Privacy Policy

Effective Date: April 15, 2026  •  Version: 2026-04-27

This Privacy Policy explains how NightCurrent Labs LLC ("NightCurrent," "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit nightcurrentlabs.com, create an account, use our mobile application, communicate with us, or use our products and services.

NightCurrent Labs LLC  •  16192 Coastal Highway, Lewes, DE 19958  •  legal@nightcurrentlabs.com

---

1. Scope

This Privacy Policy applies to our website, cloud services, dashboards, messaging tools, mobile application (iOS and Android), customer support interactions, and related business activities.

Embeddable widget. NightCurrent provides an embeddable chat and contact-form widget that our business customers ("Customers") may deploy on their own websites. When a visitor to a Customer's website submits information through that widget, NightCurrent receives and processes that information as a service provider on behalf of the Customer. The Customer's own privacy notice governs their use of visitor data; this Policy describes how NightCurrent handles it as a processor.

This Policy does not apply to third-party websites or services operated independently of NightCurrent that we do not control.

2. Information We Collect

Information you provide directly:

• name, company name, title, email address, phone number, billing address, and service address;
• account credentials and profile information;
• the content of inbound and outbound SMS messages and widget chat conversations;
• customer support communications;
• form submissions, chat messages, uploaded content, prompts, and workflow settings;
• payment and transaction information (typically processed by a payment provider); and
• any other information you choose to provide.

Information we collect automatically:

• IP address, device identifiers, browser type, operating system, referring URLs, and approximate location derived from IP;
• usage data such as pages viewed, clicks, session timing, and feature interactions;
• log data, diagnostics, and security event information; and
• cookies and similar technologies as described below.

Information collected through the mobile application:

• Push notification token. When you register for push notifications in the mobile app, we collect the device's Expo push token (a unique device identifier issued by Apple or Google through Expo's notification infrastructure). This token is stored on our servers and used solely to deliver notifications about new leads, appointment requests, and suggested follow-up actions relevant to your account. You can unregister at any time by signing out of the app or disabling notifications in your device settings.
• Device information. We collect basic device characteristics such as device type, operating system version, and whether the device is a physical device (vs. a simulator), used to ensure notification delivery and diagnose compatibility issues.
• App session and usage data. We may collect data about how the mobile app is used — screens visited, features accessed, and session timing — to improve the app experience. This data is not sold or used for advertising.
• Crash and diagnostic reports. If the app encounters an error, diagnostic information (such as error messages and stack traces) may be logged to identify and fix bugs. These logs do not include the content of your messages or your customers' personal information.

Information we receive from third parties:

• authentication providers, hosting providers, analytics vendors, payment providers, AI providers, telephony providers, and other integration partners;
• publicly available business information; and
• information provided by your employer or account administrator if your account is provisioned through a business customer.

3. How We Use Information

We may use personal information to:

• provide, operate, secure, and maintain our services;
• authenticate users and manage accounts;
• process transactions and send administrative messages;
• respond to support requests and communicate with you;
• review, process, and route messages and workflows;
• generate analytics, diagnostics, logs, and reports;
• prevent fraud, abuse, unauthorized use, or security incidents;
• improve our products, models, automations, and user experience;
• comply with legal obligations and enforce our agreements; and
• send marketing communications where permitted by law and subject to your choices.

4. How We Disclose Information

We may disclose personal information:

• to service providers and subprocessors that help us host, operate, secure, analyze, or support our services;
• to communications providers (such as Plivo, Twilio, or Vonage) when SMS messages are transmitted through our systems;
• to AI model providers — specifically: (a) the content of inbound SMS messages and widget chat conversations is transmitted to an AI provider (currently Anthropic) to generate automated replies; and (b) when the Suggested Follow-Ups feature is used, lead context including names, contact status, recent message summaries, and appointment information may be transmitted to Anthropic to generate follow-up recommendations. In both cases, the text of messages and lead context processed through the platform may be processed by Anthropic's systems under Anthropic's data use policies. AI-generated outputs are recommendations only and should be reviewed before use;
• to professional advisers, auditors, insurers, or financing partners under appropriate safeguards;
• in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar transaction; and
• when required by law, regulation, legal process, or to protect rights, safety, security, or property.

