Privacy Policy
Last updated: 1 April 2026
1. Introduction
NeuroLeash Ltd (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use Luni (“the Service”). We are the data controller for the purposes of UK GDPR and the Data Protection Act 2018.
2. Data We Collect
Account Data
When you register, we collect your name, email address, organisation name, and authentication credentials. If you sign in via Google OAuth, we receive your Google profile information (name, email, avatar).
Meeting Data
When you use Luni to record meetings, we process audio and video recordings, AI-generated transcripts, summaries, and action items. Meeting metadata includes meeting titles, participant counts, timestamps, and platform information.
Calendar Data
If you connect your calendar, we access your calendar events (titles, times, meeting links, attendee lists) to enable auto-join functionality. We do not access event descriptions or attachments unless necessary for meeting link extraction.
Usage Data
We collect information about how you interact with the Service, including pages visited, features used, browser type, device information, and IP address.
Payment Data
Payment processing is handled by our third-party payment processor. We do not store full credit card numbers. We retain transaction IDs, plan details, and billing history.
3. How We Use Your Data
- Provide, maintain, and improve the Service
- Process and store your meeting recordings and transcripts
- Generate AI-powered summaries and action items
- Manage your account and subscriptions
- Send service-related communications
- Ensure security and prevent fraud
- Comply with legal obligations
4. Legal Basis for Processing
- Contract performance: Processing necessary to provide the Service
- Legitimate interests: Improving the Service, ensuring security
- Consent: Where you have explicitly opted in
- Legal obligation: Where required by applicable law
5. Data Storage and Security
Your data is stored on secure infrastructure provided by Supabase (PostgreSQL) and Amazon Web Services (S3). All data is encrypted at rest (AES-256) and in transit (TLS 1.3). OAuth tokens are encrypted with AES-256-GCM.
6. Data Retention
- Account data: Duration of your account, plus 30 days after deletion
- Recordings and transcripts: According to your plan's storage limit, or until you delete them
- Usage data: Up to 24 months
- Billing data: Up to 7 years as required by tax regulations
7. Data Sharing
We do not sell your personal data. We share data only with service providers (infrastructure, payment processing), within your organisation (team members in your workspace), and when required by law. We do not use your meeting content to train AI models.
8. International Transfers
Your data may be processed in the EEA and the United States. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards including Standard Contractual Clauses.
9. Your Rights
Under UK GDPR, you have the right to access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Contact us at privacy@neuroleash.com. We will respond within 30 days.
10. Cookies
We use essential cookies for authentication and session management. We do not use third-party tracking or advertising cookies.
11. Children's Privacy
The Service is not intended for individuals under 16. We do not knowingly collect personal data from children.
12. Changes to This Policy
Material changes will be communicated via email at least 30 days before they take effect.
13. Contact and Complaints
Email: privacy@neuroleash.com. You may also lodge a complaint with the ICO at ico.org.uk.