Neuraphic, Inc. ("Neuraphic," "we," "us," or "our") is a Delaware corporation that develops artificial intelligence products and services, including a composable backend platform and AI security tools. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our websites, use our products (including Apps, Claeth, Prion, and Praeth), access our APIs, use the command-line interface ("CLI") or the web console, or otherwise interact with our services (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.
This Privacy Policy applies globally and is designed to comply with the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the United Kingdom Data Protection Act 2018 and UK GDPR, Brazil's Lei Geral de Proteção de Dados ("LGPD"), Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), and other applicable data protection laws worldwide.
1. Information We Collect
We collect information in several ways depending on how you interact with our Services. The categories of information we collect include the following:
1.1 Account Information. When you create an account, we collect your name, email address, organization name (if applicable), billing address, and payment information. If you sign up using a single sign-on provider, we receive your name, email address, and a unique identifier from that provider. We also collect your account preferences, authentication credentials (stored in hashed form), and multi-factor authentication details.
1.2 Personal Information You Provide. We collect information you voluntarily provide to us, such as when you contact our support team, participate in surveys, apply for a job, subscribe to our newsletter, or otherwise communicate with us. This may include your name, email address, phone number, job title, company affiliation, and the content of your messages.
1.3 Usage Data. We automatically collect information about how you interact with our Services, including the pages you visit, the features you use, the actions you take, the time and date of your visits, the duration of your sessions, referring and exit URLs, and click patterns. For API users, we collect request timestamps, endpoint paths, response codes, latency metrics, and token usage counts.
1.4 Device and Technical Information. We automatically collect certain technical information when you access our Services, including your IP address, browser type and version, operating system, device type, device identifiers, screen resolution, language preferences, and time zone. We also collect information through cookies, pixel tags, and similar tracking technologies as described in our Cookie Policy.
1.5 Log Data. Our servers automatically record information when you access our Services, including your IP address, the date and time of each request, the referring page, and system configuration information. For API access, we log request headers (excluding authorization tokens), request and response sizes, and error details.
1.6 Payment Information. When you make a purchase or subscribe to a paid plan, we collect billing details such as your credit card number, expiration date, and billing address. Payment information is processed by our payment processor and is not stored on our servers in unencrypted form. We retain transaction identifiers, amounts, dates, and the last four digits of your payment method for record-keeping and dispute resolution.
2. AI-Specific Data
Given the nature of our AI products and services, we collect and process certain categories of data that are specific to artificial intelligence systems:
2.1 Model Inputs and Outputs. When you use our AI-powered Services, we process the data you submit as input to our models ("Input Data") and the data generated by our models in response ("Output Data"). Input Data may include text prompts, documents, code, configuration parameters, and any other content you provide. Output Data includes AI-generated text, analysis results, security assessments, classification labels, agent actions, and any other content produced by our models.
2.2 Conversation and Interaction Logs. For products that involve multi-turn interactions (such as the AI-assisted composition in Apps), we maintain logs of the interaction sequence, including the series of inputs and outputs, timestamps, session identifiers, and the model version used. These logs are retained to enable session continuity, debugging, and abuse prevention.
2.3 API Call Metadata. For API users, we collect metadata associated with each API call, including the API endpoint accessed, request and response sizes, token counts (input and output), model identifiers, latency measurements, rate limit status, and error codes. This metadata does not include the substantive content of your inputs or outputs unless you have specifically opted in to content logging for your account.
2.4 Model Performance Data. We collect aggregated and de-identified data about model performance, including accuracy metrics, latency distributions, error rates, and usage patterns. This data is used to monitor, maintain, and improve the quality and reliability of our AI systems.
2.5 Safety and Security Signals. Our AI security products (Claeth and Prion) process data specifically for the purpose of detecting and mitigating threats to AI systems. This includes adversarial input patterns, anomaly scores, classification confidence levels, threat signatures, and security event logs. When you deploy our security products, they may process data flowing through your AI systems in order to provide protective functionality.
2.6 Risk Engine Signals. Praeth, our continuous risk engine, processes feature descriptions of authenticated requests entering applications that integrate it. Each scoring event records the feature description, the calibrated risk score returned, the structured reasons supporting that score, the policy decision the calling product took, and the outcome where it can be subsequently labeled. We do not publish the signal taxonomy because doing so would meaningfully reduce the cost of evading the system. Praeth does not use customer-controlled application data to train models that are made available to other customers.
