Privacy Notice
1. What this Notice covers
We use the collected information for the following purposes:
To provide, maintain, and improve our Service
To process transactions and send related information
To send administrative information, updates, and promotional communications
To respond to your comments and questions
To analyze usage trends and optimize our Service
To protect our legal rights and prevent misuse
2. Data we process
Account & profile: email, name (if provided), password hash, subscription status.
Health & wearable data (special category): activity, heart rate, sleep, body metrics, device info obtained when you connect your wearable/health sources via Terra API.
AI chat content: the text you enter and the assistant responses. We pseudonymize AI requests (no names or direct identifiers included). Processed on Microsoft Azure OpenAI in EU regions where configured.
Telemetry/analytics & diagnostics: app events, device model/OS, crash logs, app performance via Firebase and Datadog.
Support communications & feedback.
Consent records & preferences.
We do not require you to enter medical diagnoses. Only share information you are comfortable sharing.
3. Purposes & legal bases
Purpose | Data | Legal basis
Provide the Service (account, sync, features) | Account, Terra data, AI chat content | Contract (Art. 6(1)(b))
Process health data for insights | Terra data, AI chat | Explicit consent (Art. 9(2)(a)); withdrawal anytime
Security, abuse prevention, reliability | Telemetry, logs, minimal identifiers | Legitimate interests (Art. 6(1)(f))
Analytics & product improvement | Telemetry, app events, RUM | Consent under ePrivacy + Art. 6(1)(a)
Compliance & requests from authorities | Account, transactional | Legal obligation (Art. 6(1)(c))
4. Children
Neura Health is intended for adults. If we later offer services to minors, Finland’s digital consent age (13) will apply and parental authorization may be required.
5. Where your data goes (processors & disclosures)
We use vetted processors under GDPR DPAs:
Terra API (EU/US): unified wearable integrations; webhook delivery; HMAC-signed payloads.
Google Firebase (global/EU, some US-only features): analytics, crash, storage, authentication. Firebase Authentication is operated from the U.S.
Datadog: logs and real-user monitoring (RUM). We host data in the EU region (Germany); support access may be global.
Microsoft Azure OpenAI (EU regions): processes AI prompts/responses; service may retain interaction data briefly for abuse monitoring (per Microsoft documentation).
We do not sell personal data. We disclose data only to provide the Service, comply with law, or with your direction.
6. International transfers
When processors are outside the EEA, we rely on:
EU-U.S. Data Privacy Framework where the processor is certified; and/or
Standard Contractual Clauses (2021/914) plus transfer impact assessments.
We also prefer EU data residency options (Azure EU boundary, Datadog EU region, Firebase EU regions where available).
7. Retention
Account & subscription: while your account is active, then 90 days after deletion (billing & security logs may be kept longer as required by law).
Health & wearable data: until you withdraw consent or delete your account; routine cleanup after 30 days.
AI chat content: retained in your account history until you delete it; Azure OpenAI may keep service logs for a short period.
Analytics & diagnostics: 13 months (aggregate thereafter).
Support tickets: 24 months.
8. Security
We apply encryption in transit and at rest, role-based access, key management, audit logging, least-privilege principles, data pseudonymization, and HMAC-signed webhooks for Terra.
9. Your rights (GDPR / EU users)
You have the rights of access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent at any time without affecting prior processing. You may lodge a complaint with the Finnish Data Protection Authority.
10. Automated decision-making
We do not make decisions producing legal or similarly significant effects solely by automated means.
11. Cookies/SDKs & consent
We use in-app SDKs for analytics and diagnostics. Non-essential SDKs run only with your consent; you can change this anytime in Settings.
12. How to exercise your rights
Use the in-app Privacy & Data controls or email support@neura.health. We verify identity before fulfilling requests.
13. Changes
We’ll update this Notice as needed (e.g., new processors, purposes, retention). Material changes will be communicated in-app or by email.
Regional Addenda
A) UK Residents
If you are in the United Kingdom, the UK GDPR and Data Protection Act 2018 apply.
You have the same rights as EU users.
Our legal representative in the UK (if required by scale of processing) will be disclosed upon request.
You may lodge complaints with the Information Commissioner’s Office (ICO): www.ico.org.uk.
B) U.S. Residents
California (CCPA/CPRA)
If you reside in California, you have the following additional rights:
Right to know what categories of personal information we collect, the sources, purposes, and third-party disclosures.
Right to access and portability of your personal information.
Right to delete personal information we hold about you (subject to legal exceptions).
Right to correct inaccurate information.
Right to opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising.
Right to limit sensitive information use: We use health-related data only for providing the Service, not for marketing.
You can exercise these rights by emailing support@neura.health or through the in-app Privacy & Data settings.
Other States (Virginia, Colorado, Connecticut, Utah, etc.)
Residents of these states also have rights to access, correction, deletion, and portability of personal data, and the right to opt-out of targeted advertising or data sales. We honor such rights requests in the same way as California.
Appeals
If we decline to act on a request, U.S. state residents may appeal our decision by replying to our response email.
14. Contact
Neura Labs Oy
Pitkäkalliontie 9, 01800 Klaukkala, Finland
support@neura.health