Privacy Policy

1.1 Neureson is an intelligent Document Operating System operated by REIID PTY LTD, a company operating from Level 17, 1 Denison Street, North Sydney NSW 2060, Australia.

1.2 For the purposes of this Privacy Policy, REIID PTY LTD is the data controller in respect of personal data collected through the Neureson platform.

1.3 All privacy enquiries, data requests and notices should be directed to legal@neureson.ai or by post to the address above.

2.1 This Privacy Policy applies to all personal data collected, processed and stored by Neureson through the neureson.ai website and platform, including data collected during account registration, document generation, payment processing and customer support interactions.

2.2 This Policy applies to all Users of the Service regardless of location. Additional rights apply to Users located in the European Union, United Kingdom, California and certain APAC jurisdictions as described in clauses 11, 12 and 13.

2.3 This Policy does not apply to third-party websites or services that may be linked from the Neureson platform. Neureson is not responsible for the privacy practices of any third-party website or service.

3.1 Neureson collects the following categories of personal data:

3.1(f) Jurisdiction Data: The governing jurisdiction selected by the User for each Document — including country and state or province where applicable. This data is stored as Document metadata, is visible to the User in their account and is used to apply the appropriate legal reasoning framework to the Document. Jurisdiction data is never used for any purpose other than Document production and platform analytics in anonymised and aggregated form.

3.2 Neureson does not knowingly collect sensitive personal information as defined under the Australian Privacy Act 1988, including health information, racial or ethnic origin, political opinions, religious beliefs or biometric data. If you believe you have inadvertently submitted sensitive information, please contact legal@neureson.ai immediately.

4.1 Neureson uses your personal data for the following purposes:

• —To create and manage your account and provide access to the Service
• —To process document generation requests using the AI Technology
• —To process payments and manage your Subscription and Credits
• —To send transactional emails including account confirmation, payment receipts, credit expiry reminders and service notifications
• —To respond to your support requests, feedback and legal enquiries
• —To monitor and maintain the security, integrity and availability of the Service
• —To detect, investigate and prevent fraudulent, abusive or unlawful use of the Service
• —To comply with applicable legal obligations, court orders and regulatory requirements
• —To enforce our Terms of Service and protect the rights and interests of REIID PTY LTD and other Users
• —To analyse aggregated, anonymised usage data to improve the Service — this analysis never involves identifiable personal data or document content

4.2 Neureson will never use your document content for any purpose other than delivering the Service to you. Your document content will never be used to train, fine-tune or improve any AI model. This is an absolute and unconditional commitment.

We will never sell, rent, trade or otherwise transfer your personal data to third parties for marketing, advertising or commercial purposes. Your data is yours — always.

5.1 For Users located in the European Union or United Kingdom, Neureson relies on the following lawful bases for processing personal data under the General Data Protection Regulation (GDPR):

5.2 For Australian Users, Neureson processes personal data in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth).

6.1 The Neureson Service is powered by leading frontier AI Technology. All document generation requests are processed in a private, encrypted environment. Neureson operates under a leading frontier AI provider whose commercial terms incorporate a Processing Addendum (DPA) with Standard Contractual Clauses (SCCs) by default. By accepting those commercial terms, Neureson has entered into a binding data processing agreement that governs how all AI processing of your data is handled.

6.2 Neureson operates through an AI gateway infrastructure that is bound by a formally incorporated Data Processing Agreement. The DPA prohibits the use of customer data for any purpose beyond the delivery of the Service, prohibits model training on customer data and imposes strict data confidentiality and security obligations at every layer of the processing chain. Zero Data Retention has been enabled across all AI processing routes used by Neureson — meaning prompts and document content are not stored at the processing layer beyond what is required to screen for abuse.

6.3 Zero Data Retention is enabled across all AI processing routes used by Neureson. Your document content and prompts are not stored at the AI processing layer beyond the immediate request. Processing occurs in an isolated session environment. Your content is never accessible to other users. Prompt logging is permanently disabled — Neureson will never enable prompt logging under any circumstances.

