Privacy Policy
Last updated: June 2026
1. Introduction
Neuranum ("we", "us", "our") operates the neuranum.com platform. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
The data controller for the purposes of applicable data protection law is Unioney LLC, 8 The Green STE B, Dover, Delaware 19901, United States.
By using Neuranum, you agree to the collection and use of information as described in this policy.
This Privacy Policy is part of our Terms of Service. Your use is also governed by our Acceptable Use Policy and Refund Policy.
2. Data We Collect
Account data: Email address (for magic link authentication or Google OAuth). We do not collect passwords.
Payment data: Processed and stored by Stripe. We receive your Stripe customer ID and subscription status. We do not store card numbers, CVVs, or bank details.
Node metrics: Connection counts, bandwidth usage, and destination IP diversity from managed nodes. These metrics power our automated abuse detection system. We do not inspect packet contents or log browsing activity.
Server logs: IP address, request timestamps, and user agent strings for security and rate limiting. Logs are retained for 30 days.
DIY one-time purchases: No email is collected. Stripe processes the payment. After token delivery, we retain no record linking the purchase to a person.
3. How We Use Your Data
- Authenticate your account and manage sessions
- Provision and manage your Personal Cloud Nodes
- Process payments and manage subscriptions
- Detect and prevent abuse (automated monitoring)
- Send transactional emails (magic links, node status, abuse notifications)
- Comply with legal obligations
We do not sell your data. We do not use your data for advertising. We do not profile your browsing activity.
4. Legal Basis for Processing
Under GDPR Article 6, we process your personal data on the following legal bases:
- Contract performance: Processing necessary to deliver the service you subscribed to, including account creation, node provisioning, and subscription management.
- Legitimate interest: Abuse detection, fraud prevention, and platform security measures to protect all users and our infrastructure.
- Consent: Marketing communications, if any. We currently do not send marketing emails.
- Legal obligation: Compliance with applicable laws, responding to valid legal requests, and fulfilling regulatory requirements.
5. Third-Party Services
The following sub-processors and service providers receive limited data strictly to deliver the functionality described:
- Stripe, Inc. — Payment processing. We send your email address and Stripe customer/subscription/item identifiers for billing. Stripe collects card and billing data directly on its hosted checkout — it never touches Neuranum servers. Subject to Stripe's Privacy Policy.
- Hetzner Online GmbH — Cloud infrastructure provider for your Personal Cloud Node and supporting platform servers (located in Germany, Finland, and the United States). Subject to Hetzner's Privacy Policy.
- Cloudflare, Inc. — DNS, CDN, and DDoS protection for neuranum.com and the per-node subdomains. Subject to Cloudflare's Privacy Policy.
- 20i Ltd (Stackmail) — Self-hosted SMTP transactional email delivery for magic-link sign-ins, payment receipts, node-ready notifications, account-deletion confirmations, and guest invites. We send the recipient email address and the email body. Subject to 20i's Privacy Policy.
- Google LLC — Federated identity (only if you choose Google sign-in instead of magic link). We receive your email and Google subject identifier. Subject to Google's Privacy Policy.
IP-intelligence providers (used at sign-in and during node ignition for anti-fraud and geolocation). We send only your IP address — no email, no account identifier — through a layered fallback chain:
- ipapi.is — IP intelligence (proxy / VPN / abuse / geolocation). Subject to ipapi.is's Privacy Policy.
- proxycheck.io — IP reputation scoring (proxy / VPN / abuser detection). Subject to proxycheck.io's Privacy Policy.
- AbuseIPDB Pty Ltd — Abuse reputation lookup by IP. Subject to AbuseIPDB's Privacy Policy.
- MaxMind GeoLite2 — Self-hosted geolocation database (the database is downloaded to and queried on Neuranum-owned servers; your IP is not sent to MaxMind at lookup time). Subject to MaxMind's Privacy Policy in respect of the database download.
The IP-intelligence chain runs only at moments where the platform's anti-fraud or geolocation logic is required (sign-in, node ignition). It does not run on every page load.
First-party (no third-party sharing). Crash reports and diagnostics are collected by an open-source Sentry-compatible service (GlitchTip) running on Neuranum-owned infrastructure at errors.neuranum.com — these never leave Neuranum-controlled servers.
6. International Data Transfers
Your data may be processed and stored in multiple jurisdictions. Servers hosting Neuranum infrastructure are provided by Hetzner and located in Germany, Finland, and the United States.
For users in the European Economic Area (EEA): transfers of personal data to the United States are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection.
Stripe processes payment data in accordance with its own data processing agreement, which includes appropriate safeguards for international transfers.
7. Data Retention & Right to Deletion
The following table mirrors the wording on our public delete-account page (/legal/delete-account) and the verify-link email body, so every surface tells you the same thing.
- Account record (User row): Deleted within 60 seconds of a verified deletion request.
- Personal Cloud Nodes (Hetzner VPS): Destroyed within 60 seconds via the Hetzner Cloud API; DNS records cleaned up at the same time.
