Privacy Policy

1. Data Controller

The data controller responsible for the processing of your personal data is:

NeuroPredict S.L. [Address], 28001 Madrid, Spain Tax Identification Number (CIF): [●] Email: team@neuropredict.eu Phone: [●]

For any questions regarding the processing of your personal data or to exercise your rights under the GDPR and the Spanish Organic Law 3/2018 (LOPDGDD), you may contact us at: team@neuropredict.eu

2. Scope of This Privacy Policy

This Privacy Policy applies when you:

• Visit our Website (https://www.neuropredict.com) or any of our social media pages;
• Access or use our Platform (https://app.neuropredict.com), including any related APIs;
• Register for and/or attend any virtual or in-person events hosted or attended by us;
• Contact our team or complete a web form;
• Participate in user research activities;
• Otherwise interact or communicate with us.

This Privacy Policy applies where NeuroPredict acts as a data controller — i.e., where we determine the purposes and means of the processing of your personal data.

This Privacy Policy does not cover personal data that NeuroPredict processes on behalf of its customers as a data processor. If you have questions about how a NeuroPredict customer processes your personal data, please contact that customer directly.

For information about cookies and similar tracking technologies, please see our Cookie Notice.

3. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined by Article 4(1) of the GDPR.
• "Account" means the unique account created for you to access the Service.
• "Service" refers to the NeuroPredict platform and Website.
• "Platform" refers to the NeuroPredict SaaS application at https://app.neuropredict.com.
• "Website" refers to https://www.neuropredict.com.
• "Device" means any device that can access the Service, such as a computer, mobile phone, or tablet.
• "Usage Data" means data collected automatically through the use of the Service or from the Service infrastructure itself.
• "User Content" means any content uploaded by you to the Service, including images, videos, and creative assets.

4. Personal Data We Collect

4.1 Data You Provide to Us

When you create an account, subscribe to a plan, or interact with us, we may collect the following personal data:

• Identity Data: first name, last name;
• Contact Data: email address, phone number, postal address;
• Professional Data: job title, job position, company or organization name, industry;
• Account Data: username, password (hashed), account preferences;
• Payment Data: billing address, payment method details (processed by our third-party payment provider — we do not store full card numbers);
• Communication Data: the content of messages you send to us, support requests, and feedback;
• Event Data: registration and attendance information for events.

4.2 Data We Collect Automatically

When you access or use the Service, we may automatically collect:

• Usage Data: pages visited, features used, actions taken, time and date of visits, time spent on pages, session duration, referring and exit pages;
• Device and Technical Data: IP address, browser type and version, operating system, device type and unique identifiers, screen resolution, language and locale settings;
• Digital Behavioral Data: clicks, scrolling, interactions with the interface;
• Cookie Data: as described in our Cookie Notice.

4.3 Data from Third Parties

If you choose to create an account or log in using a third-party service (such as Google), we may receive personal data associated with your third-party account, such as your name and email address.

4.4 User Content

When you upload media (images, videos) to the Service for analysis, we process this content to provide the Service. If your uploaded media contains images of identifiable individuals, you are the data controller for such personal data, and you are responsible for ensuring all necessary legal bases and consents have been obtained. NeuroPredict processes such data solely as instructed by you, as your data processor for this specific processing activity.

5. Purposes and Legal Bases for Processing

We process your personal data for the following purposes, based on the corresponding legal bases under Article 6(1) of the GDPR:

5.1 Performance of a Contract (Art. 6(1)(b) GDPR)

• Providing and maintaining the Service, including managing your account;
• Processing your subscriptions and payments;
• Delivering Outputs (predictive analytics) based on your User Content;
• Providing customer support and responding to your requests;
• Communicating with you about the Service, including technical notices and updates.

5.2 Legitimate Interests (Art. 6(1)(f) GDPR)

• Improving and developing the Service, including using de-identified and aggregated data to train and refine our AI models;
• Analyzing usage patterns and trends to enhance user experience;
• Ensuring the security and integrity of the Service;
• Preventing fraud and abuse;
• Conducting internal analytics and business intelligence;
• Enforcing our Terms and Conditions.

Where we rely on legitimate interests, you have the right to object at any time (see Section 9).

5.3 Consent (Art. 6(1)(a) GDPR)

• Sending you marketing communications about our products, services, and events;
• Placing non-essential cookies and similar technologies (see our Cookie Notice);
• Processing any special categories of personal data, if applicable.

You may withdraw your consent at any time (see Section 9).

5.4 Legal Obligations (Art. 6(1)(c) GDPR)

• Complying with applicable laws, regulatory requirements, and our internal policies;
• Responding to lawful requests from public authorities;
• Fulfilling tax, accounting, and reporting obligations;
• Preventing, investigating, and addressing data protection and security incidents.

