Privacy Policy

1.1 Neureson is a document drafting platform operated by Brain PR, a business operating from Level 17, 1 Denison Street, North Sydney NSW 2060, Australia.

1.2 For the purposes of this Privacy Policy, Brain PR is the data controller in respect of personal data collected through the Neureson platform.

1.3 All privacy enquiries, data requests and notices should be directed to legal@neureson.ai or by post to the address above.

2.1 This Privacy Policy applies to all personal data collected, processed and stored by Neureson through the neureson.ai website and platform, including data collected during account registration, document generation, payment processing and customer support interactions.

2.2 This Policy applies to all Users of the Service regardless of location. Additional rights apply to Users located in the European Union, United Kingdom, California and certain APAC jurisdictions as described in clauses 11, 12 and 13.

2.3 This Policy does not apply to third-party websites or services that may be linked from the Neureson platform. Neureson is not responsible for the privacy practices of any third-party website or service.

3.1 Neureson collects the following categories of personal data:

3.2 Neureson does not knowingly collect sensitive personal information as defined under the Australian Privacy Act 1988, including health information, racial or ethnic origin, political opinions, religious beliefs or biometric data. If you believe you have inadvertently submitted sensitive information, please contact legal@neureson.ai immediately.

4.1 Neureson uses your personal data for the following purposes:

• —To create and manage your account and provide access to the Service
• —To process document generation requests using the AI Technology
• —To process payments and manage your Subscription and Credits
• —To send transactional emails including account confirmation, payment receipts, credit expiry reminders and service notifications
• —To respond to your support requests, feedback and legal enquiries
• —To monitor and maintain the security, integrity and availability of the Service
• —To detect, investigate and prevent fraudulent, abusive or unlawful use of the Service
• —To comply with applicable legal obligations, court orders and regulatory requirements
• —To enforce our Terms of Service and protect the rights and interests of Brain PR and other Users
• —To analyse aggregated, anonymised usage data to improve the Service — this analysis never involves identifiable personal data or document content

4.2 Neureson will never use your document content for any purpose other than delivering the Service to you. Your document content will never be used to train, fine-tune or improve any AI model. This is an absolute and unconditional commitment.

We will never sell, rent, trade or otherwise transfer your personal data to third parties for marketing, advertising or commercial purposes. Your data is yours — always.

5.1 For Users located in the European Union or United Kingdom, Neureson relies on the following lawful bases for processing personal data under the General Data Protection Regulation (GDPR):

5.2 For Australian Users, Neureson processes personal data in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth).

6.1 The Neureson Service is powered by leading frontier AI Technology. All document generation requests are processed in a private, encrypted environment under strict data confidentiality agreements with our AI infrastructure providers.

6.2 Neureson does not disclose the specific AI models, versions or providers used to power the Service. This non-disclosure is maintained to protect the integrity and competitiveness of the Service.

6.3 Your document content and prompts are never retained by the AI processing infrastructure beyond the processing of your immediate request. Processing occurs in an isolated environment. Your content is never accessible to other Users.

6.4 Your document content will never be used to train, fine-tune, evaluate or improve any AI model — whether operated by Neureson or any third-party AI provider. This commitment is contractually enforced with all AI infrastructure providers.

6.5 All AI infrastructure providers used by Neureson are bound by data processing agreements that prohibit any use of User data beyond the delivery of the Service. These agreements include zero data retention obligations at the inference layer.

Your document content is never used to train AI models — by Neureson or any provider we work with. This is a contractual commitment, not just a policy statement.

7.1 Neureson engages the following third-party service providers to operate the Service. Each provider is carefully selected and bound by data processing agreements that restrict their use of your data to the specific purpose for which they are engaged:

7.2 Neureson does not sell, rent, trade or otherwise transfer your personal data to any third party for commercial, marketing or advertising purposes. This prohibition is absolute and unconditional.

7.3 Neureson may disclose your personal data to law enforcement, regulatory authorities or courts where required by law, court order or regulatory direction. Where permitted, Neureson will notify you of any such disclosure.

8.1 All User data is stored in Supabase infrastructure hosted on Amazon Web Services (AWS) in the ap-southeast-2 (Sydney, Australia) region. Australian User data does not leave Australia except as described in clause 15.

8.2 Neureson implements the following security measures to protect your data:

• —AES-256 encryption for all data stored at rest
• —TLS 1.2 or higher encryption for all data in transit
• —Per-user Row Level Security (RLS) policies in the database layer — only you can access your data
• —Per-user encryption keys — your documents are encrypted with a key unique to your account
• —Zero-knowledge architecture — Neureson staff cannot access your document content
• —Regular security audits and vulnerability assessments
• —Access controls ensuring only authorised personnel can access system infrastructure
• —Audit logging of all infrastructure access events

8.3 Right to Deletion. You have the right to request deletion of your account and all associated data at any time. On account deletion, Neureson will destroy your encryption keys within 30 days, rendering your stored document content permanently and cryptographically unrecoverable. You may also request deletion of specific categories of personal data without deleting your entire account — please contact legal@neureson.ai. Neureson will action all deletion requests within 30 days and confirm completion in writing.