- Protocol credentials (WireGuard / VLESS / Hysteria / IKEv2 / Outline-SS): Deleted with the nodes; existing tunnel sessions disconnect immediately.
- Guest seats you issued: All guests are deactivated; their app sign-ins are revoked.
- Active Stripe subscriptions: Cancelled at deletion time; no further billing occurs.
- Stripe transaction history: Retained for 7 years by Stripe per applicable tax-law standards (Stripe customer object is preserved to ensure chargeback evidence; we do not call
stripe.Customer.delete()). - Anonymized audit log entries: Retained for 24 months after deletion (user_id set to NULL) for fraud-investigation continuity; purged automatically after.
- Unmatched deletion-request hashes: When the email submitted at
/legal/delete-accountdoes not match any account, an audit row containingsha256(email)[:16](no plaintext) is written so abuse patterns are observable; these rows are purged after 90 days. - Node metrics & server logs: Retained for 30 days then anonymized; aggregate totals (no per-user identifiers) may be retained for capacity planning.
- DIY one-time tokens: Purged 24 hours after delivery to the buyer.
How to request deletion: use the public form at neuranum.com/legal/delete-account — accessible without the app installed and without logging in. We email a one-use confirmation link (15-minute TTL). Tapping it triggers the deletion sequence above. The flow is identical for active users (in-app) and ex-users.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach, as required by applicable law.
Notification will be sent to your registered email address and, where required, to the relevant supervisory authority.
9. Your Rights Under GDPR
If you are in the European Economic Area (EEA), you have the following rights under GDPR:
- Access: Request a copy of all data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your account and associated data.
- Portability: Request your data in a machine-readable format.
- Objection: Object to processing of your data for specific purposes.
- Restriction: Request that we limit how we process your data.
To exercise any of these rights, contact us at s*****t@***.com. We will respond within 30 days.
10. Your Rights Under CCPA / CPRA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) effective 2023:
- Right to know: You have the right to know what personal information is collected, used, disclosed, or shared, and the sources and purposes of that collection.
- Right to delete: You have the right to request deletion of personal information we have collected about you.
- Right to correct (CPRA): You have the right to request correction of inaccurate personal information we hold about you.
- Right to opt-out of sale or sharing (CPRA): Neuranum does not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information (CPRA): Neuranum does not collect "sensitive personal information" as defined by the CPRA (we do not collect government IDs, financial account credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, mail/email/text contents, biometric identifiers, or health/sex-life information). Your IP address is collected only for fraud prevention and security, which is a permitted business purpose.
- Right to opt-out of automated decision-making (CPRA): We use automated processing to score IP-address fraud risk during sign-in and node ignition. You have the right to know about and opt out of this processing; opting out may result in our being unable to provide the service if the fraud signal cannot be evaluated by another means.
- Right to non-discrimination: You will not be discriminated against — including in pricing or service quality — for exercising any of these rights.
To exercise any of these rights, contact us at s*****t@***.com. We will verify your identity using your registered email and respond within 45 days, with one 45-day extension where reasonably necessary, in accordance with the CPRA.
If you are a California resident under the age of 16, we do not knowingly collect, sell, or share your personal information.
11. Children's Privacy
Neuranum is intended for adults. You must be at least eighteen (18) years of age to create an account or use the Service. In compliance with the Children's Online Privacy Protection Act (COPPA), the Service is not directed to children under the age of 13, and we do not knowingly collect personal information from anyone under 13.
If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible. If you believe we may have any information from or about a child under 13, please contact us at s*****t@***.com.
12. Cookies and Local Storage
Neuranum uses only strictly-necessary cookies and browser local storage to hold JWT authentication tokens that keep you signed in. We do not use tracking cookies, analytics cookies, advertising cookies, third-party cookies, or any form of persistent identifier for cross-site profiling.
Because the cookies and local storage we use are strictly necessary for the service to function — the application cannot authenticate you without them — no separate consent banner is required under Article 5(3) of the EU ePrivacy Directive (2002/58/EC, as amended) or the United Kingdom's Privacy and Electronic Communications Regulations (PECR). Continuing to use the service constitutes acknowledgement that these strictly-necessary cookies will be set.
12a. Do Not Track Signals
Neuranum does not engage in cross-site tracking. We have no third-party analytics, no advertising network embeds, and no behavioral profiling. Because we do not track users across sites or applications in the first place, the Do Not Track (DNT) browser header and the Global Privacy Control (GPC) signal have no operational effect on our service — there is no tracking activity to opt out of.
13. Security
All data is encrypted in transit (TLS 1.3). Sensitive credentials are encrypted at rest using AES-256-GCM. Authentication uses cryptographically secure tokens. We follow industry-standard security practices to protect your data.
14. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated via email to registered users. The "Last updated" date at the top reflects the most recent revision.
This Privacy Policy is governed by the laws of the State of Delaware, United States.
15. Contact
Questions about this privacy policy: s*****t@***.com
Phone: +1 (***) ***-****
Unioney LLC, 8 The Green STE B, Dover, Delaware 19901, United States