Privacy Policy.

1. Introduction

Neural Roots AI ("Neural Roots," "we," "us," or "our") operates neuralroots.ai and provides AI-powered services and engineering solutions for the healthcare, insurance, pharmacy benefit management (PBM), maritime fleet management, and professional services verticals. We are committed to protecting your privacy and handling your personal data with transparency, security, and accountability.

This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you (a) visit our website, (b) subscribe to our newsletter, (c) contact us through our website forms, (d) request a demo, or (e) use our products and platforms. By using our website or services, or submitting your information to us, you acknowledge that you have read and understood this Privacy Policy.

This Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the US CAN-SPAM Act of 2003, Canada's Anti-Spam Legislation (CASL) and PIPEDA, the Digital Personal Data Protection Act, 2023 (India), and the Health Insurance Portability and Accountability Act (HIPAA) where applicable.

2. Scope

This Policy applies to all personal data we process through:

• Our websites, including neuralroots.ai and any subdomains
• Our newsletter and email marketing programs
• Our "Contact Us" and "Book a Demo" forms
• Our products, including Gryphon Rx, Harbor Lynx/FleetWatch, ANDY/ALEX, and our Universal Document Intelligence Platform (UDIP)
• Sales outreach, events, and webinars
• Customer support and professional services engagements

3. Information We Collect

3.1 Information You Provide Directly

Newsletter Subscriptions. When you subscribe to our newsletter or marketing communications, we collect: your name, email address, job title (optional), company name (optional), country (optional), and the topics you have opted in to receive. We also record the date and time of your consent, your IP address at the time of signup, the version of the consent text you accepted, and the form or source through which you subscribed, to maintain a verifiable record of consent as required by GDPR Article 7(1).

Contact Us & Demo Request Forms. When you submit our Contact Us form, Book a Demo form, or otherwise reach out, we collect: your name, business email address, phone number (optional), company name, job title, country, the message or inquiry you submit, and any attachments you provide. We use this information only to respond to your inquiry and, if you separately consent, to send you related marketing communications.

Account Registration & Product Use. When you register for a Neural Roots product or platform, we collect: name, business email, company, job title, billing address, authentication credentials, and any business documents or operational data you upload for processing (such as tax forms, insurance documents, pharmacy benefit records, vessel telemetry, or coaching session inputs).

Payment Information. Billing details are processed through PCI-DSS-compliant third-party payment processors. We do not store full credit card numbers on our systems.

3.2 Information Collected Automatically

• Usage data: IP address, browser type and version, device type, operating system, referring URL, pages viewed, clickstream data, and timestamps
• Cookies and similar technologies: First- and third-party cookies, pixels, web beacons, and SDKs (see Section 11)
• Email engagement: If you receive our marketing emails, we use tracking pixels and link tracking to record whether you opened the email, which links you clicked, and aggregate device or location information
• Product telemetry: Upload timestamps, document types, processing status, accuracy scores, and workflow events generated through your use of our platforms

3.3 Information from Third Parties

• Integration partners: Data you authorize us to access from QuickBooks, TaxWise, Dentrix, AIS data providers, calendaring tools, and similar systems
• Authentication providers: Identity data from Auth0 and similar single sign-on providers
• Sales and prospecting tools: Business contact information from Apollo, LinkedIn Sales Navigator, and similar B2B data providers, used solely for legitimate B2B outreach and CRM enrichment under GDPR Article 6(1)(f) (legitimate interests). You can opt out at any time
• Public sources: Publicly available business information from company websites, press releases, and professional directories

4. How We Use Your Information

4.1 To Provide and Operate Our Services

• Process documents using OCR, machine learning, and generative AI
• Provide voice AI services, fleet tracking, executive coaching AI, and document intelligence
• Enable Human-in-the-Loop (HITL) review and quality assurance
• Integrate with your authorized third-party systems
• Authenticate users and secure your account

4.2 To Communicate With You

• Respond to Contact Us inquiries and demo requests
• Send transactional and service-related messages, including security alerts, billing notices, and product updates
• Send newsletter and marketing communications, but only where you have given prior, affirmative consent (in jurisdictions requiring opt-in) or have not opted out (in jurisdictions permitting opt-out marketing)

4.3 To Improve Our Services

• Analyze usage and performance to enhance our products
• Train and refine AI models using aggregated and de-identified data where permitted by your contract and applicable law
• Conduct A/B testing, security monitoring, and fraud prevention

4.4 For Sales, Marketing, and Business Development

• Personalize content recommendations and case studies
• Conduct B2B outreach to business contacts based on legitimate interest, subject to opt-out rights
• Run events, webinars, and account-based marketing programs

4.5 For Legal and Compliance Purposes

• Comply with tax, accounting, and regulatory obligations
• Enforce our Terms of Service and protect our rights
• Investigate fraud, abuse, or security incidents

5. Legal Bases for Processing (GDPR, UK GDPR, India DPDP)

Where GDPR, UK GDPR, or India's Digital Personal Data Protection Act, 2023 applies, we rely on the following legal bases:

• Consent (Art. 6(1)(a)): for newsletter subscriptions, optional cookies, sensitive data, and other clearly identified opt-in activities. You may withdraw consent at any time
• Contract performance (Art. 6(1)(b)): to deliver services you have subscribed to, including responding to demo requests and providing products
• Legitimate interests (Art. 6(1)(f)): for B2B sales outreach to business contacts, security monitoring, fraud prevention, network defense, and product improvement. We balance these interests against your rights and provide opt-out mechanisms
• Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, HIPAA, and other regulatory requirements
• Vital interests and public interest: in rare circumstances involving health or safety

6. Newsletter, Email Marketing & CAN-SPAM / CASL Compliance

Our marketing emails are designed to comply with the CAN-SPAM Act (US), CASL (Canada), GDPR / UK GDPR, and applicable US state laws.

6.1 How We Obtain Consent

We use an affirmative opt-in mechanism for all newsletter subscriptions. Pre-checked boxes are never used. For EEA, UK, and Canadian residents, and wherever required by law, we use a double opt-in process: after submitting the signup form, you receive a confirmation email and must click a verification link before any marketing email is sent. We record and retain proof of consent (timestamp, IP, form version, and consent text) for the duration of the subscription plus 24 months.

6.2 What We Send

Subscribers may receive: company updates, product announcements, industry research and thought leadership (including content on RLHF, voice AI, document intelligence, and maritime fleet operations), case studies, event invitations, and curated newsletter content such as The SMB Leader's Edge. Frequency typically ranges from weekly to monthly. You can update your preferences at any time.

6.3 CAN-SPAM Disclosures

Every marketing email we send includes: (a) a truthful "From," "To," and routing header that identifies Neural Roots AI as the sender; (b) a non-deceptive subject line; (c) clear identification of the message as commercial (where required); (d) our valid physical postal address; and (e) a conspicuous, working unsubscribe link.

6.4 Unsubscribing

You may unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email, replying with "UNSUBSCRIBE," or emailing privacy@neuralroots.ai. We honor unsubscribe requests within 10 business days as required by CAN-SPAM, and immediately where feasible. Unsubscribing from marketing does not affect transactional, service, or legal compliance emails related to your account.

6.5 CASL (Canada)

For recipients in Canada, we rely on express consent prior to sending commercial electronic messages, except where implied consent is permitted (for example, an existing business relationship within the past 24 months). We include identification, contact information, and an unsubscribe mechanism in every commercial electronic message.

7. "Contact Us" and Demo Request Forms

Information you submit through our Contact Us, Book a Demo, or partner inquiry forms is used solely to respond to your request, qualify your inquiry, and where applicable, set up a meeting with our sales or solutions team. We do not automatically add Contact Us submitters to our newsletter list. You will only receive marketing communications if you separately and affirmatively opt in. Contact form data is retained for up to 24 months after the last interaction, then deleted or anonymized, unless a contractual or legal obligation requires longer retention.

8. Data Sharing and Disclosure

We do not sell your personal data. We share personal data only as described below.

8.1 Service Providers (Sub-Processors)

We share data with vetted third-party vendors who process data on our behalf under written Data Processing Agreements, including:

• Cloud infrastructure & AI: Google Cloud Platform (Document AI, Gemini, Vertex AI, Cloud Storage), Microsoft Azure, Amazon Web Services
• LLM and voice AI providers: Anthropic, OpenAI, Google (Gemini), ElevenLabs, Bland AI, Retell AI
• Authentication: Auth0
• Email and communications: SendGrid, Twilio, HubSpot, Salesforce Marketing Cloud
• Analytics and marketing: Google Analytics, Meta Pixel, LinkedIn Insight Tag, Apollo
• Payment processing: Stripe and similar PCI-DSS-compliant processors

A current list of our sub-processors is available on request to privacy@neuralroots.ai.

8.2 Business Transfers

In the event of a merger, acquisition, financing, or sale of assets, personal data may be transferred to the acquiring entity. We will notify affected individuals where required by law.

8.3 Legal Disclosures

We may disclose personal data to comply with legal obligations, court orders, valid government requests, or to protect the rights, property, or safety of Neural Roots, our users, or the public.

8.4 With Your Consent or at Your Direction

We share data with third parties when you explicitly authorize integrations or instruct us to do so.

