Compliance
NeonNeuron Technologies Ltd. is committed to operating in compliance with applicable data protection laws and industry standards. This page outlines our regulatory framework, data protection practices, and the rights we uphold for all users of the NeonNeuron workspace platform.
01 Regulatory Framework
NeonNeuron Technologies Ltd. operates from 82a James Carter Road, Mildenhall, United Kingdom, IP28 7DE, and is subject to the following regulatory frameworks. We design our platform and data practices to align with these regulations.
Indian Information Technology Act, 2000
- NeonNeuron complies with the Information Technology Act, 2000, and its subsequent amendments, which govern electronic commerce, data protection, and cybersecurity in India
- We adhere to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, for the handling of sensitive personal data
- We implement reasonable security practices as required under Section 43A of the IT Act to protect user data from unauthorized access, damage, or misuse
General Data Protection Regulation (GDPR)
- While NeonNeuron is headquartered in India, we are committed to GDPR awareness and alignment for users located in the European Economic Area (EEA)
- We provide data access, export, rectification, and deletion rights to all users regardless of their location
- Our data processing practices are designed with principles of data minimization, purpose limitation, and storage limitation in mind
- We use Google Cloud (Firebase/Firestore) infrastructure that maintains GDPR compliance certifications
Digital Personal Data Protection Act (DPDPA), 2023
- NeonNeuron is prepared to comply with the Digital Personal Data Protection Act, 2023, as its provisions are notified and enforced by the Government of India
- We maintain transparent data processing practices and provide clear consent mechanisms for data collection
02 Data Protection
We implement comprehensive data protection measures across the platform to safeguard user information.
- All data in transit is encrypted using TLS 1.2+ (HTTPS) with no unencrypted connections permitted
- Data at rest in Google Cloud Firestore is encrypted using AES-256 with Google-managed encryption keys
- Firebase Auth manages authentication credentials with secure password hashing; plaintext passwords are never stored
- Firestore security rules enforce strict workspace-level data isolation in our multi-tenant architecture
- OTP verification codes are time-limited and automatically purged after use or expiry
- Message auto-expiry (7 days for Members, 10 days for Admins/Managers) ensures communications do not persist indefinitely
- Access to production data and infrastructure is restricted to authorized personnel only
03 User Rights
NeonNeuron upholds the following data rights for all users, consistent with GDPR principles and Indian data protection law.
- Right to Access: Users can view all their personal data, workspace information, and activity through the platform's dashboard and settings at any time
- Right to Data Portability: Admins can export all workspace data in JSON and PDF formats through the built-in data export feature, ensuring data portability
- Right to Rectification: Users can update their profile information, display name, avatar, and other personal details at any time through the Settings page
- Right to Erasure: Users can permanently delete their account through the Settings page. Account deletion triggers complete and irreversible removal of all owned workspace data, including teams, projects, channels, messages, invites, and profile information from our systems
- Right to Restrict Processing: Users may request restriction of certain data processing activities by contacting us at admin@neonneuron.online
- Right to Object: Users may object to specific data processing activities, and we will cease processing unless we demonstrate compelling legitimate grounds
- Right to Withdraw Consent: Users may withdraw consent for data processing at any time by deleting their account or contacting us
04 Data Processing
NeonNeuron processes personal data on the following lawful bases:
Contractual Necessity
- Processing account registration data (name, email, password) to create and maintain your account
- Processing workspace data (teams, projects, channels, messages) to deliver the core platform services
- Processing subscription and billing information to manage your plan and provide access to plan features
Consent
- Sending OTP verification codes to your email via EmailJS for account verification
- Sending workspace invitation emails to individuals invited by Admins and Managers
- Processing avatar images uploaded by users for profile display purposes
Legitimate Interests
- Monitoring platform usage patterns to improve performance, fix bugs, and develop new features
- Implementing security measures including rate limiting, abuse detection, and fraud prevention
- Maintaining audit logs for security and compliance purposes
We do not process personal data for automated decision-making or profiling purposes.
05 Record Keeping
NeonNeuron maintains records of data processing activities as required by applicable regulations.
- Account creation and deletion records are maintained for audit and compliance purposes
- Subscription purchase and refund records are retained for financial and tax compliance
- Workspace activity logs, including team creation, member additions, role changes, and invite actions, are maintained for security auditing
- Authentication events including login attempts, OTP verifications, and session activities are logged
- Data export requests and account deletion requests are documented with timestamps
- All records are stored securely in Firestore with appropriate access controls and retention policies
- Records are retained only as long as necessary for the purposes for which they were collected, or as required by law
06 Compliance Monitoring
We actively monitor and maintain our compliance posture through ongoing practices.
- Regular review of Firestore security rules to ensure proper data isolation and access control enforcement
- Monitoring of third-party service providers (Firebase, EmailJS, Vercel) for compliance with their respective data protection commitments
- Periodic assessment of data processing activities against stated purposes and lawful bases
- Review of data retention practices to ensure data is not held longer than necessary
- Evaluation of security measures and incident response procedures to address evolving threats
- Tracking of regulatory developments in India (DPDPA), EU (GDPR), and other relevant jurisdictions to ensure continued alignment
- Internal documentation of compliance activities and any corrective actions taken
07 Updates
Our compliance practices and this documentation are reviewed and updated regularly to reflect changes in regulations, platform features, and data processing activities.
- Material changes to our compliance practices will be reflected in updates to this page, our Privacy Policy, and our Terms & Conditions
- Registered users will be notified via email at least 30 days before material changes to data protection practices take effect
- The "Last Updated" date at the top of this page indicates when the most recent changes were made
- We encourage users to review this page periodically to stay informed about our compliance practices
- As the Indian DPDPA provisions are notified, we will update our practices and documentation accordingly
08 Contact Information
For compliance-related questions, data protection inquiries, or to exercise your data rights, please contact us: