Privacy Policy | Neurotoned

1. Introduction

Neurotoned LLC ("Neurotoned," "we," "us," or "our") operates the website located at neurotoned.com and related services (collectively, the "Service"). Neurotoned is a Delaware limited liability company with its principal office at 8 The Green STE B, Dover, DE 19901.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, create an account, purchase a subscription, or otherwise interact with our Service. Please read this policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described herein. If you do not agree with this Privacy Policy, please discontinue use of the Service immediately.

2. Information We Collect

2.1 Information You Provide Directly

We collect personal information that you voluntarily provide when you:

Create an account: name, email address, phone number, and account credentials (passwords are hashed and never stored in plaintext).
Make a purchase or subscribe: billing address and payment information. Payment card details are collected and processed directly by our payment processor, Stripe, Inc. We do not store your full credit card number on our servers.
Communicate with us: any information you include in emails, support tickets, or other correspondence sent to support@neurotoned.com.
Submit testimonials or reviews: your name, likeness, and the content of any testimonial you voluntarily provide.
Participate in surveys or promotions: responses, contact details, and any other information you choose to share.

2.2 Information Collected Automatically

When you access the Service, we and our third-party partners automatically collect certain technical and usage information, including but not limited to:

Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
Usage data: pages visited, time spent on pages, referring URL, click-stream data, and navigation paths.
Cookies and similar technologies: session identifiers, authentication tokens, and preference cookies. See Section 5 for more detail.
Meta/Facebook pixel data: the Meta (Facebook) pixel collects data including your Facebook cookie identifier (fbclid), browsing behavior on our site, conversion events (e.g., page views, purchases, sign-ups), and device information. This data is transmitted to Meta Platforms, Inc. for advertising measurement and optimization.

2.3 Information From Third Parties

Stripe: We receive payment confirmation details, including transaction status, last four digits of your card, and billing address, from Stripe to fulfill and manage your orders.
Meta/Facebook: We may receive aggregated or individual-level ad interaction data from Meta, including information about how you interacted with our advertisements on Meta platforms and whether those interactions led to actions on our Service.

3. How We Use Your Information

We use the personal information we collect for the following purposes:

Provide and maintain the Service: deliver content, process your account registration, and enable access to programs and features.
Process payments: complete transactions, send receipts, and manage subscriptions through Stripe.
Manage your account: authenticate your identity, maintain your preferences, and provide customer support.
Communicate with you: send transactional emails (e.g., purchase confirmations, password resets), respond to inquiries, and, where you have opted in, send marketing communications about new programs, promotions, and updates.
Personalize your experience: tailor content recommendations and program suggestions based on your usage patterns and preferences.
Improve the Service: analyze usage trends, conduct research, and develop new features and content.
Advertising and analytics: measure the effectiveness of our advertising campaigns through the Meta/Facebook pixel, create custom and lookalike audiences, and optimize ad delivery.
Prevent fraud and ensure security: detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities.
Comply with legal obligations: fulfill our legal and regulatory requirements, respond to lawful requests from public authorities, and enforce our terms of service.

4. How We Share Your Information

4.1 Service Providers

We share personal information with third-party service providers who perform services on our behalf, subject to contractual obligations to protect your data:

Stripe, Inc. — payment processing. Stripe receives your payment card details, billing address, and transaction information to process payments securely. See Stripe's Privacy Policy.
Supabase, Inc. — database hosting and user authentication. Supabase stores your account information and authenticates your login sessions. See Supabase's Privacy Policy.
Meta Platforms, Inc. — advertising analytics. The Meta pixel transmits browsing behavior and conversion event data to Meta for ad measurement, targeting, and optimization. See Meta's Privacy Policy.
Vercel, Inc. — website hosting and content delivery. Vercel processes server requests, which may include your IP address and request metadata. See Vercel's Privacy Policy.
Anthropic, PBC — AI-assisted content generation. We may send limited, non-personally-identifiable data (such as anonymized usage patterns or content prompts) to Anthropic's API to generate or enhance educational content. We do not send your name, email, payment information, or other directly identifying personal data to Anthropic.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or legal process; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Service; or (d) protect the personal safety of users of the Service or the public.

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information.

4.4 With Your Consent

We may share your information for other purposes with your explicit consent.

4.5 Aggregated and De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you for research, analytics, or other business purposes.

4.6 No Sale of Personal Information

We do NOT sell your personal information. We have not sold personal information in the preceding twelve (12) months and have no plans to do so.

5. Cookies and Tracking Technologies

5.1 Types of Cookies We Use

Essential cookies: These cookies are strictly necessary for the operation of our Service. They enable core functionality such as user authentication, session management, and security features. You cannot opt out of essential cookies as the Service cannot function without them.
Analytics cookies: These cookies help us understand how visitors interact with our Service by collecting information about pages visited, time on site, and navigation paths. This data is used in aggregate to improve the Service.
Advertising and marketing cookies: The Meta/Facebook pixel places cookies (including the _fbp and _fbc cookies) on your device to track browsing behavior, record conversion events, and enable targeted advertising. The fbclid parameter appended to URLs from Meta ad clicks is used to attribute conversions to specific ad campaigns.

