Privacy Policy (US)

1. Introduction

Welcome to NeuroBreath. This Privacy Policy explains how we collect, use, and protect your personal information when you use our website at https://neurobreath.co.uk.

About us: NeuroBreath is currently an initiative and intends to register with Companies House; details will be published once registered. We are based in the UK but welcome users from the United States.

Your privacy matters: We are committed to transparency and giving you control over your personal data.

Contact us: privacy@neurobreath.co.uk

2. Key Points

• No health data: We do not collect health data, biometric data, or any sensitive categories of personal data.
• No email marketing: We do not use your email address for marketing purposes. We do not operate a newsletter or marketing automation.
• Educational purpose: Educational information only. Not medical advice. No diagnosis. No medical claims.
• We do not sell your personal information
• We do not share your data for cross-context behavioral advertising
• No external tracking: We do not use Google Analytics, Facebook Pixel, or third-party trackers
• Local-first privacy: Progress tracking uses local storage on your device
• Your rights: You have rights under US state privacy laws (CCPA/CPRA, etc.)

3. Information We Collect

3.1 Information You Provide

User Accounts (Optional — UK users only):

Currently, user accounts are only available for UK users. US users can use all core features without creating an account.

Contact Form:

• Name, email, message (sent via email; not stored in our database)

3.2 Information Collected Automatically

Progress Tracking (Local Storage):

• Device identifier (randomly generated)
• Breathing session history (technique, duration, breaths)
• Progress stats (sessions, streaks, badges)
• Voice and preference settings

Stored where? By default, on your device's browser localStorage. No server upload unless you create an account and opt in to sync.

Technical Data:

• IP address (for security, rate limiting)
• Browser type, operating system
• Pages visited, referral source

Retention: Technical logs retained for up to 90 days, then deleted.

3.3 Cookies and Local Storage

• Essential cookies: Session, region preference (required for functionality)
• Functional storage: Progress tracking (optional; can be disabled via cookie settings)

See our Cookie Policy for details.

3.4 What We Do NOT Collect

• Health data or biometric data
• Sensitive personal information (race, religion, political views, etc.)
• Cross-site tracking data
• Social Security Numbers or financial information

4. How We Use Your Information

• Provide our service: Enable breathing techniques, save progress, remember preferences
• Communication: Respond to contact form inquiries
• Security: Protect against spam, abuse, fraud
• Analytics (future): If we add analytics, we will request consent

5. Do We Sell or Share Your Personal Information?

NO. We do not sell your personal information. We do not share your information for cross-context behavioral advertising.

5.1 Service Providers

We share limited data with trusted service providers:

• Hosting: Servers in the European Economic Area (EEA)
• Email service: Resend (for contact form responses, password resets)
• Anti-spam: Cloudflare Turnstile (contact form protection)

Service providers are contractually obligated to protect your data.

5.2 Legal Requirements

We may disclose data if required by law (court orders, subpoenas) or to protect safety and security.

6. Data Retention

• Progress data: Until deletion requested or 3 years of inactivity
• Contact form: Email only, not stored in database
• Technical logs: 90 days

7. Your Privacy Rights (US State Laws)

Under laws like the California Consumer Privacy Act (CCPA/CPRA), Virginia CDPA, Colorado CPA, and others, you may have the following rights:

• Right to know: Request details about what personal information we collect, use, and share
• Right to delete: Request deletion of your personal information
• Right to correct: Request correction of inaccurate data
• Right to opt out of sale: We do not sell data, so this does not apply
• Right to opt out of targeted advertising: We do not serve targeted ads
• Right to limit use of sensitive data: We do not collect sensitive personal information
• Right to non-discrimination: We will not discriminate against you for exercising your rights

How to exercise your rights: See our Privacy Rights page or email privacy@neurobreath.co.uk.

8. Children's Privacy (COPPA)

Our service is not intended for children under 13. We do not knowingly collect personal information from children under 13.

If you believe a child has provided us with personal information, contact us at privacy@neurobreath.co.uk and we will delete it promptly.

9. Security

We implement industry-standard security measures:

• HTTPS/TLS encryption for data in transit
• Secure password hashing (bcrypt)
• Access controls and monitoring
• Regular security updates

No system is 100% secure. We will notify you of data breaches as required by applicable law.

10. International Data Transfers

NeuroBreath is based in the UK. Data may be stored on servers in the European Economic Area (EEA). By using our service from the US, you consent to the transfer of your data to the UK/EEA.

We implement appropriate safeguards to protect your data during international transfers.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make significant changes:

• We will update the "Last Updated" date
• We will display a prominent notice on our website

Continued use of our service after changes constitutes acceptance.

12. Contact Us

For privacy questions or to exercise your rights:

Email: privacy@neurobreath.co.uk
Location: Southwark, London, United Kingdom

We aim to respond within 5 business days.