NeurotechMag ("we", "us", "our") respects your privacy and is committed to handling your personal data in compliance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws. This Policy explains what data we collect, how we use it, and the rights you have over your information.
01 What Data We Collect
We collect three categories of data:
- Account information — your email address, full name, professional role (researcher, investor, founder, etc.), avatar, and authentication identifiers (e.g. a Google OAuth subject ID if you sign in with Google).
- Usage data — your interactions with the Service, including pages viewed, items saved, alerts created, searches performed, reports generated, and timestamps. Used to improve the product and to power features such as keyword alerts and recommendations.
- Payment data — handled exclusively by our payment processor Paddle. We never see or store your full card number or banking details. We do receive and store a Paddle customer identifier, your subscription status, and the email used at checkout, in order to operate your account.
02 How We Use Your Data
We process your personal data to:
- Deliver the Service — authenticate you, display content, save your preferences, and operate keyword alerts (legal basis: performance of a contract);
- Generate AI reports and summaries — process content and limited account context through our AI providers when you request a report (legal basis: performance of a contract);
- Send transactional emails — alert digests, billing notifications, security notices, and product updates relevant to your account (legal basis: performance of a contract / legitimate interest);
- Improve the product — analyse aggregated, anonymised usage patterns to refine features and content (legal basis: legitimate interest);
- Comply with legal obligations — respond to lawful requests, enforce our Terms, and prevent fraud (legal basis: legal obligation / legitimate interest).
We do not sell your personal data, do not run third-party advertising, and do not share your data with brokers.
03 Data Storage and Location
Your data is stored on infrastructure operated by Supabase, Inc., our managed backend provider. We provision our database in an EU region wherever practicable to keep European customer data within the EEA, and apply standard contractual clauses for any required transfer.
All data is encrypted in transit (TLS 1.2+) and at rest. Access is restricted to authorised personnel on a need-to-know basis, with audit logging.
04 Third-Party Services
We rely on a small number of trusted sub-processors to operate the Service:
- Paddle — payments and billing. Receives your name, email, country, and payment method. Privacy policy: paddle.com/legal/privacy.
- Google (OAuth) — authentication if you sign in with Google. Receives only the OAuth scopes required to verify your identity (email, profile). We never receive your Google password.
- Google Gemini API — generates AI summaries and reports. We send content text and the parameters of your report request; we do not send your name, email, or account identifiers. Gemini does not retain prompts or use them for model training under our enterprise terms.
- PostHog — product analytics. Receives pseudonymous event data (e.g. "report generated", page views) with a hashed user identifier. We disable session recording and IP collection.
- Supabase — primary database, authentication, and file storage.
Each sub-processor is contractually bound to GDPR-grade data protection obligations. We do not authorise any other transfers of your personal data to third parties.
05 Data Retention and Deletion
We retain your personal data only for as long as your account is active or as needed to provide the Service. When you delete your account from Settings → Danger zone, we permanently delete all associated data — profile, saved items, alerts, reports, exports, search history, and notifications — within 30 days, subject to limited exceptions for legal, tax, or fraud-prevention obligations (which retain only the minimum necessary records).
Backups containing your data are rotated and overwritten within 35 days of account deletion.
06 Your Rights
Under the GDPR, CCPA, and similar privacy laws, you have the following rights with respect to your personal data:
- Right of access — obtain a copy of the personal data we hold about you;
- Right to rectification — correct inaccurate or incomplete data;
- Right to erasure ("right to be forgotten") — delete your account and all associated data;
- Right to data portability — receive your data in a structured, machine-readable format (we provide CSV and JSON exports from Exports);
- Right to restrict or object to certain types of processing;
- Right to withdraw consent at any time, where processing is based on consent;
- Right not to be discriminated against for exercising any of these rights (CCPA);
- Right to lodge a complaint with your supervisory authority (e.g. your national data protection regulator in the EU).
To exercise any of these rights, contact legal@neurotechmag.com. We respond within 30 days.
08 International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses and, where applicable, supplementary technical measures to ensure your data benefits from a level of protection essentially equivalent to that guaranteed within the EEA.
09 Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the most recent revision. Material changes will be communicated by email and in-app notice. Continued use of the Service after such changes constitutes your acknowledgement of the updated Policy.
10 Contact
For any privacy-related question, data subject request, or to contact our Data Protection contact, please write to: