Safety Company News
Get Workers

Privacy Policy

How Neuraphic collects, uses, shares, and protects your personal information when you use our products, services, and websites. Last updated April 1, 2026.

Neuraphic, Inc. ("Neuraphic," "we," "us," or "our") is a Delaware corporation that develops artificial intelligence products and services, including AI security tools and an AI agents platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our websites, use our products (including Prion, Claeth, and Workers), access our APIs, or otherwise interact with our services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.

This Privacy Policy applies globally and is designed to comply with the European Union General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the United Kingdom Data Protection Act 2018 and UK GDPR, Brazil's Lei Geral de Proteção de Dados ("LGPD"), Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), and other applicable data protection laws worldwide.

1. Information We Collect

We collect information in several ways depending on how you interact with our Services. The categories of information we collect include the following:

1.1 Account Information. When you create an account, we collect your name, email address, organization name (if applicable), billing address, and payment information. If you sign up using a single sign-on provider, we receive your name, email address, and a unique identifier from that provider. We also collect your account preferences, authentication credentials (stored in hashed form), and multi-factor authentication details.

1.2 Personal Information You Provide. We collect information you voluntarily provide to us, such as when you contact our support team, participate in surveys, apply for a job, subscribe to our newsletter, or otherwise communicate with us. This may include your name, email address, phone number, job title, company affiliation, and the content of your messages.

1.3 Usage Data. We automatically collect information about how you interact with our Services, including the pages you visit, the features you use, the actions you take, the time and date of your visits, the duration of your sessions, referring and exit URLs, and click patterns. For API users, we collect request timestamps, endpoint paths, response codes, latency metrics, and token usage counts.

1.4 Device and Technical Information. We automatically collect certain technical information when you access our Services, including your IP address, browser type and version, operating system, device type, device identifiers, screen resolution, language preferences, and time zone. We also collect information through cookies, pixel tags, and similar tracking technologies as described in our Cookie Policy.

1.5 Log Data. Our servers automatically record information when you access our Services, including your IP address, the date and time of each request, the referring page, and system configuration information. For API access, we log request headers (excluding authorization tokens), request and response sizes, and error details.

1.6 Payment Information. When you make a purchase or subscribe to a paid plan, we collect billing details such as your credit card number, expiration date, and billing address. Payment information is processed by our payment processor and is not stored on our servers in unencrypted form. We retain transaction identifiers, amounts, dates, and the last four digits of your payment method for record-keeping and dispute resolution.

2. AI-Specific Data

Given the nature of our AI products and services, we collect and process certain categories of data that are specific to artificial intelligence systems:

2.1 Model Inputs and Outputs. When you use our AI-powered Services, we process the data you submit as input to our models ("Input Data") and the data generated by our models in response ("Output Data"). Input Data may include text prompts, documents, code, configuration parameters, and any other content you provide. Output Data includes AI-generated text, analysis results, security assessments, classification labels, agent actions, and any other content produced by our models.

2.2 Conversation and Interaction Logs. For products that involve multi-turn interactions (such as Workers agents), we maintain logs of the interaction sequence, including the series of inputs and outputs, timestamps, session identifiers, and the model version used. These logs are retained to enable session continuity, debugging, and abuse prevention.

2.3 API Call Metadata. For API users, we collect metadata associated with each API call, including the API endpoint accessed, request and response sizes, token counts (input and output), model identifiers, latency measurements, rate limit status, and error codes. This metadata does not include the substantive content of your inputs or outputs unless you have specifically opted in to content logging for your account.

2.4 Model Performance Data. We collect aggregated and de-identified data about model performance, including accuracy metrics, latency distributions, error rates, and usage patterns. This data is used to monitor, maintain, and improve the quality and reliability of our AI systems.

