NeironHub Privacy Policy

Effective December 27, 2025 - Schedule B to the NeironHub Terms of Service

NeironHub INC., a Delaware corporation ("NeironHub", "we", "us"), is committed to protecting your privacy. This Privacy Policy (the "Policy") explains how we collect, use, disclose, and safeguard your personal information when you visit neironhub.com or use any related mobile, desktop, or API services (collectively, the "Platform"). Unless otherwise defined, capitalized terms have the meaning given in the Terms of Service ("ToS").

Regulatory framework: NeironHub is headquartered in Delaware, United States, and adheres to applicable federal and state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Where applicable, we also comply with the EU General Data Protection Regulation (GDPR), UK GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the Personal Information Protection Act (PIPA) for British Columbia operations. We follow Canada's anti-spam law (CASL) for electronic communications.

1. Information We Collect

We collect personal information to operate the Platform, facilitate secure collaboration between Clients and AI Experts, and provide our suite of services including NeironLab, NeironConsult, and other Platform features.

1.1 Information You Provide Directly

  • Account registration: Name, email address, phone number, company name, job title, billing address, tax identification numbers (for AI Experts), and account credentials.
  • Profile information: For AI Experts: professional qualifications, skills, certifications, portfolio samples, work history, verification documents (identity verification, background checks, professional licenses). For Clients: company information, industry sector, project requirements.
  • Payment information: Credit card details, bank account information, and billing addresses processed through our payment processor (Stripe). NeironHub does not store complete payment card numbers on our servers.
  • Project and workspace data: Project briefs, requirements, acceptance criteria, Deliverables, code, AI models, datasets, analyses, communications, milestone documentation, and Content uploaded to NeironLab secure workspaces.
  • Communications: Messages exchanged through the Platform's messaging system, support tickets, feedback, and survey responses.
  • NeironConsult data: Session booking details, advisory session recordings (if consent is provided), session notes, and consultation topics.

1.2 Information Collected Automatically

  • Device and usage data: IP address, browser type and version, device type, operating system, referring URLs, pages viewed, time spent on pages, access dates and times, and clickstream data.
  • Audit logs and security monitoring: Access logs, authentication events, NeironLab workspace activity, AI model usage logs, API calls, security events, and system performance data to ensure Platform security, detect abuse, prevent fraud, and support incident response.
  • Analytics: Aggregated and anonymized usage patterns, feature adoption metrics, and platform performance data collected through privacy-focused analytics tools (Plausible Analytics, which does not use cookies or track individual users across sites).
  • Cookies and similar technologies: As described in Section 8 below.

1.3 Information from Third-Party Sources

  • Verification services: Identity verification, background check results, professional credential validation, and fraud prevention data from third-party verification providers used during the AI Expert verification process.
  • Business intelligence: Publicly available business information, company registrations, and professional networking data used to verify Commercial Users and Enterprise Clients.
  • Social login: If you choose to authenticate using Google, LinkedIn, or other third-party services, we receive basic profile information (name, email, profile picture) as permitted by the third-party service.

1.4 Sensitive Personal Information

We do not intentionally collect "sensitive" or "special category" personal information (e.g., health data, biometric data, genetic data, sexual orientation, religious beliefs, political opinions, trade union membership, or racial or ethnic origin) unless you voluntarily upload such information to the Platform. If you upload sensitive information to NeironLab workspaces or provide it in Project communications, you are responsible for ensuring you have a lawful basis for processing such data and for complying with applicable data protection laws.

2. How We Use Personal Information

We use personal information for the following purposes:

  • Platform operations and service delivery: To create and manage Accounts, authenticate Users, facilitate Projects between Clients and AI Experts, provide access to NeironLab secure workspaces, process payments and escrow transactions, deliver NeironConsult advisory sessions, provide Client support, and enable Platform features including AI-assisted tools.
  • Verification and trust & safety: To verify the identity, qualifications, and credentials of AI Experts; conduct background checks; prevent fraud, abuse, and unauthorized access; enforce our Terms of Service and Acceptable Use & AI Policy; and maintain Platform security and integrity.
  • Communications: To send transactional notifications (account activity, Project updates, payment confirmations, security alerts), respond to inquiries, provide Client support, and send administrative announcements.
  • Intelligent matching and recommendations: To use AI-assisted matching engines and recommendation algorithms to connect Clients with appropriate AI Experts based on Project requirements, expertise, past performance, and availability.
  • Platform improvement and development: To analyze usage patterns, improve Platform features, develop new services, test new functionalities, and enhance user experience.
  • Marketing and promotional communications (with consent): To send newsletters, promotional offers, product announcements, and market research surveys where you have provided express consent or where permitted by applicable law. You may opt out at any time using the unsubscribe link in each email or through your account settings.
  • Legal and regulatory compliance: To comply with applicable laws, regulations, legal processes, and government requests; enforce our Terms of Service; respond to claims and disputes; and protect the rights, property, and safety of NeironHub, our Users, and the public.
  • Security monitoring and incident response: To monitor Platform security, detect and prevent security incidents, investigate suspicious activity, maintain audit logs, and respond to security threats in accordance with our SOC2 compliance obligations.
  • Business operations and analytics: To perform accounting, auditing, tax reporting, financial analysis, business planning, and other internal business purposes.

2.1 Legal Basis for Processing (GDPR/UK GDPR)

For Users in the European Economic Area, United Kingdom, or other jurisdictions requiring specification of legal basis, we process personal information based on:

  • Contract performance: Processing necessary to provide Platform services and fulfill our obligations under the Terms of Service.
  • Legitimate interests: Fraud prevention, security monitoring, Platform improvement, direct marketing to existing Users (subject to opt-out rights), and business analytics, balanced against your privacy rights.
  • Legal obligation: Compliance with tax laws, financial regulations, anti-money laundering requirements, court orders, and other legal obligations.
  • Consent: For marketing communications beyond legitimate interest, optional features requiring data processing, and cookies/analytics where consent is required. You may withdraw consent at any time.

3. Disclosure of Personal Information

We share personal information only as described below:

3.1 Service Providers and Business Partners

We engage trusted third-party service providers to perform business functions on our behalf. These providers are contractually bound to confidentiality and data protection obligations and may only use personal information as necessary to provide their designated services:

  • Payment processing: Stripe Connect for payment processing, escrow services, and AI Expert payouts.
  • Cloud infrastructure: Amazon Web Services (AWS) for hosting in US-East and US-West regions (with Canada options for Enterprise Clients); Supabase for database services; Vercel for application deployment.
  • Analytics: Plausible Analytics (privacy-focused, no cookies, no cross-site tracking).
  • Email delivery: Postmark for transactional emails; Mailchimp for marketing communications (with consent).
  • Client support and success: Intercom for in-app chat, help documentation, and Client engagement.
  • Verification services: Identity verification, background check providers, and professional credential validation services for AI Expert verification.
  • AI model providers: Third-party AI APIs (OpenAI, Anthropic, Google, Meta) for Platform AI-assisted features, subject to their respective privacy policies. User data is not used to train third-party AI models unless explicitly authorized.
  • Accounting and tax: Pilot (via Stripe Atlas partnership) for bookkeeping and tax preparation services.

This list may be updated from time to time.

3.2 Other Users Within Projects

Limited profile information is visible to other Users within the Platform:

  • AI Expert profiles: Publicly visible profiles include professional name, expertise areas, skills, portfolio samples, ratings, reviews, and years of experience. Contact information remains private until a Project is initiated.
  • Client profiles: Limited business information (company name, industry sector) may be visible to AI Experts during Project negotiation and execution.
  • Project workspace data: Within active Projects, Deliverables, communications, AI Outputs, code, datasets, and documentation are shared between the Client and assigned AI Expert(s) within the isolated NeironLab workspace. Client data never leaves the NeironLab secure environment and is not exposed to other Users or third parties without explicit authorization.

3.3 Legal, Regulatory, and Safety Disclosures

We may disclose personal information when required or permitted by law:

  • To comply with court orders, subpoenas, legal processes, government investigations, or regulatory requirements.
  • To enforce our Terms of Service, Acceptable Use & AI Policy, or other agreements.
  • To detect, prevent, or investigate fraud, security incidents, illegal activity, Terms violations, or threats to Platform integrity.
  • To protect the rights, property, safety, or security of NeironHub, our Users, employees, or the public.
  • To report suspected child exploitation or other crimes to law enforcement or the National Center for Missing & Exploited Children (NCMEC) as required by law.