5.2 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling certain cookies may affect the functionality of the Service. To opt out of Meta's use of cookies for ad targeting, visit Meta Ad Preferences. You may also opt out of interest-based advertising through the Digital Advertising Alliance or the Network Advertising Initiative.

6. Your Privacy Rights

6.1 Rights Available to All Users

Regardless of your location, you may:

Access the personal information we hold about you.
Correct inaccurate or incomplete personal information.
Delete your personal information, subject to certain legal exceptions.
Opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at support@neurotoned.com.

6.2 California Residents — CCPA/CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information:

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting or selling the information, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information necessary to complete a transaction, detect security incidents, or comply with legal obligations).
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: While we do not sell personal information for monetary consideration, our use of the Meta/Facebook pixel may constitute "sharing" of personal information for cross-context behavioral advertising under the CCPA/CPRA. You have the right to opt out of this sharing. To exercise this right, email us at support@neurotoned.com with the subject line "Do Not Sell or Share My Personal Information."
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a request, email support@neurotoned.com. We will verify your identity before processing your request and will respond within forty-five (45) days. If we need additional time, we will notify you of the extension and the reason.

6.3 EU/EEA/UK Residents — GDPR Rights

If you are located in the European Union, European Economic Area, or the United Kingdom, the General Data Protection Regulation (GDPR) and the UK GDPR provide you with the following rights:

Right of Access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access that data along with information about the purposes of processing.
Right to Rectification: You have the right to obtain the rectification of inaccurate personal data without undue delay.
Right to Erasure ("Right to Be Forgotten"): You have the right to obtain the erasure of personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
Right to Restriction of Processing: You have the right to restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data.
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

Legal Bases for Processing: We process your personal data on the following legal bases: (a) Consent — where you have given clear consent for us to process your personal data for a specific purpose (e.g., marketing communications, Meta pixel tracking); (b) Contract — where processing is necessary for the performance of a contract with you (e.g., providing the Service, processing payments); (c) Legitimate Interests — where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights (e.g., fraud prevention, Service improvement, analytics).

International Data Transfers: Your personal data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner's Office to provide appropriate safeguards for such transfers. See Section 11 for more information.

6.4 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at support@neurotoned.com. We may ask you to verify your identity before processing your request. We will respond to verifiable requests within the timeframes required by applicable law.

7. Data Retention

We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. The criteria we use to determine retention periods include:

The duration of your active account and subscription with the Service.
Whether there is a legal obligation to which we are subject (e.g., tax and financial reporting requirements may require us to retain transaction data for up to seven years).
Whether retention is advisable in light of our legal position (e.g., regarding applicable statutes of limitation, litigation, or regulatory investigations).

When you delete your account, we will delete or anonymize your personal information within thirty (30) days, except where we are required or permitted by law to retain certain data. Payment transaction records may be retained for up to seven (7) years to comply with financial reporting obligations. Anonymized or aggregated data that can no longer be associated with you may be retained indefinitely.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit using TLS/SSL and encryption of sensitive data at rest.
Role-based access controls limiting employee and contractor access to personal data on a need-to-know basis.
Regular security assessments and monitoring of our systems and infrastructure.
Use of industry-standard security practices by our service providers (Stripe is PCI DSS Level 1 certified; Supabase employs row-level security and encryption at rest).

However, no method of electronic transmission or storage is completely secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and applicable regulatory authorities in accordance with applicable law, including within seventy-two (72) hours where required by the GDPR.

9. Children's Privacy

The Service is not directed to individuals under the age of thirteen (13). We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA). For users in the EU/EEA/UK, the Service is not directed to individuals under the age of sixteen (16) unless parental consent has been provided in accordance with applicable member state law.

If we become aware that we have collected personal information from a child under the applicable minimum age without verified parental consent, we will take steps to delete that information as quickly as possible. If you believe we have inadvertently collected information from a minor, please contact us at support@neurotoned.com.

10. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, our Service does not respond to DNT signals. However, you may opt out of certain tracking as described in Section 5 (Cookies and Tracking Technologies) and Section 6 (Your Privacy Rights).

11. International Data Transfers

Your personal information is primarily processed and stored in the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers of personal data from the EU/EEA/UK to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office. We also assess the laws and practices of the destination country to ensure an adequate level of protection for your personal data.

12. Changes to This Policy

We reserve the right to update or modify this Privacy Policy at any time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on the Service. Your continued use of the Service after the posting of changes constitutes your acceptance of such changes. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company: Neurotoned LLC
Address: 8 The Green STE B, Dover, DE 19901
Email: support@neurotoned.com
Phone: +1-910-777-7061

For privacy-specific inquiries, including requests to exercise your rights under the CCPA/CPRA or GDPR, please email support@neurotoned.com with the subject line "Privacy Inquiry."