Last Updated: December 5, 2025
1. Introduction and Scope
This Privacy Policy ("Policy") describes how NDEX-AI LLC ("Company," "we," "us," or "our") collects, uses, shares, and protects personal information through our applications, websites, and services (collectively, "Services"). This Policy applies to all users and visitors of our Services, regardless of their location.
This Policy is designed to be transparent about our data practices and to comply with applicable privacy laws, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), California Online Privacy Protection Act (CalOPPA), and the General Data Protection Regulation (GDPR).
Jurisdiction Note: While this Policy emphasizes compliance with California and European regulations, we apply these privacy principles to all users globally to ensure consistent protection of personal information.
2. Personal Information We Collect
2.1 Information Collected Directly from Users
We collect the following categories of personal information directly from you when you use our Services:
2.1.1 Account and Contact Information
Email address – Collected during account registration, service inquiries, and communication preferences
Social media profile information – Collected when you choose to connect your account to third-party platforms such as Facebook, Twitter, or other social authentication services. This may include your public profile name, profile picture, and verified social account identifier
2.1.2 Device-Based Information
Camera and photographic data – Collected when you upload, capture, or share images or videos through our Services. This includes metadata associated with such media (timestamps, device type, etc.)
2.1.3 Payment Information
Payment processor data – We collect payment method information through third-party payment processors when you purchase products or services. Payment methods include:
o Apple Store In-App Payments
o Google Play In-App Payments
o Credit card information (processed through secure payment gateways)
o Cryptocurrency payment identifiers and transaction data
Note: We do not directly store full credit card numbers or sensitive payment authentication data. Payment processing is handled by PCI-DSS compliant third-party service providers.
2.2 Information Collected Automatically
2.2.1 Analytics and Tracking Data
We use Google Analytics and Firebase to collect information about how you interact with our Services, including:
Device type, operating system, and browser type
Pages visited, features accessed, and time spent on pages
Clickstream data and user engagement patterns
IP address and approximate geolocation (city/country level)
Referral source and landing pages
User behavior flows and conversion events
2.2.2 Cookie and Similar Technologies
We use cookies, web beacons, pixel tags, and similar tracking technologies to:
Remember user preferences and session information
Track campaign performance and conversion attribution
Enable remarketing across platforms (Google Ads, Facebook, Twitter, LinkedIn)
Understand user preferences for customization purposes
2.3 Information from Third Parties
We may receive personal information from:
Third-party authentication providers (Facebook, Twitter)
Payment processors (Apple, Google, cryptocurrency platforms)
Remarketing partners (Google, Facebook, Twitter, LinkedIn)
Service providers and data analytics platforms
Email service providers (Mailchimp, GetResponse)
3. Legal Basis for Processing Personal Information
3.1 GDPR Legal Bases (For European Users)
Under the GDPR (Article 6), our processing of personal information is based on the following lawful bases:
3.1.1 Consent (Article 6(1)(a))
We rely on your explicit consent to process:
Social media profile information (through social sign-in)
Email communications (through opt-in preferences)
Cookie and tracking data (via cookie consent banners)
3.1.2 Contract Performance (Article 6(1)(b))
We process personal information necessary to fulfill our contractual obligations:
Email address and payment information to process purchases
Account data necessary to provide Services
3.1.3 Legal Obligation (Article 6(1)(c))
We process certain personal information to comply with legal requirements:
Payment and transaction records for tax and financial regulatory compliance
Data retention for regulatory audits and investigations
3.1.4 Legitimate Interests (Article 6(1)(f))
We rely on legitimate business interests to process:
Analytics data to improve Service functionality and user experience
Remarketing data to deliver relevant marketing messages
Fraud detection and security purposes
Customer service and support inquiries
Balancing Test: Our legitimate interests are carefully balanced against your rights and freedoms. We do not process sensitive personal data for remarketing without additional safeguards and consent mechanisms.
