Privacy Policy

How we collect, use, and protect your personal information

Last updated:

1. Introduction

Welcome to NeuroBreath. We are committed to protecting your privacy and handling your personal information with care and transparency.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at https://neurobreath.co.uk and our services.

Who we are: NeuroBreath is currently an initiative and intends to register with Companies House; details will be published once registered.

Our location: Southwark, London, United Kingdom

Contact us: For privacy-related questions, email privacy@neurobreath.co.uk

2. Key Points Summary

  • No health data: We do not collect health data, biometric data, or any sensitive categories of personal data.
  • No email marketing: We do not use your email address for marketing purposes. We do not operate a newsletter or marketing automation.
  • Educational purpose: Educational information only. Not medical advice. No diagnosis. No medical claims.
  • Optional accounts: User accounts are optional. You can use most features without creating an account.
  • Local-first privacy: Progress tracking uses local storage on your device. Optional account sync available.
  • No external tracking: We do not use Google Analytics, Facebook Pixel, or similar third-party tracking services.
  • Your rights: You have full control over your data under UK GDPR.

3. What Data We Collect

3.1 Information You Provide Directly

User Accounts (Optional — UK Region Only)

If you create an account, we collect:

  • Email address (used for login and password reset)
  • Password (stored as a secure hash; we cannot see your actual password)
  • Email verification status
  • Two-factor authentication settings (if enabled by you)

Contact Form

If you contact us via our contact form, we collect:

  • Your name
  • Your email address
  • Your message

Note: Contact form data is sent to us via email and is not stored in our database. We retain your email in our email inbox only as long as necessary to respond to your inquiry.

3.2 Information Collected Automatically

Progress Tracking (Device-Based)

When you use breathing techniques or learning tools, we store progress data including:

  • Device identifier (randomly generated; does not identify you personally)
  • Breathing session details (technique used, duration, number of breaths)
  • Progress statistics (total sessions, streaks, badges earned)
  • Challenge and quest completion status
  • Voice and accessibility preferences

Where is this stored? By default, progress data is stored locally on your device using your browser's localStorage. If you create an account, you can optionally sync this data to our secure database so it's available across devices.

Reading Assessment Data (Dyslexia Tools)

If you use our dyslexia reading training tools, we may store:

  • Reading attempt results (accuracy, speed, errors)
  • Learner placement level
  • Progress through reading exercises

This data is associated with your device ID or user account (if logged in).

Technical Data

Our web server automatically logs:

  • IP address (for security, rate limiting, and region detection)
  • Browser type and version
  • Operating system
  • Pages visited and time spent
  • Referral source (how you found us)

Retention: Technical logs are retained for up to 90 days for security monitoring and troubleshooting, then automatically deleted.

Cookies and Local Storage

We use cookies and localStorage for:

  • Essential cookies: Session management, security, region preference (cannot be disabled)
  • Functional storage: Saving your progress locally, accessibility preferences
  • Consent management: Remembering your cookie choices

See our Cookie Policy for full details.

3.3 What We Do NOT Collect

  • We do not collect health data or biometric data
  • We do not collect sensitive categories of personal data (race, religion, political opinions, etc.)
  • We do not track you across other websites (no cross-site tracking)
  • We do not use third-party advertising networks or tracking pixels
  • We do not use Google Analytics, Facebook Pixel, or similar external trackers

4. How We Use Your Data

We use your personal data only for the following purposes:

4.1 Providing Our Service

  • To enable you to create and access your account
  • To save and sync your progress across devices
  • To provide personalized learning and breathing tools
  • To remember your preferences (voice, accessibility settings)

Lawful basis: Performance of contract (Article 6(1)(b))

4.2 Communication

  • To respond to your inquiries via the contact form
  • To send password reset emails (if you request one)
  • To notify you of important account or security updates (rare)

We do not send marketing emails, newsletters, or promotional content.

Lawful basis: Legitimate interests (Article 6(1)(f)) - responding to inquiries

4.3 Security and Fraud Prevention

  • To protect against spam, abuse, and fraudulent activity
  • To detect and prevent security incidents
  • To enforce our Terms of Service

Lawful basis: Legitimate interests (Article 6(1)(f)) - site functionality and security

4.4 Improvement and Analytics (Future)

Currently, we do not use third-party analytics tools. Our analytics are privacy-focused and stored locally on your device only (no data sent to our servers).