3.4 Business Transfers and Corporate Transactions

In connection with a merger, acquisition, consolidation, restructuring, sale of assets, financing, bankruptcy, or other corporate transaction, personal information may be transferred to the acquiring or successor entity. We will provide notice before personal information is transferred and becomes subject to a different privacy policy, and you will have the opportunity to delete your Account if you do not agree to the new policy.

3.5 Aggregated and Anonymized Data

We may create aggregated, de-identified, or anonymized data from personal information by removing information that makes the data personally identifiable. We may use and disclose such data for any lawful business purpose, including industry research, benchmarking reports, marketing materials, and Platform analytics, without restriction.

3.6 No Sale of Personal Information

NeironHub does not sell personal information for monetary consideration. We do not "share" personal information for cross-context behavioral advertising as defined under the CPRA. We may disclose personal information to service providers and business partners as described in this Policy, subject to contractual protections.

4. International Data Transfers

NeironHub is based in the United States and operates globally. Personal information may be transferred to, stored, and processed in the United States, Canada, and other jurisdictions where NeironHub, our affiliates, or our service providers operate.

When we transfer personal information internationally, we rely on the following mechanisms to ensure adequate protection:

  • Adequacy decisions: For transfers between jurisdictions recognized as providing adequate data protection (e.g., within the European Economic Area, or between Canada and the EU).
  • Standard Contractual Clauses (SCCs): EU-approved Standard Contractual Clauses or the UK International Data Transfer Agreement (IDTA) with service providers in the United States or other countries without adequacy determinations.
  • User consent: Where other legal mechanisms are unavailable, we obtain your explicit consent for international data transfers.
  • Enterprise data residency: Enterprise Clients may request specific data residency requirements (e.g., Canada-only, EU-only hosting), which will be addressed in a separate Enterprise Agreement.

For EEA and UK residents, you have the right to obtain a copy of the safeguards we have in place for international transfers by contacting legal@neironhub.ai.

5. Data Retention and Deletion

5.1 Active Account Data Retention

We retain personal information for as long as your Account is active and as necessary to provide Platform services, comply with legal obligations, resolve disputes, enforce agreements, and for legitimate business purposes.

  • Account information: Retained for the duration of Account activity and for the retention periods described below after Account closure.
  • Project data: Project communications, Deliverables, AI Outputs, and workspace data are retained for the duration of the Project and for seven (7) years thereafter to support dispute resolution, legal compliance, warranty claims, and audit requirements.
  • Payment and transaction records: Retained for seven (7) years to comply with tax laws, financial regulations, and accounting requirements.
  • Audit logs and security records: Retained for one (1) year for security monitoring and incident response purposes, or longer if required by applicable law or legal holds.

5.2 Post-Termination Retention

After Account closure or termination, NeironHub will retain your personal information, workspace data, and transaction records for sixty (60) days (the "Retention Period"), or for such longer period as may be required by:

  • Applicable law, legal holds, or court orders;
  • Tax regulations, financial audit requirements, or government requests;
  • Pending disputes, claims, investigations, or legal proceedings; or
  • Enterprise Agreements specifying different retention periods.

At the end of the applicable Retention Period, your Content and personal data will be permanently deleted or irreversibly anonymized from our active systems and backups within thirty (30) days. You may request an export of your data before Account closure.

5.3 Data Deletion Exceptions

We may retain certain information after deletion requests or Account closure for the following purposes:

  • De-identified or aggregated data that cannot reasonably be used to identify you;
  • Information necessary for fraud prevention, abuse detection, security incident investigation, or Terms enforcement;
  • Backup copies in disaster recovery systems, which will be deleted during the next scheduled backup rotation cycle (typically within ninety (90) days);
  • Information we are legally required to retain for tax, financial, regulatory, or legal purposes;
  • Public information such as anonymized reviews, ratings, or testimonials (with identifying information removed).

6. Security Measures and SOC2 Compliance

NeironHub implements industry-standard technical and organizational security measures designed to protect personal information from unauthorized access, disclosure, alteration, destruction, and misuse. Our security program is aligned with SOC2 Type II requirements and includes:

  • Encryption: TLS 1.3 for data in transit; AES-256 encryption for data at rest in databases, NeironLab workspaces, and backup systems.
  • Zero-trust architecture: Network segmentation, micro-segmentation, and container isolation to ensure Client data processed within NeironLab workspaces remains isolated and is never exposed to other Users or public systems.
  • Access controls: Role-based access controls (RBAC), multi-factor authentication (MFA) for all employees and administrators, principle of least privilege, and regular access reviews.
  • Security monitoring: Continuous security monitoring, intrusion detection systems (IDS), vulnerability scanning, penetration testing (annual minimum), and automated threat detection.
  • Incident response: Documented incident response plan aligned with ISO 27001 Annex A, including detection, containment, investigation, notification, and remediation procedures.
  • Employee training: Mandatory security awareness training, confidentiality agreements, background checks, and annual security refresher courses for all employees with access to User data.
  • Audit and compliance: Annual SOC2 Type II audits, security assessments, compliance reviews, and audit logging of access to sensitive data.