3.2 CCPA and CPRA Legal Categories
Under the CCPA (as amended by the CPRA), we disclose the following categories of personal information collection and use:
Category A: Identifiers
Email addresses, social media identifiers, IP addresses
Category B: Commercial Information
Purchase history, payment method information, transaction records
Category C: Biometric Information (if applicable)
Photographs uploaded by users (stored as digital files)
Category D: Internet or Network Activity
Browsing history, clickstream data, search history within Services
Analytics from Google Analytics and Firebase
Category E: Geolocation Data
Approximate location derived from IP address
Precise geolocation (only if explicitly enabled by user on device)
Category F: Professional Information (if applicable)
Information provided in professional profiles or business accounts
Our processing is based on the following purposes:
Providing, improving, and supporting our Services
Processing transactions and payments
Marketing, advertising, and customer analytics
Fraud detection and security
Legal compliance and regulatory obligations
Responding to law enforcement requests
4. How We Use Personal Information
We use personal information for the following purposes:
4.1 Service Delivery and Support
Creating and managing user accounts
Processing and fulfilling purchases
Providing customer support and technical assistance
Sending transactional emails (order confirmations, password resets, policy updates)
4.2 Communication and Marketing
• Sending promotional emails, newsletters, and marketing communications (only with opt-in consent)
• Responding to inquiries and requests
• Conducting surveys and gathering feedback
• Notifying you of updates, changes, or new features
Opt-Out Rights: You may unsubscribe from marketing communications at any time by clicking the "unsubscribe" link in any email or by contacting us directly.
4.3 Analytics, Research, and Improvement
• Analyzing user behavior to improve Service functionality
• Conducting A/B testing and user experience research
• Aggregating anonymized data for internal analytics
• Identifying trends and patterns in Service usage
4.4 Advertising and Remarketing
• Displaying targeted advertisements based on browsing history and interests
• Measuring campaign effectiveness and conversion rates
• Creating audience segments for marketing purposes
• Retargeting users through Google Ads, Facebook, Twitter, and LinkedIn
4.5 Security and Fraud Prevention
• Detecting, investigating, and preventing fraudulent transactions
• Protecting against unauthorized access and data breaches
• Verifying user identity and authenticating accounts
• Monitoring for security threats and vulnerabilities
4.6 Legal Compliance
• Responding to lawful government requests and legal processes
• Establishing, exercising, or defending legal claims
• Complying with applicable laws, regulations, and regulatory obligations
• Maintaining records for audit and compliance purposes
5. Data Sharing and Disclosure
5.1 Third-Party Service Providers
We share personal information with service providers who assist us in operating our Services:
Email Services: Mailchimp, GetResponse | Email addresses, communication preferences
Analytics: Google Analytics, Firebase | Browsing behavior, device information, user engagement
Payment Processing: Apple, Google, Cryptocurrency platforms, Credit card processors | Payment method, transaction amount, user ID (not full card data)
Authentication: Facebook, Twitter | Social media profiles, verified identifiers
Advertising/Remarketing: Google Ads, Facebook, Twitter | Browsing history, user interests, demographic data
Hosting and Infrastructure: Cloud service providers | User account data, uploaded content, transaction logs
Data Processing Agreements: All service providers are contractually bound to process personal information only as necessary to provide services, maintain confidentiality, and implement appropriate security measures. We conduct due diligence on all providers to ensure CPRA, GDPR, and CalOPPA compliance.
5.2 Legal Obligations and Law Enforcement
We may disclose personal information when:
Required by law, court order, subpoena, or legal process
Responding to lawful government or regulatory requests
Protecting the safety, rights, or property of NDEX-AI LLC, users, or the public
Investigating potential violations of our Terms of Service
Detecting, preventing, or addressing fraud, security, or technical issues
5.3 Business Transfers
If NDEX-AI LLC is involved in a merger, acquisition, bankruptcy, receivership, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice to users before a change of control occurs, unless prohibited by law.
