Privacy Policy
Last updated: 3 June 2026
Introduction
This Privacy Policy explains how Neudash Pty Ltd (ABN 42 692 560 517) ("Neudash", "we", "us" or "our") collects, uses, stores, discloses and otherwise processes Personal Information in connection with our website at www.neudash.com and our AI-powered automation platform and related services (collectively, the "Services").
Neudash is committed to complying with all applicable data protection and privacy laws in the jurisdictions in which we operate, including:
- the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") (Australia);
- Regulation (EU) 2016/679 (the "EU GDPR") and applicable EU member state implementing legislation (European Economic Area);
- the EU GDPR as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"), together with the Data Protection Act 2018 (UK) (United Kingdom); and
- the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (the "CCPA"), and other applicable US state privacy laws (United States).
If you are located in the United Kingdom or European Economic Area, please also refer to Addendum A, which contains additional information specific to your rights under the UK GDPR and EU GDPR. If you are located in the United States, please also refer to Addendum B, which contains additional information specific to your rights under the CCPA and other applicable US state privacy laws.
This Privacy Policy should be read together with our Terms of Service, which are incorporated by reference. In the event of any inconsistency between the Terms of Service and this Privacy Policy in relation to the handling of Personal Information, this Privacy Policy will prevail.
Data Controller
For the purposes of the UK GDPR and EU GDPR, the data controller of your Personal Information is:
Neudash Pty Ltd (ABN 42 692 560 517)
12/62 Ocean Street, Woollahra, New South Wales 2025, Australia
Email: privacy@neudash.com
For the purposes of the CCPA, Neudash is the "business" that determines the purposes and means of processing your Personal Information.
Definitions
In this Privacy Policy:
"Customer Content" means any data, text, files, documents, images or other content that you upload, submit, transmit or make available through the Services, including content processed by our AI features to generate Outputs.
"Output" means any content, text, data, analysis or other material generated by the Services in response to your Customer Content or instructions.
"Personal Information" means:
- "personal information" as defined in the Privacy Act 1988 (Cth);
- "personal data" as defined in the EU GDPR or the UK GDPR;
- "personal information" as defined in the CCPA; and
- any information that constitutes "personal information", "personal data" or any equivalent term under any other applicable data protection or privacy law,
in each case, to the extent that such law applies to the processing of that information in connection with the Services.
"Sensitive Information" means:
- "sensitive information" as defined in the Privacy Act 1988 (Cth);
- "special categories of personal data" as defined in Article 9 of the EU GDPR or the UK GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning sex life or sexual orientation); and
- "sensitive personal information" as defined in the CCPA,
in each case, to the extent applicable.
What Personal Information We Collect
Information you provide directly
We collect Personal Information that you provide to us directly, including:
- Account information: your name, email address, password, company name, job title and billing address when you create an account or subscribe to the Services.
- Payment information: credit card details, billing address and other financial information necessary to process payments. Payment processing is handled by our third-party payment processor, Stripe, and we do not store full credit card numbers on our systems.
- Customer Content: any data, documents, emails, text or other content that you upload to or process through the Services, including content transmitted to our AI features for the purpose of generating Outputs. Customer Content may contain Personal Information relating to you or to third parties (for example, if you connect your email account to the Services).
- Community forum content: information you provide when you register for or participate in a Neudash community forum, including your username, profile information, posts, replies, reactions, moderation history, notification preferences and any information you choose to include in forum content.
- Communications: information you provide when you contact our support team, respond to surveys, provide feedback, or otherwise communicate with us.
- Identity verification: information required to verify your identity when you exercise your data protection rights.
Information we collect automatically
When you access or use the Services, we automatically collect certain information, including:
- Usage data: information about how you use the Services, including features accessed, actions taken, frequency and duration of use, and interactions with Outputs.
- Device and technical data: your IP address, browser type and version, operating system, device identifiers, pseudonymous user identifiers (such as your Firebase UID), screen resolution, language preferences and time zone.
- Log data: server logs recording access times, pages viewed, referring URLs, and system activity.