2.5 Safety and Security Signals. Our AI security products (Prion and Claeth) process data specifically for the purpose of detecting and mitigating threats to AI systems. This includes adversarial input patterns, anomaly scores, classification confidence levels, threat signatures, and security event logs. When you deploy our security products, they may process data flowing through your AI systems in order to provide protective functionality.

3. How We Use Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Operations. To provide, maintain, and operate our Services, including processing your requests, delivering AI model outputs, managing your account, processing payments, providing customer support, and communicating with you about your use of our Services.

3.2 Safety, Security, and Abuse Prevention. To protect the safety and security of our Services, our users, and the public. This includes detecting and preventing fraud, abuse, security incidents, and other harmful activity; enforcing our Terms of Service and Acceptable Use Policy; and monitoring for violations of our usage policies. Our AI security products specifically operate to detect adversarial attacks, prompt injection attempts, data exfiltration, and other threats to AI systems.

3.3 Service Improvement and Development. To understand how our Services are used, identify areas for improvement, develop new features and products, conduct research, and perform analytics. We use aggregated and de-identified data for these purposes wherever possible.

3.4 Communication. To send you transactional communications (such as account confirmations, billing receipts, and security alerts), respond to your inquiries, and, where you have opted in, send you marketing communications about our products and services. You may opt out of marketing communications at any time.

3.5 Legal Compliance. To comply with applicable laws, regulations, legal processes, and governmental requests; to enforce our agreements; and to protect our rights, privacy, safety, or property, and that of our users and the public.

3.6 Personalization. To personalize your experience with our Services, including by providing content recommendations, customizing the user interface, and tailoring communications to your interests and preferences.

4. AI Training Disclosure

We believe transparency about AI training practices is essential. This section explains how your data may or may not be used to train or improve our AI models.

4.1 API Customer Data. By default, data submitted through our APIs by customers on paid plans is NOT used to train, fine-tune, or improve our general-purpose AI models. Your Input Data and Output Data processed through our APIs remain yours, and we do not use this content to develop or enhance models that are made available to other customers. This commitment is a core part of our service.

4.2 Opt-In Training. You may voluntarily choose to opt in to allowing your data to be used for model improvement. If you opt in, your data may be used in aggregated and de-identified form to improve model quality, safety, and performance. You may opt in or out at any time through your account settings or by contacting us at [email protected]. Opting out does not affect the availability or quality of our Services to you.

4.3 Free and Standard Plans. Data submitted through free or standard plan services may be used in aggregated and de-identified form to improve our models and Services, on the basis of our legitimate interests in developing and improving our AI systems (GDPR Article 6(1)(f)). You may object to this processing at any time by contacting [email protected] or through your account settings. If you object, we will cease using your data for model training, though certain features that depend on this processing may be limited or unavailable.

4.4 Safety Training. We may use data that has been stripped of all direct and indirect identifiers to improve the safety, security, and alignment of our AI systems. This de-identified data is used solely to train safety classifiers and content filters — not to improve the general capabilities of our models. This processing is conducted on the basis of our legitimate interests in providing safe and reliable AI services and protecting the public (GDPR Article 6(1)(f)).

4.5 Aggregated and De-Identified Data. We may use aggregated, anonymized, or de-identified data derived from your use of our Services for any purpose, including research, analytics, benchmarking, and product development. Such data cannot be used to identify you or any individual and is not subject to the restrictions described in this section.

5. Data Retention and Deletion

5.1 Retention Periods. We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. The specific retention period depends on the nature of the data and the purpose for which it was collected:

Account information is retained for the duration of your account and for up to 30 days following account deletion, after which it is permanently removed from our active systems. Backup copies may persist for up to 90 additional days before being overwritten.

API Input and Output Data processed on paid plans is retained for a maximum of 30 days for operational purposes (such as abuse monitoring and debugging), unless you have configured a shorter retention period in your account settings, or unless you have opted in to longer retention for features such as conversation history.

Usage data and server logs are retained for up to 24 months for analytics, security monitoring, and service improvement purposes. IP addresses in server logs are anonymized after 90 days.

