Last updated: August 9, 2022
The NetNubby alternative social media platform is sensitive to your privacy concerns and is committed to protecting the data you entrust to us. This policy describes how we define, collect and use that data—because you should know.
I. STRONG TLS PROTECTION:
Network connections created by the NetNubby console are safeguarded by a Trusted, Domain Validated TLS (formerly SSL) Certificate. Our security protocols protect your connection against common attacks like SLOTH, HeartBleed and others. Additionally, our servers are configured to permit HTTPS connections only, never insecure HTTP. This makes your visits safer and reduces the chances of eavesdropping.
II. CREATION OF ACCOUNT:
When you choose to register a NetNubby account, the following identifiers will be associated with you for as long as your account remains active:
1) EMAIL ADDRESS
You are required to supply an existing valid email address which we use to separate your account from all others. It must be unique on the platform. We also use this address to contact you in the event of issues with your account activity. Further, should you wish to request a password reset or report compromised credentials, this is the identifier you will use for those purposes. You are required to receive communications from the NetNubby platform at this address as a condition of maintaining an account. An email address is not system generated data and is considered to be Personally Identifiable Information (PII).
2) USERNAME
You are required to supply a username which we use to identify your account. It must be unique on the platform. Your username forms 50% of your account credentials and should always be safeguarded. Never share it with anyone. Unlike other social media platforms, it is never used to identify you to others on the network. A username is not system generated data and is considered to be PII.
3) PASSPHRASE
You are required to create a passphrase which we use to secure your account. (Technically, a passphrase is not a password. A passphrase is a collection of terms, not a single word.) Your passphrase, together with your username, comprises 100% of the authentication details of your account. Never share your passphrase with anyone, including us. We will never ask for it. Once created, your passphrase is the only identifier stored in our database in hashed form. We are unable to decrypt it, read it or guess it. If you need a reset, you can always create a new encrypted passphrase. The passphrase is not system generated data and is considered PII. The combination of username and passphrase (which uniquely identifies you internally on our network) is considered PII.
4) FORMATTED NAME
This is a combination of the given name and surname you are required to supply, but neither is checked for validity. We use this to address you in formal communications using your email address. Unlike other social media platforms, it is never used to identify you to others on the network. The formatted name is not system generated data and is considered PII.
5) MONIKER
This is a self-descriptive label you are required to create. It can be almost anything. As the primary cosmetic identifier, it is used to communicate your identity on the network. Since it can be over 20 characters long and may contain special Unicode characters, you should be as expressive as possible. As the network identifier, this is what others will use to search for you. Your moniker is not system generated data and is considered PII.
6) CUSTOMER RELATION MANAGER (CRM) ID
This is a non-sequential identifier that is unique across the platform. It is used to facilitate all your network activity. It is not shared with you or others except in an anonymized manner (for example, when composing an Exclusive Note). The CRM ID is system generated data and is not considered to be PII.
III. COLLECTION OF PERSONALLY IDENTIFIABLE INFORMATION (PII):
When you use the NetNubby service your email, username, passphrase, formatted name and moniker are collected by us. All of this information is data that you voluntarily provide in order to register an account and use the service, and is considered PII.
IV. COLLECTION OF USAGE DATA:
Usage data is collected automatically when using our service. Data is only collected when accessing our service through a device that supports desktop browsing software. This data includes information such as your Internet Protocol (IP) address; browser name and version; the URL of the pages on which you read and post Notes, as well as the time and date of such network activity.
When you (attempt to) access our platform by or through a mobile device, no usage data is collected unless the device supports desktop browsing software. This is because our service does not yet support a mobile platform.
V. TRACKING TECHNOLOGIES:
We use neither cookies (session, persistent, essential or otherwise) nor similar tracking technologies to monitor your activity on our service or store certain information. Further, mechanisms such as beacons, tags, scripts and web databases normally used by other social media platforms to collect and analyze information are not employed by our service.
But we do have to stay on top of things, and the technology we employ is local extension storage (non-synced).
Because the NetNubby console is a browser extension, it uses local storage to keep track of console options and user settings in order to persist them. If we didn’t do this, then each time the console closed, the state of the console itself, as well as all user settings, would be lost. This console storage is kept separate from the storage requirements of other webpages or extensions, and is automatically deleted when the NetNubby service is uninstalled from your device. Because this storage is non-synced, none of the data we store is transmitted over your internet connection en masse or is associated in any way with a Google account (if any).
We also use this local storage to place a randomly created, small footprint token to hold the current state of your authentication against the NetNubby service. This token is deleted when 1) you choose to log out, or 2) the console is automatically logged out.
VI. HOW WE USE YOUR INFORMATION:
We may use your information—
- To provide you personalized content;
- To process and respond to inquiries;
- To improve the quality and usability of our service;
- To alert you to updates, special events, announcements, and products & services; and
- For the purpose(s) for which you provided it
VII. INFORMATION SHARING WITH THIRD PARTIES:
We do not share your information with anyone, including marketers (we have no marketers).
VIII. COLLECTION AND USE OF CHILDREN’S PERSONAL INFORMATION:
We do not knowingly solicit information from children without parental consent, and such information, once identified, is deleted. That said, website visitors under 13 years of age should ask their parent, legal guardian or responsible adult for assistance when using our service, including the creation of an account to be used with adult supervision.
IX. IP ADDRESSES, LOG FILES AND DATA ANALYSIS:
As with any service operator, we analyze visitor logs to constantly improve the value of our service. We log IP addresses that describe the location of your device (or its network) on the Internet. This information is helpful for systems administration and troubleshooting purposes. These practices help us understand traffic patterns and identify potential problems with our service.