6.4 Your document content will never be used to train, fine-tune, evaluate or improve any AI model — whether operated by Neureson or any third-party AI provider. This commitment is contractually enforced with all AI infrastructure providers.

6.5 Neureson's frontier AI provider is bound by a formally executed Data Processing Addendum incorporating Standard Contractual Clauses (SCCs) as required by applicable data protection law. The DPA prohibits any use of User data beyond the delivery of the Service, prohibits the sale or sharing of User data with any third party, and requires the provider to delete all prompts and outputs following processing. Neureson has additionally sought Zero Data Retention status with its frontier AI infrastructure provider — under which inputs and outputs are not stored at all beyond what is required to screen for abuse — to further substantiate the Confidentiality by Design commitment.

7.1 Neureson engages the following third-party service providers to operate the Service. Each provider is carefully selected and bound by data processing agreements that restrict their use of your data to the specific purpose for which they are engaged:

7.2 Neureson does not sell, rent, trade or otherwise transfer your personal data to any third party for commercial, marketing or advertising purposes. This prohibition is absolute and unconditional.

7.3 Neureson may disclose your personal data to law enforcement, regulatory authorities or courts where required by law, court order or regulatory direction. Where permitted, Neureson will notify you of any such disclosure.

8.1 All User data is stored in Supabase infrastructure hosted on Amazon Web Services (AWS) in the ap-southeast-2 (Sydney, Australia) region. Australian User data does not leave Australia except as described in clause 15.

8.2 Neureson implements the following security measures to protect your data:

• —AES-256 encryption for all data stored at rest
• —TLS 1.3 (with TLS 1.2 as minimum fallback) encryption for all data in transit
• —Per-user Row Level Security (RLS) policies in the database layer — only you can access your data
• —Per-user encryption keys — your documents are encrypted with a key unique to your account
• —Zero-knowledge architecture — Neureson staff cannot access your document content
• —Regular security audits and vulnerability assessments
• —Access controls ensuring only authorised personnel can access system infrastructure
• —Audit logging of all infrastructure access events

8.3 Right to Deletion — Your data, deleted on request. You have the right to request deletion of your account and all associated data at any time. On account deletion, Neureson will destroy your encryption keys within 30 days, rendering your stored document content permanently and cryptographically unrecoverable. You may also request deletion of specific categories of personal data without deleting your entire account — please contact legal@neureson.ai with your request. Neureson will action all deletion requests within 30 days and confirm completion to you in writing.

8.4 While Neureson implements industry-standard security measures, no system is completely immune to security threats. You are responsible for maintaining the security of your account credentials. Please notify Neureson immediately at legal@neureson.ai if you suspect any unauthorised access to your account.

9.1 Neureson retains personal data only for as long as necessary to fulfil the purposes for which it was collected, to provide the Service and to comply with applicable legal obligations. The following retention periods apply:

10.1 Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the following rights in respect of your personal data:

• —Access: You have the right to request access to the personal data Neureson holds about you.
• —Correction: You have the right to request correction of any personal data that is inaccurate, incomplete or out of date.
• —Complaint: You have the right to complain about a breach of the Australian Privacy Principles. Complaints should first be directed to Neureson at legal@neureson.ai. If your complaint is not resolved to your satisfaction, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
• —Anonymity: Where lawful and practicable, you may interact with Neureson anonymously or using a pseudonym.

10.2 To exercise any of these rights — including the right to delete your data — please contact legal@neureson.ai. Neureson will respond to all privacy requests within 30 days and will confirm completion of any deletion request in writing. In some cases, we may need to verify your identity before processing your request.

11.1 If you are located in the European Union or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

• —Right of Access (Article 15): The right to obtain a copy of your personal data and information about how it is processed.
• —Right to Rectification (Article 16): The right to have inaccurate or incomplete personal data corrected.
• —Right to Erasure (Article 17): The right to request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful.
• —Right to Restriction (Article 18): The right to request that processing of your personal data be restricted in certain circumstances.
• —Right to Data Portability (Article 20): The right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.
• —Right to Object (Article 21): The right to object to processing of your personal data based on legitimate interests.
• —Right to Withdraw Consent: Where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of prior processing.
• —Right to Lodge a Complaint: The right to lodge a complaint with your local supervisory authority. For EU users, this is your national data protection authority. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk.

