Version: Draft (pending counsel review)
Last updated: 2026-06-14
Effective date: [To be set on publication]
This Privacy Policy describes how NeuronKite LLC ("NeuronKite", "we", "us", "our") collects, uses, shares, and safeguards information when you use Blueprint at blueprint.neuronkite.com and related services (the "Service").
This Policy is incorporated into our Terms of Service. If you do not agree with this Policy, do not use the Service.
| You give us | We use it for | We share it with |
|---|---|---|
| Your email + Clerk account | Sign-in, transactional email, billing | Clerk, SendGrid |
| Your Briefs and Artifacts | Generating outputs, displaying in your account | LLM providers (DeepSeek, Gemini, OpenAI) — not for training |
| Your payment card | Subscription + Top-Up billing | Stripe (we never see the card) |
| Service logs (IP, timestamps) | Security, abuse prevention, debugging | Sentry, BetterStack (no Customer Content) |
We do not sell personal data. We do not use Customer Content to train machine-learning models. We process all data in the United States. See §6 for AI-specific disclosures.
| Category | Examples | When |
|---|---|---|
| Account data | Email address, Clerk user ID, display name (optional) | When you create your account |
| Customer Content | Briefs, support documents, project metadata (titles, customer field, sensitivity tier) | When you submit a Brief or create a project |
| Generated content | Artifacts produced by the Service from your Briefs | Run completion |
| Payment data | Stripe customer ID, last 4 digits of card, billing address | When you subscribe or buy a Top-Up |
| Support requests | Email body, attachments | When you email [email protected] or [email protected] |
| User preferences | usage_emails_enabled flag (heads-up email opt-out) | When you toggle preferences |
We do not see, store, or have access to your full payment card number, CVC, or PIN. Stripe handles those directly.
| Category | Examples | Source |
|---|---|---|
| Usage events | Project / run lifecycle (created, started, completed, failed), CU consumption per run, verifier precision metrics | Application telemetry |
| Service logs | IP address, user agent, request timestamps, response codes | Web server access logs (retained 90 days) |
| Error reports | Stack traces, scrubbed request payloads | Sentry (see §3.2) |
| Cookies | Clerk session cookie | Browser, see §8 |
For users in jurisdictions with data-protection laws that require a legal basis (GDPR, UK GDPR, Brazil LGPD), the following table maps each processing purpose to its legal basis. For all users, the table also describes retention.
| Purpose | Categories used | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Deliver the Service (run pipeline, store + serve Artifacts) | Account, Customer Content | Performance of contract (Art 6(1)(b)) | Life of account + 30 days |
| Bill correctly + reconcile with Stripe | Account, Payment | Performance of contract | 7 years (US tax retention) |
| Send transactional email (welcome, run-complete, billing, heads-up) | Account, User preferences | Performance of contract + legitimate interest (Art 6(1)(f)) | Life of account |
| Operate, monitor, debug the Service | Usage events, Service logs, Error reports | Legitimate interest (Art 6(1)(f)) | 90 days for logs; 30 days for errors |
| Detect and prevent abuse, fraud, AUP violations | Service logs, Usage events | Legitimate interest | 12 months |
| Comply with legal obligations (subpoenas, tax records) | All categories as needed | Legal obligation (Art 6(1)(c)) | As required by law |
| Improve product (aggregate, anonymous statistics) | Anonymized usage events | Legitimate interest | Indefinite (anonymized) |
We scrub the following from error reports before they reach Sentry:
- `brief_` (full text of your Brief)
- `s3_key` (storage paths)
- `password`, `token`, `authorization`, `cookie`, vendor API keys

Stack traces and surrounding request metadata may still contain indirectly identifying information. We treat error reports as internal-use-only.
We share data with the subprocessors listed in the Subprocessor List. Each subprocessor is contractually bound to:
We add subprocessors only as needed for product functionality. Net additions are announced 30 days in advance via the Subprocessor List + email to current paying customers.
We may disclose information when required by law (valid subpoena, court order, statutory request) or to:
Where lawful, we will notify the affected user before disclosure, unless prohibited by court order or law enforcement request.
If NeuronKite is involved in a merger, acquisition, or asset sale, personal data may transfer to the acquirer subject to this Policy. We will provide 30 days' notice before any such transfer takes effect.
We may share aggregate, anonymized statistics that do not identify any individual user (e.g., "average CU per Brief by phase across all customers in Q1") without restriction.
We are based in the United States. Production data is stored in Google Cloud Platform's us-east1 region. Subprocessors may process data in other countries (see Subprocessor List for locations).
If you access the Service from outside the United States, your data is transferred to and processed in the United States.
For users in the European Economic Area, the United Kingdom, or Switzerland: we rely on the European Commission's Standard Contractual Clauses (SCCs) for cross-border transfers, executed with each non-EEA subprocessor. The SCCs are incorporated into our Data Processing Addendum.