- Cookies and similar technologies: information collected through cookies, web beacons, pixels and similar tracking technologies, as described in the "Cookies and Tracking Technologies" section below.
Information we receive from third parties
We may receive Personal Information about you from third parties, including:
- third-party services that you connect to your Neudash account (for example, email providers, calendar applications or cloud storage services);
- our payment processor (Stripe) in connection with the processing of transactions; and
- publicly available sources, to the extent permitted by applicable law.
Sensitive Information
Certain Services (including client and matter management, document collection and triage, and integrations with third-party professional software) are designed to process Customer Content that may routinely contain Sensitive Information. For example, if you use the Services in connection with migration, legal, healthcare, accounting or financial services, your Customer Content may include information revealing racial or ethnic origin, health information, religious beliefs, financial data or other categories of Sensitive Information. Neudash processes this Sensitive Information solely for the purpose of providing the Services to you.
Where your Customer Content contains Sensitive Information, we will handle it in accordance with this Privacy Policy and all applicable data protection laws. We will only use Sensitive Information contained in your Customer Content for the purpose of providing the Services to you, unless we have your express consent or are required or permitted by law to use it for another purpose. We implement additional safeguards for Sensitive Information, including as described in the "How We Protect Your Personal Information" section.
How and Why We Use Your Personal Information
Purposes and lawful bases
We use your Personal Information for the following purposes. Where the UK GDPR or EU GDPR applies, we have identified the lawful basis for each purpose:
| Purpose | Description | Lawful Basis (UK/EU GDPR) |
|---|---|---|
| Providing the Services | Operating, maintaining and delivering the Services to you, including processing your Customer Content (which may contain Sensitive Information) through our AI features to generate Outputs, and providing client and matter management, document collection and triage, and third-party software integration functionality | Performance of a contract (Article 6(1)(b)). Where Customer Content contains special categories of personal data (Article 9), the additional lawful basis is: explicit consent (Article 9(2)(a)), provided by uploading the relevant content; or, for healthcare-related Services, the provision of health or social care (Article 9(2)(h)), where processing is necessary and subject to appropriate safeguards. |
| Account management | Creating and managing your account, authenticating your identity, and communicating with you about your account | Performance of a contract (Article 6(1)(b)) |
| Payment processing | Processing payments, managing subscriptions, issuing invoices and handling refunds | Performance of a contract (Article 6(1)(b)) |
| Customer support | Responding to your enquiries, troubleshooting issues and providing technical support | Performance of a contract (Article 6(1)(b)); Legitimate interests (Article 6(1)(f)) |
| Service improvement | Analysing usage patterns and performance metrics (using de-identified and aggregated data only) to improve, develop and enhance the Services | Legitimate interests (Article 6(1)(f)) |
| Security and fraud prevention | Detecting, preventing and responding to security incidents, fraud, abuse and other harmful activity | Legitimate interests (Article 6(1)(f)); Compliance with legal obligations (Article 6(1)(c)) |
| Legal compliance | Complying with applicable laws, regulations, legal processes and government requests | Compliance with legal obligations (Article 6(1)(c)) |
| Marketing | Sending you information about our products, services, promotions and events (subject to your consent where required) | Consent (Article 6(1)(a)); Legitimate interests (Article 6(1)(f)) (existing customers — soft opt-in) |
| Analytics | Understanding how the Services are used, measuring effectiveness and generating aggregated benchmarking data | Legitimate interests (Article 6(1)(f)) |
AI-specific processing
The Services use artificial intelligence and machine learning technologies (including large language models provided by third-party AI providers) to process your Customer Content and generate Outputs. This processing involves the transmission of your Customer Content to our third-party AI providers for the sole purpose of generating Outputs as part of the Services.
We do not use your Customer Content (including any Outputs generated from your Customer Content) to train, fine-tune, improve or develop any machine learning model or artificial intelligence model, whether owned or operated by Neudash or any third party. We do not permit our third-party AI providers to use your Customer Content to train, fine-tune or improve their own models or any third-party models. Our agreements with these providers contain contractual restrictions to this effect.
