1. Data Controller
The data controller responsible for processing your personal data in connection with NEURODONE, acting in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Slovak Personal Data Protection Act (Act No. 18/2018 Coll.), is:
| Field | Details |
|---|---|
| Name | Ihor Fomenko |
| Business | Sole Proprietor (Živnostník) |
| Address | Osuského 2476/1, 85103 Bratislava-Petržalka, Slovensko |
| Email | welcome@neurodone.app |
The Controller has not appointed a Data Protection Officer (DPO), as it is not required to do so under Article 37 of the GDPR. For all data protection inquiries, please contact the Controller at the email address above.
2. Categories of Personal Data We Collect
2.1 Account Data
When you register for NEURODONE, we collect your email address and a hashed form of your password (the password itself is never stored). This data is processed by our authentication provider, Supabase.
2.1.1 Third-Party Authentication (SSO)
If you choose to register or log in using a third-party service (such as Google or Apple), we receive your email address, name, and profile picture (if applicable) from that provider. We do not receive or store your password for these third-party services. This processing is based on your consent and contractual necessity to create your account.
2.2 User-Generated Content
The core functionality of NEURODONE involves storing your tasks, projects, micro-steps, and deadlines. When you use the voice input or AI Coach features, your voice transcriptions and text inputs are processed by the Google Gemini API and stored in our database.
2.3 Potential Special Category Data (Health Data)
We acknowledge that task content such as "take ADHD medication at 2pm," "book psychiatrist appointment," or voice memos describing ADHD-related challenges may constitute health data within the meaning of Article 4(15) and Article 9(1) of the GDPR, as further clarified by Recital 35.
2.4 Technical and Usage Data
We may collect device type, browser version, operating system, IP address (anonymized), and basic usage analytics through our analytics provider. This data is used exclusively for improving the App's performance and user experience.
2.5 Support Communications
Messages sent through the "Contact Ihor" feature or via email are stored in our email system. These may contain personal data you voluntarily share.
2.6 Marketing and Promotional Communications
If you opt-in to receive our newsletter or marketing updates, we will process your email address to send you information about new features, updates, and promotional offers (such as invite codes).
2.7 Push Notifications and Device Tokens
To provide timely reminders for your tasks and micro-steps, the App may request permission to send push notifications. If you grant this permission, we collect and store a secure "Device Token" generated by your operating system to route notifications to you. This processing is based entirely on your consent. You can revoke this permission at any time through your device or browser settings.
2.8 Payment and Financial Data
All subscription payments are processed securely by our Merchant of Record, Paddle.com Market Limited. We do not collect, store, or process your full credit card numbers or sensitive banking details. We only receive transaction confirmations, your billing country (for VAT compliance), and your subscription status from Paddle.
3. Legal Bases for Processing (Article 6 and Article 9 GDPR)
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email, password hash | Account creation & authentication | Art. 6(1)(b) |
| Tasks, projects, micro-steps | Core service functionality | Art. 6(1)(b) |
| Health-related task content | Explicit consent, obtained separately | Art. 9(2)(a) |
| Voice transcripts → Gemini API | Explicit consent before first AI use | Art. 9(2)(a) |
| Technical/usage analytics | Improving service quality | Art. 6(1)(f) |
| Support communications | Resolving support requests | Art. 6(1)(b) / Art. 6(1)(f) |
| Payment data (via Paddle) | Contractual necessity | Art. 6(1)(b) |
| Marketing emails | Promotional communications | Art. 6(1)(a) — Consent |
3.1 Explicit Consent for Health Data
Before you can use the AI-powered features (Smart Parse, AI Coach, voice input), you will be presented with a separate, specific consent screen that clearly explains:
- That your task content and voice data may reveal health information;
- That this data will be transmitted to Google's Gemini API for processing;
- That you can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal;
- How to withdraw consent (via account settings or by contacting us).
3.2 Requirement to Provide Personal Data
The provision of your email address and password is a contractual requirement necessary to create an account and use the App. The provision of health-related data (via tasks or voice inputs) is entirely voluntary and based on your explicit consent.
3.3 Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis, obtaining your consent where required by law.
4. Transparency on AI Data Processing
4.1 How AI Features Work
When you use Smart Parse or AI Coach, your text or voice transcription is sent from our Vercel serverless function to the Google Gemini API via a secure HTTPS connection. The API processes your input and returns structured task data (task names, deadlines, micro-steps). The structured output is then stored in your Supabase database.
4.2 Google Gemini API Data Commitments
NEURODONE uses the paid tier of the Google Gemini API. Under Google's Gemini API Additional Terms of Service (last updated December 2025):
- Google does NOT use your prompts or responses to train or improve its foundational AI models;
- Google processes data in accordance with its Data Processing Addendum (DPA);
- Google may log prompts for a limited period solely for detecting violations of its Prohibited Use Policy;
- Logged data is NOT used to train or fine-tune any AI/ML models.
4.3 EU AI Act Transparency
In accordance with Regulation (EU) 2024/1689 (the EU AI Act), we disclose that NEURODONE integrates a general-purpose AI model (Google Gemini) for task parsing and organization. The AI system is not classified as "high-risk" under Annex III. The AI output is advisory only and does not autonomously execute actions on behalf of the User.
4.4 No Automated Decision-Making or Profiling
We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you within the meaning of Article 22 of the GDPR.
