Privacy Policy

1. Introduction

QUANTUMCAP LTD (Company number 17131047), a company registered in England and Wales with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ ("Company", "we", "us", or "our"), operates the JustHoney.AI website, applications, and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Service.

For the purposes of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 (DUAA) and the EU General Data Protection Regulation (EU GDPR), QUANTUMCAP LTD is the data controller for the personal data we process about you in connection with the Service.

By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service. This policy applies to all users, including visitors who do not create an account.

This Privacy Policy should be read alongside our Terms of Service, which govern your overall use of the Service, and our 2257 Compliance Statement, which addresses our approach to adult content and age verification.

2. Information We Collect

We collect information in several ways depending on how you interact with the Service.

2.1 Information you provide directly

• Account Information: When you register, we collect your email address, display name, and password (if you register using email and password) or an authentication token (if you register using a supported OAuth provider — Google or Discord).
• Profile Information: Any optional profile details you choose to provide, such as interests and chat-style preferences selected during onboarding.
• Payment Information: If you purchase a Paid Subscription (Honey or Manuka) or a Nectar credit pack, our payment services provider, Rapyd, collects and processes your payment details (such as card number and billing address) directly on a Rapyd-hosted checkout page. We do not see, store, or process your full payment card number — we receive only a limited transaction record (including the last four digits of the card used, transaction amount, and transaction status).
• Age Verification Data: To unlock NSFW content on the Service, you are required to complete age verification via our age verification provider, Ondato. The method depends on the jurisdiction from which you are accessing the Service, as set out in the Terms of Service (Section 6). Two categories of data may be submitted to Ondato:
  • Facial age estimation: where this method applies, you submit a short facial image to Ondato. Ondato uses that image to estimate your apparent age and returns a pass or fail result to us. If Ondato's estimate does not confidently indicate that you are an adult, you are routed to identity verification (below) as a fallback.
  • Identity verification: where this method applies — either as a fallback to facial age estimation or directly in jurisdictions whose laws require an identity-based check — you submit a government-issued identity document and a short facial image to Ondato. Ondato verifies the authenticity of the document, matches it to the facial image, and returns a pass or fail result to us.
  In each case, the data you submit is processed by Ondato directly, in accordance with Ondato's own terms and privacy policy. We do not receive, store, or process the underlying facial image, identity document, or biometric data; we receive only the pass/fail result, together with a limited technical audit record (such as a timestamp, the verification method used, and an Ondato-issued verification reference).
• Conversation Data: Text messages, prompts, and other content you send to AI companions within the Service.
• Support Communications: Information you provide when contacting us for support, including email messages and any attachments.
• Feedback: Any feedback, suggestions, or reports you submit to us.

2.2 Information collected automatically

• Device Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers.
• Usage Data: Pages visited, features used, buttons clicked, time spent on pages, and general interaction patterns with the Service.
• Log Data: IP address, access times, referring URLs, error logs, and server request logs.
• Location Data: Approximate geographic location derived from your IP address (read at our content delivery network edge from headers including CloudFront-Viewer-Country and CloudFront-Viewer-Country-Region), used for the following purposes: (i) determining your applicable pricing region (see Section 3 and the Terms of Service Section 7.4); (ii) determining the age verification method applicable to your jurisdiction (facial age estimation or identity verification — see Terms of Service Section 6) and whether the Service is available in your jurisdiction at all; and (iii) in respect of payments processed via our Payment Services Provider, identifying the billing country associated with your payment method (used by our tax compliance provider to allocate consumption taxes to the relevant tax authority). We do not collect precise GPS location.
• Cookie Data: Information collected through cookies and similar tracking technologies (see Section 6).

2.3 Information from third parties

• OAuth Identity Providers: If you authenticate using Google or Discord, we receive basic profile information (name, email address, and — where made available by the provider — a profile picture) as permitted by the provider's scopes and by the permissions you grant at the OAuth consent screen.
• Rapyd (payment services provider): We receive transaction confirmations, pre-authorisation and capture results, subscription status, and chargeback notifications in respect of your purchases.
• Ondato (age verification provider): We receive the pass/fail result of each age verification attempt (whether by facial age estimation or identity verification), together with a limited technical audit record.

