Privacy Policy
Last updated: March 25, 2026
Neurofeed is built on a simple principle: your reading data belongs to you. We collect only what is necessary to run the service, we never sell your data, and you can delete everything at any time.
1. Who We Are
Neurofeed ("we", "us", "our") is an AI-powered reading and learning platform. If you have questions about this policy, contact us at privacy@neurofeed.app.
2. Information We Collect
We collect the following information when you create an account and use Neurofeed:
- Account information: your email address, optional display name, and a securely hashed password (we never store your plain-text password).
- Usage data: articles you have read, flashcard reviews, quiz scores, and word counts — stored as a JSON blob to power your personal statistics and ELO score.
- RSS feed URLs you configure as your personal news sources.
- Subscription data: if you subscribe to Neurofeed Pro, we store your Stripe customer ID and subscription status. Full payment details are handled and stored by Stripe — we never see your card number.
- Social data: friend connections and friend request history (Pro users only).
We do not collect IP addresses beyond what our hosting provider (Railway) logs for infrastructure purposes, nor do we run any third-party advertising or tracking scripts.
3. How We Use Your Information
- To provide, maintain, and improve the Neurofeed service.
- To calculate your reading statistics, ELO score, and league tier.
- To process your subscription payment via Stripe.
- To display your profile to friends you have accepted on the platform (Pro).
- To send you transactional emails (account confirmation, password changes) — we do not send marketing emails unless you explicitly opt in.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:
- Contract performance: processing necessary to provide the service you signed up for (Article 6(1)(b) GDPR).
- Legitimate interests: security logging, fraud prevention (Article 6(1)(f) GDPR).
- Consent: where you have explicitly opted in to optional features or communications.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share data only with:
- Stripe — payment processing. Governed by Stripe's Privacy Policy.
- Railway — our hosting infrastructure provider. They process data solely on our behalf.
All third-party processors are subject to appropriate data processing agreements.
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, all personal data — including your usage history, flashcards, and social connections — is permanently erased from our database within 24 hours. Stripe may retain billing records as required by financial regulations.
7. Your Rights
Depending on your location, you may have the following rights:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: correct inaccurate personal data.
- Right to erasure ("right to be forgotten"): delete your account and all associated data instantly via Settings → Delete Account, or by emailing us.
- Right to data portability: request your data in a machine-readable format.
- Right to object: object to processing based on legitimate interests.
- Right to lodge a complaint: with your local data protection authority (e.g., ICO in the UK, CNIL in France).
To exercise any of these rights, email privacy@neurofeed.app. We will respond within 30 days.
8. California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information is collected and how it is used.
- The right to delete personal information.
- The right to opt out of the sale of personal information. We do not sell personal information.
- The right to non-discrimination for exercising your CCPA rights.
To submit a CCPA request, email privacy@neurofeed.app with the subject line "CCPA Request".
9. Cookies and Local Storage
Neurofeed uses browser localStorage to store your authentication token and local app state. We do not use advertising cookies or third-party tracking cookies. The only data stored in your browser is necessary for the app to function.
10. Security
We take reasonable technical measures to protect your data:
- Passwords are hashed using bcrypt (cost factor 12) — they are never stored in plain text.
- All connections are encrypted in transit using HTTPS/TLS.
- Authentication tokens are signed with a secret key and expire after 30 days.
- Our API is protected against brute-force attacks with rate limiting.
- HTTP security headers are set via Helmet (X-Frame-Options, HSTS, X-Content-Type-Options, etc.).
No system is completely secure. If you discover a security vulnerability, please disclose it responsibly to security@neurofeed.app.
11. Children's Privacy
Neurofeed is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that we have collected such information, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email or via an in-app notice at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
13. Contact
For privacy-related questions or requests:
This policy applies to the Neurofeed web application available at neurofeed.app.