Last updated: April 2026
Atenea Labs OÜ (registry code 16668881), a private limited company incorporated under the laws of the Republic of Estonia, with its registered office at Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141, Estonia, is the data controller responsible for the processing of personal data collected through the Neuronos platform (neuronos.app) and all related services. As the data controller, Atenea Labs OÜ determines the purposes and means of processing your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and applicable Estonian data protection legislation. Any reference to "Neuronos", "we", "us", or "our" in this Privacy Policy refers to Atenea Labs OÜ. For data protection inquiries, you may contact our Data Protection Officer at privacy@neuronos.app.
We collect and process the following categories of personal data: (a) Account Data — your email address, display name, password hash, and organization details provided during registration; (b) Usage Data — worker configurations, conversation logs, workflow definitions, credit consumption records, tool execution logs, and interaction history with AI workers; (c) AI Interaction Data — prompts, instructions, and inputs you provide to AI workers, agent memory contents, as well as the outputs generated by those workers, which are stored to deliver the service and maintain conversation context; (d) Technical Data — IP addresses, browser type and version, operating system, device identifiers, referral URLs, session duration, and page interaction data collected automatically when you access the platform; (e) Billing Data — subscription plan details, payment history, and invoice records (note: full payment card details are processed exclusively by Stripe and are never stored on our servers); (f) Documents and Files — any files, documents, or data you upload to worker storage for processing by AI workers.
We process your personal data on the following legal bases under the GDPR: (a) Contract Performance (Art. 6(1)(b)) — processing necessary to create and manage your account, provision AI workers, process prompts through AI models, execute tool actions, maintain conversation history, and deliver the core functionality of the platform; (b) Legitimate Interest (Art. 6(1)(f)) — processing necessary for platform improvement through analysis of aggregated and anonymized usage patterns, security monitoring, fraud prevention, and detection of unauthorized access or abuse; (c) Consent (Art. 6(1)(a)) — where you have given explicit consent, such as for optional analytics cookies or marketing communications, which you may withdraw at any time without affecting the lawfulness of processing carried out prior to withdrawal; (d) Legal Obligation (Art. 6(1)(c)) — processing necessary to comply with applicable laws, regulations, court orders, and governmental requests, including tax and accounting obligations under Estonian law.
We process your personal data for the following purposes: (a) Service Provision — to create and manage your account, provision AI workers, process prompts through AI models, execute tool actions, maintain conversation history, and deliver the core functionality of the platform; (b) AI Model Improvement — we may use anonymized and aggregated data only to improve service quality; we do not use your identifiable data, prompts, conversations, or documents to train, fine-tune, or improve any AI models; (c) Billing and Payments — to process subscriptions, track credit usage, generate invoices, and manage payment transactions through Stripe; (d) Security and Fraud Prevention — to detect, prevent, and respond to security incidents, unauthorized access, and abuse of the platform; (e) Communications — to send account-related notifications, security alerts, service updates, and billing confirmations via email through Resend. We do not sell, rent, or trade your personal data to third parties. We do not use your data for profiling or automated decision-making that produces legal effects.
When you interact with AI workers on the Neuronos platform, your prompts, instructions, and contextual data are transmitted to third-party AI model providers (currently Microsoft Azure OpenAI Service, EU region) for inference processing. AI workers operate autonomously within the boundaries you configure and may access external services through tool executions as permitted by your settings. All conversations, prompts, agent memory, and AI-generated outputs are stored in your workspace within our EU-hosted database to maintain service continuity. You should be aware that AI outputs are not guaranteed to be accurate, complete, or free from bias or hallucination. Neuronos does not guarantee the reliability or fitness for purpose of any AI-generated content, and you are solely responsible for reviewing and validating all AI outputs before relying on them for any business, legal, financial, medical, or other consequential decisions. Tool executions performed by AI workers may interact with external services and produce real-world consequences; you are responsible for configuring appropriate permissions and approval workflows.
We engage the following sub-processors to deliver the Neuronos service, each bound by Data Processing Agreements (DPAs) that ensure GDPR-compliant data handling: (a) Supabase Inc. — database hosting, authentication, and file storage (EU region, Frankfurt); (b) Fly.io Inc. — application compute and worker sandbox execution (EU region, Amsterdam); (c) Stripe Inc. — payment processing, subscription management, and billing (headquartered in the US; data transfers governed by Standard Contractual Clauses and Stripe's GDPR-compliant DPA); (d) Microsoft Azure (Azure OpenAI Service) — AI model inference and language processing (EU West region); (e) Resend Inc. — transactional email delivery (email metadata only). We conduct due diligence on all sub-processors to ensure they maintain appropriate technical and organizational security measures. A current list of sub-processors is maintained and updated in this policy, and we will notify you of any material changes to our sub-processor list.