3. How We Use Your Data

We use the information we collect for the following purposes. Section 14 sets out the legal bases under the UK GDPR and EU GDPR on which each processing activity relies.

Service delivery

• To create, manage, and maintain your account.
• To provide AI companion interactions and generate personalised responses.
• To process subscriptions, Nectar purchases, payments, renewals, and refunds.
• To determine your applicable pricing region for subscription and Nectar purchases, based on the approximate geographic location derived from your IP address.
• To allocate the consumption taxes (VAT, sales tax, GST, or equivalent) payable on your purchase to the relevant tax authority, based on the billing country associated with your payment method as provided to our Payment Services Provider, with the assistance of our tax compliance provider.
• To determine, from your approximate geographic location, the age verification method applicable to your jurisdiction (facial age estimation or identity verification) and whether the Service can be made available in your jurisdiction.
• To carry out age verification via Ondato (by facial age estimation, identity verification, or both, as applicable), and to ensure that NSFW content and functionality is made available only to Users who have successfully completed age verification and hold an active Paid Subscription.
• To deliver features you request and enable Service functionality.

Service improvement

• To analyse usage patterns and improve the Service's features, performance, and user experience.
• To train, evaluate, and improve our AI models and content moderation tools, using anonymised and aggregated extracts from conversation data (and subject to your opt-out — see Section 4.4).
• To conduct internal research and development.
• To troubleshoot bugs, resolve technical issues, and monitor system performance.

Communication

• To send you service-related announcements, updates, security alerts, subscription confirmations, pre-renewal reminders, payment receipts, and other transactional notifications.
• To respond to your support inquiries and feedback.
• To send promotional communications if you have opted in. You can opt out at any time using the unsubscribe link in any marketing email or by contacting us.

Safety & compliance

• To detect, prevent, and address fraud, abuse, chargebacks, and security threats.
• To enforce our Terms of Service, our 2257 Compliance Statement, and our other policies.
• To comply with applicable legal obligations, regulations, and law enforcement requests.
• To preserve and report any content suspected to be child sexual abuse material (CSAM) to the appropriate authorities — including the Internet Watch Foundation (IWF) and the National Crime Agency (NCA) in the United Kingdom, the National Center for Missing & Exploited Children (NCMEC) in the United States, and any other competent authority — as described in our 2257 Compliance Statement.
• To protect the rights, property, and safety of QUANTUMCAP LTD, our users, and the public.

4. AI & Conversation Data

4.1 Processing

Your messages are sent through our AI text-model gateway provider, OpenRouter, which routes your messages to one or more underlying large language model providers to generate responses. The specific providers used vary based on the type of interaction. The content of your conversations is processed in real time and is necessary for the core functionality of the Service. Underlying model providers process your messages only for the purpose of generating a response, and OpenRouter operates under contractual data-handling commitments that flow through to those underlying providers.

4.2 Storage

Conversation data is stored on our servers to provide features such as chat history, companion memory, and continuity between sessions. This data is encrypted at rest and access is strictly limited to authorised systems and personnel.

4.3 Deletion

You may delete individual conversations at any time from within the Service. You may also request deletion of your full conversation history, or of your entire account, by contacting support@justhoney.ai. Deleted conversations are permanently removed from our active systems, though residual copies may exist in encrypted backup systems for a limited period before being purged on the rolling schedule described in Section 11.

4.4 AI training and research — your choice

We may use anonymised and aggregated extracts from your conversation data to train, evaluate, and improve our AI models and to conduct related research. Before any content is used for training purposes, it is processed to strip directly identifying information.

This use of your conversation data is optional. You can opt out at any time via Account Settings → Privacy → AI Training, and we will not use your conversation data for AI training purposes going forward. Opting out does not affect our use of your conversation data for the operational purposes described in Section 4.1 and 4.2, and does not affect model improvements that have already occurred based on previously-submitted content that was lawfully included prior to your opt-out.

We do not sell your conversation data or share it publicly. The legal basis for training-related processing is our legitimate interest in developing and improving the Service; your opt-out right is what makes the legitimate-interest balance defensible, and we will honour opt-outs promptly.

