This Privacy Policy applies to the use of the neurit.ai platform (hereinafter the "Service") in accordance with the General Data Protection Regulation (GDPR) and Austrian data protection law (DSG).
1. Data Controller
Mag. David Paci, webse.at — Web & Online Agency
Weiherweg 4, 9500 Villach, Austria
Email: info@webse.at
2. Data We Collect
2.1 Google OAuth (Registration & Sign-in)
When registering via Google OAuth, we receive the following data from Google: name, email address, and profile picture (avatar URL). This data is used exclusively for account creation and identification.
2.2 Usage Data
While you use the platform, we store:
- Rits (questions asked and AI-generated answers including lateral shifts)
- Mental map data (thought graph structure, edges between rits)
- Streak and activity data (daily usage history)
- Resonances (semantic similarities between rits of different users)
- Optional user reflections on individual rits
Important: Users' original questions and personal reflections are never shared directly with other users and are not used for resonance matching.
2.3 Technical Data
- IP address (rate limiting via Upstash Redis, automatically deleted after 24 hours)
- Session cookie (technically necessary for authentication via Auth.js JWT; no tracking)
3. Data Sharing with Third Parties
We share personal data only to the extent necessary for operating the service:
Anthropic PBC (USA) — AI Processing
User requests (questions) are transmitted to Anthropic for AI processing. Legal basis: Standard Contractual Clauses (SCC) pursuant to Art. 46 para. 2 lit. c GDPR in conjunction with a Data Processing Agreement (DPA). API data is expressly not used by Anthropic for model training.
OpenAI OpCo, LLC (USA) — Embedding Generation
User requests are transmitted to OpenAI for generating semantic embeddings (vectors). Legal basis: SCC + DPA. API data has expressly not been used by OpenAI for model training since March 2023.
Hetzner Online GmbH (Germany) — Hosting
The service is hosted on servers in Germany (EU). Processing takes place exclusively within the EU.
Neon Inc. (EU-Frankfurt) — Database
User data is stored in a PostgreSQL database in the EU region Frankfurt (eu-central-1).
Lemon Squeezy (USA) — Payment Processing
For paid subscriptions (Pro/Team), payments are processed via Lemon Squeezy as Merchant of Record. Lemon Squeezy assumes responsibility for tax handling. Only data necessary for the transaction is transmitted.
4. Legal Basis for Processing
- Contract performance (Art. 6 para. 1 lit. b GDPR): provision of the service
- Legitimate interests (Art. 6 para. 1 lit. f GDPR): security, abuse prevention, technical operation
- Consent (Art. 6 para. 1 lit. a GDPR): resonance matching (opt-in via rit visibility setting)
5. Your Rights
Under the GDPR, you have the following rights with respect to us as controller:
- Access (Art. 15): what data we have stored about you
- Rectification (Art. 16): correction of inaccurate data
- Erasure (Art. 17): deletion of your account and all associated data
- Restriction (Art. 18): restriction of processing
- Data portability (Art. 20): export of your data in a machine-readable format
- Objection (Art. 21): objection to certain types of processing
To exercise your rights, please contact us by email: info@webse.at
You also have the right to lodge a complaint with the Austrian Data Protection Authority (DSB): dsb.gv.at
6. Data Deletion
When you delete your account, all stored rits, mental map data, resonances, and personal data are irreversibly deleted. IP addresses used for rate limiting are automatically deleted after 24 hours.
7. Cookies & Tracking
We use only technically necessary session cookies (no tracking, no advertising). A cookie banner is therefore not required. Analytics are conducted via Plausible Analytics without cookies and without collecting personal data.
8. Data Security
All connections are SSL/TLS encrypted. Database access is restricted to authorized systems. Embedding vectors cannot be reversed to plain-text data.
Last updated: March 2025