3. How We Use Information
We use the information we collect for the following purposes:
3.1 Service Delivery and Operations. To provide, maintain, and operate our Services, including processing your requests, delivering AI model outputs, managing your account, processing payments, providing customer support, and communicating with you about your use of our Services.
3.2 Safety, Security, and Abuse Prevention. To protect the safety and security of our Services, our users, and the public. This includes detecting and preventing fraud, abuse, security incidents, and other harmful activity; enforcing our Terms of Service and Acceptable Use Policy; and monitoring for violations of our usage policies. Our AI security products specifically operate to detect adversarial attacks, prompt injection attempts, data exfiltration, and other threats to AI systems.
3.3 Service Improvement and Development. To understand how our Services are used, identify areas for improvement, develop new features and products, conduct research, and perform analytics. We use aggregated and de-identified data for these purposes wherever possible.
3.4 Communication. To send you transactional communications (such as account confirmations, billing receipts, and security alerts), respond to your inquiries, and, where you have opted in, send you marketing communications about our products and services. You may opt out of marketing communications at any time.
3.5 Legal Compliance. To comply with applicable laws, regulations, legal processes, and governmental requests; to enforce our agreements; and to protect our rights, privacy, safety, or property, and that of our users and the public.
3.6 Personalization. To personalize your experience with our Services, including by providing content recommendations, customizing the user interface, and tailoring communications to your interests and preferences.
4. AI Training Disclosure
We believe transparency about AI training practices is essential. This section explains how your data may or may not be used to train or improve our AI models.
4.1 API Customer Data. By default, data submitted through our APIs by customers on paid plans is NOT used to train, fine-tune, or improve our general-purpose AI models. Your Input Data and Output Data processed through our APIs remain yours, and we do not use this content to develop or enhance models that are made available to other customers. This commitment is a core part of our service.
4.2 Opt-In Training. You may voluntarily choose to opt in to allowing your data to be used for model improvement. If you opt in, your data may be used in aggregated and de-identified form to improve model quality, safety, and performance. You may opt in or out at any time through your account settings or by contacting us at [email protected]. Opting out does not affect the availability or quality of our Services to you.
4.3 Free and Standard Plans. Data submitted through free or standard plan services may be used in aggregated and de-identified form to improve our models and Services, on the basis of our legitimate interests in developing and improving our AI systems (GDPR Article 6(1)(f)). You may object to this processing at any time by contacting [email protected] or through your account settings. If you object, we will cease using your data for model training, though certain features that depend on this processing may be limited or unavailable.
4.4 Authentication and Anti-Fraud Telemetry. Independently of API content data, we collect a narrow set of behavioral signals from every authentication request, for example a pseudonymous device identifier, network-derived country, browser fingerprint hash, captcha verification status, request status code, and request duration. We use this data set to train and continuously improve the fraud-detection, bot-detection, and account-takeover-protection models that defend your account against credential stuffing, synthetic abuse, and unauthorized access. This processing is conducted on the basis of our legitimate interests in protecting the security of our users (GDPR Article 6(1)(f)) and is strictly necessary for the security of processing under GDPR Article 32. The raw telemetry is retained for a maximum of 365 days (see Section 5.1) and is stored in a dedicated cloud project, segregated by access controls from the authentication audit logs, so that engineers working on security models cannot see operational request logs and vice versa. You have the right to object to this processing at any time by contacting [email protected]; doing so may reduce the security guarantees we can provide on your account.
4.5 Knowledge Distillation and Persistent Models. The trained models that result from the processing in Section 4.4 are retained for as long as they remain in production use. These models are not personal data: they consist of numeric weights that encode learned statistical patterns and cannot be reverse-engineered to recover any individual's behavior or identity. When we retrain a model, we use a technique called knowledge distillation, in which the older model serves as a teacher to the newer model. This allows us to delete the underlying raw telemetry on the 365-day schedule described in Section 5.1 while the models continue to incorporate accumulated security knowledge. We consider this approach the most privacy-preserving way to maintain effective defenses against evolving attacks.
4.6 Safety Training. We may use data that has been stripped of all direct and indirect identifiers to improve the safety, security, and alignment of our AI systems. This de-identified data is used solely to train safety classifiers and content filters — not to improve the general capabilities of our models. This processing is conducted on the basis of our legitimate interests in providing safe and reliable AI services and protecting the public (GDPR Article 6(1)(f)).