5. Data Sharing & Disclosure

We do not sell your personal information.

We share your information only in the following circumstances:

• Service Providers (Processors): We share data with the third-party vendors listed in Section 7, who perform services on our behalf under written data processing agreements that restrict their use of your data to the services they provide to us.
• Legal Requirements: We may disclose your information if required to do so by law, in response to a subpoena, court order, or other governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• CSAM Reporting: We will preserve and report any content suspected to be CSAM to the appropriate authorities — including the Internet Watch Foundation (IWF) and the National Crime Agency (NCA) in the United Kingdom, the National Center for Missing & Exploited Children (NCMEC) in the United States, and any other competent authority — in accordance with our zero-tolerance policy set out in the 2257 Compliance Statement.
• Business Transfers: In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
• With Your Consent: We may share your information with third parties when you give us explicit consent to do so.
• Aggregated or De-identified Data: We may share anonymised, aggregated data that cannot reasonably be used to identify you for research, marketing, analytics, and other purposes.

6. Cookies & Tracking Technologies

We use cookies and similar tracking technologies (such as local storage and pixel tags) to operate the Service. Cookies fall into the following categories.

• Strictly necessary (always active): authentication, session management, load balancing, security, fraud prevention, and remembering your cookie preferences. The Service cannot function without these, and under the UK Privacy and Electronic Communications Regulations (PECR) and equivalent EU law these cookies do not require your consent.
• Functional (consent required): remembering your interface preferences, language, and display options to improve your experience on return visits.
• Analytics (consent required): helping us understand how users interact with the Service in aggregate so we can improve it. We use first-party and third-party analytics tools that may set cookies and process limited identifiers (such as a randomised analytics ID and IP address).

We do not currently use marketing or advertising cookies, do not engage in cross-context behavioural advertising, and do not run paid advertising campaigns.

6.1 How we obtain your consent

When you first visit JustHoney.AI, a cookie banner is displayed. Until you make a choice, no Functional or Analytics cookies are set on your device. The banner offers you two equally prominent options:

• Accept — sets all categories, including Functional and Analytics cookies; or
• Reject — sets only Strictly Necessary cookies. The Service will continue to operate normally; only the optional features described above will be unavailable.

Your preference is recorded in a Strictly Necessary cookie so we know your choice on subsequent visits.

6.2 Changing or withdrawing your consent

You can change your cookie preferences at any time, and withdrawing consent is as easy as giving it. To do so, click the "Cookie Preferences" link in the website footer, which will re-open the cookie banner. Your updated preference takes effect immediately, and any Functional or Analytics cookies you previously consented to will be cleared if you opt out.

You can also block or delete cookies through your browser settings. Note that blocking Strictly Necessary cookies via your browser may prevent the Service from functioning correctly.

6.3 Do Not Track

We do not currently respond to "Do Not Track" (DNT) signals because there is no industry consensus on how DNT should be interpreted. The cookie banner described above is our authoritative consent mechanism.

6.4 Cookie list and lifetimes

A current list of the specific cookies we use, their purposes, and their retention periods is available via the "Cookie Preferences" link in the website footer. We update this list when we add, change, or remove cookies.

7. Third-Party Services and Sub-processors

The Service relies on the following categories of third-party services for core functionality. Each is a processor of personal data on our behalf (or, in the case of OAuth providers, an independent controller of the data we receive from them) and is listed with its primary function and processing location.

Each third-party service has its own privacy policy governing its use of data. We encourage you to review their policies. We have written data processing agreements or equivalent contractual protections in place with each of our processors, and for transfers outside the United Kingdom we rely on the safeguards described in Section 12.

Sub-processor changes. We may add, change, or remove sub-processors from time to time as our infrastructure and feature set evolves. We will reflect changes in this section, and where the change involves a new sub-processor processing core categories of your personal data — namely account, payment, age verification or conversation data — we will provide reasonable advance notice, normally at least 30 days, by email to your registered address and/or via in-app notification. You may object to a new sub-processor by terminating your Account before the change takes effect, in accordance with our cancellation routes (Terms of Service section 8.3). Non-material sub-processor changes — for example, changes among CDN edge providers or analytics tools that process aggregated, non-identifying data — are reflected in this section but may not trigger an individual notification.