De-identified and aggregated data
We may use de-identified, anonymised and aggregated data derived from your use of the Services (including usage patterns, feature interaction data and performance metrics, but excluding any Customer Content from which you or any individual could reasonably be identified) for the purposes of improving, developing and enhancing the Services, conducting research and analysis, and generating benchmarking data. De-identified and aggregated data does not constitute Personal Information or Customer Content for the purposes of this Privacy Policy.
Marketing
We may send you direct marketing communications about our products, services, promotions and events by email or other electronic means. Where required by applicable law (including PECR in the UK, the ePrivacy Directive in the EEA, and the Spam Act 2003 (Cth) in Australia), we will obtain your prior opt-in consent before sending marketing communications, except where we are permitted to rely on the "soft opt-in" exemption (ie, where you are an existing customer and the marketing relates to similar products or services).
You may opt out of receiving marketing communications at any time by clicking the "unsubscribe" link in any marketing email, adjusting your account settings, or contacting us at privacy@neudash.com. If you opt out, we will cease sending you marketing communications, but we may still send you transactional and service-related communications that are necessary for the operation of your account.
Whom We Share Your Personal Information With
Categories of recipients
We may disclose your Personal Information to the following categories of recipients:
- Third-party AI providers: We use third-party large language model providers to deliver the AI features of the Services. Customer Content is transmitted to these providers for the sole purpose of generating Outputs. These providers are contractually prohibited from using your Customer Content to train their own models.
- Cloud hosting and infrastructure providers: We use Google Cloud Platform to store and process data in connection with the Services.
- Payment processors: We use Stripe to process payments. Stripe's privacy policy is available at https://stripe.com/privacy.
- Analytics and monitoring providers: We use Google Analytics (provided by Google LLC) to monitor the performance of the Services and analyse usage patterns. We transmit your Firebase UID to Google Analytics as a pseudonymous user identifier to enable per-user analytics. Although we have disabled all optional data sharing settings within Google Analytics, Google receives this identifier together with usage and technical data collected through cookies and similar technologies.
- Communication and community providers: We use Customer.io, Discourse, PostHog and Twilio for certain customer communication, community forum and messaging features of the Services.
- Professional advisers: We may disclose Personal Information to our legal, accounting and other professional advisers in connection with the management of our business.
- Law enforcement and regulators: We may disclose Personal Information where required to do so by applicable law, regulation, legal process or government request, or where we reasonably believe disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request.
- Corporate transactions: In connection with a merger, acquisition, corporate reorganisation, sale of assets, financing or similar transaction, your Personal Information may be transferred to the acquiring entity, provided that the acquiring entity agrees to handle your Personal Information in accordance with this Privacy Policy.
A current list of our subprocessors (including the services they provide and the countries in which they are located) is available on our Subprocessors page and is updated from time to time. If you subscribe to subprocessor notifications via your account settings, we will notify you of any material changes to this list.
No sale or sharing of Personal Information
Neudash does not "sell" or "share" (as those terms are defined in the CCPA) your Personal Information to third parties for monetary or other valuable consideration, and has not done so in the preceding 12 months.
International Transfers
Neudash is based in Australia. Your Personal Information may be stored and processed in Australia, the United States and any other country in which Neudash or its subprocessors maintain facilities.
Where your Personal Information is transferred to a country that has not been deemed to provide an adequate level of data protection:
- For users in Australia: We will take reasonable steps, in accordance with APP 8, to ensure that overseas recipients of your Personal Information do not breach the APPs in relation to your Personal Information.
- For users in the UK and EEA: We rely on appropriate safeguards under Article 46 of the UK GDPR / EU GDPR, including the European Commission's standard contractual clauses (as supplemented by any additional measures required by applicable law). You may request a copy of the applicable safeguards by contacting us at privacy@neudash.com.
- For all users: We require all subprocessors and service providers that process Personal Information on our behalf to enter into data processing agreements that include appropriate data protection obligations, including obligations relating to international data transfers.