5.4 Consent-Based Sharing
We do not share personal information with third parties for their marketing purposes without your explicit consent. If you provide consent for such sharing, you may withdraw it at any time by contacting us.
6. California Privacy Laws (CCPA, CPRA, CalOPPA)
6.1 California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
Applicability: This section applies to residents of California and other US jurisdictions with similar laws.
6.1.1 Consumer Rights Under CCPA/CPRA
You have the following rights regarding your personal information:
Right to Know (Access)
You have the right to request what personal information we collect, use, and share about you.
We will provide this information in a portable, machine-readable format within 45 days of receiving a verified request.
Right to Delete
You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information needed to complete a transaction, comply with legal obligations, or enable security functions). We will delete such information within 45 days of verification.
Right to Correct
Under CPRA, you have the right to request correction of inaccurate personal information. We will implement corrections within 45 days of verification.
Right to Opt-Out of Sales or Sharing
Under CCPA, we do not "sell" personal information as defined by the law. However, our use of analytics tools and remarketing services may constitute "sharing" for cross-context behavioral advertising purposes. You have the right to opt-out of such sharing by:
Clicking the "Do Not Sell My Personal Information" link on our website
Submitting an opt-out request through our privacy portal
Calling us at the contact information below
Right to Limit Use of Sensitive Personal Information
Under CPRA, you may limit our use of sensitive personal information (including precise geolocation, health data, biometric information, and financial account information) to purposes necessary to provide Services you requested. We will honor such requests within 45 days.
Right to Non-Discrimination
We will not deny goods or services, charge different prices, or provide different quality of service based on your exercise of CCPA/CPRA rights, unless the difference is reasonably related to the value of the data provided.
6.1.2 How to Exercise Your Rights
To exercise any of the above rights:
Submit a request by email to
Visit for additional assistance
Provide sufficient information to identify your account and verify your identity
We will respond to all verified requests within 45 days. If we require additional information to verify your identity, we will request it within 15 days.
6.1.3 Authorized Agent
You may designate an authorized agent to submit requests on your behalf. We will verify the agent's authority and your identity before processing such requests.
6.1.4 CPRA Data Minimization and Retention
Under CPRA, we implement data minimization practices:
We collect personal information that is reasonably necessary and proportionate to our stated purposes
We retain personal information only as long as necessary to fulfill stated purposes or comply with legal obligations
We do not retain sensitive personal information longer than necessary
Specific retention periods for each data category are outlined in Section 7 below
6.2 California Online Privacy Protection Act (CalOPPA)
Applicability: This section applies to all California online residents and applies to this website and mobile applications.
6.2.1 Conspicuous Privacy Policy
This Privacy Policy is conspicuously posted and accessible through:
Our website homepage
Our mobile application settings and legal section
6.2.2 Third-Party Information Collection
We disclose that third-party service providers and advertising partners may collect personally identifiable information on our Services:
Third Parties Collecting Information:
Google Analytics and Firebase (analytics and tracking)
Google Ads, Facebook, Twitter, and LinkedIn (remarketing and advertising)
Mailchimp and GetResponse (email communication)
Apple, Google, and payment processors (transaction processing)
Your Choices: You may opt-out of third-party tracking and advertising:
Use your browser's "Do Not Track" signal (see Section 6.2.3 below)
Adjust privacy settings in your device and social media accounts
Click opt-out links in marketing communications
6.2.3 Do Not Track (DNT) Signals
Our Policy on DNT: We recognize when you transmit "Do Not Track" signals through your web browser or mobile device. When such signals are recognized:
We will limit collection of tracking information
We will not engage in remarketing or behavioral advertising to that device
We will honor your preference to minimize tracking while still providing core Services
Browser-Level Controls:
Most browsers allow you to opt-out of tracking through their privacy settings
If you enable DNT, you may see less targeted advertising, but we will continue to provide Services normally
6.2.4 User Review and Correction Process
CalOPPA requires we inform users if there is a process for them to review and request changes to personally identifiable information we have collected online.