6.1 Security Incident Notification

In the event of a confirmed security incident that affects User data or compromises the confidentiality, integrity, or availability of personal information, NeironHub will notify affected Users without unreasonable delay and within the timeframes required by applicable law (typically within seventy-two (72) hours of discovery for notification to supervisory authorities where required by GDPR, and without undue delay to affected Users where the breach is likely to result in high risk to their rights and freedoms). Notifications will include:

  • The nature of the security incident and affected data categories;
  • The approximate number of affected Users and data records;
  • Likely consequences of the incident;
  • Measures taken or proposed to address the incident and mitigate harm;
  • Recommended actions for affected Users; and
  • Contact information for further inquiries.

6.2 User Responsibilities

No security measure is 100% secure. While we implement robust protections, you acknowledge that Internet-based services carry inherent risks. Users are responsible for:

  • Using strong, unique passwords and enabling multi-factor authentication;
  • Keeping account credentials confidential and not sharing login information;
  • Configuring appropriate access controls and security settings within NeironLab workspaces;
  • Promptly reporting suspicious activity, unauthorized access, or security concerns to security@neironhub.ai;
  • Maintaining appropriate backups of critical data outside the Platform; and
  • Ensuring devices used to access the Platform are secured with up-to-date antivirus software and operating system patches.

7. Your Privacy Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information. To exercise these rights, please contact us at legal@neironhub.ai. We will verify your identity and respond within the timeframes required by applicable law (typically thirty (30) days for Canada, one (1) month for GDPR, forty-five (45) days for CPRA).

7.1 Universal Rights (All Jurisdictions)

  • Access: Request a copy of the personal information we hold about you, including data categories, sources, purposes, and recipients.
  • Correction: Request correction of inaccurate, incomplete, or outdated personal information. You can update most information directly in your Account settings.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements, active Projects, pending disputes, fraud prevention, or other legitimate business purposes as described in Section 5.
  • Data portability: Request a machine-readable copy of your personal information for transfer to another service. We provide data exports in JSON, CSV, or PDF formats.
  • Opt-out of marketing: Unsubscribe from marketing emails using the link in each email or update preferences in Account settings.

7.2 Additional Rights for EEA, UK, and Swiss Residents (GDPR)

  • Restriction of processing: Request restriction of processing in certain circumstances (e.g., while accuracy is verified, or during objections to processing).
  • Objection to processing: Object to processing based on legitimate interests, direct marketing, or profiling.
  • Withdraw consent: Withdraw consent for processing based on consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Lodge a complaint: Lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
  • Automated decision-making: Object to automated decision-making with legal or similarly significant effects. Our AI-assisted matching and recommendation features do not make solely automated decisions with legal effects.

7.3 Additional Rights for California Residents (CPRA)

  • Know: Know what personal information we collect, use, disclose, and sell/share.
  • Limit use of sensitive personal information: Limit our use and disclosure of sensitive personal information, though we do not intentionally collect sensitive personal information except as voluntarily provided by you.
  • Correct inaccuracies: Correct inaccurate personal information.
  • Non-discrimination: Exercise your privacy rights without discriminatory treatment.
  • Opt-out of sale/sharing: NeironHub does not sell or share personal information for cross-context behavioral advertising.
  • Authorized agent: Designate an authorized agent to exercise rights on your behalf, subject to verification.

7.4 Response Times and Verification

We will respond to requests within the timeframes required by applicable law:

  • Canada (PIPEDA/PIPA): Thirty (30) days; extensions require written notice with reasons
  • GDPR/UK GDPR: One (1) month, extendable to three (3) months for complex requests
  • CPRA: Forty-five (45) days, with a possible forty-five (45) day extension

We will verify your identity before fulfilling requests by requesting information such as email confirmation, account verification, or government-issued ID. This is required to protect your personal information from unauthorized access.