Your core personal data — including account information, AI interaction data, worker configurations, conversation logs, and uploaded documents — is stored and processed exclusively within the European Union (Supabase EU Frankfurt, Fly.io EU Amsterdam, Azure EU West). We do not transfer personal data to any country outside the EU/EEA unless adequate safeguards are in place as required by Chapter V of the GDPR. For payment processing, certain billing data is transferred to Stripe Inc. in the United States under Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) and Stripe's certified data protection practices. Transactional email metadata is processed by Resend with appropriate contractual safeguards in place.
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected: (a) Active Accounts — your data is retained for the duration of your active subscription and account, and you may request export or deletion of specific data at any time; (b) Suspended Accounts — if your account is suspended due to non-payment or policy violation, your data is retained for thirty (30) days to allow for reactivation, after which it is scheduled for permanent deletion; (c) Deleted Accounts — upon account deletion, all personal data, worker configurations, conversation logs, uploaded documents, and associated files are permanently deleted within thirty (30) days; (d) AI Conversation Logs — conversation logs and AI interaction data are permanently deleted ninety (90) days after account deletion; (e) Billing Records — invoices and transaction records are retained for the period required by applicable tax and commercial law (typically 7 years under Estonian law); (f) Audit Logs — security and compliance audit logs are retained for twelve (12) months from the date of creation.
As a data subject under the GDPR, you have the following rights, which you may exercise at any time by contacting us at privacy@neuronos.app or through your account settings: (a) Right of Access (Art. 15) — you may request a copy of all personal data we hold about you, including AI interaction data and worker logs; (b) Right to Rectification (Art. 16) — you may request correction of inaccurate or incomplete personal data; (c) Right to Erasure (Art. 17) — you may request deletion of your personal data, subject to legal retention obligations; (d) Right to Restriction of Processing (Art. 18) — you may request that we limit the processing of your data in certain circumstances; (e) Right to Data Portability (Art. 20) — you may request your data in a structured, commonly used, machine-readable format; (f) Right to Object (Art. 21) — you may object to processing based on legitimate interests; (g) Rights Related to Automated Decision-Making (Art. 22) — you have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you. We will respond to all data subject requests within thirty (30) days of receipt, extendable by sixty (60) days for complex cases.
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction: (a) Encryption — all data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption; (b) Tenant Isolation — each workspace is logically isolated using PostgreSQL Row-Level Security (RLS) policies, ensuring that no tenant can access another tenant's data; (c) Sandbox Isolation — AI worker execution environments are isolated per workspace with restricted network access and resource limits; (d) Access Controls — role-based access control (RBAC) with support for admin, manager, user, and viewer roles; (e) Audit Logging — all significant actions (worker creation, tool execution, data access, configuration changes) are logged with timestamps and actor identification; (f) Infrastructure Security — our infrastructure providers (Supabase, Fly.io, Azure) maintain SOC 2 certifications and undergo regular third-party security audits; (g) Incident Response — we maintain an incident response procedure and will notify affected users and relevant supervisory authorities of any personal data breach within 72 hours as required by Art. 33 GDPR; (h) AI Security — we implement prompt injection protection measures, content filtering, and anomalous worker behavior monitoring, although these measures cannot guarantee absolute protection against all forms of adversarial attack.
The Neuronos platform uses a minimal set of cookies: (a) Essential Cookies — strictly necessary cookies required for authentication, session management, language preferences, and security; these cookies cannot be disabled as they are essential for the platform to function, and no consent is required under Art. 5(3) of the ePrivacy Directive; (b) Analytics Cookies (optional) — if you consent, we may use privacy-respecting analytics to understand aggregate usage patterns; analytics cookies are only set after you provide explicit consent through our cookie banner, and you may withdraw your consent at any time. We do not use third-party advertising cookies, tracking pixels, or social media cookies. We do not engage in cross-site tracking or behavioral advertising.
The Neuronos platform is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete such data from our systems. If you believe a minor has provided us with personal data, please contact us at privacy@neuronos.app.
We may update this Privacy Policy periodically to reflect changes in our data processing practices, legal requirements, or service features. Material changes will be communicated via email to the address associated with your account and through a prominent notice on the platform at least thirty (30) days before the changes take effect. Non-material changes (such as formatting or clarifications) may be made without prior notice. The "Last updated" date at the top of this policy indicates when the most recent revision was published. Your continued use of the Neuronos platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at: Atenea Labs OÜ, Harju maakond, Tallinn, Kesklinna linnaosa, Sakala tn 7-2, 10141, Estonia. Registry code: 16668881. Privacy email: privacy@neuronos.app. Support: support@neuronos.app. EU residents who believe their data protection rights have not been adequately addressed may lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee or with any other competent EU supervisory authority.