Process for Review and Correction:
Email with your request
Include your account identifier and the information you wish to review or correct
We will provide information or make corrections within 30 days
7. Data Retention
We retain personal information for the duration necessary to provide Services and fulfill the purposes outlined in this Policy.
7.1 Retention Schedule by Data Category
Email Address and Contact Information
Retained while account is active
Deleted within 90 days of account closure or at user request
Exception: Email retained if required for legal proceedings or regulatory compliance
Social Media Profile Information
Retained while authenticated connection is active
Automatically deleted if social account is disconnected
Retained for 30 days after disconnection, then deleted
Payment Information
Credit card data: Not retained by us; processed immediately by payment providers
Transaction records: Retained for 7 years (required by tax and financial regulations)
Payment method identifiers: Retained for 3 years or as needed for dispute resolution
Camera/Image Data
Retained according to user upload and storage settings
Deleted when user deletes files or upon account closure
May be retained longer if required for legal disputes or investigations
Analytics and Tracking Data
Google Analytics: 26 months (standard retention)
Firebase: Retained per Firebase retention policies
Aggregated data: Retained indefinitely (cannot identify individuals)
Email Communications
Transactional emails: Retained for 1 year
Marketing emails: Retained according to email service provider policies; deleted upon unsubscribe
Support inquiries: Retained for 2 years
Cookie Data
Session cookies: Deleted upon browser closure
Persistent cookies: Retained for up to 2 years
Remarketing pixels: Retained per platform policies (typically 90 to 540 days)
7.2 Post-Deletion Handling
After deletion, residual copies of data may remain in backup and archive systems for up to 90 days but will not be accessible or used for any purpose. Once backup systems are purged, the data is permanently deleted.
8. Data Security
8.1 Security Measures
NDEX-AI LLC implements comprehensive technical, administrative, and physical safeguards to protect personal information:
Technical Safeguards:
Encryption of data in transit (TLS/SSL protocols)
Encryption of sensitive data at rest
Secure authentication mechanisms (password protection, multi-factor authentication)
Regular security audits and vulnerability assessments
Intrusion detection and prevention systems
Firewalls and network segmentation
Administrative Safeguards:
Access controls limiting employee access to personal information
Employee training on data protection and privacy practices
Confidentiality agreements with all personnel
Data breach response and incident management procedures
Regular review of data handling practices
Physical Safeguards:
Secured data centers with restricted access
Environmental controls (fire suppression, climate control)
Video surveillance and badge access systems
Secure disposal of physical records containing personal information
8.2 CPRA Risk Assessment and Data Protection Audit
Under CPRA requirements, NDEX-AI LLC conducts:
Regular risk assessments evaluating significant risks to consumer privacy and security
Data protection audits by certified independent third parties
Annual compliance certifications submitted to the California Privacy Protection Agency
Evaluation of processing benefits against potential privacy and security risks
8.3 Data Breach Notification
In the event of a confirmed data breach affecting personal information, NDEX-AI LLC will:
Investigate the breach promptly
Notify affected users without unreasonable delay (generally within 30 days)
Provide notification via email or direct contact
Describe the breach, types of information affected, and remediation steps
Recommend protective measures (password changes, identity monitoring)
Notify regulatory authorities as required by law
Note: We are not obligated to notify users if the breach involves only encrypted data for which we do not retain the encryption key, or data that cannot reasonably be used to identify individuals.
9. Children's Privacy
NDEX-AI LLC does not intentionally collect personal information from children under the age of 13. If we discover that we have collected such information in violation of the Children's Online Privacy Protection Act (COPPA), we will delete it promptly.
Parental Rights: Parents or guardians who believe their child has provided personal information to our Services may contact us immediately at to request deletion.
10. General Data Protection Regulation (GDPR) Rights
10.1 Applicability
This section applies to individuals in the European Union, European Economic Area, and other jurisdictions with equivalent data protection laws.