How We Protect Your Personal Information
Security measures
We implement and maintain reasonable technical and organisational measures designed to protect Personal Information from unauthorised access, use, disclosure, alteration, destruction or loss. These measures include:
- Encryption: Data is encrypted in transit (using TLS 1.2 or higher) and at rest (using AES-256 or equivalent encryption standards).
- Access controls: Access to Personal Information is restricted to personnel who require access to perform their duties. Access is controlled through role-based permissions, multi-factor authentication and audit logging.
- Staff training: All personnel who handle Personal Information receive regular training on data protection and information security.
- Incident response: We maintain an incident response plan for detecting, responding to and recovering from data security incidents. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law.
- Third-party security: We require all subprocessors and service providers to maintain appropriate technical and organisational security measures, and we assess their security practices before engaging them.
- Penetration testing and vulnerability management: We conduct regular penetration testing and vulnerability assessments of our systems and infrastructure.
For further information about our security practices, please refer to our Security Overview.
Staff access to Customer Content
Neudash personnel may access your Customer Content only in the following limited circumstances:
- where you have requested support and access to your account or content is necessary to resolve your enquiry;
- where access is required to identify, investigate or remediate a technical error or security incident affecting the Services;
- where access is necessary to investigate a suspected violation of these Terms or to protect the safety of any person; or
- where we are required to do so by applicable law, regulation or legal process.
All staff access to Customer Content is logged and auditable.
How Long We Keep Your Personal Information
Retention periods
We retain your Personal Information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
| Category of Data | Retention Period |
|---|---|
| Account information | For the duration of your account, and for a period of 12 months after account closure (for the purpose of responding to post-closure enquiries and complying with legal obligations) |
| Customer Content | Deleted from active systems within 30 days of account closure or deletion request, and from backup systems within 60 days, unless: (a) a longer retention period is specified in applicable Product-Specific Terms; or (b) retention is required to comply with a legal, regulatory or professional record-keeping obligation applicable to you, in which case we will retain the relevant Customer Content for the minimum period required and delete it promptly thereafter. You are responsible for requesting or arranging export of your Customer Content before account closure. |
| Payment and billing records | For the period required by applicable tax and accounting laws (typically 7 years) |
| Usage and analytics data | Retained in de-identified and aggregated form for as long as necessary for service improvement purposes. Identifiable usage data is deleted within 2 months. |
| Communications, community forum and support records | For the duration of your account plus 24 months, unless forum content remains visible for community continuity or a longer period is required for legal, moderation or security purposes |
| Cookies and tracking data | See the "Cookies and Tracking Technologies" section below |
Deletion on account closure
Upon termination or expiry of your account:
- your Customer Content will become inaccessible immediately, unless you have requested and completed export of your content prior to closure;
- your Customer Content will be permanently deleted from our active systems within 30 days;
- your Customer Content will be permanently deleted from our backup systems within 60 days; and
- we will use reasonable endeavours to procure the deletion of any copies of your Customer Content held by third-party AI providers engaged by Neudash.
We may retain Personal Information for longer than the periods specified above where required to comply with applicable law, resolve disputes, enforce our Terms of Service, or protect our legal rights.
Content you delete within your account
Content (including any Personal Information) which you upload to Neudash services will be stored on our servers for as long as your account is active. However, if you use the "trash" function to delete any such content, it will remain accessible for approximately 25 days, following which it cannot be accessed (however, it may remain on our servers and application database backups for up to another 60 additional days). Altogether, any content trashed in your product accounts should be purged from all of our systems and logs within 90 days.
Cookies and Tracking Technologies
What are cookies
Cookies are small text files that are placed on your device when you visit a website. We use cookies and similar tracking technologies (including web beacons, pixels and local storage) to operate, secure and improve the Services.