5. Sub-Processors and International Data Transfers
5.1 List of Sub-Processors
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Auth & Database | USA | DPF + SCCs |
| Google LLC (Gemini API) | AI Processing | USA | DPF + SCCs |
| Vercel Inc. | Hosting & Serverless | USA | DPF + SCCs |
| Resend Inc. | Transactional Email | USA | DPF + SCCs |
| Paddle.com Market Ltd. | Payments (MoR) | UK | EU Adequacy Decision |
| Analytics Provider (TBD) | Usage Analytics | TBD | DPF / SCCs |
5.2 Transfer Mechanisms
Personal data may be transferred to the United States. These transfers are protected by:
- EU-U.S. Data Privacy Framework (DPF) — for certified sub-processors (Google, Vercel, Resend). The adequacy of the DPF was confirmed by the European General Court judgment of September 3, 2025;
- Standard Contractual Clauses (SCCs) — as supplementary safeguard with all US-based sub-processors;
- UK Adequacy Decision — for transfers to Paddle (UK).
6. Data Retention and Deletion
6.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Account data (email, profile) | Duration of account + 30 days |
| Tasks, projects, micro-steps | Duration of account + 30 days |
| Voice transcripts (local) | Processed in real-time, not stored |
| Analytics data | 26 months (anonymized) |
| Support communications | 12 months after resolution |
| Payment records | As required by tax law (10 years) |
6.2 Hard Deletion ("Cascade Delete")
When a User initiates account deletion (via the App or by emailing welcome@neurodone.app):
- Within 24 hours: Account is deactivated, logged out of all sessions;
- Within 30 days: Cascade delete in Supabase permanently removes all authentication records, tasks, projects, micro-steps, and analytics;
- After 30 days: Deletion confirmed. Backup systems purged within additional 30 days.
7. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of these rights, please contact us at welcome@neurodone.app. We will respond within 30 days.
- Right of Access (Art. 15) — Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16) — Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17) — Request deletion of your data ("right to be forgotten").
- Right to Restriction (Art. 18) — Request restriction of processing in certain circumstances.
- Right to Data Portability (Art. 20) — Request your data in a machine-readable format (JSON export).
- Right to Object (Art. 21) — Object to processing based on legitimate interest.
- Right to Withdraw Consent (Art. 7(3)) — Withdraw explicit consent for health data processing at any time.
- Right to Lodge a Complaint — With the Slovak Data Protection Authority.
8. "Contact Ihor" Communications
Messages sent through the "Contact Ihor" feature are forwarded to the Trader's secure email inbox (welcome@neurodone.app). These messages are:
- Stored for the purpose of providing support;
- Retained for 12 months after the inquiry is resolved;
- Not shared with any third party other than the email hosting provider;
- Permanently deleted after the retention period.
Users should avoid sharing unnecessary sensitive information in support messages.
9. Cookies and Local Storage
NEURODONE is a Progressive Web App (PWA) and uses minimal cookies and local storage:
- Authentication tokens (session cookies): Strictly necessary for your logged-in session. Legal basis: Art. 6(1)(b). Exempt from consent under the ePrivacy Directive;
- Service Worker cache: Strictly necessary for offline functionality and PWA performance;
- Analytics cookies (if applicable): Subject to your prior consent, collected via a cookie consent banner in compliance with the ePrivacy Directive and Act No. 452/2021 Z. z. on electronic communications.
NEURODONE does not use advertising cookies or third-party tracking pixels.
10. "Do Not Track" and Global Privacy Control
Because NEURODONE does not use third-party advertising cookies or cross-site tracking pixels and does not sell your personal data, we natively respect the privacy intent of DNT/GPC signals. Your data is used strictly to provide the App's core functionality.
11. Children's Privacy
NEURODONE is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will delete the data promptly. Please contact us at welcome@neurodone.app if you believe a child has provided us with data.
12. Data Security and Breach Notification
12.1 Technical and Organizational Measures
- Encryption in transit (TLS/HTTPS for all data transmissions);
- Encryption at rest (Supabase database encryption);
- Row Level Security (RLS) policies — users can only access their own data;
- API key security (Gemini API key stored server-side, never exposed to client);
- Rate limiting (50 AI API calls per day per user);
- Secure headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection).
12.2 Data Breach Notification
In the event of a personal data breach posing a high risk to your rights and freedoms, we will notify you and the Slovak Office for Personal Data Protection without undue delay, and within 72 hours where feasible, in accordance with Articles 33 and 34 of the GDPR.
13. Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you via email or in-app notice prior to any ownership change affecting your data processing.
14. Links to Other Websites
The App may contain links to third-party sites. We have no control over and assume no responsibility for the content or privacy practices of these sites.
15. Changes to This Privacy Policy
Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Last Updated" date at the top indicates the most recent revision. Continued use after the effective date constitutes acceptance.
16. Contact and Complaints
| Field | Details |
|---|---|
| Data Controller | Ihor Fomenko |
| Email | welcome@neurodone.app |
| Address | Osuského 2476/1, 85103 Bratislava-Petržalka, Slovensko |
If you are not satisfied with our response, you have the right to lodge a complaint with:
Úrad na ochranu osobných údajov SR
Hraničná 12, 820 07 Bratislava 27, Slovak Republic
https://dataprotection.gov.sk