4.7 Aggregated and De-Identified Data. We may use aggregated, anonymized, or de-identified data derived from your use of our Services for any purpose, including research, analytics, benchmarking, and product development. Such data cannot be used to identify you or any individual and is not subject to the restrictions described in this section.
5. Data Retention and Deletion
5.1 Retention Periods. We apply the principle of data minimization (GDPR Article 5(1)(e)): personal data is retained only for as long as necessary for the purpose for which it was collected. Retention windows are enforced automatically by our infrastructure, not by manual policy. The specific windows are:
Account information. Retained for the duration of your account and for 30 calendar days after you submit a deletion request. The 30-day window is a soft-delete grace period during which signing in restores the account; after that, the row is hard-deleted from our active databases by an hourly cleanup job. Encrypted off-site backups (used solely for disaster recovery) are created daily and expire after 90 days under an automatic lifecycle rule. Managed-database point-in-time recovery snapshots expire after 7 days. Combined worst case: zero residual personal data anywhere in our systems by day 127 after the deletion request (30-day grace period + 90-day backup expiry + 7-day snapshot expiry).
Authentication audit logs. Retained for a maximum of 90 days for operational debugging, incident response, and legal compliance. Stored in dedicated cloud storage with automatic lifecycle rules: 7 days in standard storage, then archived in cold storage, then deleted on day 90. The same hourly cleanup job that hard-deletes account rows simultaneously erases every line of these logs that references the deleted user, before backup rotation has a chance to copy them.
Behavioral telemetry for security models. Retained for a maximum of 365 days. During this period the data transitions through progressively cheaper storage tiers (30 days standard, 30 days nearline, then cold storage) before automatic deletion on day 365. This data set is segregated from authentication audit logs in a separate cloud project with its own access controls (see Section 4.4). The 365-day window is the upper bound necessary to retrain the fraud-detection and bot-detection models that protect our users from credential stuffing, account takeover, and synthetic abuse. After 365 days the raw events are deleted automatically; the trained models survive but contain no identifiable data (see Section 4.5 on knowledge distillation).
API Input and Output Data on paid plans. Retained for a maximum of 30 days for abuse monitoring and debugging, unless you have configured a shorter retention period in your account settings or opted in to longer retention for features such as conversation history.
Process logs. Application-level diagnostic logs (errors, warnings, server lifecycle events) are retained for 30 days in our cloud logging service and for 90 days in compressed archival storage, then automatically purged.
Payment records and transaction data. Retained for 7 years to comply with applicable tax and financial regulations.
5.2 Deletion Requests. You may request deletion of your personal information at any time through your account settings or by contacting us at [email protected]. Upon receiving a verified request:
Day 0 to 30: Your account enters a soft-delete state. You can cancel the deletion at any time during this window simply by signing in again. No new data is collected during this period.
Day 30 (within 1 hour): An hourly automated job (the "cleaner") performs an atomic hard-delete across every store where your data may live: live cache and ephemeral state, the authentication database, and the segregated behavioral-telemetry cloud project. Either every store is erased successfully or the job rolls back and retries on the next run; there is no partial state in which one store retains your data while another has erased it.
Day 30 to 395: Encrypted disaster-recovery backups age out under their automatic lifecycle rule. Daily database snapshots expire after 35 days. Weekly database snapshots are retained for up to 365 days in a tamper-evident, vault-locked store (AWS Backup Vault Lock in COMPLIANCE mode) so that we can respond to lawful preservation orders, subpoenas, and security investigations during the statutory window. The vault lock means that no employee — and no third party with our credentials, including ourselves under legal duress — can shorten, alter, or delete these snapshots before their retention period elapses. After the 395-day window, no personal data referencing you exists in any system we operate.
Security and authentication event records. Sign-in attempts, multi-factor enrollments, password changes, and similar account-security events are retained for the same 365-day window under GDPR Article 6(1)(f) (legitimate interest in detecting fraud and unauthorized access) and Article 6(1)(c) (legal obligation to assist law-enforcement preservation requests under, for example, 18 U.S.C. § 2703). These records survive a deletion request because they document past access to the account, not your current profile; they are the minimum necessary to demonstrate, on request, that an action was or was not taken from your account.
The only other exceptions are records we are legally required to retain (for example, payment transaction records under tax law) and aggregated, anonymized statistics that cannot be linked back to you. We will inform you if any exceptions apply to your request.
