MyNeuroPass ("we", "us") is the data controller for personal data processed through the Service. This policy explains what we collect, why, and your rights under the UK GDPR and EU GDPR.
1. What we collect
- Account data: name, email, password hash, role (candidate/employer/admin).
- Profile data: bio, skills, work style, accessibility preferences (optional).
- Evidence: files, links and descriptions you upload to your Evidence Vault.
- Billing: Stripe customer ID and subscription status. Card data is held by Stripe, never by us.
- Usage: log data such as IP address, browser, and pages viewed, kept for security and abuse prevention.
2. Why we process it
- To provide the Service (contract).
- To keep the Service secure and prevent fraud (legitimate interest).
- To process payments (contract).
- To send essential service emails (contract). Marketing only with your consent.
3. Accessibility & neurodiversity data
Accommodation preferences and neurodiversity-related fields are never used for matching and are hidden from employers by default. They are only shared if and when you explicitly choose to share them.
4. Who we share data with
- Supabase — hosted database, authentication and file storage (EU region).
- Cloudflare — content delivery and DDoS protection.
- Stripe — payment processing.
- Resend / email provider — transactional email.
- Google — only if you sign in with Google.
We do not sell personal data and we do not run advertising trackers.
5. International transfers
Where data leaves the EEA/UK (e.g. Stripe), transfers rely on Standard Contractual Clauses and equivalent safeguards.
6. Retention
Account and profile data is retained while your account is active and for up to 30 days after deletion to allow recovery. Billing records are retained for 7 years to meet tax obligations. Logs are retained for up to 90 days.
7. Your rights
Under GDPR you may access, correct, export, restrict, or erase your personal data, and object to processing based on legitimate interest. To exercise any of these rights, email privacy@myneuropass.com. You can also lodge a complaint with your local supervisory authority.
8. Security
Data is encrypted in transit (TLS 1.3) and at rest. Access is gated by row-level security policies, role-based access controls and audit logs. We operate a responsible-disclosure programme; report issues to security@myneuropass.com.
9. Children
The Service is not directed at children under 16 and we do not knowingly collect their data.
10. Changes
Material changes are notified by email or in-app at least 14 days in advance.
11. Contact
Privacy questions: privacy@myneuropass.com