The U.S. does not have a general data-protection adequacy decision from the European Commission. We have not joined the EU–U.S. Data Privacy Framework as of this Policy's effective date; counsel will revisit before EU customer launch.
The core function of Blueprint is to generate systems-engineering Artifacts from your Brief using large language models (LLMs). This means:
We do not use your Customer Content to train, fine-tune, or evaluate our models or any third-party models.
Where supported, we have configured the third-party LLM providers to retain inputs only transiently for safety filtering and abuse prevention, with retention windows summarized in the Subprocessor List. Some providers retain inputs for up to 30 days in their service logs; we cannot warrant complete deletion from third-party logs after that window.
In compliance with applicable AI transparency laws (including the EU AI Act for GPAI deployers and the Colorado AI Act effective 2026-02-01):
We do not use AI to make decisions that produce legal effects about you (e.g., access to credit, employment, education, housing, or government benefits). The Service produces engineering documents at your direction; it does not evaluate users.
You retain full control of AI Output. Every Artifact is delivered to you for review; we do not act on Artifacts without your direction. You may request that we re-run, revise, or delete any Artifact at any time from the in-product UI or by emailing [email protected].
Depending on where you are, you may have any of the following rights. To exercise them, email [email protected] with the subject Data Subject Request.
| Right | What it means | How to use |
|---|---|---|
| Access | Get a copy of the data we hold about you | Email request; we respond within 30 days |
| Correction | Correct inaccurate data | Email request; for account email, also update in Clerk |
| Deletion | Delete your account and data | Close account from the Billing page (auto-deletes in 30 days); or email request |
| Portability | Export your Briefs + Artifacts in a machine-readable format | Email request; we deliver via signed download link within 30 days |
| Restriction | Pause processing while a dispute is open | Email request |
| Objection | Object to processing based on legitimate interest | Email request; we evaluate |
| Withdrawal of consent | Where processing relies on consent (e.g., usage emails toggle) | In-product toggle for usage emails; email for anything else |
| Non-discrimination | We will not discriminate against you for exercising any of these rights | Automatic |
We verify your identity before honoring requests (typically by confirming the request came from your registered email address). We do not charge a fee for the first request in any 12-month period.
If you are in the EEA, UK, or Switzerland and believe we have violated GDPR or UK GDPR, you have the right to lodge a complaint with your local data-protection authority. Contact us first and we will work to resolve the issue.
In addition to the rights above, California residents have:
Authorized agents may submit requests on your behalf with written authorization.
State privacy laws in Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), and New Jersey (NJDPA) grant rights largely overlapping with CCPA/GDPR. The exercise procedure above applies.
Rights largely overlap with GDPR. Same exercise procedure.
| Jurisdiction | Statutory window | Our target |
|---|---|---|
| GDPR (EU/UK) | 30 days (one-time 60-day extension allowed) | 30 days |
| CCPA (California) | 45 days (one-time 45-day extension allowed) | 30 days |
| LGPD (Brazil) | 15 days | 15 days |
| All others | 30 days | 30 days |
The Service uses a small set of strictly necessary cookies:
| Cookie | Set by | Purpose | Expiry |
|---|---|---|---|
| `__session` | Clerk | Authentication session | Session |
| `__clerk_*` | Clerk | Sign-in flow state | Various |
We do not use advertising cookies, analytics cookies that build cross-site profiles, or marketing pixels.
Some browsers send a "Do Not Track" or Global Privacy Control (GPC) signal. We honor GPC signals as a valid opt-out of "sale" or "sharing" (we don't do either, but we record the opt-out preference). We do not currently respond to Do Not Track headers because there is no industry consensus on their handling.
Because we use only strictly necessary cookies, we do not display a cookie consent banner. If we add non-essential cookies in the future, we will request consent before setting them in jurisdictions that require it (e.g., EU ePrivacy Directive).
We maintain administrative, technical, and physical safeguards designed to protect Customer Content, including:
No internet system is perfectly secure. If we discover a security incident materially affecting your personal data, we will notify you without undue delay (per GDPR Art 34 / state breach notification laws), typically within 72 hours of becoming aware.
Please email [email protected] with details. We appreciate responsible disclosure and will acknowledge receipt within 24 hours.
The Service is for users 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn we have collected personal information from a child under 18, we will delete it. If you believe a child has provided personal information to us, contact [email protected].
We may update this Policy from time to time. Material changes will be announced at least 30 days in advance via:
We will retain prior versions for at least 24 months and link them from the Policy page.
For privacy questions or to exercise your rights:
NeuronKite LLC
Attn: Privacy
4539 N 22nd St #6544, Phoenix, AZ 85016
[email protected]
EU / UK representative (if required): [Counsel to assess whether GDPR Art 27 representative is required based on customer geography. Most US-based SMBs avoid this by not actively targeting EU consumers.]
Data Protection Officer: Not currently appointed. We have assessed that a DPO is not required under GDPR Art 37(1) at our current scale and processing scope. We will appoint a DPO if our processing changes to trigger Art 37(1) (regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special category data).