5.3 Data Portability. You may request a copy of your personal data in a structured, commonly used, and machine-readable format. We will provide this data within 30 days of receiving a verified request. The export includes every store within our retention windows; data outside those windows has been irrecoverably deleted as described above and cannot be reconstructed.
6. Legal Bases for Processing (GDPR Article 6)
If you are located in the European Economic Area ("EEA"), the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following legal bases:
6.1 Performance of a Contract (Article 6(1)(b)). Processing that is necessary to perform our contract with you, including providing our Services, managing your account, and processing payments.
6.2 Legitimate Interests (Article 6(1)(f)). Processing that is necessary for our legitimate interests or those of a third party, provided that your fundamental rights and freedoms do not override those interests. Our legitimate interests include operating and improving our Services, ensuring security and preventing fraud, conducting analytics, and direct marketing to existing customers. You have the right to object to processing based on legitimate interests.
6.3 Consent (Article 6(1)(a)). Processing for which you have given explicit consent, such as opting in to marketing communications, opting in to AI training data usage, or enabling optional data collection features. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
6.4 Legal Obligation (Article 6(1)(c)). Processing that is necessary for compliance with a legal obligation to which we are subject, such as tax reporting requirements, responding to lawful government requests, or maintaining records required by applicable regulations.
6.5 Vital Interests (Article 6(1)(d)). In rare circumstances, processing that is necessary to protect the vital interests of you or another person, such as in emergency situations involving safety threats.
7. Data Sharing and Third Parties
We do not sell your personal information. We may share your information in the following limited circumstances:
7.1 Service Providers. We share information with a small number of third-party service providers who perform infrastructure functions on our behalf. We list the categories below; an up-to-date list of named subprocessors is available to enterprise customers on request at [email protected]. Every provider is contractually bound to use your information only for the purposes of providing services to us, is subject to confidentiality obligations, and signs a data processing agreement that complies with applicable law.
Cloud infrastructure provider. Hosts our compute, managed databases, encrypted object storage, and secret management. Your account data and authentication audit logs reside on this provider's infrastructure in the United States. Anti-fraud telemetry resides on the same provider in a separate, isolated project.
Edge network and DDoS provider. Sits in front of our origin servers to terminate TLS, mitigate distributed denial-of-service attacks, route traffic via a private tunnel, serve our static front-end, and provide a captcha challenge. This provider observes connection metadata (IP, user-agent, country) for every request that reaches us.
Cross-cloud disaster-recovery storage. A separate object storage provider, operated by a different company than our primary cloud provider, holds an encrypted copy of our database backups so that a region-wide failure of one provider does not result in data loss. Backups are encrypted with AES-256-CBC before leaving our infrastructure; the provider cannot read their contents.
Transactional email delivery. Sends verification emails, password resets, and security notifications. Receives only the recipient address, subject, and HTML body necessary to deliver the message.
Payment processor. Handles credit-card and other payment-method data on PCI-DSS-compliant infrastructure; we never store full card numbers ourselves.
7.2 Legal Requirements. We may disclose your information if required to do so by law or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, protect and defend our rights or property, prevent fraud or other illegal activity, protect the personal safety of users or the public, or respond to a lawful request from a governmental authority.
7.3 Business Transfers. If Neuraphic is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
7.4 With Your Consent. We may share your information with third parties when you have explicitly consented to such sharing.
7.5 Affiliates. We may share information with our corporate affiliates and subsidiaries for purposes consistent with this Privacy Policy.
7.6 No Sale of Personal Information. We do not sell, rent, or trade your personal information to third parties for their marketing purposes. For purposes of the CCPA/CPRA, we do not "sell" or "share" (as those terms are defined under the CCPA/CPRA) your personal information.
8. International Data Transfers
8.1 Transfer Mechanisms. Neuraphic is headquartered in the United States. Our primary processing infrastructure is located in the United States. Encrypted disaster-recovery copies of our database backups are additionally stored on a cross-cloud provider with global object replication, for the sole purpose of guaranteeing that a single-provider failure does not result in data loss. The backups are encrypted with AES-256-CBC before leaving our primary infrastructure and the disaster-recovery providers cannot read their contents. If you access our Services from outside the United States, your information may also be transferred to, stored in, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your country.
8.2 Safeguards for EEA/UK Transfers. When we transfer personal data from the EEA or the UK to countries that have not been deemed to provide an adequate level of data protection by the European Commission or UK authorities, we implement appropriate safeguards, including Standard Contractual Clauses ("SCCs") adopted by the European Commission, supplemented by additional technical and organizational measures where necessary. You may request a copy of the applicable SCCs by contacting us at [email protected].
