Privacy Policy
Effective Date: November 14, 2025
Last Updated: November 29, 2025
1. Introduction
Chris Groves ("we," "us," or "our") operates notchrisgroves.com (the "Site"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our Site and use our services, including our membership platform.
By using the Site, you consent to the data practices described in this policy. If you do not agree with this policy, please discontinue use of the Site.
2. Information We Collect
2.1 Personal Information You Provide
We collect information that you voluntarily provide when you:
- Create an account: Name, email address
- Subscribe to paid membership: Billing information processed through Stripe, Inc. (we do not store credit card numbers)
- Subscribe to newsletter: Email address
- Post comments: Name, email address, comment content
- Contact us: Name, email address, message content
2.2 Automatically Collected Information
When you visit our Site, we automatically collect certain information:
- Log Data: IP address, browser type and version, operating system, referring URLs, pages viewed, time and date of visits
- Cookies and Tracking: Session cookies for authentication, analytics cookies to understand site usage (see Section 8 for details)
- Device Information: Device type, screen resolution, browser language
2.3 Third-Party Information
We may receive information from third-party services:
- Stripe, Inc.: Payment confirmation, subscription status, transaction data
- Ghost Platform (Ghost Foundation): Hosting and content delivery analytics
- Discord (optional, all membership tiers): Username, user ID if you join our community server
3. How We Use Your Information
We use collected information for the following purposes:
- Service Delivery: Create and manage your account, process payments, deliver content based on membership tier
- Communications: Send newsletters, blog post notifications, membership updates, respond to inquiries
- Analytics: Understand how users interact with our Site, improve content and user experience
- Legal Compliance: Comply with applicable laws, resolve disputes, enforce our agreements
- Security: Detect and prevent fraud, abuse, and security incidents
- Marketing (opt-in only): Send promotional communications about new content or features. For EU users, we obtain explicit consent at signup. You may opt out at any time via the "unsubscribe" link in emails.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), our legal basis for processing personal information includes:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide membership services you've requested
- Consent (Art. 6(1)(a)): You have given explicit, freely given consent for newsletter subscriptions and marketing communications, obtained at signup and renewable annually. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Legitimate Interests (Art. 6(1)(f)): Improving our services, analytics, fraud prevention (balanced against your rights via our Legitimate Interest Assessment)
- Legal Obligations (Art. 6(1)(c)): Compliance with tax, accounting, and other legal requirements (e.g., IRS 7-year retention under 26 U.S.C. § 6001)
5. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share information in the following circumstances:
5.1 Service Providers (Third-Party Processors)
We share data with the following third parties under Data Processing Agreements (GDPR Art. 28):
- Ghost Foundation (Ghost.org): Content hosting and delivery platform. Data transferred to servers in the United States. Privacy Policy: https://ghost.org/privacy/
- Stripe, Inc.: Payment processing for paid memberships. We are the data controller; Stripe is our payment processor. Data shared includes: name, email, billing address, payment method (handled by Stripe - we do not store full card details). Stripe is PCI-DSS Level 1 compliant. Data transferred to servers in the United States and Ireland. You may access Stripe's data directly via your Stripe account. Privacy Policy: https://stripe.com/privacy. Stripe handles PCI compliance, but we remain responsible as data controller under GDPR.
- Discord (optional - all membership tiers): Community platform with tiered channel access (Lurker: 4 channels, Contributor: 9 channels, Fellowship: 14 channels). Data shared only if you choose to join our Discord server: email address, username. Discord Terms: https://discord.com/terms. Privacy Policy: https://discord.com/privacy. This is an opt-in service and does not constitute a "sale" under CCPA.
5.2 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Valid legal process (subpoena, court order, search warrant)
- Protecting our rights, property, or safety
- Investigating fraud or security issues
- Enforcing our Terms of Service
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred. You will be notified via email at least 30 days before any such transfer, and you may delete your account before the transfer if you do not consent.
6. Data Retention
We retain your personal information for as long as necessary, according to the following retention periods:
- Active accounts: Duration of membership plus retention periods below
- Tax and billing records: 7 years from transaction date (required by IRS under 26 U.S.C. § 6001)
- Security and fraud logs: 30 days unless required for active investigation
- Analytics data: Anonymized after 90 days
- Legal disputes: Duration of dispute plus applicable statute of limitations
Account Deletion: Upon account deletion, we will promptly delete or anonymize your personal information within 90 days, except where retention is required by law (e.g., tax records) or for legitimate interests (e.g., fraud prevention for ongoing investigations). We may retain backup copies for up to 90 days for technical reasons (e.g., disaster recovery), after which they are permanently deleted. For GDPR users, see Section 7.3 for your right to erasure.