If we introduce server-side analytics in the future, we will:

  • Request your explicit consent via our cookie banner
  • Use privacy-friendly analytics tools (no cross-site tracking)
  • Anonymize or pseudonymize data wherever possible
  • Update this Privacy Policy and notify existing users

Lawful basis (if implemented): Consent (Article 6(1)(a)) - if enabled by user

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5.1 Service Providers

We may share data with trusted service providers who help us operate our service:

  • Hosting provider: Your data is stored on secure servers in the European Economic Area (EEA)
  • Email service: For sending password reset emails and responding to contact form submissions (Resend)
  • Anti-spam service: For protecting our contact form from abuse (Cloudflare Turnstile)

All service providers are contractually required to protect your data and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your data if required by law, including:

  • To comply with a court order, subpoena, or legal process
  • To protect the rights, property, or safety of NeuroBreath, our users, or the public
  • In connection with an investigation of fraud, abuse, or security incidents

5.3 Business Transfers

If NeuroBreath is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you via email and/or a prominent notice on our website before your data is transferred and becomes subject to a different Privacy Policy.

6. International Data Transfers

Data is stored on secure servers in the European Economic Area (EEA). For UK users, data remains subject to UK GDPR.

If we transfer data outside the UK or EEA in the future, we will ensure appropriate safeguards are in place, such as:

  • European Commission-approved Standard Contractual Clauses
  • Adequacy decisions recognizing equivalent data protection standards
  • Other lawful transfer mechanisms under UK GDPR

7. Data Retention

We retain your data only for as long as necessary:

  • User accounts: 2 years of inactivity
  • Progress data: Until deletion requested or 3 years of inactivity
  • Password reset tokens: 1 hour
  • Contact form emails: Email only, not stored in database
  • Technical logs: Up to 90 days

When you delete your account or request data deletion, we will permanently delete your data within 30 days, except where we are required to retain it for legal or regulatory purposes.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

8.1 Right of Access

You can request a copy of all personal data we hold about you. We will provide this free of charge within one month.

8.2 Right to Rectification

You can ask us to correct any inaccurate or incomplete personal data.

8.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data. We will comply unless we have a legal obligation to retain it.

8.4 Right to Restrict Processing

You can ask us to limit how we use your data in certain circumstances.

8.5 Right to Data Portability

You can request your data in a structured, machine-readable format (e.g., JSON) and transfer it to another service.

8.6 Right to Object

You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your rights.

8.7 Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

8.8 How to Exercise Your Rights

To exercise any of these rights, please:

  • Email us at privacy@neurobreath.co.uk
  • Visit our Data Rights page for detailed instructions
  • Include enough information to verify your identity (we may ask for confirmation to prevent fraud)

We will respond within one month. If your request is complex, we may extend this by two additional months.

8.9 Right to Complain

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Helpline: 0303 123 1113

9. Children's Privacy

Our service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@neurobreath.co.uk. We will delete the information promptly.

Note for educators and parents: If you are using NeuroBreath in a school or family setting with children, you are responsible for ensuring appropriate consent and supervision.

10. Security Measures

We take security seriously and implement industry-standard measures to protect your data:

  • Encryption: All data in transit is encrypted using HTTPS/TLS
  • Password security: Passwords are hashed using bcrypt (we cannot see your plaintext password)
  • Access controls: Only authorized personnel can access databases and systems
  • Regular updates: We keep our software and dependencies up to date with security patches
  • Rate limiting: Protection against brute-force attacks and abuse
  • Monitoring: We monitor for suspicious activity and security incidents

No system is 100% secure. If we become aware of a data breach that poses a risk to your rights, we will notify you and the ICO within 72 hours as required by UK GDPR.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

When we make significant changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify registered users via email (if we have your email address)
  • Display a prominent notice on our website

Continued use of our service after changes take effect constitutes acceptance of the updated Privacy Policy.

12. Contact Us

For questions, concerns, or to exercise your data rights, contact us at:

Email: privacy@neurobreath.co.uk
General inquiries: contact@neurobreath.co.uk
Location: Southwark, London, United Kingdom

We aim to respond to all privacy inquiries within 5 business days.

Legal Disclaimer

This Privacy Policy is a best-practice draft and is not legal advice. It has been prepared in good faith based on UK GDPR requirements. NeuroBreath recommends seeking review by a qualified solicitor before relying on this policy for legal compliance purposes.