8.3 Additional Safeguards. Regardless of where your data is processed, we apply the same level of protection described in this Privacy Policy and implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, access controls, and regular security assessments.
9. Your Rights
Depending on your location, you may have some or all of the following rights with respect to your personal information:
9.1 Rights Under the GDPR (EEA and UK Residents).
Right of Access. You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.
Right to Rectification. You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
Right to Erasure ("Right to Be Forgotten"). You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
Right to Restriction of Processing. You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
Right to Object. You have the right to object to processing of your personal data based on our legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making. You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you. Where our AI systems make automated decisions that affect you, you have the right to obtain human intervention, express your point of view, and contest the decision.
Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection supervisory authority.
9.2 Rights Under the CCPA/CPRA (California Residents).
Right to Know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which personal information is collected, the business or commercial purpose for collecting or selling personal information, and the categories of third parties with whom we share personal information.
Right to Delete. You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
Right to Correct. You have the right to request that we correct inaccurate personal information that we maintain about you.
Right to Opt Out. You have the right to opt out of the "sale" or "sharing" of your personal information. As stated above, we do not sell or share your personal information as defined by the CCPA/CPRA.
Right to Non-Discrimination. You have the right not to receive discriminatory treatment for exercising your privacy rights.
Right to Limit Use of Sensitive Personal Information. If we collect sensitive personal information, you have the right to limit our use and disclosure of that information.
9.3 Rights Under Other Applicable Laws. If you are located in Brazil (LGPD), Canada (PIPEDA), Australia, Japan, South Korea, or another jurisdiction with applicable data protection legislation, you may have similar rights under your local law. We will honor requests made under applicable local data protection laws. Please contact us at [email protected] to exercise your rights.
9.4 Exercising Your Rights. To exercise any of the rights described above, please contact us at [email protected] or use the tools available in your account settings. We will respond to your request within 30 days (or such shorter period as required by applicable law). We may need to verify your identity before fulfilling your request. If we cannot verify your identity, we may request additional information from you. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.
10. Children's Privacy
Our Services are not directed to children under the age of 18 (or such other age as required by applicable law). We do not knowingly collect personal information from children under the age of 18. If you are a parent or guardian and you believe that your child has provided us with personal information, please contact us at [email protected] and we will take steps to delete such information from our systems promptly. If we become aware that we have collected personal information from a child under the applicable age without verification of parental consent, we will take steps to remove that information from our servers.
11. Security Measures
11.1 Technical and Organizational Measures. We implement and maintain appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
Encryption of data in transit using TLS 1.2 or higher, and encryption of data at rest using AES-256 or equivalent standards.
Access controls based on the principle of least privilege, including role-based access control and multi-factor authentication for administrative access.
Regular security assessments, penetration testing, and vulnerability scanning of our infrastructure and applications.
Employee security training and background checks for personnel with access to personal data.
Incident response procedures and breach notification processes in compliance with applicable laws.
Physical security measures for our data center infrastructure, including access controls and environmental protections.
Secure software development practices, including code review, automated testing, and security-focused design reviews.
While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information, but we are committed to maintaining commercially reasonable security measures and continuously improving our security posture.
11.2 Data Breach Notification. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay. We comply with all applicable state and federal breach notification requirements.
12. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals, including the use of data for AI model training and automated decision-making. Summaries of relevant DPIAs are available upon request to our Data Protection Contact.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy with a revised "Last Updated" date and, where required by applicable law, by sending you an email notification or providing a prominent notice within our Services. For changes to processing that rely on consent, we will seek re-consent rather than rely on continued use as acceptance.
14. Data Protection Contact
If you have questions or concerns about our data protection practices, or if you wish to exercise your rights under applicable data protection law, you may contact our Data Protection Contact at [email protected].
For EEA and UK residents, you may also lodge a complaint with your local data protection supervisory authority.
15. International Representatives
For individuals in the European Economic Area, our EU representative pursuant to GDPR Article 27 can be contacted at [email protected]. For individuals in the United Kingdom, our UK representative pursuant to UK GDPR Article 27 can be contacted at [email protected].
16. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Neuraphic, Inc.
Attn: Legal Department
Email: [email protected]
We will endeavor to respond to all inquiries within a reasonable timeframe and no later than 30 days from receipt of your request, or such shorter period as required by applicable law.