This GDPR Compliance Statement explains how NeuronArc (“Company,” “we,” “our,” or “us”) complies with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) in relation to the collection, processing, storage, transfer, and protection of personal data of individuals located within the European Economic Area (“EEA”), the United Kingdom, and, where applicable, Switzerland.
This document is intended to demonstrate regulatory readiness, operational transparency, and structured data governance practices aligned with GDPR principles.
1. Scope of GDPR Applicability
This GDPR Compliance Statement applies to:
- EEA-based users accessing the NeuronArc platform
- EU-based customers and business clients
- Individuals whose personal data is processed in connection with our services
- EU residents interacting with AI-powered tools, reports, and analytics
NeuronArc acts as:
- Data Controller for account information, billing data, and direct user interactions
- Data Processor where processing occurs on behalf of enterprise clients under contractual agreements
While acting as a processor, NeuronArc operates strictly under documented instructions from the data controller.
2. GDPR Principles Observed by NeuronArc
NeuronArc processes personal data in accordance with Article 5 GDPR principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
These principles are embedded in our data governance framework, internal policies, and technical safeguards.
3. Lawful Basis for Processing
Under Article 6 of the GDPR, NeuronArc processes personal data only where a lawful basis exists. Depending on the context, processing may rely on one or more of the following:
3.1 Performance of a Contract (Article 6(1)(b))
Processing is necessary to:
- Create and manage user accounts
- Provide AI-generated outputs
- Deliver reports and analytics
- Process subscription payments
- Provide customer support
- Fulfill contractual obligations
Without such processing, we cannot provide the requested services.
3.2 Legitimate Interests (Article 6(1)(f))
We may process personal data where necessary for legitimate business interests, provided such interests are not overridden by user rights. Legitimate interests may include:
- Platform security monitoring
- Fraud prevention
- Service improvement
- Product development
- Risk mitigation
- Internal analytics
We conduct balancing assessments where required.
3.3 Consent (Article 6(1)(a))
Where required by law, we rely on user consent for:
- Marketing communications
- Optional cookies
- Certain analytics tools
- Specific AI model training uses (where applicable)
Consent may be withdrawn at any time.
3.4 Legal Obligation (Article 6(1)(c))
We may process personal data to comply with:
- Tax obligations
- Financial reporting requirements
- Law enforcement requests
- Regulatory compliance mandates
4. Categories of Data Processed
Under GDPR governance, NeuronArc may process the following categories of personal data:
- Identification data (name, email, company details)
- Contact information
- Account credentials
- Usage and technical data
- IP addresses
- Billing and transaction metadata
- AI-submitted inputs
- Customer support communications
Sensitive categories of data (Article 9 GDPR) are not intentionally collected. Users are instructed not to submit special category data unless contractually authorized.
5. Data Subject Rights
Individuals located in the EEA are entitled to specific rights under GDPR. NeuronArc has implemented procedures to facilitate the exercise of these rights.
5.1 Right of Access (Article 15)
Data subjects have the right to:
- Obtain confirmation of whether personal data is processed
- Access copies of their personal data
- Receive information regarding the purposes of processing
- Understand categories of data involved
- Identify recipients of data
Requests must be submitted via the contact information provided below.
5.2 Right to Rectification (Article 16)
Individuals may request correction of:
- Inaccurate personal data
- Incomplete personal data
NeuronArc will take reasonable steps to verify and update information promptly.
5.3 Right to Erasure (“Right to Be Forgotten”) (Article 17)
Data subjects may request deletion of personal data where:
- Data is no longer necessary for its original purpose
- Consent has been withdrawn
- Processing is unlawful
- Data must be erased to comply with legal obligations
- The individual objects to processing, and no overriding legitimate grounds exist
Erasure requests will be honored unless retention is required by law, regulatory obligation, dispute resolution, or legitimate business necessity.
Where data has been shared with third-party processors, NeuronArc will notify them of deletion requests where feasible.
5.4 Right to Restrict Processing (Article 18)
Individuals may request restriction of processing where:
- The accuracy of the data is contested
- Processing is unlawful, but erasure is not desired
- Data is required for legal claims
- Objection to processing is pending assessment
During restriction periods, data may be stored but not actively processed.