We do not sell personal information in exchange for money. We do not share mobile opt-in data or consent records with third parties for their own marketing or promotional use.

5. Cookies and Similar Technologies

We use cookies and similar technologies for the following purposes:

• Authentication: a signed cookie stores your session token (JSON Web Token) to keep you signed into your dashboard account. This cookie is required for the dashboard to function and cannot be disabled while you are signed in.
• Widget sessions: when you interact with an embedded widget chat, a session identifier is stored to maintain conversation continuity across messages.
• Preferences and security: we may use additional cookies to remember settings, improve security, and understand usage patterns.

You may be able to control non-essential cookies through your browser settings. Disabling authentication cookies will sign you out of the dashboard.

6. Do Not Track and Cross-Site Tracking

At this time, we do not respond to browser "Do Not Track" signals in a standardized way. We do not knowingly authorize third parties to collect personally identifiable information about your online activities over time and across different websites for their own independent purposes through our website, except as part of analytics, security, or embedded service functionality we use.

7. Data Retention

We retain personal information for as long as reasonably necessary to provide the services; maintain business and tax records; enforce agreements; resolve disputes; satisfy legal obligations; and protect the security and integrity of our systems. Retention periods vary depending on the nature of the information and the context in which it was collected.

8. Security

We maintain a security program that includes reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, destruction, loss, alteration, or disclosure. Our program includes measures such as:

• encryption of data in transit using TLS;
• hashing of passwords and sensitive tokens using one-way functions — we do not store plaintext passwords;
• access controls that limit personnel and system access to data on a need-to-know basis;
• IP-address hashing for audit logs — we do not log raw IP addresses in retention records;
• JWT-based authentication with short expiry and a server-side token blacklist on logout;
• CSRF protection on all state-changing form submissions; and
• logging of security-relevant events for detection and incident response purposes.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials, restricting access to authorized personnel, and promptly notifying us of any suspected compromise.

9. Security Incident Notification

If we confirm a security incident that affects personal information we hold, we will notify affected business customers (account holders) without undue delay and no later than 72 hours after confirmation where required by applicable law. Notification will be sent to the email address on file for the account administrator. We will provide information reasonably necessary to understand the nature of the incident and assist you in meeting your own notification obligations to your customers or regulators.

For questions about our security practices or to report a suspected vulnerability, contact us at legal@nightcurrentlabs.com.

10. Your Choices and Rights

Depending on applicable law and where you live, you may have rights to request access to, correction of, deletion of, or portability of certain personal information, or to object to or limit certain processing. You may also opt out of marketing emails by using the unsubscribe link in the message or by contacting us. To submit a request, contact us at legal@nightcurrentlabs.com. We may need to verify your identity before fulfilling certain requests.

Push notifications. You can disable push notifications at any time by (a) tapping "Register This Device" in the mobile app's Settings screen and toggling off notifications in your device's system settings, (b) signing out of the mobile app (which automatically unregisters your push token), or (c) disabling notifications for NightCurrent Labs in your iOS or Android system Settings.

Account deletion. If you wish to request deletion of your account or your personal data, you may submit a request at /legal/account-deletion or by emailing legal@nightcurrentlabs.com. Business accounts may require administrator verification before data is deleted. Requests affecting data belonging to multiple parties (such as org-wide customer records) will be handled in accordance with our Data Processing Addendum.

11. Children's Privacy

Our services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, contact us so we can review and delete the information where appropriate.

12. International Transfers

If you access the services from outside the United States, you understand that your information may be processed in the United States and other countries where we or our service providers operate.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version on our website, update the Effective Date and Version above, and take any additional steps required by law. The version string (e.g., "2026-04-15") identifies the specific version of this policy that was in effect on that date.

14. Contact Us

Questions, requests, or complaints about this Privacy Policy may be sent to:
NightCurrent Labs LLC  •  16192 Coastal Highway, Lewes, DE 19958
legal@nightcurrentlabs.com