6A. Intelligence Adjacent Framework - Privacy Considerations
IMPORTANT NOTICE REGARDING THE INTELLIGENCE ADJACENT FRAMEWORK:
This Site provides documentation, tutorials, and educational content related to the Intelligence Adjacent Framework (the "Framework"), an open-source software system. This section clarifies our privacy practices related to the Framework.
6A.1 Framework = Data Scope
The Intelligence Adjacent Framework is self-hosted software. We do NOT collect, store, process, or have access to ANY data generated by your Framework installation.
What this means:
- When you install the Framework on your own infrastructure (computer, VPS, servers), ALL data it processes remains entirely within YOUR control
- We do NOT operate the Framework as a hosted service
- We do NOT receive telemetry, usage data, error reports, or analytics from your Framework installation
- We do NOT have visibility into what you do with the Framework
- Your Framework deployment is completely separate from our Site and services
6A.2 What We DO Collect (Site Only)
Our data collection is limited ONLY to this Site (notchrisgroves.com):
- Account data: Your name and email if you create a membership account on this Site
- Payment data: Billing information if you subscribe to paid membership (processed by Stripe)
- Analytics: How you interact with THIS SITE ONLY (pages viewed, time spent, navigation patterns)
- Communications: Messages you send us via contact forms or email
We do NOT collect:
- Data processed by your Framework installation
- AI-generated outputs from your Framework instance
- Files, documents, or code analyzed by your Framework
- Security testing results from your Framework-orchestrated tools
- Credentials, API keys, or configurations in your Framework deployment
- Logs or telemetry from your Framework operation
6A.3 Third-Party Services (You Integrate)
The Framework can integrate with numerous third-party services (Anthropic Claude, OpenAI, Ghost CMS, Stripe, Discord, n8n, etc.). YOU control which services to integrate and configure.
Important privacy considerations:
- YOU are the data controller for any personal data processed by YOUR Framework installation
- Third-party services YOU integrate with have their own privacy policies (e.g., Anthropic, OpenAI, Discord)
- We are NOT responsible for third-party data practices when you use the Framework to interact with those services
- Data YOU send to third-party APIs via the Framework is governed by THEIR privacy policies, not ours
Your responsibilities:
- Review privacy policies of all third-party services you integrate with the Framework
- Ensure your Framework deployment complies with applicable data protection laws (GDPR, CCPA, etc.)
- Obtain necessary consents if you process personal data using the Framework
- Implement appropriate security measures for your Framework installation
- Notify affected individuals if your Framework instance experiences a data breach
6A.4 GDPR Compliance (Your Responsibility)
If you process EU personal data using the Framework, YOU are the data controller and must comply with GDPR independently:
- Article 5: Lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality
- Article 6: Ensure lawful basis for processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests)
- Article 13/14: Provide privacy notices to data subjects whose information you process
- Article 15-22: Respond to data subject rights requests (access, rectification, erasure, restriction, portability, objection)
- Article 32: Implement appropriate technical and organizational security measures
- Article 33/34: Report data breaches to supervisory authorities (within 72 hours) and affected individuals (without undue delay)
- Article 28: Ensure Data Processing Agreements with third-party services you integrate
We do NOT:
- Act as data controller or processor for your Framework installation
- Handle GDPR compliance for your Framework deployment
- Respond to data subject rights requests related to your Framework use
- Report data breaches from your Framework instance
- Provide Data Processing Agreements for Framework software (it's self-hosted, not a service)
6A.5 Security Testing Data
If you use the Framework to orchestrate security testing tools (nmap, nuclei, sqlmap, Metasploit, etc.), ALL security testing data remains on YOUR infrastructure.
We do NOT:
- Receive copies of vulnerability scan results
- Have access to penetration testing reports
- Store security findings from your assessments
- Process target organization data from your security engagements
Your responsibilities:
- Ensure proper written authorization before conducting security testing
- Securely store security testing data (encryption at rest and in transit)
- Implement access controls for sensitive security findings
- Comply with client confidentiality obligations and data protection agreements
- Properly dispose of security testing data when no longer needed
6A.6 AI Model Interactions
The Framework can interact with AI models (Anthropic Claude, OpenAI GPT, etc.). Data YOU send to AI models via the Framework is governed by THOSE PROVIDERS' privacy policies, not ours.
Key privacy considerations:
- Anthropic Claude: Commercial API data is NOT used for training. See: anthropic.com/privacy
- OpenAI: API data retention policies vary by plan. See: openai.com/privacy
- Local/self-hosted models: Data remains entirely within your control
Best practices for Framework + AI:
- Do NOT send personal data, credentials, or sensitive information to AI models unless you've reviewed their privacy policies and data handling practices
- Use local/self-hosted AI models for sensitive data processing when possible
- Implement data anonymization/pseudonymization before sending to cloud AI services
- Review AI provider data retention policies and configure appropriate retention settings
6A.7 No Data Visibility
To be absolutely clear: We have ZERO visibility into your Framework deployment.
