Legal
Privacy notice
How Neurotoo processes your personal data.
Version 1.0.0 · Effective 4 July 2026
Document hash 68131ef2595e…
Privacy notice
Version 1.0.0 · Effective 5 July 2026
This privacy notice explains how Neurotoo Ltd ("Neurotoo", "we", "us") collects, uses, stores, and protects your personal data when you use neurotoo.com and related services (the "Service").
We are the data controller for personal data described in this notice. We are not a law firm and we do not provide legal advice.
1. Who we are
Neurotoo Ltd operates Neurotoo, neurodivergent rights infrastructure that helps you understand what may matter, organise evidence, and choose your next move on your terms.
**Data protection contact:** privacy@neurotoo.com
**General support:** support@neurotoo.com
For registered company details, write to privacy@neurotoo.com.
2. Scope
This notice applies when you:
- Visit our website or use the public demonstration
- Create an account and use the Rights Passport, Workplace Record, Timeline, Evidence, Next Moves, Share, or Pack features
- Contact us, join the Founding Partner Programme, or use partner or admin portals where we act as controller
Separate notices apply to specific flows:
- Cookie policy at /cookies
- Evidence Vault terms at /vault-terms
- Sharing terms at /sharing-terms
- Special category processing notice at /settings/consent
Where we process personal data on behalf of a professional firm under your instruction, that firm may be an independent controller. We document our processor role in our data processing agreements.
3. What Neurotoo is — and is not
Neurotoo provides infrastructure and general information. It does not determine unlawfulness, case strength, compensation, or outcomes. Nothing is sent to a professional until you review a consultation pack and authorise sharing.
The public demonstration uses synthetic data only. Real sensitive uploads are gated behind production privacy controls described on our compliance page.
4. Personal data we collect
We collect only what we need to operate the Service.
Account and identity
- Email address (for passwordless sign-in via one-time code)
- Display name (optional)
- Account role (user, partner, or admin)
- Authentication session metadata
Rights Passport and profile
- Jurisdiction context (where you live, where an event occurred, where an organisation is based)
- Setting (workplace, education, or other)
- Employment or study context you choose to provide
- Communication and accessibility preferences
Workplace Record, Timeline, and Evidence
- Events, notes, dates, and descriptions you record
- Evidence metadata (titles, types, dates)
- Files you upload to your private Evidence Vault when that feature is enabled for your account
Sharing and professional contact
- Your sharing authorisations, pack selections, and messages you choose to send
- Records of which document versions you accepted
Consent and compliance
- Consent grants and revocations (purpose, basis, document version, timestamp)
- Hashed IP address and user-agent strings at key consent events (not raw IP storage for routine browsing)
- Data subject access requests and fulfilment records
Website and product usage
- Strictly necessary cookies for sign-in and security
- Optional functional, analytics, and marketing cookies only if you opt in (see /cookies)
- Aggregated, non-identifying usage metrics when analytics consent is granted
Communications
- Messages you send to support, founding, privacy, or ops addresses
- Programme and onboarding correspondence
We do not buy or sell personal data lists. We do not quietly sell your story.
5. Special category data
Some information you may enter relates to disability, neurodivergence, health, or accessibility needs. Under UK GDPR this is special category data (Article 9).
We process this data only when you choose to provide it and, where required, after you give explicit consent in Settings. You may withdraw that consent at any time. Withdrawal does not affect lawfulness of processing before withdrawal, but we will stop further special-category processing and may limit related features.
Our separate special category processing notice explains this in more detail.
6. How we use your data and lawful bases
| Purpose | Typical data | Lawful basis |
|---|---|---|
| Provide and secure your account | Email, session data | Contract |
| Operate Rights Passport and workplace infrastructure | Profile, events, evidence metadata | Contract |
| Store files you upload to your vault | Evidence files | Contract |
| Record and honour your sharing choices | Authorisations, pack content | Contract and consent |
| Process special category data you choose to save | Neurodivergence, accessibility needs | Explicit consent (Article 9(2)(a)) |
| Comply with law and respond to valid legal demands | Relevant account and audit records | Legal obligation |
| Maintain immutable audit and consent records | Action metadata, consent ledger | Legitimate interests (accountability, security, and demonstrating compliance) |
| Improve the Service with optional analytics | Aggregated usage data | Consent |
| Send product or programme updates you opt into | Consent | |
| Protect the Service from abuse | Security logs, hashed request metadata | Legitimate interests (security) |
We do not use your workplace record or evidence to train public AI models. We do not perform automated legal merits assessment or outcome prediction.