Categories of cookies
We use the following categories of cookies:
| Category | Purpose | Examples | Consent Required |
|---|---|---|---|
| Strictly necessary | Essential for the operation of the Services (eg, authentication, security, load balancing) | Session cookies, authentication tokens, CSRF tokens, cookie consent preference | No |
| Functional | Enable enhanced functionality and personalisation (eg, language preferences, account settings) | None currently in use | Yes (UK/EEA) |
| Analytics | Help us understand how the Services are used, measure performance and identify areas for improvement | Google Analytics, internal analytics | Yes (UK/EEA) |
| Marketing | Used to deliver relevant advertisements and track the effectiveness of marketing campaigns | None currently in use | Yes (all jurisdictions) |
Cookie consent
UK and EEA users: In accordance with the Privacy and Electronic Communications Regulations 2003 (UK) and the ePrivacy Directive (EU), we will obtain your prior opt-in consent before setting any cookies that are not strictly necessary for the operation of the Services. You can manage your cookie preferences at any time through our cookie consent banner or by visiting Cookie Preferences.
Australian users: We rely on implied consent for functional and analytics cookies, in accordance with the APPs. You can manage your cookie preferences through your browser settings.
US users: You can manage your cookie preferences through our cookie consent banner, your browser settings, or by visiting Cookie Preferences.
How to manage cookies
You can control and delete cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Services. For further information about managing cookies, visit www.allaboutcookies.org.
Your Rights
Rights available to all users
Regardless of your location, you have the right to:
- Access: Request access to the Personal Information we hold about you.
- Correction: Request that we correct any inaccurate or incomplete Personal Information.
- Complaint: Lodge a complaint about our handling of your Personal Information (see the "Contact and Complaints" section below).
- Opt out of marketing: Opt out of receiving direct marketing communications at any time.
- Pseudonymity: Where it is practicable and lawful to do so, you have the option of interacting with us without identifying yourself or by using a pseudonym (although our ability to provide the Services may be affected by your decision to interact with us pseudonymously).
Additional rights for UK and EEA users
If you are located in the United Kingdom or European Economic Area, you have the following additional rights under the UK GDPR / EU GDPR (see Addendum A for further details):
- Erasure (right to be forgotten): Request that we delete your Personal Information in certain circumstances.
- Restriction of processing: Request that we restrict the processing of your Personal Information in certain circumstances.
- Data portability: Receive a copy of your Personal Information in a structured, commonly used, machine-readable format and transmit it to another controller.
- Objection: Object to the processing of your Personal Information where we rely on legitimate interests as the lawful basis.
- Automated decision-making: Not be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects you.
- Withdrawal of consent: Where we rely on consent as the lawful basis for processing, withdraw your consent at any time (without affecting the lawfulness of processing carried out before withdrawal).
Additional rights for US users
If you are a resident of California or another US state with applicable privacy legislation, you have the following additional rights (see Addendum B for further details):
- Right to know: Request information about the categories and specific pieces of Personal Information we have collected, the sources of collection, the purposes for collection and use, and the categories of third parties with whom we share it.
- Right to delete: Request that we delete your Personal Information, subject to certain exceptions.
- Right to correct: Request that we correct inaccurate Personal Information.
- Right to opt out of sale/sharing: Opt out of the "sale" or "sharing" of your Personal Information (as defined in the CCPA). Note: Neudash does not sell or share your Personal Information.
- Right to limit use of Sensitive Information: Request that we limit the use of your Sensitive Information to certain specified purposes.
- Right to non-discrimination: Not be discriminated against for exercising any of your privacy rights.
How to exercise your rights
To exercise any of your rights, please contact us at privacy@neudash.com. We will respond to your request within:
- 30 days (for requests under the APPs);
- one month (for requests under the UK GDPR / EU GDPR, extendable by up to two further months where necessary); or
- 45 days (for requests under the CCPA, extendable by up to an additional 45 days where necessary).
We may ask you to verify your identity before processing your request. We will not charge a fee for exercising your rights, except where permitted by applicable law (for example, where a request is manifestly unfounded or excessive under the UK GDPR).
Children's Data
The Services are not directed at children. You must be at least 18 years old to create an account (or 16 years old with the verified consent of a parent or legal guardian, as set out in our Terms of Service).
We do not knowingly collect Personal Information from children under the age of 16. If you are a parent or guardian and believe that your child has provided Personal Information to us, please contact us at privacy@neudash.com, and we will take steps to delete such information.