6. AI-Specific Transparency

6.1 How Our AI Works

The Service uses artificial intelligence and machine learning models to analyze visual media (images and videos) and generate predictions about human attention patterns. These models have been trained on aggregated, anonymized datasets of visual attention research and do not process biometric data.

6.2 Automated Decision-Making

The Outputs generated by the Service are informational tools designed to assist marketing professionals. They are not used to make automated decisions that produce legal effects concerning individuals or similarly significantly affect them. If you use the Outputs for decisions that may affect individuals, you are responsible for ensuring appropriate human oversight in accordance with Article 22 of the GDPR and the EU AI Act.

6.3 AI Act Compliance

In accordance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we provide the following transparency information:

• The Service uses AI systems to generate probabilistic predictions about visual attention;
• The AI models are trained on aggregated and anonymized data;
• Outputs are estimates and not definitive assessments;
• Users are informed of the AI nature of the analysis through the platform interface and these legal documents.

7. Data Sharing and Transfers

7.1 Service Providers

We may share your personal data with third-party service providers who perform services on our behalf, under our instructions, in accordance with data processing agreements that ensure appropriate technical and organizational security measures. These providers may include:

• Cloud hosting and infrastructure providers;
• Payment processing providers;
• Analytics and monitoring tools;
• Customer support tools;
• Email and communication services.

A current list of our sub-processors is available upon request at team@neuropredict.eu.

7.2 Affiliates

We may share your personal data with our current and future subsidiaries and affiliated companies for the purposes described in this Privacy Policy.

7.3 Legal Requirements

We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court order, regulatory inquiry, or government agency request).

7.4 Business Transfers

If NeuroPredict is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

7.5 International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

• Transfers to countries with an adequacy decision by the European Commission;
• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Other appropriate safeguards as permitted under Article 46 of the GDPR.

You may request a copy of the safeguards in place by contacting us at team@neuropredict.eu.

8. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this Privacy Policy, subject to any legal obligations requiring longer retention. Our general retention periods are:

• Account and service data: For the duration of your account, plus 7 years after account closure for legal and regulatory compliance;
• Usage and analytics data: Up to 24 months;
• Marketing communication data: Until you withdraw consent or opt out, or 2 years from the last interaction, whichever is earlier, plus 30 days for processing the deletion;
• Payment and transaction data: For the duration of the contractual relationship, plus 7 years as required by Spanish tax and commercial law;
• Support and correspondence data: For the duration of the contractual relationship, plus 3 years;
• Legal obligations data: As required by applicable law or regulation; in case of a dispute, until the settlement of the dispute and exhaustion of all legal remedies.

9. Your Rights

Under the GDPR and the LOPDGDD, you have the following rights regarding your personal data:

• Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of such data.
• Right to Rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data and the completion of incomplete data.
• Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data, subject to certain legal exceptions.
• Right to Restriction of Processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal data under certain circumstances.
• Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to Object (Art. 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests, including profiling.
• Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: team@neuropredict.eu
• Postal mail: NeuroPredict S.L., [Address], 28001 Madrid, Spain

We will respond to your request within one (1) month, which may be extended by two (2) additional months where necessary.

Right to Lodge a Complaint

Agencia Española de Protección de Datos (AEPD) C/ Jorge Juan, 6, 28001 Madrid, Spain Website: https://www.aepd.es Phone: +34 901 100 099

You may also lodge a complaint with the supervisory authority of your country of habitual residence or place of work.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information. These include the right to know what personal information we collect and how it is used, the right to request deletion, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising your privacy rights.

NeuroPredict does not sell your personal information. To exercise your California privacy rights, please contact us at team@neuropredict.eu.

11. Children's Privacy

Our Service is not directed at anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. In Spain, in accordance with the LOPDGDD, the age of digital consent is 14. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from anyone under the applicable age threshold without proper parental consent, we will take steps to remove that information from our servers.

12. Security of Your Personal Data

The security of your personal data is important to us. We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include encryption of data in transit and at rest, access controls, regular security assessments, and incident response procedures.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

13. Links to Other Websites

Our Service may contain links to third-party websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and, where appropriate, sending you an email notification at least thirty (30) days before the changes take effect.

You are advised to review this Privacy Policy periodically for any changes.

15. Contact Us

If you have any questions about this Privacy Policy or about the processing of your personal data, you can contact us:

• Data Protection Contact: team@neuropredict.eu
• General inquiries: team@neuropredict.eu
• Postal mail: NeuroPredict S.L., [Address], 28001 Madrid, Spain

This Privacy Policy is provided in English, French, and Spanish. In the event of any discrepancy between the language versions, the Spanish version shall prevail.