9. International Data Transfers

Neural Roots operates across the United States, United Kingdom, and India. Personal data may be transferred to, and processed in, countries other than your country of residence, including the US and India. Where personal data is transferred from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of protection, we rely on appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office (UK IDTA / Addendum)
• Adherence by relevant US sub-processors to the EU-US Data Privacy Framework (DPF), the UK Extension to the DPF, and the Swiss-US DPF where they self-certify
• Supplementary technical and organizational measures, including encryption and access controls

10. Data Retention

• Newsletter subscribers: Retained while your subscription is active and for 24 months after unsubscribe (for suppression-list and consent-proof purposes), then deleted
• Contact Us / Demo data: Up to 24 months after last interaction, then deleted or anonymized
• Active customer data: For the duration of your subscription plus 90 days
• Processed business documents: Up to 7 years (or longer where required by tax, HIPAA, or sector regulation)
• Account information: Up to 3 years after account closure for legal and audit purposes
• Consent records: For the duration of the relationship plus any applicable statute of limitations

You may request earlier deletion subject to legal retention requirements (see Section 12).

11. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

• Strictly necessary: Required for authentication, session management, and core site functionality. These cannot be disabled
• Performance and analytics: Google Analytics and similar tools that help us understand site usage. Set only after consent in jurisdictions requiring opt-in
• Marketing and advertising: Meta Pixel, LinkedIn Insight Tag, and Apollo tracking — used to measure campaign performance and deliver relevant content. Opt-in required where mandated by law

You can manage your preferences via our cookie banner and your browser settings. Disabling non-essential cookies will not affect access to our services. We honor Global Privacy Control (GPC) signals as an opt-out of "sale" or "sharing" under CCPA/CPRA.

12. Your Privacy Rights

12.1 Rights for All Users

12.2 Additional Rights for EEA, UK, and Swiss Residents (GDPR / UK GDPR)

• Restriction of processing: Ask us to limit how we use your data
• Objection: Object to processing based on legitimate interests or direct marketing
• Withdrawal of consent: Where processing is based on consent, you may withdraw at any time without affecting prior processing
• Rights related to automated decision-making: Where we use automated decision-making with legal or similarly significant effects (see Section 14), you have the right to human review, to express your point of view, and to contest the decision
• Lodge a complaint: With your local data protection authority. For Ireland, this is the Data Protection Commission (dataprotection.ie). For the UK, the ICO (ico.org.uk)

12.3 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the right to: (i) know what categories and specific pieces of personal information we collect, use, disclose, and (if applicable) sell or share; (ii) request deletion; (iii) request correction; (iv) opt out of any sale or sharing of personal information for cross-context behavioral advertising; (v) limit the use and disclosure of sensitive personal information; and (vi) not be discriminated against for exercising your rights.

We do not sell your personal information as defined by CCPA/CPRA and we do not knowingly sell or share personal information of consumers under 16 years of age. To the extent that our use of third-party advertising cookies may constitute "sharing" under CPRA, you may opt out via our cookie banner or by sending a verified request to privacy@neuralroots.ai. We honor Global Privacy Control (GPC) signals.

Categories of personal information we have collected in the prior 12 months include: identifiers (name, email, IP); commercial information; internet or other electronic network activity; professional or employment-related information; and inferences drawn from the foregoing.

You may designate an authorized agent to make requests on your behalf. We will verify the identity of the requestor and the agent's authority before fulfilling the request.

12.4 Rights for Indian Residents (DPDP Act, 2023)

If you are a Data Principal under India's Digital Personal Data Protection Act, 2023, you have the right to: (i) obtain confirmation and a summary of the personal data we process; (ii) request correction, completion, updating, and erasure; (iii) nominate another individual to exercise rights in case of death or incapacity; and (iv) grievance redressal through our Grievance Officer (Section 16).

12.5 How to Exercise Your Rights

13. Data Security

We implement industry-standard administrative, technical, and physical safeguards, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access control and multi-factor authentication for internal systems
• Cloud infrastructure on Google Cloud Platform, Microsoft Azure, and AWS (SOC 2 Type II, ISO 27001)
• Audit logging, intrusion detection, and regular security assessments including penetration testing
• Vendor risk management and Data Processing Agreements with all sub-processors
• Employee training on data protection and confidentiality

Data breach notification. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33, and notify affected individuals without undue delay where the breach is likely to result in a high risk.

14. Automated Decision-Making and AI Processing

Our products use machine learning and large language models to classify documents, extract data, score quality, generate coaching feedback, and route calls. In most cases, output is reviewed by a human (HITL) before any action that produces a legal or similarly significant effect on an individual. Where any fully automated decision could have such an effect, we will inform affected individuals and, where required by GDPR Article 22 or comparable law, provide the right to human intervention, to express their point of view, and to contest the decision.

15. Children's Privacy

Our website and services are directed to business users and are not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, contact privacy@neuralroots.ai for immediate deletion.

16. Contact, Privacy Officer, and Grievance Redressal

Privacy questions, data subject requests, complaints, and security concerns may be directed to:

We aim to respond to all privacy inquiries within 30 days.

17. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in our services, technologies, legal requirements, or business practices. Material changes will be communicated via email to registered users, prominent notice on our website, and an updated "Last Updated" date. Continued use of our services after the effective date of an updated Policy constitutes acceptance of the changes.