Effective Date: 20 February 2026 | Last Updated: 20 February 2026
Neuravant AI Limited ("Neuravant", "we", "us") is the data controller for personal data processed through the NAIL platform and related services. We are committed to protecting your privacy and handling your data transparently and lawfully.
This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under both the UK GDPR and Data Protection Act 2018 (for UK data subjects) and the EU General Data Protection Regulation (Regulation (EU) 2016/679) (for EU/EEA data subjects).
Neuravant AI Limited
Registered in England and Wales, Companies House No. 16071477
Registered office: Bedford House, North Bank, Peterborough, Cambridgeshire, PE6 7YY, United Kingdom
Email: privacy@neuravant.ai
ICO Registration Number: ZB registration pending — notification filed April 2026
For data subjects in the European Economic Area, our representative under Art. 27 GDPR is:
[EU Representative appointment in progress — updated on appointment, target Q2 2026]
Interim contact: privacy@neuravant.ai
We have appointed a Data Protection lead reachable at privacy@neuravant.ai. A formal DPO will be designated where required by Art. 37 GDPR based on processing volumes.
| Data | Purpose | Lawful Basis |
|---|---|---|
| Name, email address | Account creation and communication | Contract performance |
| Company name, role | Subscription management | Contract performance |
| Billing information | Payment processing (via Stripe) | Contract performance |
| Password (hashed) | Account authentication | Contract performance |

| Data | Purpose | Lawful Basis |
|---|---|---|
| Agent endpoint URLs | Running adversarial audits | Contract performance |
| Agent system prompts | Security analysis and classification | Contract performance |
| Agent responses to audit scenarios | Generating NAIL Rating | Contract performance |
| Repository source code (Repo Analyser) | Static risk assessment | Contract performance |
| Behavioural telemetry (fingerprinting) | Anomaly detection and monitoring | Contract performance |
| Decision provenance chains | Tamper-evident audit trail | Contract performance |

| Data | Purpose | Lawful Basis |
|---|---|---|
| IP address, browser type | Security and fraud prevention | Legitimate interest |
| Pages visited, features used | Service improvement | Legitimate interest |
| API call logs | Rate limiting and abuse prevention | Legitimate interest |

| Data | Purpose | Lawful Basis |
|---|---|---|
| Email address (newsletter signup) | Marketing communications | Consent |
| Event registration data | Webinar and conference invitations | Consent |
We do not sell your personal data. We share data only with:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Stripe, Inc. | Payment processing | PCI DSS Level 1 compliant |
| Google Cloud EMEA Ltd. (Ireland) | Infrastructure — europe-west3 (Frankfurt) | DPA; intra-EEA; see sub-processors |
| Cloudflare, Inc. | CDN, DDoS, static hosting | DPA; EU SCCs 2021/914; DPF certified |
| Insurance underwriting partners | Underwriting and claims (only with your consent) | Data processing agreement; FCA regulated |
| Professional advisors | Legal, accounting, audit | Professional duty of confidentiality |
We will never share your raw Agent source code, system prompts, or audit responses with any third party except at your explicit written request.
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 2 years |
| Audit reports and ratings | Duration of account + 3 years (regulatory retention) |
| Behavioural fingerprints | Duration of monitoring subscription + 1 year |
| Decision provenance chains | Duration of account + 5 years (insurance evidence) |
| Billing records | 6 years (HMRC requirement) |
| Marketing consent records | Until consent withdrawn + 1 year |
| Usage logs | 90 days |
Customer data is primarily processed and stored within the European Economic Area — Google Cloud region europe-west3 (Frankfurt, Germany). See our Data Residency statement for the full map.
Where data is transferred to a jurisdiction outside the EEA/UK (for example, engineering support from our UK entity), we rely on:
Copies of executed SCCs are available on request from legal@neuravant.ai.
Under the UK GDPR, you have the right to:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your data (subject to legal retention requirements) |
| Restriction | Request that we limit processing of your data |
| Data Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Withdraw Consent | Withdraw marketing / analytics consent at any time |
| Automated decision-making (Art. 22) | Not to be subject to a decision based solely on automated processing that produces legal effects. Neuravant does not make such decisions about you; NAIL Ratings are advisory tools for human decision-makers. |
To exercise any of these rights, email privacy@neuravant.ai. We will respond within one month (Art. 12(3) GDPR), extendable by a further two months for complex requests. EU data subjects may address our Art. 27 representative directly — see Section 1.1.
We use the following cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session_id | Essential | Authentication session | Session |
| csrf_token | Essential | Security (CSRF protection) | Session |
| preferences | Functional | User preferences (theme, language) | 1 year |
| analytics_id | Analytics | Anonymous usage statistics | 1 year |
Essential cookies are required for the Service to function. Analytics cookies are only set with your consent.
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before they take effect. The "Last Updated" date at the top of this page indicates the most recent revision.
You have the right to lodge a complaint with a supervisory authority. You may contact the authority of your habitual residence, place of work, or place of the alleged infringement.
| Jurisdiction | Authority | Website |
|---|---|---|
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| Germany | Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) | bfdi.bund.de |
| France | Commission Nationale de l'Informatique et des Libertés (CNIL) | cnil.fr |
| Spain | Agencia Española de Protección de Datos (AEPD) | aepd.es |
| Ireland | Data Protection Commission (DPC) | dataprotection.ie |
| Other EEA | See EDPB member list | edpb.europa.eu |
You may also use the EU Online Dispute Resolution platform: ec.europa.eu/consumers/odr.
Neuravant AI Limited — Data Protection
Email: privacy@neuravant.ai
Website: neuravant.ai