US users: In accordance with the Children's Online Privacy Protection Act ("COPPA"), we do not knowingly collect Personal Information from children under the age of 13. If we become aware that we have collected Personal Information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements or other factors. Where we make material changes, we will:
- update the "Last updated" date at the top of this Privacy Policy;
- provide prominent notice on our website or within the Services (for example, through a banner or pop-up notification); and
- where required by applicable law or where the changes materially affect the processing of your Personal Information, send you direct notification by email to the address associated with your account.
Where applicable law requires your consent to any material change (for example, where we propose to process your Personal Information for a new purpose that is materially different from the purpose for which it was originally collected), we will obtain your consent before implementing the change.
Contact and Complaints
Contact us
If you have any questions, concerns or requests regarding this Privacy Policy or our handling of your Personal Information, please contact us at:
Neudash Pty Ltd — Privacy Team
Email: privacy@neudash.com
Address: 12/62 Ocean Street, Woollahra, New South Wales 2025, Australia
Complaints
If you believe we have breached our obligations under applicable data protection law, you may lodge a complaint with us by emailing privacy@neudash.com. We will acknowledge your complaint within 5 business days and endeavour to resolve it within 30 days.
If you are not satisfied with our response, you may escalate your complaint to the relevant supervisory authority:
- Australia: The Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au.
- United Kingdom: The Information Commissioner's Office (ICO) — www.ico.org.uk.
- European Economic Area: The supervisory authority in the EU member state of your habitual residence. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
- United States: The California Attorney General (for CCPA complaints) — https://oag.ca.gov/privacy, or the relevant state attorney general in your state of residence.
Data Processing Addendum
Where Neudash processes Personal Information contained in your Customer Content on your behalf as a data processor and such processing is subject to the EU GDPR or the UK GDPR, our Data Processing Addendum (DPA) applies automatically to that processing. The DPA sets out Neudash's obligations regarding documented instructions, security measures, sub-processor management, data subject rights assistance, breach notification, international transfers and deletion of Personal Data. The DPA is incorporated into the Terms of Service and applies by virtue of your agreement to those Terms.
Governing Law
Any dispute or claim arising out of or in connection with this Privacy Policy is subject to the governing law and dispute resolution provisions set out in the Terms of Service. For the avoidance of doubt, nothing in this Privacy Policy limits or affects your rights to lodge a complaint with a supervisory authority in your jurisdiction, as set out in the "Contact and Complaints" section above.
Addendum A — For Users in the United Kingdom and European Economic Area
This Addendum applies to you if you are located in the United Kingdom or the European Economic Area. It supplements the core Privacy Policy above and provides additional information required by the UK GDPR and EU GDPR.
Data controller and representative
The data controller is Neudash Pty Ltd (see the "Data Controller" section of the core Privacy Policy for contact details).
Neudash has appointed DataRep as its representative under Article 27 of the UK GDPR and EU GDPR. You can contact DataRep by emailing datarequest@datarep.com with "Neudash Pty Ltd" in the subject line, using DataRep's webform at www.datarep.com/data-request, or mailing DataRep at one of the addresses below. If you contact DataRep by post, please address your correspondence to "DataRep" rather than to Neudash directly.
United Kingdom representative
DataRep
107-111 Fleet Street
London
EC4A 2AB
United Kingdom
European Economic Area representative
DataRep
The Cube
Monahan Road
Cork
T12 H1XY
Republic of Ireland
Lawful bases for processing
The lawful bases for each processing purpose are set out in the "Purposes and lawful bases" table of the core Privacy Policy.
Where we process Sensitive Information (special categories of personal data) contained in your Customer Content, we rely on the following lawful bases: (a) explicit consent (Article 9(2)(a)), which you provide by uploading Customer Content containing such data to the Services — you may withdraw your consent at any time by deleting the relevant Customer Content or closing your account; or (b) where you use the Services in connection with the provision of healthcare, the provision of health or social care (Article 9(2)(h)), where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the provision of health or social care treatment, and is subject to appropriate safeguards including the conditions and safeguards referred to in Article 9(3).
Your rights in detail
You have the following rights under the UK GDPR / EU GDPR:
- Right of access (Article 15): You have the right to obtain confirmation as to whether we process your Personal Information and, where we do, access to that information together with certain supplementary information (including the purposes of processing, the categories of data concerned, the recipients to whom data has been disclosed, and the retention period).
- Right to rectification (Article 16): You have the right to request that we correct any inaccurate Personal Information and complete any incomplete Personal Information.
- Right to erasure (Article 17): You have the right to request that we delete your Personal Information where: (i) it is no longer necessary for the purposes for which it was collected; (ii) you withdraw consent and there is no other lawful basis for processing; (iii) you object to processing and there are no overriding legitimate grounds; (iv) the data has been unlawfully processed; or (v) deletion is required to comply with a legal obligation.
- Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your Personal Information where: (i) you contest the accuracy of the data (for a period enabling us to verify accuracy); (ii) the processing is unlawful and you request restriction rather than erasure; (iii) we no longer need the data but you require it for the establishment, exercise or defence of legal claims; or (iv) you have objected to processing pending verification of whether our legitimate grounds override yours.
- Right to data portability (Article 20): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your Personal Information in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance.
- Right to object (Article 21): You have the right to object to the processing of your Personal Information where we rely on legitimate interests as the lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. You have an absolute right to object to processing for direct marketing purposes at any time.
- Rights relating to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning you or similarly significantly affects you. Neudash does not currently make any decisions based solely on automated processing that produce legal effects or similarly significantly affect you. If this changes, we will update this Privacy Policy and provide you with meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing.
- Right to withdraw consent: Where we rely on consent as the lawful basis for processing, you may withdraw your consent at any time by contacting us at privacy@neudash.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
International transfers
Where your Personal Information is transferred from the UK or EEA to a country that has not been recognised as providing an adequate level of data protection by the European Commission (for EU transfers) or the UK Secretary of State (for UK transfers), we rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): We enter into the European Commission's standard contractual clauses (Commission Implementing Decision (EU) 2021/914), as supplemented by the UK Addendum to the EU SCCs (issued by the ICO under section 119A of the Data Protection Act 2018), with each recipient of Personal Information located in a non-adequate country.
- Supplementary measures: Where required by applicable guidance (including the EDPB's Recommendations 01/2020), we implement supplementary technical, organisational or contractual measures to ensure that the level of protection of Personal Information is not undermined by the transfer.
You may request a copy of the applicable SCCs and any supplementary measures by contacting us at privacy@neudash.com.
Cookie consent (PECR / ePrivacy)
In accordance with the Privacy and Electronic Communications Regulations 2003 (UK) and Directive 2002/58/EC (ePrivacy Directive), we obtain your prior opt-in consent before setting any cookies on your device that are not strictly necessary for the operation of the Services. You can manage your cookie preferences at any time through our cookie consent banner or by visiting Cookie Preferences. See the "Cookies and Tracking Technologies" section of the core Privacy Policy for further details.
Addendum B — For Users in the United States
This Addendum applies to you if you are a resident of California or another US state with applicable consumer privacy legislation (including, as at the date of this Privacy Policy, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Indiana, Tennessee and Delaware). It supplements the core Privacy Policy above and provides additional information required by the CCPA and other applicable US state privacy laws.
