Privacy Policy

Last updated: March 20, 2026

1. Introduction

NeuraWrite ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service. By using NeuraWrite, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

Information You Provide Directly:

  • Account information: Email address and profile details you provide when creating an account
  • Document content: Topics, assignments, thesis statements, prompts, and generated documents
  • Uploaded files: PDF or Word files you upload for assignment context (e.g., rubrics)
  • Payment information: Processed securely by our payment processor — we never store card details on our servers
  • Communications: Support requests and feedback you send us

Information Collected Automatically:

  • Usage data: API calls, document counts, word usage, and feature interactions used to enforce plan limits and improve the Service
  • Device information: Browser type, operating system, and general device category
  • Analytics data: Page views, session duration, and navigation patterns collected in aggregated or anonymized form
  • Cookies: Essential authentication cookies and optional analytics cookies (see our Cookie Policy)

3. Information We Do NOT Collect

  • Student names or personally identifiable academic information beyond your account email
  • Payment card numbers, CVVs, or bank account details (handled entirely by our payment processor)
  • Biometric data of any kind
  • Precise geolocation data
  • Social media profiles (unless you voluntarily provide them to our support team)
  • Government-issued identification numbers

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

  • Contractual necessity: To provide the Service you signed up for, including account management, document generation, and billing
  • Legitimate interests: To improve our Service, prevent fraud, maintain security, and conduct analytics — where these interests are not overridden by your data protection rights
  • Consent: For optional analytics cookies and marketing communications, which you may withdraw at any time
  • Legal obligation: When required to comply with applicable laws, including tax and financial recordkeeping requirements

5. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To generate, store, and allow re-download of your documents
  • To track plan usage and enforce subscription limits
  • To process payments and manage subscriptions
  • To send transactional emails (trial expiration, billing confirmations, account changes)
  • To respond to support requests and inquiries
  • To improve our Service using anonymized, aggregated data only — never individual content
  • To detect, prevent, and address technical issues, fraud, or abuse
  • To comply with legal obligations

We do not use your content to train AI models, and we do not use your personal data for advertising or sell it to third parties.

6. Third-Party Services & Data Sharing

To deliver the Service, we engage trusted sub-processors — third-party companies that process data on our behalf. Your content may be transmitted to these providers as part of normal operations. We only share data to the extent strictly necessary to provide the feature you are using. All sub-processors are contractually bound to handle your data only on our instructions and in accordance with applicable privacy law.

Authentication & User Management:

  • We use a SOC 2 Type II and HIPAA-certified identity provider for authentication, session management, and user profiles. This provider receives your email address and authentication tokens.

Infrastructure & Hosting:

  • Application hosting: Our application runs on SOC 2 Type II, ISO 27001, and HIPAA-certified cloud infrastructure. This provider processes request metadata and may collect anonymized analytics.
  • Database & storage: Your documents and account data are stored on SOC 2 Type II and HIPAA-certified database infrastructure, hosted in the United States.
  • Error monitoring: We use an error monitoring service to detect application issues. Error reports may include request metadata but are not linked to document content.

AI & Content Processing:

  • Primary AI provider: Your document prompts and content are processed by our primary AI provider (SOC 2 Type II, ISO 27001, and HIPAA certified) for content generation and the Chat feature. This provider does not use API inputs or outputs to train its models.
  • Specialized AI pipeline providers: We use additional AI services for research sourcing, content refinement, humanization, and quality scoring. Each processes your content in real time only; none retain your content for model training. A complete and current list of our AI sub-processors is available upon request at support@neurawrite.ai.

Payment Processing:

  • Stripe — All payment processing, subscription management, and billing are handled by Stripe. Payment card data is handled exclusively by Stripe and is never stored on our servers. (Stripe Privacy Policy)

We do not sell your data. We do not sell, rent, or trade your personal information to any third party for their own commercial purposes. Sub-processors listed above are engaged solely to operate the Service and are contractually bound to process your data only on our instructions and in accordance with applicable privacy law.

