the collection and processing of your Personal Information, as well as your use of the Service, are conditioned upon the involvement and consent of your parent or legal guardian, in accordance with Section 3.1 of the Terms of Service.
In addition, under California Business and Professions Code § 22581, registered Members who are California residents under the age of eighteen (18) may request removal of content they have posted. We will take reasonable steps to honor such requests; however, removal may not be possible for content that is outside our control, such as forks created by other Members that persist independently.
13. “Do Not Track” Signals
There is currently no industry-standard mechanism for responding to “Do Not Track” (DNT) signals, and the Service does not respond to DNT signals. We use reasonable efforts to honor technical opt-out signals recognized under California law (such as the Global Privacy Control, or GPC) to the extent required by applicable law.
14. Automated Decision-Making
We do not currently engage in automated decision-making that produces legal or similarly significant effects on Members. Certain features of the Service (such as search, ranking, recommendations, and abuse detection) may involve algorithmic processing. If we introduce automated decision-making subject to specific legal requirements in the future, we will provide the notices and opt-out rights required by applicable law.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes to the Service, applicable law, or our operations. If we make a material change, we will provide reasonable notice by posting the updated Policy on the Platform or by other means. The updated Policy will take effect on the date stated, and your continued use of the Service after that date constitutes your acknowledgment of the updated Policy.
16. Contact Us
If you have questions or comments about this Policy, or if you wish to exercise any of your rights, please contact us at:
Nota America, Inc.
Plug and Play Tech Center, 440 N Wolfe Rd, Sunnyvale, CA 94085, United States
Email: forgecat@nota.ai