5.5 Right to Data Portability (Article 20)
Data subjects have the right to:
- Receive personal data in a structured, commonly used, machine-readable format
- Transmit such data to another controller
This right applies where processing is based on consent or contract and is carried out by automated means.
5.6 Right to Object (Article 21)
Individuals may object to processing based on legitimate interests.
Where objections are raised, NeuronArc will:
- Assess whether compelling legitimate grounds override user rights
- Cease processing where no overriding grounds exist
Direct marketing processing will cease upon objection.
5.7 Rights Related to Automated Decision-Making (Article 22)
NeuronArc does not conduct automated decision-making that produces legal or similarly significant effects without meaningful human oversight.
AI-generated outputs are informational tools and do not constitute binding decisions.
6. Data Protection Officer (DPO)
NeuronArc has designated a Data Protection Officer (DPO) or equivalent responsible privacy contact.
Data Protection Officer
NeuronArc
Email: []
Address: [Insert Registered Address]
The DPO is responsible for:
- Monitoring GDPR compliance
- Advising on data protection obligations
- Conducting impact assessments
- Serving as a contact point for supervisory authorities
- Responding to data subject requests
7. Data Breach Notification Process
NeuronArc maintains documented incident response procedures.
7.1 Internal Detection and Assessment
In the event of a suspected personal data breach:
- The incident is immediately logged
- Internal security teams assess severity
- Data exposure scope is identified
- Risk to individuals is evaluated
7.2 Notification to Supervisory Authorities
Where a breach poses a risk to rights and freedoms, NeuronArc will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.
7.3 Notification to Affected Individuals
If a breach is likely to result in high risk to individuals, affected data subjects will be informed without undue delay, including:
- Nature of the breach
- Likely consequences
- Measures taken
- Recommended protective steps
All incidents are documented regardless of the reporting threshold.
8. Data Processing Agreements (DPAs)
Where NeuronArc acts as a processor, we enter into Data Processing Agreements that include:
- Confidentiality obligations
- Security commitments
- Sub-processor controls
- Data transfer safeguards
- Assistance with data subject rights
- Breach notification procedures
Sub-processors are selected based on compliance capability and contractual safeguards.
9. International Data Transfers
Where personal data is transferred outside the EEA, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions (where applicable)
- Binding corporate rules (where applicable)
- Supplementary security measures
Transfer impact assessments are conducted where required.
10. Data Retention Practices
Personal data is retained only for as long as necessary to:
- Fulfill contractual obligations
- Comply with regulatory requirements
- Resolve disputes
- Enforce agreements
Retention schedules are periodically reviewed.
When retention periods expire, data is:
- Securely deleted
- Anonymized
- Archived where legally required
11. Data Protection Impact Assessments (DPIAs)
Where processing is likely to result in high risk to individuals, NeuronArc conducts Data Protection Impact Assessments in accordance with Article 35 GDPR.
DPIAs evaluate:
- Nature and scope of processing
- Necessity and proportionality
- Risk to rights and freedoms
- Mitigation measures
12. Security Measures
NeuronArc implements technical and organizational safeguards, including:
- Encryption in transit
- Access control mechanisms
- Role-based access restrictions
- Secure cloud infrastructure
- Continuous monitoring
- Vendor risk assessments
- Employee confidentiality agreements
Security practices are periodically reviewed and updated.
13. Accountability and Documentation
NeuronArc maintains documentation demonstrating compliance, including:
- Records of processing activities (Article 30)
- Data flow mapping
- Vendor agreements
- Internal policies
- Training records
Compliance efforts are subject to internal review and oversight.
14. Complaints to Supervisory Authorities
Data subjects have the right to lodge complaints with a supervisory authority in their country of residence, place of work, or place of alleged infringement.
NeuronArc encourages individuals to contact us first to resolve concerns directly.
15. Updates to This GDPR Statement
This GDPR Compliance Statement may be updated to reflect:
- Regulatory changes
- Operational modifications
- Supervisory authority guidance
- Platform evolution
Updates will be published on the Platform with an updated effective date.
16. Commitment to GDPR Compliance
NeuronArc is committed to maintaining lawful, transparent, and secure processing of personal data in accordance with GDPR.
We continuously review our data protection practices to ensure alignment with evolving regulatory standards and technological developments.
Individuals seeking clarification regarding GDPR rights or compliance practices may contact our Data Protection Officer using the details provided above.