10.2 Legal Basis for Processing
As outlined in Section 3.1, our processing of personal information is based on:
Consent – For non-essential services, marketing, and tracking
Contract Performance – To provide Services you request
Legal Obligation – To comply with regulatory requirements
Legitimate Interests – To improve Services, prevent fraud, and conduct business
10.3 GDPR Data Subject Rights
Right to Access (Article 15)
You have the right to request access to personal information we hold about you. We will provide information in a portable, machine-readable format within 30 days.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal information.
Right to Erasure ("Right to Be Forgotten") (Article 17)
You have the right to request deletion of personal information except where:
Data is necessary to provide contracted Services
Data retention is required by law
We have legitimate interests in retaining the data that override your rights
Right to Restrict Processing (Article 18)
You may request that we limit how we process your personal information pending resolution of disputes or in other circumstances.
Right to Data Portability (Article 20)
You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Right to Object (Article 21)
You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate reasons or legal obligations.
Right to Appeal Automated Decision-Making (Article 22)
If we make decisions based solely on automated processing that have legal or significant effects on you, you have the right to request human review and explanation.
10.4 Exercising GDPR Rights
To exercise any of these rights:
Submit a request to
Include sufficient information to identify yourself
Specify which right(s) you wish to exercise
Provide proof of identity
We will respond within 30 days. If we need additional information, we will request it within that timeframe.
10.5 Data Protection Officer and Contact Information
Data Protection Officer Contact:
For inquiries regarding GDPR compliance and data protection matters, contact:
Email: legal@ndexapp.com
Mail: 138 N Beaudry Ave, Los Angeles, CA 90012, United States
10.6 Complaint Rights
You have the right to lodge a complaint with the relevant data protection authority in your jurisdiction. Contact information for major regulators:
Ireland (EDPB Chair):
Spain (AEPD):
Germany (BfDI):
France (CNIL):
11. International Data Transfers
11.1 Transfer Mechanisms
NDEX-AI LLC operates in the United States and may transfer personal information to US-based service providers and servers. For users in the European Union and EEA:
Data Transfer Mechanisms:
Standard Contractual Clauses (SCCs): We use EU-approved SCCs for data transfers to non-adequate jurisdictions
Adequacy Decisions: We rely on official EU adequacy determinations where applicable
Consent: We obtain explicit consent for transfers where required
11.2 Data Localization
While we primarily process data in the United States, some service providers may process data in multiple jurisdictions. You may request information about the specific locations where your data is processed by contacting us.
12. Updates and Changes to This Policy
NDEX-AI LLC may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors.
How We Notify You of Changes:
We will post the updated Policy on our website with a new "Last Updated" date
For material changes, we will provide notice through email or a prominent website notice
Continued use of our Services following the update constitutes acceptance of the revised Policy
Your Rights: If you disagree with changes to this Policy, you may:
Opt out of data collection through privacy settings
Request deletion of your data under CCPA/CPRA/GDPR
Discontinue use of our Services
13. Your Privacy Rights and How to Exercise Them
13.1 Summary of Available Rights
Access/Know | CCPA, CPRA, GDPR, CalOPPA | Email
Delete/Erasure | CCPA, CPRA, GDPR | Email
Correct/Rectify | CPRA, GDPR | Email
Opt-Out (Sales/Sharing) | CCPA, CPRA, CalOPPA | Website "Do Not Sell", Email
Limit Use (Sensitive Data) | CPRA | Email
Data Portability | GDPR | Email
Object to Processing | GDPR | Email
Non-Discrimination | CCPA, CPRA | Automatic (we do not discriminate)
13.2 Request Submission Process
Step 1: Send a request to
Include your full name, email address, and account identifier (if applicable)
Clearly state which right(s) you wish to exercise
Provide sufficient detail to locate your information
Include proof of identity (driver's license copy, utility bill, etc.)