Categories of Personal Information collected
The following table describes the categories of Personal Information we have collected in the preceding twelve (12) months, mapped to the CCPA's enumerated categories:
| CCPA Category | Examples | Sources | Purpose |
|---|---|---|---|
| Identifiers | Name, email address, IP address, account ID, pseudonymous user identifier (Firebase UID) | Directly from you; automatically collected | Providing the Services; account management; security; analytics |
| Commercial information | Subscription plan, billing history, payment records | Directly from you; Stripe | Payment processing; billing |
| Internet or electronic network activity | Usage data, log data, browser type, device identifiers | Automatically collected | Analytics; service improvement; security |
| Geolocation data | Approximate location derived from IP address | Automatically collected | Security; localisation |
| Professional or employment-related information | Job title, company name | Directly from you | Account management |
| Inferences | Usage preferences, feature interaction patterns (aggregated and de-identified only) | Derived from usage data | Service improvement; analytics |
In addition to the categories listed in the table above, Neudash may collect and process the following categories of sensitive personal information (as defined in Cal. Civ. Code § 1798.140(ae)) where you use Services designed for regulated industries: (a) personal information that reveals racial or ethnic origin, religious or philosophical beliefs, citizenship or immigration status, or health information, where such information is contained in Customer Content you upload to the Services (for example, in connection with migration, legal or healthcare services); and (b) the contents of communications (such as emails and documents) processed through the Services at your direction. Neudash uses sensitive personal information only for the purpose of providing the Services to you, in accordance with Cal. Civ. Code § 1798.121(a). Neudash does not use or disclose sensitive personal information for any purpose other than those specified in § 1798.121(a), and you have the right to limit such use under § 1798.121.
No sale or sharing
Neudash does not "sell" or "share" your Personal Information as those terms are defined in the CCPA (Cal. Civ. Code § 1798.140(ad) and § 1798.140(ah)). We have not sold or shared Personal Information in the preceding twelve (12) months.
"Do Not Sell or Share My Personal Information"
Although we do not sell or share Personal Information, we maintain a Do Not Sell or Share My Personal Information notice in accordance with Cal. Civ. Code § 1798.135, which confirms this position.
Your rights under the CCPA
If you are a California resident, you have the following rights under the CCPA:
- Right to know (§ 1798.100, § 1798.110): You have the right to request that we disclose: (i) the categories of Personal Information we have collected; (ii) the categories of sources from which it was collected; (iii) the business or commercial purpose for collection; (iv) the categories of third parties with whom we share it; and (v) the specific pieces of Personal Information we have collected about you.
- Right to delete (§ 1798.105): You have the right to request that we delete Personal Information we have collected from you, subject to certain exceptions (including where retention is necessary to complete a transaction, comply with a legal obligation, detect security incidents, or exercise free speech rights).
- Right to correct (§ 1798.106): You have the right to request that we correct inaccurate Personal Information.
- Right to opt out of sale/sharing (§ 1798.120): You have the right to opt out of the "sale" or "sharing" of your Personal Information. As noted above, Neudash does not sell or share Personal Information.
- Right to limit use of sensitive personal information (§ 1798.121): You have the right to limit the use and disclosure of your Sensitive Information to specified purposes. Neudash uses Sensitive Information contained in your Customer Content only for the purpose of providing the Services.
- Right to non-discrimination (§ 1798.125): We will not discriminate against you for exercising any of your CCPA rights, including by denying you the Services, charging different prices, providing a different level of service, or suggesting that you will receive a different price or level of service.
Authorised agents
You may designate an authorised agent to submit a request on your behalf. We may require the authorised agent to provide written proof of authorisation and may verify your identity directly.
Children's privacy (COPPA)
We do not knowingly collect Personal Information from children under the age of 13. If we become aware that we have collected Personal Information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible. If you believe a child under 13 has provided us with Personal Information, please contact us at privacy@neudash.com.
Financial incentive programmes
Neudash does not offer any financial incentive programmes (as defined in Cal. Civ. Code § 1798.125(b)) in connection with the collection of Personal Information.
Other US state privacy laws
If you are a resident of a US state with applicable consumer privacy legislation other than the CCPA (including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Indiana, Tennessee and Delaware), you may have similar rights to those described in this Addendum above, including rights to access, correct, delete and opt out of certain processing activities. To exercise any such rights, please contact us at privacy@neudash.com. We will respond to your request in accordance with the applicable state law.
CAN-SPAM compliance
Where we send marketing emails to US recipients, we comply with the CAN-SPAM Act, including by:
- not using false or misleading header information;
- not using deceptive subject lines;
- identifying the message as an advertisement where applicable;
- including our physical postal address; and
- honouring opt-out requests within 10 business days.