Payment records and transaction data are retained for 7 years to comply with applicable tax and financial regulations.

5.2 Deletion Requests. You may request deletion of your personal information at any time by contacting us at [email protected] or through your account settings. Upon receiving a verified deletion request, we will delete or de-identify your personal information within 30 days, except where retention is required by law or necessary for our legitimate business interests (such as fraud prevention and security). We will inform you if any exceptions apply to your request.

5.3 Data Portability. You may request a copy of your personal data in a structured, commonly used, and machine-readable format. We will provide this data within 30 days of receiving a verified request.

6. Legal Bases for Processing (GDPR Article 6)

If you are located in the European Economic Area ("EEA"), the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following legal bases:

6.1 Performance of a Contract (Article 6(1)(b)). Processing that is necessary to perform our contract with you, including providing our Services, managing your account, and processing payments.

6.2 Legitimate Interests (Article 6(1)(f)). Processing that is necessary for our legitimate interests or those of a third party, provided that your fundamental rights and freedoms do not override those interests. Our legitimate interests include operating and improving our Services, ensuring security and preventing fraud, conducting analytics, and direct marketing to existing customers. You have the right to object to processing based on legitimate interests.

6.3 Consent (Article 6(1)(a)). Processing for which you have given explicit consent, such as opting in to marketing communications, opting in to AI training data usage, or enabling optional data collection features. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

6.4 Legal Obligation (Article 6(1)(c)). Processing that is necessary for compliance with a legal obligation to which we are subject, such as tax reporting requirements, responding to lawful government requests, or maintaining records required by applicable regulations.

6.5 Vital Interests (Article 6(1)(d)). In rare circumstances, processing that is necessary to protect the vital interests of you or another person, such as in emergency situations involving safety threats.

7. Data Sharing and Third Parties

We do not sell your personal information. We may share your information in the following limited circumstances:

7.1 Service Providers. We share information with third-party service providers who perform services on our behalf, such as cloud hosting, payment processing, analytics, customer support tools, and email delivery. These providers are contractually bound to use your information only for the purposes of providing services to us and are subject to confidentiality obligations and data processing agreements that comply with applicable law.

7.2 Legal Requirements. We may disclose your information if required to do so by law or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, protect and defend our rights or property, prevent fraud or other illegal activity, protect the personal safety of users or the public, or respond to a lawful request from a governmental authority.

7.3 Business Transfers. If Neuraphic is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

7.4 With Your Consent. We may share your information with third parties when you have explicitly consented to such sharing.

7.5 Affiliates. We may share information with our corporate affiliates and subsidiaries for purposes consistent with this Privacy Policy.

7.6 No Sale of Personal Information. We do not sell, rent, or trade your personal information to third parties for their marketing purposes. For purposes of the CCPA/CPRA, we do not "sell" or "share" (as those terms are defined under the CCPA/CPRA) your personal information.

8. International Data Transfers

8.1 Transfer Mechanisms. Neuraphic is headquartered in the United States. If you access our Services from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your country.

8.2 Safeguards for EEA/UK Transfers. When we transfer personal data from the EEA or the UK to countries that have not been deemed to provide an adequate level of data protection by the European Commission or UK authorities, we implement appropriate safeguards, including Standard Contractual Clauses ("SCCs") adopted by the European Commission, supplemented by additional technical and organizational measures where necessary. You may request a copy of the applicable SCCs by contacting us at [email protected].

8.3 Additional Safeguards. Regardless of where your data is processed, we apply the same level of protection described in this Privacy Policy and implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, access controls, and regular security assessments.

9. Your Rights

Depending on your location, you may have some or all of the following rights with respect to your personal information:

9.1 Rights Under the GDPR (EEA and UK Residents).

Right of Access. You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.

Right to Rectification. You have the right to request correction of inaccurate personal data and completion of incomplete personal data.

