Privacy Modes

Control what data is sent to the NotPixel API with privacy modes. Choose the level of privacy that fits your use case.

Available Modes

Mode	What’s Sent	Privacy Level	Use Case
`privacy: true`	Embedding vector only	Maximum	Sensitive data, healthcare, legal
`privacy: false` (default)	Sanitized text (PII removed)	Standard	General use

Recommended: Use privacy: true for maximum privacy. Text never leaves the user’s device — only a mathematical vector is sent to the server.

Privacy Mode (Recommended)

With privacy: true, text is embedded locally on the client and only the numerical vector is sent to the server. The text never leaves the user’s device.


import Ads from 'notpixel';
 
const ads = new Ads({
  publisherId: 'pub-xxx',
  privacy: true,
});

How It Works


┌─────────────────────────────────────────────────────────────────┐
│ User Input: "I need advice about my medical condition"          │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
               ┌──────────────────────────────┐
               │ Local Embedding Model        │
               │ (runs in browser/Node.js)    │
               │ @huggingface/transformers    │
               └──────────────────────────────┘
                              │
                              ▼
               ┌──────────────────────────────┐
               │ Vector: [0.12, 0.34, ...]    │
               │ 384 numbers (irreversible)   │
               └──────────────────────────────┘
                              │
                              ▼
               ┌──────────────────────────────┐
               │ NotPixel API                 │
               │ (receives ONLY the vector)   │
               └──────────────────────────────┘

The embedding vector is mathematically irreversible — it cannot be converted back to the original text. This is verified by the information-theoretic properties of the embedding model.

Preloading the Model

For best performance, preload the embedding model during app initialization:


const ads = new Ads({
  publisherId: 'pub-xxx',
  privacy: true,
});
 
// Preload on app startup
await ads.embedding.preload({
  onProgress: (p) => console.log(`Loading: ${p.status} ${p.progress}%`)
});
 
// Check if ready
console.log(ads.embedding.isReady()); // true
 
// Get model info
console.log(ads.embedding.info());
// { model: 'Xenova/bge-small-en-v1.5', loaded: true, enabled: true }

Advanced Configuration

Customize the embedding model and settings:


const ads = new Ads({
  publisherId: 'pub-xxx',
  privacy: {
    model: 'Xenova/bge-base-en-v1.5',  // Larger model (768 dims)
    dtype: 'fp32',                       // Full precision (vs 'q8' quantized)
    onProgress: (p) => updateLoadingUI(p),
  },
});

Available Models

Model	Dimensions	Size	Quality
`Xenova/bge-small-en-v1.5` (default)	384	~23MB (q8: ~8MB)	~90%
`Xenova/bge-base-en-v1.5`	768	~110MB	~95%
`Xenova/all-MiniLM-L6-v2`	384	~23MB	~85%

Fallback Behavior

If local embedding fails (e.g., model loading error), the SDK automatically falls back to server-side processing:


// This is automatic — no code needed
// If local embedding fails:
// 1. Warning is logged to console
// 2. Request falls back to 'blackbox' mode (sanitized text)
// 3. Ad is still served normally

Standard Mode (Default)

Even in standard mode, we take privacy seriously. All text is automatically sanitized before being sent to our servers.


const ads = new Ads({
  publisherId: 'pub-xxx',
  // privacy: false is the default
});

Automatic PII Sanitization

PII (Personally Identifiable Information) is automatically removed from all requests:

Data Type	Example	Sent as
Email addresses	`john@company.com`	`[email]`
Phone numbers	`+1 555-123-4567`	`[phone]`

Example


User types:
"Help me optimize SQL, my email is john@company.com and phone 11-99999-1234"

What's sent to NotPixel API:
"Help me optimize SQL, my email is [email] and phone [phone]"

The semantic context is preserved (SQL, optimization) while personal identifiers are removed. This ensures relevant ads without compromising user privacy.

Additional Protections

Text truncation: Input is limited to 256 characters
No storage: We don’t store the sanitized text after ad matching
No profiling: Text is used only for contextual matching, never for user profiling

All sanitization happens automatically in the SDK — no configuration needed. Your users’ personal data never reaches our servers.

Comparison

Feature	`privacy: true`	`privacy: false`
Text leaves device	No	Yes (sanitized)
Ad relevance	High (~90%)	Maximum
Bundle size impact	+8-23MB (cached)	None
First request latency	~50-100ms	~0ms
Subsequent requests	~50-70ms	~0ms
Works offline	Yes	No
GDPR/LGPD friendly	Yes	Partial

Verifying Privacy

You can verify that text doesn’t leave the client using browser DevTools:

Open DevTools → Network tab
Make a request with privacy: true
Inspect the request payload
You’ll see: { "mode": "embedding", "embedding": [0.12, 0.34, ...] }
No input field — text never sent


// Example request body with privacy: true
{
  "publisherId": "pub-xxx",
  "mode": "embedding",
  "embedding": [0.123, 0.456, 0.789, ...]  // 384 numbers, NO "input" field!
}
 
// Example request body with privacy: false (default)
{
  "publisherId": "pub-xxx",
  "mode": "standard",
  "input": "sanitized text with [email] replaced"
}

For a complete step-by-step verification guide with screenshots for Chrome, Firefox, and Safari, see the Network Inspector Guide.

Regulatory Compliance

NotPixel is designed with privacy regulations in mind:

Requirement	How NotPixel Complies
Data minimization	Only semantic context is used, PII is stripped
Purpose limitation	Data used only for ad matching, never profiling
No consent for PII	PII never reaches our servers (sanitized client-side)
Right to erasure	Nothing to erase — we don’t store user data

With `privacy: true` (Maximum Compliance)

When using local embeddings, your compliance posture is even stronger:

✅ No personal data transmitted — only mathematical vectors
✅ Vectors are irreversible — cannot be converted back to text
✅ Works offline — no network dependency for embedding
✅ Verifiable — users can inspect network traffic

For healthcare, legal, financial, or any sensitive context, we recommend privacy: true for maximum regulatory compliance.

For complete details on our privacy architecture, data handling, and security measures, see the Transparency Report.

Installation

The privacy mode requires @huggingface/transformers as an optional peer dependency:


npm install @huggingface/transformers

If you don’t install @huggingface/transformers, using privacy: true will automatically fall back to standard mode with a console warning.