7. Sharing your data
We share personal data only as described below.
Infrastructure providers
We use trusted processors to host and operate the Service, including Supabase (database, authentication, and storage) and Vercel (application hosting). They process data under our instructions and appropriate contractual safeguards.
Professionals you authorise
When you authorise a consultation pack, we transmit only the components you selected to the recipient you chose. We do not preselect sensitive documents. Professionals handle received information under their own legal and professional obligations.
Partners and firms
If you use a partner portal, your firm may access data within the scope of our agreement with that firm and your authorisations. Founding Partner relationships are governed by separate commercial contracts.
Legal and regulatory
We may disclose data where required by applicable law, court order, or regulatory request, subject to our legal demands process and user notification where permitted.
We do not share your workplace record or evidence with advertisers, data brokers, or unrelated third parties.
8. International transfers
Our processors may store or process data in the United Kingdom, European Economic Area, United States, or other countries where they operate facilities.
Where personal data is transferred outside the UK, we rely on appropriate safeguards such as UK International Data Transfer Agreements, adequacy regulations, or processor standard contractual clauses. You may request more information about safeguards by emailing privacy@neurotoo.com.
9. How long we keep data
We keep personal data only as long as necessary for the purposes above.
- **Account and passport data:** for the life of your account, then deleted or anonymised within 30 days of confirmed deletion unless law requires longer retention
- **Evidence files:** until you delete them or your account is deleted, subject to retention policies published in admin settings
- **Sharing records:** for the life of your account plus up to seven years for accountability and dispute resolution
- **Consent ledger and audit log:** up to seven years as immutable compliance records
- **Cookie preferences:** 180 days, then refreshed
- **Support correspondence:** up to three years unless a longer period is needed for an open matter
- **DSAR records:** up to three years after fulfilment
Backup copies may persist for a limited period before automatic purge.
10. Security
We design for privacy by default: row-level security on user data, private storage for evidence, append-only consent and audit records, role-based access for admin functions, and encryption in transit.
No online service can guarantee absolute security. If we become aware of a personal data breach likely to affect your rights, we will notify you and the Information Commissioner's Office where required by law.
11. Your rights
Under UK GDPR you have the right to:
- **Access** — request a copy of personal data we hold about you
- **Rectification** — correct inaccurate or incomplete data
- **Erasure** — request deletion in certain circumstances
- **Restriction** — ask us to limit processing in certain circumstances
- **Object** — object to processing based on legitimate interests
- **Portability** — receive certain data in a structured, machine-readable format
- **Withdraw consent** — where processing is based on consent, without affecting prior lawful processing
You can exercise many rights in Settings under Data rights. We respond within one month, extendable by two months for complex requests.
We may need to verify your identity before fulfilling a request.
12. Cookies and similar technologies
We use strictly necessary cookies for authentication and to remember your cookie choice. All other categories are off until you opt in through our preference centre. See /cookies for details.
13. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact privacy@neurotoo.com and we will delete it.
14. Automated decision-making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects about you.
15. Changes to this notice
We may update this notice when our Service, processors, or legal requirements change. We publish the current version at /privacy with version number and effective date. Material changes will be brought to your attention through the Service or by email where appropriate.
Continued use after the effective date of an update constitutes acknowledgement of the revised notice where contract or consent applies.
16. Complaints
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
We encourage you to contact us first at privacy@neurotoo.com so we can try to resolve your concern.
17. Contact
Neurotoo Ltd — Data protection
Email: privacy@neurotoo.com
Website: neurotoo.com/privacy
Read our terms of service. Manage cookie choices in Cookie settings. Manage account consents in Settings. Exercise your data rights in Data rights.