7. AI Chat — How Your Conversation Data Is Handled

The AI Chat Assistant is designed with privacy isolation as a core principle:

  • No server-side chat storage. We do not store your AI Chat conversation history in our database. Your chat history lives only in your browser's memory for the duration of your session and is cleared when you close or refresh the page.
  • Per-request processing only. Each message you send is transmitted to our AI provider as a single isolated API call. Conversation history you see on screen is managed client-side and sent to the API solely to provide context for your current response — it is not retained on our servers between sessions.
  • No cross-user access. It is technically impossible for another user to access your chat content. There is no shared chat database, no session persistence on our servers, and no mechanism by which chat data from one user can be exposed to another.
  • AI provider data practices. Content sent to our AI provider via API is subject to the provider's API privacy terms. Under those terms, API inputs and outputs are not used to train models.
  • Usage metadata only. We log anonymous token counts and estimated costs per request for billing and abuse monitoring. This log contains no message content — only your user ID, timestamp, token count, and service category.

8. International Data Transfers

Your information may be transferred to and processed in the United States and other countries where our service providers operate. If you are located in the EEA or UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where applicable, to protect your data in compliance with GDPR. Our primary data infrastructure is hosted in the United States.

9. Data Retention

  • Uploaded files (e.g., rubrics): Automatically deleted after 30 days
  • Generated documents: Stored as long as your account is active
  • Account data: Deleted within 30 days of a valid account deletion request
  • Usage and billing records: Retained for up to 7 years for tax and legal compliance
  • Analytics data: Retained in anonymized or aggregated form
  • AI Chat messages: Not retained on our servers beyond the active request session

10. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit using TLS 1.3
  • Encryption at rest using AES-256
  • Row-level access controls enforced at the database layer — your documents are accessible only via your authenticated account
  • Server-side authentication validation on every API request
  • Strict credential isolation — no credentials are exposed to client-side code
  • Webhook signature verification for external payment integrations
  • Real-time error and anomaly monitoring

All of our infrastructure partners hold SOC 2 Type II and HIPAA certifications. NeuraWrite itself is actively working toward SOC 2 Type I certification (target Q4 2026). See our Trust & Security page for full details.

Data Breach Notification: In the event of a data breach that affects your personal information, we will notify you and applicable regulatory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33. We also comply with applicable U.S. state breach notification laws.

11. Your Rights (GDPR — EEA/UK Residents)

If you are in the EEA or UK, you have the following rights under the General Data Protection Regulation:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
  • Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations
  • Right to Restrict Processing (Art. 18): Request limitation of how we process your data in certain circumstances
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Automated Decision-Making (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects. If this changes, we will update this policy and provide appropriate safeguards.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at support@neurawrite.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, or disclose
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions
  • Right to Correct: Request correction of inaccurate personal information we maintain about you
  • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information: We do not process sensitive personal information beyond what is necessary to provide the Service
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights

Do Not Sell or Share My Personal Information: NeuraWrite does not sell or share personal information as defined by the CCPA/CPRA.

To exercise your California privacy rights, contact us at support@neurawrite.ai. You may designate an authorized agent to make requests on your behalf with written authorization.

13. Other U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive consumer privacy laws have rights similar to those described above, including rights to access, correct, delete, and opt out of certain processing of their personal data. We honor valid requests from residents of all states with applicable privacy laws. To exercise these rights, contact us at support@neurawrite.ai.

14. Do Not Track (DNT)

We do not currently respond to Do Not Track browser signals, as there is no universally accepted standard for how DNT should be interpreted. You can manage cookie preferences through our Cookie Policy settings. If a universal DNT standard is adopted, we will update our practices accordingly.

15. Children's Privacy

NeuraWrite is not intended for use by anyone under the age of 18, and we do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take immediate steps to delete that information. If you believe we may have collected information from a child, please contact us at support@neurawrite.ai.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "last updated" date and, for significant changes affecting how we use your data, by sending notice to your account email address. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

17. Contact & Privacy Inquiries

For privacy questions, data deletion requests, sub-processor lists, DPA inquiries, or to exercise your data rights:

  • Privacy inquiries: support@neurawrite.ai
  • General support: support@neurawrite.ai

We will respond to all valid requests within 30 days. For GDPR-related requests, you may also contact your local data protection authority if you believe your rights have not been adequately addressed.

NeuraWrite does not currently designate a formal Data Protection Officer (DPO) as we are not legally required to do so under GDPR Article 37 at this stage of our operations. All privacy-related inquiries are handled by our team at the address above.