We do NOT know:
- What you use the Framework for
- What data you process with it
- Which third-party services you integrate
- What AI prompts or outputs you generate
- What security testing you perform
- What files, documents, or code you analyze
- Whether your deployment complies with data protection laws
Privacy boundary:
- This Site (notchrisgroves.com): We collect data per Sections 2-5 above (account, payment, analytics)
- Your Framework installation: We collect NOTHING. You are entirely responsible for privacy compliance.
6A.8 Framework Updates & Privacy
The Framework does NOT have auto-update or telemetry features.
- Updates are manual (you pull new versions from GitHub)
- No "phone home" functionality
- No crash reports or error telemetry sent to us
- No usage analytics transmitted to us
If we add telemetry features in the future (e.g., opt-in crash reporting), we will:
- Make it completely optional (opt-in, not opt-out)
- Document exactly what data is collected
- Update this Privacy Policy accordingly
- Obtain your explicit consent before any telemetry activation
6A.9 Framework = Data Sovereignty
The Framework gives YOU complete data sovereignty.
Benefits:
- Full control: All data stays within your infrastructure
- Choose your jurisdiction: Host the Framework wherever you want (US, EU, on-premises, etc.)
- Select your services: Choose which third-party APIs to integrate (or use none)
- Data residency compliance: Easier compliance with regional data laws (GDPR, CCPA, etc.)
- No vendor lock-in: Your data never lives in our systems
Risks YOU assume:
- Data protection compliance: YOU must ensure GDPR/CCPA/etc. compliance for your deployment
- Security: YOU must secure your Framework instance (encryption, access controls, patching)
- Data breaches: YOU must detect, respond to, and report any breaches from your deployment
- Third-party risks: YOU must evaluate privacy implications of services you integrate
SUMMARY: We do NOT collect, process, or have access to any data from your Framework installation. You are solely responsible for privacy compliance in your Framework deployment.
7. Your Privacy Rights
7.1 All Users
Regardless of location, you have the following rights:
- Access: Request a copy of your personal data (contact: legal@notchrisgroves.com)
- Correction: Update or correct inaccurate information via account settings
- Deletion: Request deletion of your account and personal data (subject to legal retention requirements)
- Opt-Out: Unsubscribe from marketing emails via the "unsubscribe" link in each email
- Data Portability: Receive your data in CSV or JSON format
To exercise rights: Email legal@notchrisgroves.com with your account email and specific request. We respond within 30 days.
7.2 California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), you have additional rights:
- Right to Know: Request disclosure of categories and specific pieces of personal information collected in the last 12 months
- Right to Delete: Request deletion of personal information (subject to exceptions for legal compliance, fraud prevention, etc.)
- Right to Opt-Out of Sale: We do not sell personal information. We honor Global Privacy Control (GPC) signals.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights (no denial of service, different prices, or reduced quality)
- Authorized Agent: You may designate an authorized agent to make requests on your behalf (requires written authorization)
CCPA Response Time: We respond to verified requests within 45 days (may extend by 45 days if necessary, with notice).
California "Shine the Light" Law: Under Cal. Civ. Code § 1798.83, you may request information about disclosure of personal information to third parties for direct marketing. We do not share data for third-party marketing.
7.3 European Users (GDPR)
If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR:
- Right to Access (Art. 15): Obtain confirmation of processing and a copy of your data
- Right to Rectification (Art. 16): Correct inaccurate personal data
- Right to Erasure/Right to be Forgotten (Art. 17): Request deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful
- Right to Restrict Processing (Art. 18): Limit processing in certain circumstances (e.g., while accuracy is contested)
- Right to Data Portability (Art. 20): Receive data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting prior lawful processing
- Right to Lodge Complaint (Art. 77): File a complaint with your local data protection authority (e.g., supervisory authority in your EU member state)
GDPR Response Time: We respond to requests within 30 days (may extend by 60 days for complex requests, with explanation).
Data Protection Officer Contact: For GDPR inquiries, contact legal@notchrisgroves.com (designated representative for EU users).
8. Cookies and Tracking Technologies
8.1 Types of Cookies We Use
- Essential Cookies (Strictly Necessary): Required for authentication, site functionality, and security. These cannot be disabled without affecting site operation.
- Analytics Cookies (Performance): Ghost analytics to understand site usage. Data is anonymized after 90 days. You may opt out via browser settings.
