⚠️ DRAFT — Pending legal review. Do not treat as legally binding until reviewed by qualified counsel.

Privacy Policy

Last updated: 12 May 2026

1. Who we are

Neuridion ("we", "us") is operated by Neuridion, registered at [TO BE ADDED], Germany. We provide an automated PMS recall search platform for medical device manufacturers operating under EU MDR.

2. What data we collect

  • Account data: email address, full name, company name
  • Device profiles: device names, EMDN codes, intended use descriptions you enter
  • Search data: search queries, date ranges, results, AI filter decisions
  • Generated reports: HTML, PDF and Excel reports stored on our servers
  • Usage data: page views, feature usage, session timestamps (audit log)
  • Technical data: IP address, browser/OS (user-agent), session cookies
  • Billing data: processed by Stripe; we do not store card details

3. Why we process your data

  • To provide and operate the Neuridion platform
  • To generate, store and deliver FSN search reports
  • To manage your account, subscription and billing
  • To send transactional notifications (search completion, account security)
  • To maintain an audit trail required by EU MDR compliance
  • To prevent fraud and abuse (rate limiting, security monitoring)

4. Legal basis

  • Art. 6(1)(b) GDPR — Contract: processing necessary to deliver the service you subscribed to
  • Art. 6(1)(f) GDPR — Legitimate interest: security monitoring, fraud prevention, improving service reliability
  • Art. 6(1)(a) GDPR — Consent: optional analytics cookies (only where you have accepted)
  • Art. 6(1)(c) GDPR — Legal obligation: audit trail retention for regulatory compliance obligations

5. Who we share data with

  • Supabase (EU region): database and authentication infrastructure
  • Anthropic (US): AI filtering of FSN content — see Section 8 for international transfers
  • PDFShift (FR): PDF report generation
  • Render (US): application hosting — see Section 8
  • Stripe (US): payment processing — see Section 8
  • Resend (US): transactional email delivery
  • Upstash (US): rate limiting infrastructure — see Section 8

We do not sell your data to third parties.

6. Data retention

  • Search runs & reports: retained for the lifetime of your account plus 10 years after account closure (EU MDR Art. 83 PMS audit trail requirement)
  • Account data: deleted within 30 days of account deletion request, subject to the retention period above
  • Audit logs: retained for 5 years after creation
  • Marketing communications: until consent is withdrawn

7. Your rights (GDPR)

Under GDPR you have the right to:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate data
  • Erasure: request deletion ("right to be forgotten")
  • Portability: receive your data in machine-readable format
  • Objection: object to processing based on legitimate interest
  • Restriction: request restricted processing in certain circumstances
  • Complaint: lodge a complaint with your supervisory authority — in Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)

To exercise your rights, use the account settings page or contact us at info@neuridion.eu.

8. International transfers

Some of our sub-processors are based outside the EU/EEA. Where personal data is transferred to the US (Anthropic, Render, Stripe, Resend, Upstash), we rely on the EU Standard Contractual Clauses (SCCs) as the transfer mechanism under Art. 46 GDPR. Anthropic processes FSN text content only; no special category data is transmitted.

9. Cookies

We use essential cookies required to authenticate your session. Optional analytics cookies are only set if you consent via the cookie banner. You can withdraw cookie consent at any time via the "Manage cookies" link in the footer.

Cookie                   | Provider              | Purpose                         | Duration   | Type
-------------------------|-----------------------|---------------------------------|------------|----------
sb-*-auth-token          | Supabase (1st party)  | Authentication session JWT      | Session    | Essential
sb-*-auth-token.0/.1     | Supabase (1st party)  | Chunked auth token (large JWTs) | Session    | Essential
__stripe_mid             | Stripe (3rd party)    | Fraud prevention identifier     | 1 year     | Essential
__stripe_sid             | Stripe (3rd party)    | Fraud prevention session        | 30 minutes | Essential
neuridion_cookie_consent | Neuridion (1st party) | Stores your cookie preference   | 1 year     | Essential

No third-party tracking, marketing, or advertising cookies are used.

10. Automated decision-making (Art. 22 GDPR)

Neuridion uses AI to classify Field Safety Notices as "relevant", "uncertain", or "excluded" relative to your device profile. This constitutes automated processing but does not produce legal or similarly significant effects on individuals — it classifies publicly available regulatory notices, not personal data.

All AI classifications are advisory and require human review (PRRC sign-off) before inclusion in regulatory documentation. You may opt out of AI processing entirely in Settings > Privacy. For full details on our AI system, see the AI Transparency page.

11. Data Protection Officer

Based on our current processing activities and scale, a Data Protection Officer (DPO) has not been formally appointed under Art. 37 GDPR. We keep this assessment under review as our organisation grows. For all data protection inquiries, please contact us at info@neuridion.eu.

12. Contact

Data controller: Neuridion
Email: info@neuridion.eu
Address: [TO BE ADDED]