X. DO NOT TRACK (DNT) AND GLOBAL PRIVACY CONTROL (GPC):
We do not respond to the outdated DNT signal or to the newer GPC signal. We do not sell or share your personal information with third parties, regardless of whether you use a GPC signal to indicate your preferences.
XI. THE CLOUD ACT:
The CLOUD Act, an unreviewed, unvetted piece of US legislation that contains far-reaching, privacy-destroying decrees, is a law that permits foreign police to wiretap your communications on our server(s) without a warrant, no matter where in the world our server(s) may be physically located. You should know this law can be used against you and there is nothing we can do to prevent it. Such is the world we live in.
XII. GENERAL DATA PROTECTION REGULATION (GDPR):
Since our service collects PII on visitors, Article 3 of the EU’s General Data Protection Regulation applies to your activity. If you, as an EU user, pursuant to Article 15 Right of Access make inquiry as to what data we hold on you, we will confirm we process the personal data concerning you identified in Section III. Accordingly, the Right of Rectification and the Right of Erasure apply.
XIII. CALIFORNIA CONSUMER PRIVACY ACT (CCPA):
The NetNubby platform neither 1) generates annual gross revenue in excess of $25 million; 2) derives 50% or more of its annual revenue from selling consumers’ personal information; nor 3) annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households or devices for commercial purposes. If you are a consumer residing in California, this Act does not apply between you and our service because we are not a “business” as defined in that law.
XIV. INFORMATION DISCLOSURE:
Under certain circumstances, our service may be required to disclose your PII if required to do so by law or in response to valid requests by public authorities (for example, a court or a government agency). Our service may disclose your PII in the good faith belief that such action is necessary to—
- Comply with a legal obligation;
- Protect and defend the rights or property of our service;
- Prevent or investigate possible wrongdoing in connection with our service;
- Protect the personal safety of account holders; or
- Protect against legal liability
XV. ANONYMITY, SECURITY, AUTONOMY, HONESTY AND COURTESY:
The current digital climate fosters a great deal of abuse regarding the creation and disclosure of personal identifiers. Even in the face of better privacy laws (such as the GDPR) it still remains a platform’s responsibility to honor its account holders; not just to avoid unnecessary legal action, but to demonstrate tangible respect to those who use its service. It’s the right thing to do.
This is why we endeavor to create and maintain a useful, enjoyable platform that requires as little as possible from you in terms of actual personal information. So while the data you provide is legally defined as PII (which legally requires us to protect it), it doesn’t have to be true.
For example, your formatted name reflects the given name and surname you provide, but it doesn’t have to correspond to anything on a legal document. Singularly lacking the motivation to verify what you provide, we use it only as a convenient means to politely address you through official correspondence.
As for email, we suggest you create a brand new address used only on our platform (for example, using ProtonMail). This accomplishes two important things. First, in the event of a database breach—hey, it happens—attackers will not be able to match your email account here with an account you use anywhere else. So even if your passphrase was not as strong or as unique as it should be, a breach can’t be used to leverage further access to any of your other accounts. Second, our suggestion to use an email unique to us should be a clarion signal that we’re not going to aggregate your activity here, analyze it, tie it to other online accounts you may have, package it all up and sell it. We’ll leave rampant abuse like that to Facebook, Twitter and others (where your account activity becomes the price of admission).
The fact that your username is not disclosed or used to identify you to anyone on the platform should restore your faith in operational security. After all, your username is fully one-half of your account credentials and if an attacker (or the general public) possessed it, all that remains is to identify your passphrase. We’re not comfortable with this level of security anemia embraced by WordPress and others.
That your email is not used as a de facto username should also increase your confidence in account protection. When it comes down to it, this is your account, not ours, and we believe we have a fiduciary responsibility to secure it for you as best we can.
Speaking of security… in case you’re wondering (and you should be), your passphrase is protected in our database using Argon2, the state-of-the-art hashing function. A hashing function is an irreversible one-way transformation that turns your plaintext passphrase into gibberish, where something like “This is my lucky day!” becomes 85fd877b0008ce74a1fb9f25ff61c300 (hex-encoded). We don’t use the notoriously weak MD5 hash (like Yahoo! did) and we don’t store unsalted SHA-1 hashes (like LinkedIn did).
Your moniker gives you complete autonomy as to how you wish to present yourself. It can be almost anything and again, it doesn’t have to match the details of real life. (You should note we reserve the right to approve a moniker based on its contents and appearance.)
Regarding the security token, please be advised it lasts only for the duration of your login session, is randomly created and cannot be used to attack your account. This is because 1) our service prohibits session replay without authentication; 2) account credentials are not stored in the token; and 3) the token is valid only when used in tandem with your obfuscated CRM ID.
Lastly, we don’t need to know your true IP address. We track (and display) the IP your device reports in order to provide login location history feedback. (For example, if you customarily log in from Dayton, Ohio, and your last login shows an IP from Tel Aviv then it’s very likely your account has been compromised. Tracking your IP helps us show you that.) For the sake of anonymity, we strongly urge you to hide your local IP from us and others. A reliable Virtual Private Network (VPN) such as ExpressVPN can do this for you.
XVI. APPLICABILITY TO THIRD-PARTY WEBSITES:
XVII. CHANGES TO THIS STATEMENT:
We may occasionally update this policy statement. If we make material changes to it, we may or may not provide any notice of those impending changes prior to their implementation. Thus, we encourage you to periodically review this page.