Right to Erasure ("Right to Be Forgotten"). You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

Right to Restriction of Processing. You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object. You have the right to object to processing of your personal data based on our legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making. You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you. Where our AI systems make automated decisions that affect you, you have the right to obtain human intervention, express your point of view, and contest the decision.

Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection supervisory authority.

9.2 Rights Under the CCPA/CPRA (California Residents).

Right to Know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which personal information is collected, the business or commercial purpose for collecting or selling personal information, and the categories of third parties with whom we share personal information.

Right to Delete. You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.

Right to Correct. You have the right to request that we correct inaccurate personal information that we maintain about you.

Right to Opt Out. You have the right to opt out of the "sale" or "sharing" of your personal information. As stated above, we do not sell or share your personal information as defined by the CCPA/CPRA.

Right to Non-Discrimination. You have the right not to receive discriminatory treatment for exercising your privacy rights.

Right to Limit Use of Sensitive Personal Information. If we collect sensitive personal information, you have the right to limit our use and disclosure of that information.

9.3 Rights Under Other Applicable Laws. If you are located in Brazil (LGPD), Canada (PIPEDA), Australia, Japan, South Korea, or another jurisdiction with applicable data protection legislation, you may have similar rights under your local law. We will honor requests made under applicable local data protection laws. Please contact us at [email protected] to exercise your rights.

9.4 Exercising Your Rights. To exercise any of the rights described above, please contact us at [email protected] or use the tools available in your account settings. We will respond to your request within 30 days (or such shorter period as required by applicable law). We may need to verify your identity before fulfilling your request. If we cannot verify your identity, we may request additional information from you. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.

10. Children's Privacy

Our Services are not directed to children under the age of 18 (or such other age as required by applicable law). We do not knowingly collect personal information from children under the age of 18. If you are a parent or guardian and you believe that your child has provided us with personal information, please contact us at [email protected] and we will take steps to delete such information from our systems promptly. If we become aware that we have collected personal information from a child under the applicable age without verification of parental consent, we will take steps to remove that information from our servers.

11. Security Measures

We implement and maintain appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit using TLS 1.2 or higher, and encryption of data at rest using AES-256 or equivalent standards. Access controls based on the principle of least privilege, including role-based access control and multi-factor authentication for administrative access. Regular security assessments, penetration testing, and vulnerability scanning of our infrastructure and applications. Employee security training and background checks for personnel with access to personal data. Incident response procedures and breach notification processes in compliance with applicable laws. Physical security measures for our data center infrastructure, including access controls and environmental protections. Secure software development practices, including code review, automated testing, and security-focused design reviews.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information, but we are committed to maintaining commercially reasonable security measures and continuously improving our security posture.

11.2 Data Breach Notification. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay. We comply with all applicable state and federal breach notification requirements.

12. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals, including the use of data for AI model training and automated decision-making. Summaries of relevant DPIAs are available upon request to our Data Protection Contact.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy with a revised "Last Updated" date and, where required by applicable law, by sending you an email notification or providing a prominent notice within our Services. For changes to processing that rely on consent, we will seek re-consent rather than rely on continued use as acceptance.

14. Data Protection Contact

If you have questions or concerns about our data protection practices, or if you wish to exercise your rights under applicable data protection law, you may contact our Data Protection Contact at [email protected].

For EEA and UK residents, you may also lodge a complaint with your local data protection supervisory authority.

15. International Representatives

For individuals in the European Economic Area, our EU representative pursuant to GDPR Article 27 can be contacted at [email protected]. For individuals in the United Kingdom, our UK representative pursuant to UK GDPR Article 27 can be contacted at [email protected].

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Neuraphic, Inc.
Attn: Legal Department
Email: [email protected]

We will endeavor to respond to all inquiries within a reasonable timeframe and no later than 30 days from receipt of your request, or such shorter period as required by applicable law.