Where a sub-processor change is required urgently — for example, in response to a security incident, the discontinuation of a service by an existing sub-processor, or a legal or regulatory requirement — we may make the change with shorter or no advance notice, and will explain the reason for the shortened notice period when we update this section.

This sub-processor notification process operates in addition to the general policy-change notification mechanism in Section 15.

8. Data Security

We take the security of your personal information seriously and implement a variety of measures to protect it:

• Encryption: Data is encrypted in transit using TLS/SSL and at rest using industry-standard encryption algorithms.
• Access Controls: Access to personal data is restricted to authorised personnel who need it to perform their job functions.
• Infrastructure Security: Our infrastructure is hosted on enterprise-grade cloud platforms with physical security, network security, and regular vulnerability assessments.
• Authentication: Passwords are hashed using strong, one-way algorithms. We support secure authentication methods including OAuth providers and short-lived authentication tokens.
• Monitoring: We continuously monitor our systems for security threats, unauthorised access, and anomalous activity.

While we strive to protect your information, no system is completely secure. We cannot guarantee the absolute security of your data transmitted to or stored by the Service. You use the Service at your own risk and are responsible for maintaining the confidentiality of your account credentials.

If you believe your account has been compromised, please contact us immediately at support@justhoney.ai. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach and will notify affected users without undue delay, as required by UK GDPR.

9. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data (subject to certain exceptions, including our legal obligation to retain payment records under applicable tax and financial regulations).
• Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
• Right to Data Portability: Request a copy of your data in a structured, machine-readable format.
• Right to Object: Object to the processing of your personal data for certain purposes, including direct marketing and processing based on our legitimate interests.
• Right to Withdraw Consent: Withdraw consent where processing is based on your consent, without affecting the lawfulness of processing carried out before withdrawal.
• Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment.

To exercise any of these rights, please contact us at support@justhoney.ai. We will respond to your request within one month (30 days) of receipt, or sooner if required by applicable law. In complex cases we may extend this period by up to two additional months, in which case we will inform you within the initial month and explain the reason for the extension. We may need to verify your identity before processing your request.

We also operate a formal complaints-handling process in accordance with the UK Data (Use and Access) Act 2025. If you are not satisfied with our response to a privacy request, you may escalate the matter to the Information Commissioner's Office (for UK users) or to the relevant supervisory authority in your country of residence (for EU/EEA users).

10. Children's Privacy

JustHoney.AI is strictly for users aged 18 and over (or the age of majority in the user's jurisdiction, whichever is higher). The Service is not directed at, and may not be used by, anyone under the age of 18.

We do not knowingly collect or solicit personal information from anyone under the age of 18. If we become aware that we have collected personal information from a person under 18, we will take immediate steps to delete that information from our servers and to terminate the account concerned.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at support@justhoney.ai so we can take appropriate action.

11. Data Retention

We retain your personal data as follows:

• Account Data: Retained for as long as your account is active. Upon your request for account deletion, your personal data will be permanently deleted or anonymised within 30 days, except where retention is required by law.
• Inactive Accounts: Accounts that have been inactive for 24 consecutive months (no successful login during that period) will be suspended and then deleted, in accordance with Section 16.2 of our Terms of Service. We will send a reactivation notice to your registered email address at least 30 days before any suspension or deletion takes effect.
• Conversation Data: Retained for as long as your account is active to provide chat history and companion memory features. You may delete individual conversations at any time, or request deletion of your full conversation history by contacting support@justhoney.ai.
• Age Verification Audit Records: We retain the pass/fail result, the verification method used (facial age estimation or identity verification), and the Ondato-issued verification reference for 7 years following account closure, to evidence compliance with our age-verification obligations and to handle any subsequent regulatory inquiry.
• Payment and Tax Records: Retained for the period required by applicable tax, financial-services and anti-money-laundering law in each jurisdiction in which we are required to collect and remit tax. This is typically 6 years in the United Kingdom, up to 10 years in EU member states, and 4–7 years in U.S. states. Where multiple retention periods apply to the same record, we retain the record for the longest applicable period.
• Usage & Log Data: Retained for up to 12 months for analytics and security purposes, then aggregated or deleted.
• Backup Data: Encrypted backups are retained for disaster-recovery purposes and are purged on a rolling schedule (typically within 90 days).