Step 2: We will acknowledge receipt within 10 business days
Step 3: We will verify your identity and process your request
Step 4: We will respond with:
Information or actions requested, or
Explanation if we cannot fulfill the request
Grounds for any denial
Response Timeline:
CCPA/CPRA: 45 days from verification
GDPR: 30 days from verification
CalOPPA: 30 days from request
13.3 Authorized Agent Requests
You may designate an authorized agent (including a business or attorney) to submit requests on your behalf. The agent must:
Provide written authorization (notarized power of attorney or similar)
We will verify authorization before processing
14. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your privacy rights, contact us:
By Email: legal@ndexapp.com
By Website: https://www.ndexapp.com/legal/privacy-policy
By Mail:
NDEX-AI LLC
138 N Beaudry Ave
Los Angeles, CA 90012
United States
Response Standard: We will respond to all inquiries within 10 business days. For formal requests under privacy laws (access, deletion, correction), see Section 13 for specific timelines.
15. Additional Notices
15.1 California Residents – Your California Privacy Rights
California residents have specific rights under CCPA, CPRA, and CalOPPA as outlined throughout this Policy. This section provides a concise summary:
Right to Know: Request what personal information we collect, use, and share
Right to Delete: Request deletion of personal information we have collected
Right to Correct: Request correction of inaccurate information
Right to Opt-Out: Opt-out of the sale or sharing of your personal information for cross-context behavioral advertising
Right to Limit: Limit our use of sensitive personal information
Do Not Sell My Personal Information:
Right to Non-Discrimination: We will not discriminate based on your exercise of privacy rights
To exercise these rights, contact or visit.
15.2 European Union/EEA Residents – Your GDPR Rights
Residents of the EU and EEA have rights under GDPR, including access, rectification, erasure, restriction, portability, objection, and automated decision-making rights outlined in Section 10. You may lodge a complaint with your local data protection authority.
15.3 Cryptocurrency Transactions
If you pay via cryptocurrency:
We retain transaction identifiers and wallet addresses for compliance and dispute resolution
We do not retain cryptocurrency private keys or sensitive authentication information
Transactions may be subject to tax reporting requirements
Cryptocurrency data may be shared with payment processors and regulatory authorities as required by law
15.4 Social Media Integration
When you connect through social platforms (Facebook, Twitter):
We collect verified social identifiers and public profile information
You may disconnect at any time through your account settings
Disconnection deletes our access to that social account going forward
Previously collected data is retained per our retention policy
16. Definitions
Personal Information: Any information that identifies, relates to, or could reasonably be linked with an individual or household.
Sensitive Personal Information (CPRA): Specific categories of personal information including: racial/ethnic origin, religious beliefs, union membership, genetic data, health information, biometric data for identification, precise geolocation, and financial account information.
Legitimate Interest: A legal basis for processing where the benefits to NDEX-AI LLC are not overridden by your rights and freedoms.
Data Controller: Entity that determines the purposes and means of personal data processing (NDEX-AI LLC).
Data Processor: Entity that processes personal data on behalf of the controller (our service providers).
Consent: Freely given, specific, informed, and unambiguous affirmative action indicating your willingness.
Processing: Any operation performed on personal information (collection, recording, use, analysis, transmission, etc.).
17. Governing Law
This Privacy Policy is governed by the laws of the State of California, without regard to its conflict of law provisions. However, privacy rights are interpreted according to applicable privacy laws in your jurisdiction (CCPA, CPRA, CalOPPA, GDPR).
Any disputes arising from this Policy or our privacy practices shall be resolved:
First through good-faith negotiation
Then through arbitration or litigation as permitted by law and our Terms of Service
18. Severability
If any provision of this Privacy Policy is found to be invalid or unenforceable, that provision shall be severed, and the remaining provisions shall remain in full force and effect.
19. Acknowledgment
By accessing and using NDEX-AI LLC's Services, you acknowledge that you have read and understood this Privacy Policy and consent to our collection and use of personal information as described herein.
NDEX LLC
Effective Date: December 5, 2025
For the most current version of this Privacy Policy, visit: https://www.ndexapp.com