11.2 To exercise any GDPR rights, please contact legal@neureson.ai. Neureson will respond within 30 days. Where requests are complex or numerous, we may extend this period by a further 60 days with notice to you.

12.1 If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

• —Right to Know: The right to request disclosure of the categories and specific pieces of personal information Neureson has collected about you, the sources from which it was collected, the purposes for which it is used and the third parties with whom it is shared.
• —Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
• —Right to Opt-Out of Sale: Neureson does not sell personal information. You do not need to opt out.
• —Right to Non-Discrimination: Neureson will not discriminate against you for exercising your CCPA rights.

12.2 To exercise CCPA rights, please submit a verifiable consumer request to legal@neureson.ai. We will respond within 45 days. We may need to verify your identity before processing your request.

13.1 Neureson serves Users across the APAC region and is committed to compliance with applicable data protection laws in each jurisdiction. The following frameworks apply to Users in their respective jurisdictions:

• —Singapore: Personal Data Protection Act 2012 (PDPA) — you have the right to access and correct your personal data.
• —Thailand: Personal Data Protection Act B.E. 2562 (PDPA) — similar rights to GDPR apply including access, correction, deletion and portability.
• —India: Digital Personal Data Protection Act 2023 — you have the right to access, correct and erase your personal data.
• —New Zealand: Privacy Act 2020 — you have the right to access and correct personal information held about you.

13.2 To exercise rights under any applicable APAC data protection law, please contact legal@neureson.ai with your jurisdiction and the specific right you wish to exercise.

14.1 Neureson uses cookies and similar tracking technologies to operate the Service, maintain your session and analyse usage. The following categories of cookies are used:

14.2 You can manage your cookie preferences through your browser settings or through the cookie preference centre available on the Neureson website. Note that disabling essential cookies will impair your ability to use the Service.

15.1 Neureson stores Australian User data in AWS ap-southeast-2 (Sydney, Australia). Where data is transferred to third-party providers located outside Australia — including Stripe (USA) and Resend (USA) — such transfers are made only where appropriate safeguards are in place.

15.2 For EU and UK Users, cross-border transfers of personal data are made only where the recipient country provides an adequate level of protection as determined by the European Commission, or where appropriate safeguards are in place including Standard Contractual Clauses (SCCs) or equivalent mechanisms.

15.2A Jurisdiction Selection and Cross-Border Transfers. Where a User selects a jurisdiction outside Australia for Document creation, the Document content is processed using Neureson's AI reasoning infrastructure in accordance with the zero data retention and data processing commitments set out in clause 6. The selection of a foreign jurisdiction for Document drafting purposes does not constitute a transfer of personal data to that jurisdiction. All personal data remains subject to Australian Privacy Act 1988 protections and the additional safeguards described in this Policy.

15.3 For further information about cross-border transfers and the safeguards in place, please contact legal@neureson.ai.

16.1 The Service is not directed at or intended for use by individuals under the age of 18. Neureson does not knowingly collect personal data from anyone under 18 years of age.

16.2 If you believe that a person under 18 has provided personal data to Neureson without parental consent, please contact legal@neureson.ai immediately. Neureson will take prompt steps to delete that data.

17.1 In the event of a data breach that is likely to result in serious harm to affected individuals, Neureson will notify affected Users and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme in the Privacy Act 1988 (Cth).

17.2 For EU Users, Neureson will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of individuals, as required under GDPR Article 33.

17.3 Neureson will notify affected Users without undue delay where a breach is likely to result in a high risk to their rights and freedoms. Notification will be provided by email to the registered account address.

18.1 Neureson may update this Privacy Policy from time to time to reflect changes in our practices, the Service or applicable law. Material changes will be notified to active Users by email to the registered account address with a minimum of 30 days notice.

18.2 The date of the most recent update is displayed at the top of this Policy. Your continued use of the Service following the effective date of any update constitutes your acceptance of the updated Policy.

18.3 Previous versions of this Privacy Policy are available upon request by contacting legal@neureson.ai.