8. Cookies and Similar Technologies

8.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. We also use HTML5 local storage, session storage, and server-placed scripts to enhance Platform functionality and user experience.

8.2 Types of Cookies We Use

  • Strictly necessary cookies: Essential for Platform operation, including authentication, security, session management, and fraud prevention. These cookies cannot be disabled without affecting Platform functionality.
  • Functional cookies: Remember your preferences, settings, language choices, and previous interactions to provide a personalized experience.
  • Analytics cookies: Help us understand how Users interact with the Platform, which pages are visited, feature usage patterns, and performance metrics. We use privacy-focused Plausible Analytics, which does not track individual users across sites or use persistent cookies.
  • Marketing cookies: Used with your consent to display relevant advertisements and measure campaign effectiveness. We do not share personal information for third-party cross-context behavioral advertising.

8.3 Cookie Consent and Control

On first visit from the EU, UK, California, or other jurisdictions requiring consent, you will see a Cookie Consent Banner. Non-essential cookies are disabled until you click "Accept All" or customize your preferences.

You can manage cookie preferences at any time through:

  • Platform settings: Settings → Privacy → Cookie Preferences
  • Browser settings: Most browsers allow you to refuse or delete cookies. Consult your browser's help documentation.
  • Do-Not-Track: We respect browser Do-Not-Track signals for marketing and analytics cookies (though not for strictly necessary cookies).

Please note that disabling certain cookies may affect Platform functionality and limit available features.

9. Marketing Communications and CASL Compliance

We send commercial electronic messages (marketing emails) only with express or implied consent as required by Canada's Anti-Spam Legislation (CASL) and other applicable anti-spam laws.

9.1 Express Consent

We obtain express consent before sending marketing emails to new Users through opt-in checkboxes during registration, newsletter signups, or marketing preference updates. Express consent does not expire but may be withdrawn at any time.

9.2 Implied Consent (Existing Business Relationship)

We may rely on implied consent based on an existing business relationship or inquiry for up to twenty-four (24) months after the last transaction, or six (6) months after an inquiry, as permitted under CASL.

9.3 Unsubscribe and Opt-Out

Every marketing email includes a clear and prominent unsubscribe link. We will honor opt-out requests within ten (10) business days. You can also manage marketing preferences in your Account settings or by emailing legal@neironhub.ai. Transactional and service-related communications (account notifications, security alerts, Project updates, payment confirmations) are not marketing messages and cannot be opted out of while your Account is active.

10. Children's Privacy

The Platform is not directed to children under sixteen (16) years of age (or thirteen (13) years in the United States). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without verifiable parental consent, we will delete that information as quickly as possible. Parents or guardians who believe their child has provided us with personal information may contact legal@neironhub.ai to request deletion.

11. Changes to This Policy

We may update this Policy periodically to reflect changes in our practices, Platform features, legal requirements, or for other operational, legal, or regulatory reasons. We will post the revised Policy on the Platform and update the "Effective" date at the top of this Policy.

Material changes that significantly affect your privacy rights will be announced at least thirty (30) days in advance through:

  • Email notification to the address associated with your Account;
  • Conspicuous banner or pop-up notification on the Platform; or
  • In-app notification.

Your continued use of the Platform after the effective date of the revised Policy constitutes acceptance of the changes. If you do not agree to the revised Policy, you must stop using the Platform and may close your Account as described in the Terms of Service.

12. Contact Us and Complaints

For privacy questions, to exercise your privacy rights, or to file a privacy-related complaint, please contact:

NeironHub INC.

2101 5th Avenue, 4S

New York, NY 10027 USA

Attn: Legal Department

Email: legal@neironhub.ai

We take privacy complaints seriously and will investigate and respond to your concerns within the timeframes required by applicable law.

12.1 Regulatory Authorities

If you are not satisfied with our response, you may contact the following regulatory authorities:

  • Canada (Federal): Office of the Privacy Commissioner of Canada - https://www.priv.gc.ca
  • European Union: Your local data protection authority - https://edpb.europa.eu/about-edpb/board/members_en
  • United Kingdom: Information Commissioner's Office (ICO) - https://ico.org.uk
  • California: California Privacy Protection Agency (CPPA) - https://cppa.ca.gov

© 2025 NeironHub INC. All rights reserved.