- Preference Cookies (Functionality): Remember your settings and preferences (e.g., dark mode).
8.2 Managing Cookies
You can control cookies through your browser settings:
- Chrome: Settings → Privacy and Security → Cookies
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Manage Website Data
Note: Disabling essential cookies will limit site functionality, including the ability to log in.
Cookie Consent (EU/UK): For EEA/UK visitors, we obtain consent before placing non-essential cookies (ePrivacy Directive compliance). You may withdraw consent at any time.
8.3 Do Not Track
Our Site does not currently respond to "Do Not Track" (DNT) browser signals due to the lack of an industry standard. However, we honor Global Privacy Control (GPC) signals for CCPA opt-out requests.
8.4 Cookie Policy
For full details on cookies used, see our Cookie Policy (coming soon).
9. Data Security
We implement reasonable security measures to protect your personal information:
- Encryption in Transit: All data transmissions use HTTPS/TLS 1.3 encryption
- Access Controls: Limited access to personal data on a need-to-know basis with role-based permissions
- Secure Storage: Data stored on Ghost's secure infrastructure with encryption at rest
- Payment Security: PCI-DSS Level 1 compliant payment processing via Stripe (we do not store full payment card details)
- Security Audits: Annual security reviews of third-party processors
- Breach Notification: In the event of a data breach, we will notify affected users within 72 hours (GDPR Art. 33) or as required by applicable US state laws (e.g., Texas breach notification under Tex. Bus. & Com. Code § 521.053)
However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
10. International Data Transfers
Your information may be transferred to and processed in the United States and other countries where our service providers operate (Ghost in the US, Stripe in the US/Ireland). These countries may have different data protection laws than your country of residence.
For EEA/UK/Swiss users, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): We use the European Commission's 2021 Standard Contractual Clauses (Decision 2021/914) with our processors. Transfer Impact Assessments (TIAs) document US surveillance risks and supplementary measures per EDPB Recommendations 01/2020.
- EU-US Data Privacy Framework (DPF): Where applicable, we rely on processors with DPF self-certification (adopted July 2023, replacing invalidated Privacy Shield). Verify DPF status at: https://www.dataprivacyframework.gov/
- UK Extension to SCCs: For UK users, we use the UK International Data Transfer Addendum
- Swiss SCCs: For Swiss users, we comply with Swiss Federal Data Protection Act requirements
Geographic Limitations: If you are outside the United States, please be aware that your data will be transferred to the US. By using our Site, you consent to this transfer.
11. Children's Privacy
Our Site is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.
COPPA Compliance: Our service is not directed at children under 13 years of age (Children's Online Privacy Protection Act, 15 U.S.C. § 6501). We do not knowingly collect information from anyone under 13. If we become aware that we have collected personal information from a child under 13, we will delete such information immediately.
If you believe we have collected information from a child under 18, please contact us at legal@notchrisgroves.com and we will promptly delete it.
12. Third-Party Links
Our Site may contain links to third-party websites (e.g., GitHub, Twitter, LinkedIn). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.
This Privacy Policy applies only to information collected by notchrisgroves.com.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. Changes will be posted on this page with an updated "Last Updated" date.
For material changes, we will notify you by:
- Email to registered members at least 30 days before the effective date
- Prominent notice on the Site homepage
- For GDPR users, obtaining fresh consent if required by law
Continued use of the Site after the effective date of changes constitutes acceptance of the updated policy. If you do not agree, please discontinue use and delete your account.
14. Contact Information
For questions, concerns, or to exercise your privacy rights, contact us at:
Chris Groves
Website: https://notchrisgroves.com/contact/
Response Time: Within 30 days of request
For specific privacy inquiries:
- GDPR requests: legal@notchrisgroves.com (EU Representative)
- CCPA requests: legal@notchrisgroves.com
- Data deletion/access: legal@notchrisgroves.com
- General privacy questions: legal@notchrisgroves.com
15. Governing Law
This Privacy Policy is governed by the laws of the State of Texas and the United States, without regard to conflict of law provisions.
For international users, GDPR extraterritorial provisions (Art. 3) apply where we offer services to EU data subjects.
16. Your Consent
By using notchrisgroves.com, you consent to the data practices described in this Privacy Policy.
This Privacy Policy complies with:
- US federal law and FTC guidelines (Section 5 of the FTC Act)
- Texas state law (Texas Business and Commerce Code)
- California Consumer Privacy Act (CCPA/CPRA) - Cal. Civ. Code § 1798.100 et seq.
- European General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- Children's Online Privacy Protection Act (COPPA) - 15 U.S.C. § 6501
- California Automatic Renewal Law - Cal. Bus. & Prof. Code § 17600 et seq.
Last Reviewed: November 29, 2025