When data is no longer needed, we securely delete or anonymise it so that it can no longer be associated with you.

12. International Data Transfers

QUANTUMCAP LTD is based in the United Kingdom. The Service's primary infrastructure is hosted on Amazon Web Services in the United States (US East region), and we use a number of other sub-processors (listed in Section 7) based in the United States and in the European Economic Area. In the future, we may replicate or migrate data to additional AWS regions to reduce downtime and improve service resilience.

Where we transfer personal data from the United Kingdom or the European Economic Area to countries that have not been granted an adequacy decision by the UK or the European Commission, we rely on one or more of the following safeguards:

• the UK International Data Transfer Agreement (IDTA) or the UK Extension to the EU-US Data Privacy Framework, for transfers to US-based processors that have self-certified under the Data Privacy Framework;
• EU Standard Contractual Clauses (SCCs) combined with the UK Addendum, for transfers to other recipient jurisdictions;
• any other mechanism recognised under applicable UK or EU data protection law.

For each of our US-based sub-processors, we maintain written data processing agreements that incorporate the applicable transfer safeguards. You may request further details of the transfer mechanism applicable to a specific transfer by contacting support@justhoney.ai.

13. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you in the 12 months preceding your request, the sources from which we collected it, the business purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: You may opt out of the "sale" or "sharing" of your personal information for cross-context behavioural advertising. We do not sell your personal information, and we do not currently share it for cross-context behavioural advertising.
• Right to Limit Use of Sensitive Personal Information: You may limit our use and disclosure of your sensitive personal information (which for JustHoney.AI includes your account credentials and — while held by Ondato on our behalf — the data you submit to Ondato for age verification, whether for facial age estimation or identity verification) to uses necessary to provide the Service or as otherwise permitted by law.
• Right to Non-Discrimination: You may exercise your CCPA/CPRA rights without receiving discriminatory treatment.

To exercise any of these rights, contact us at support@justhoney.ai. We will not discriminate against you for exercising your rights.

14. European and UK Privacy Rights (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the EU General Data Protection Regulation, the UK General Data Protection Regulation as amended by the Data Protection Act 2018 and the Data (Use and Access) Act 2025, and related data-protection laws.

14.1 Legal bases for processing

We process your personal data on the following legal bases, mapped to the processing purposes described in Section 3.

14.2 Your rights

In addition to the rights listed in Section 9, you have the right to lodge a complaint with your local data protection supervisory authority. In the United Kingdom this is the Information Commissioner's Office (ICO) at ico.org.uk. Before contacting the ICO, we encourage you to contact us first at support@justhoney.ai so that we can try to resolve any concerns directly.

14.3 ICO registration

QUANTUMCAP LTD has applied for registration with the Information Commissioner's Office as a data controller. Our ICO registration number will be displayed here once issued.

14.4 Data protection contact

QUANTUMCAP LTD has carried out and documented an assessment under Article 37 of the UK GDPR and EU GDPR. Based on the current scale and nature of our processing, we have concluded that the formal appointment of a Data Protection Officer is not currently mandatory; we will keep this assessment under review as the Service grows.

We have nonetheless designated a privacy contact who is responsible for handling data-protection enquiries and the exercise of data-subject rights:

Privacy Contact
QUANTUMCAP LTD (trading as JustHoney.AI)
Email: support@justhoney.ai
Postal address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• we will update the "Last updated" date at the top of this page;
• for material changes, we will provide prominent notice through the Service (such as a banner notification); and
• for significant changes that affect how we handle your data, we will send a notification to the email address associated with your account.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes to this Privacy Policy become effective constitutes your acceptance of the revised policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

QUANTUMCAP LTD — Privacy Team
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Company number 17131047
Email: support@justhoney.ai

We will respond to all legitimate inquiries within 30 days of receipt. If you feel that your inquiry has not been adequately addressed, you may have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or with the data protection supervisory authority in your country of residence.

This Privacy Policy was last updated on 28 April 2026, and supersedes all earlier versions.