8.4 While Neureson implements industry-standard security measures, no system is completely immune to security threats. You are responsible for maintaining the security of your account credentials.

9.1 Neureson retains personal data only for as long as necessary to fulfil the purposes for which it was collected. The following retention periods apply:

10.1 Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the following rights:

• —Access: You have the right to request access to the personal data Neureson holds about you.
• —Correction: You have the right to request correction of any personal data that is inaccurate, incomplete or out of date.
• —Complaint: You have the right to complain about a breach of the Australian Privacy Principles. Complaints should first be directed to Neureson at legal@neureson.ai. If your complaint is not resolved to your satisfaction, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
• —Anonymity: Where lawful and practicable, you may interact with Neureson anonymously or using a pseudonym.

10.2 To exercise any of these rights, please contact legal@neureson.ai. Neureson will respond within 30 days and confirm completion of any deletion request in writing.

11.1 If you are located in the European Union or United Kingdom, you have the following rights under the GDPR or UK GDPR:

• —Right of Access (Article 15): The right to obtain a copy of your personal data and information about how it is processed.
• —Right to Rectification (Article 16): The right to have inaccurate or incomplete personal data corrected.
• —Right to Erasure (Article 17): The right to request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful.
• —Right to Restriction (Article 18): The right to request that processing of your personal data be restricted in certain circumstances.
• —Right to Data Portability (Article 20): The right to receive your personal data in a structured, commonly used and machine-readable format.
• —Right to Object (Article 21): The right to object to processing of your personal data based on legitimate interests.
• —Right to Withdraw Consent: Where processing is based on consent, the right to withdraw consent at any time.
• —Right to Lodge a Complaint: The right to lodge a complaint with your local supervisory authority.

11.2 To exercise any GDPR rights, please contact legal@neureson.ai. Neureson will respond within 30 days.

12.1 If you are a California resident, the CCPA grants you the following rights:

• —Right to Know: The right to request disclosure of the categories and specific pieces of personal information Neureson has collected about you.
• —Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
• —Right to Opt-Out of Sale: Neureson does not sell personal information. You do not need to opt out.
• —Right to Non-Discrimination: Neureson will not discriminate against you for exercising your CCPA rights.

12.2 To exercise CCPA rights, please submit a verifiable consumer request to legal@neureson.ai. We will respond within 45 days.

13.1 Neureson serves Users across the APAC region and is committed to compliance with applicable data protection laws in each jurisdiction:

• —Singapore: Personal Data Protection Act 2012 (PDPA) — you have the right to access and correct your personal data.
• —Thailand: Personal Data Protection Act B.E. 2562 (PDPA) — similar rights to GDPR apply including access, correction, deletion and portability.
• —India: Digital Personal Data Protection Act 2023 — you have the right to access, correct and erase your personal data.
• —New Zealand: Privacy Act 2020 — you have the right to access and correct personal information held about you.

13.2 To exercise rights under any applicable APAC data protection law, please contact legal@neureson.ai with your jurisdiction and the specific right you wish to exercise.

14.1 Neureson uses cookies and similar tracking technologies to operate the Service, maintain your session and analyse usage:

14.2 You can manage your cookie preferences through your browser settings or through the cookie preference centre on the Neureson website. Disabling essential cookies will impair your ability to use the Service.

15.1 Neureson stores Australian User data in AWS ap-southeast-2 (Sydney, Australia). Where data is transferred to third-party providers located outside Australia — including Stripe (USA) and Resend (USA) — such transfers are made only where appropriate safeguards are in place.

15.2 For EU and UK Users, cross-border transfers are made only where appropriate safeguards are in place including Standard Contractual Clauses (SCCs) or equivalent mechanisms.

15.3 For further information, please contact legal@neureson.ai.

16.1 The Service is not directed at or intended for use by individuals under the age of 18. Neureson does not knowingly collect personal data from anyone under 18 years of age.

16.2 If you believe that a person under 18 has provided personal data to Neureson without parental consent, please contact legal@neureson.ai immediately.

17.1 In the event of a data breach that is likely to result in serious harm to affected individuals, Neureson will notify affected Users and the OAIC as required under the Notifiable Data Breaches scheme in the Privacy Act 1988 (Cth).

17.2 For EU Users, Neureson will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of individuals, as required under GDPR Article 33.

17.3 Neureson will notify affected Users without undue delay where a breach is likely to result in a high risk to their rights and freedoms. Notification will be provided by email to the registered account address.

18.1 Neureson may update this Privacy Policy from time to time. Material changes will be notified to active Users by email with a minimum of 30 days notice.

18.2 Your continued use of the Service following the effective date of any update constitutes your acceptance of the updated Policy.

18.3 Previous versions of this Privacy Policy are available upon request by contacting legal@neureson.ai.

19.1 For all privacy enquiries, data access requests, correction requests, deletion requests, complaints and legal notices relating to this Privacy Policy, please contact: