1. Data Controller
The Data Controller of the personal data covered by this Privacy Policy for NeuralTask (the "App") is:
- Alessandro Di Giusto
- Privacy email: neuraltask@alessandrodigiusto.it
2. Scope
This Privacy Policy describes how NeuralTask processes personal data in relation to: (i) use of the App and its features, and (ii) the optional newsletter subscription on neuraltask.app. It is intended to reflect a local-first architecture for user content and is provided in compliance with Regulation (EU) 2016/679 (GDPR), Apple platform requirements (including App Tracking Transparency), and other applicable law.
3. Personal Data Processed
3.1 User content processed locally on the device (no access by the Controller)
NeuralTask is designed so that user content generated inside the App is handled locally on the user's device. The Controller does not have access to this content and does not store it on the Controller's servers.
This includes, for example:
- tasks, projects, notes, and preferences created in the App;
- conversations with the Coach feature inside the App;
- Apple Calendar appointments/events managed by the App;
- Apple Reminders managed by the App.
This corresponds to User-Generated Content in App Store privacy categories (for example tasks and text input), primarily processed locally for app functionality.
3.2 Technical data and pseudonymous app identifiers
We may process technical data strictly necessary for app operation, security, service integrity, and measured service improvement. This may include the following App Store privacy data categories:
- User ID: app-generated pseudonymous identifiers (for example installation UUID and, where account features are active, Firebase Auth user identifiers).
- Device ID: technical device/app identifiers (including Advertising ID/IDFA where permitted), installation identifiers, and security logs required for operation and fraud prevention.
- Product Interaction: in-app interaction events used for analytics and product improvement through configured analytics services.
- Search History: in-app search queries and related interaction metadata, where search features are used.
- Advertising Data: ad request/response signals, impressions, reward-validation metadata, and anti-fraud signals for AdMob rewarded ads.
- Analytics Data: usage and engagement metrics processed via Firebase Analytics.
- Crash and Performance Data: crash diagnostics and performance/stability signals processed via Firebase Crashlytics.
- IP address and technical security events where generated by integrated infrastructure/services.
The app-generated Firebase/installation UUID used by NeuralTask is a pseudonymous identifier: it is not intended to directly identify the user by name, but it may still be considered personal data under GDPR when it can be linked to an app installation, device, or related records.
For advertising consent flows, NeuralTask uses Google User Messaging Platform (UMP) where required by law. The Advertising Identifier (IDFA) is used for AdMob personalization only if: (i) the applicable UMP consent flow makes personalized ads eligible, and (ii) the user authorizes Apple App Tracking Transparency (ATT).
If consent is not granted, consent signals are ambiguous/unavailable, or ATT is denied/restricted/not authorized, NeuralTask requests non-personalized ads (NPA) and does not use the IDFA for advertising personalization.
No tracking for advertising (cross-app or cross-website via IDFA) occurs unless the user has granted ATT permission.
Apple App Privacy mapping (summary):
- Used for Tracking (only with ATT authorization): Device ID (IDFA) and Advertising Data for personalized advertising measurement/delivery via AdMob, where applicable.
- Linked to user or app installation context: User ID, Device ID (non-IDFA technical identifiers), Product Interaction, Search History, Advertising Data for rewarded-ad validation/fraud controls, and Crash & Performance diagnostics.
- Not linked to the user (where technically processed that way): aggregated or de-identified analytics/performance reporting that does not include IDFA-based tracking.
NeuralTask does not use Health or Location permissions for advertising personalization or tracking.
3.3 NeuralCoin and transaction data (Firebase)
To manage the balance and movements of NeuralCoin, NeuralTask stores in Firebase only the data necessary for this purpose, associated with the app-generated UUID, for example:
- NeuralCoin balance and movement history (credit/spending);
- reason for spending/credit (e.g., AI features, tasks, reward ads);
- technical transaction/validation identifiers and related timestamps;
- anti-fraud and consistency checks related to NeuralCoin operations.
No task/project content, Coach conversations, Apple Calendar data, or Apple Reminders content is stored by the Controller in Firebase.
For in-app purchases (NeuralCoin packages):
- payments are processed by Apple (App Store / StoreKit);
- NeuralTask may receive and process transaction metadata (e.g., transactionId, productId, validation status, timestamp) to verify and correctly credit NeuralCoin;
- NeuralTask does not directly collect payment card data.
3.4 Newsletter data (website: neuraltask.app)
If a user voluntarily subscribes to the newsletter on neuraltask.app, the Controller may process and store in Firebase:
- the email address provided by the user;
- newsletter subscription status/preferences and related technical metadata required to manage the subscription and legal compliance.
Each newsletter email includes links that allow the recipient to unsubscribe and/or request email deletion, in line with applicable European privacy requirements.
The website may also generate standard technical/server logs (for example IP address, user-agent, timestamps, and request metadata) for security, abuse prevention, and operational reliability. Unless explicitly stated otherwise in a dedicated website notice/banner, the website is not intended to use profiling cookies for newsletter subscription purposes.
3.5 Apple system services / permissions (if enabled by the user)
If the user grants specific permissions, NeuralTask may interact with device features and Apple services, for example:
- Calendar;
- Reminders;
- Notifications;
- Health / Fitness (HealthKit), if the user enables related features (e.g., routine or workout insights);
- Location (including Visits and geocoding/POI classification with Apple services), if the user enables smart insights or other location-based features.
Such data are used only to provide the requested feature. As stated above, the Controller does not access or centrally store the user's personal content created/managed through these integrations.
These permissions are used to provide app functionality only and are not used for advertising or tracking. This functionality is distinct from tracking for advertising (IDFA).
Location/Health insights remain on-device; we do not send GPS coordinates to our backend AI/Firebase.
Where location insights require geocoding or POI classification, NeuralTask may use Apple system services (e.g., CLGeocoder / MKLocalSearch), which may involve transmitting coordinates to Apple for that purpose.
3.6 Future backup/account feature (not active unless expressly implemented)
If NeuralTask introduces a future backup/account feature, user personal content (including tasks, projects, Coach conversations, Apple Calendar appointments managed by the App, and Apple Reminders managed by the App) will be encrypted and stored in the user's personal drive/storage. The feature is intended so that no one other than the user can access that backup content.
4. Purposes of Processing and Legal Bases (GDPR)
We process data for the following purposes:
A. Provision of the App's main features (local-first functionality)
Examples:
- task/project management performed locally on the device;
- organization and customization of the user workflow;
- local management of Coach conversations;
- integration with Apple Calendar and Apple Reminders where authorized by the user.
Legal basis: performance of a contract / provision of the requested service (Art. 6.1.b GDPR). Many of these operations occur locally on the user's device and are not accessible to the Controller.
B. Management of NeuralCoin balances, validations, and transactions
Examples:
- crediting/spending NeuralCoin associated with the app-generated UUID;
- validation of in-app purchases and reward ads;
- prevention of fraud, abuse, and duplicate claims related to NeuralCoin operations.
Legal basis: performance of the contract (Art. 6.1.b GDPR) and the Controller's legitimate interest in service security and integrity (Art. 6.1.f GDPR).
C. Delivery of Rewarded Ads (Google AdMob)
Examples:
- showing reward ads to credit NeuralCoin;
- managing ad consent in territories where required;
- measurement and prevention of advertising fraud.
Legal basis: consent (Art. 6.1.a GDPR), where required by applicable law (e.g., EEA/UK for ads and advertising identifiers); in other cases, legitimate interest/technical necessity in compliance with applicable law.
For rewarded ads, NeuralTask applies a gated advertising flow: (1) Google User Messaging Platform (UMP) consent evaluation/presentation where required, (2) Apple App Tracking Transparency (ATT) request only when personalization is a candidate, (3) AdMob start/initialization, and then (4) ad preload and delivery.
If consent does not support personalization, if ATT is not authorized, or if consent signals are unavailable/ambiguous (including missing or unusable TCF consent signals/keys), NeuralTask uses a compliance-first fallback to non-personalized advertising (NPA).
Non-personalized ads may still use limited information for ad delivery, frequency capping, fraud prevention, security, and aggregated reporting/measurement, subject to applicable law and provider policies.
Without ATT authorization, NeuralTask does not use IDFA, does not enable tracking for advertising personalization, and serves non-personalized/limited-personalization ads only.
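As an added illustration of the gated flow described in this section (a model written for this policy text, not NeuralTask's own code), the decision logic below orders UMP consent, the ATT prompt and the ad request, and falls back to non-personalized ads whenever consent signals are declined, missing or unusable. The TCF purposes checked (1, 3, 4), the IABTCF_PurposeConsents-style '0'/'1' string, and the "npa" request extra are assumptions made for this example.

```python
"""Consent-gated ad request decision modelled on the flow in section 4.C:
UMP consent -> ATT (only if personalization is a candidate) -> AdMob request,
with a compliance-first fallback to non-personalized ads (NPA).

Illustrative model only; not the App's code. TCF signals are simplified to an
IABTCF_PurposeConsents-style '0'/'1' string, and the purposes required for
personalization (1, 3, 4) are an assumption for this example."""
from enum import Enum
from typing import Optional


class UmpStatus(Enum):
    UNKNOWN = "unknown"              # consent information not yet fetched
    REQUIRED = "required"            # consent form must be shown, not yet answered
    NOT_REQUIRED = "not_required"    # no form applies (e.g. user outside EEA/UK)
    OBTAINED = "obtained"            # user answered the consent form


class AttStatus(Enum):
    NOT_DETERMINED = "not_determined"
    RESTRICTED = "restricted"
    DENIED = "denied"
    AUTHORIZED = "authorized"


class AdMode(Enum):
    HOLD = "hold"                    # consent flow still pending: no ad request yet
    NPA = "non_personalized"
    PERSONALIZED = "personalized"


PERSONALIZATION_PURPOSES = (1, 3, 4)  # assumption: storage, build profile, select ads


def tcf_allows_personalization(purpose_consents: Optional[str]) -> Optional[bool]:
    """True/False from a usable purpose-consent string; None when the signal is
    missing or malformed (the 'ambiguous/unavailable' case in the policy)."""
    if not purpose_consents or set(purpose_consents) - {"0", "1"}:
        return None
    try:
        return all(purpose_consents[p - 1] == "1" for p in PERSONALIZATION_PURPOSES)
    except IndexError:
        return None  # string too short to carry the purposes we need


def personalization_candidate(ump: UmpStatus, purpose_consents: Optional[str]) -> bool:
    """Step 1 outcome: is personalized advertising even a candidate?"""
    if ump is UmpStatus.NOT_REQUIRED:
        return True   # no consent form applies, so ATT alone decides
    if ump is UmpStatus.OBTAINED:
        return tcf_allows_personalization(purpose_consents) is True
    return False      # UNKNOWN / REQUIRED: nothing usable to personalize on


def should_request_att(ump: UmpStatus, purpose_consents: Optional[str]) -> bool:
    """Step 2: prompt ATT only when personalization is a candidate."""
    return personalization_candidate(ump, purpose_consents)


def resolve_ad_mode(ump: UmpStatus, purpose_consents: Optional[str],
                    att: Optional[AttStatus]) -> AdMode:
    """Steps 3-4: decide how the AdMob request is made."""
    if ump in (UmpStatus.UNKNOWN, UmpStatus.REQUIRED):
        return AdMode.HOLD
    if not personalization_candidate(ump, purpose_consents):
        return AdMode.NPA          # declined, missing or unusable consent signals
    if att is AttStatus.AUTHORIZED:
        return AdMode.PERSONALIZED
    return AdMode.NPA              # ATT is the final gate; closed means NPA


def request_extras(mode: AdMode) -> dict:
    """Extras attached to the ad request; the 'npa': '1' flag is assumed here
    from Google's non-personalized-ads documentation."""
    return {"npa": "1"} if mode is AdMode.NPA else {}
```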
D. Analytics, crash diagnostics, and performance monitoring
Examples:
- measuring product interaction and engagement trends to improve reliability and UX;
- collecting app crash diagnostics and performance metrics to detect and fix errors;
- monitoring service health and release quality over time.
Legal basis: legitimate interest (Art. 6.1.f GDPR) for security/reliability and service improvement, and consent where required by applicable law or platform requirements.
E. Newsletter subscription and communications (neuraltask.app)
Examples:
- sending newsletter emails to users who voluntarily subscribed on the website;
- processing unsubscribe and email deletion requests through links included in newsletter emails;
- maintaining records necessary to manage newsletter preferences and compliance.
Legal basis: consent (Art. 6.1.a GDPR). Consent may be withdrawn at any time through the links provided in each newsletter email.
F. Security, abuse prevention, and service continuity
Examples:
- technical logs, anti-fraud checks, transaction verification, and infrastructure protection related to backend services (including Firebase and ad/reward validation).
Legal basis: legitimate interest (Art. 6.1.f GDPR) and/or legal obligations (Art. 6.1.c GDPR).
G. Legal, tax, and accounting compliance
Examples:
- retention obligations for records/transactions, where applicable.
Legal basis: legal obligation (Art. 6.1.c GDPR).
5. Third-Party Services Used
NeuralTask uses third-party services that may process personal data on behalf of the Controller (processor/service provider role) and/or as independent controllers for specific purposes, depending on the service, product configuration, and applicable contractual terms.
In particular, Google services (including AdMob and Firebase) may act as independent controllers for certain activities such as ad delivery, measurement, and fraud prevention under Google's own policies, while also acting as processors/service providers for certain configured services where applicable.
Useful references: Google Privacy Policy, Google Mobile Ads / AdMob Privacy Guidance, Firebase Privacy and Security, and Firebase Crashlytics Documentation.
5.1 Google AdMob (Rewarded Ads)
Used to:
- deliver reward ads (e.g., to obtain NeuralCoin);
- measure and secure advertising traffic;
- manage advertising consent in countries where required.
Data involved (examples):
- advertising/device identifiers (where permitted);
- technical ad delivery data;
- anti-fraud signals and reward confirmations.
Consent & personalization: where required by law, users may be presented with advertising consent choices through UMP (including personalized and non-personalized ads, where applicable). NeuralTask requests ATT only when the UMP outcome makes personalized advertising a candidate. If ATT is denied/restricted/not authorized, NeuralTask requests non-personalized ads and/or ads with limited personalization.
Non-personalized ads may still involve limited information processing for ad delivery, frequency capping, fraud prevention, security, and reporting/measurement, according to applicable law and Google policies.
IDFA is accessed only after ATT authorization. If ATT is not authorized, the app serves non-personalized or limited-personalization ads only and does not perform tracking for advertising purposes.
We do not use Health or Location data for advertising personalization.
5.2 Firebase (Google) - backend records, pseudonymous IDs, NeuralCoin data, and optional newsletter email
Used to:
- store NeuralCoin balances and transaction/validation data associated with an app-generated UUID;
- support backend integrity/security checks related to NeuralCoin and service operations;
- store the email address voluntarily provided by the user on neuraltask.app for newsletter purposes (if submitted by the user).
Data involved (examples):
- app-generated pseudonymous UUID (not directly attributable by the Controller to the natural person using the App);
- NeuralCoin balance, transaction, validation, and anti-fraud metadata;
- newsletter email address and related subscription status/preferences (website subscription only);
- technical logs necessary for backend operation/security.
Important: Firebase is not used by the Controller to store user task/project content, Coach conversations, Apple Calendar appointments, or Apple Reminders content managed by the App.
5.3 Firebase Analytics (Google)
Used to:
- understand product interaction trends and feature usage;
- analyze engagement (including search and navigation behaviors) to improve app quality;
- support aggregate reporting and release quality decisions.
Data involved (examples): product interaction data, search history events, app/device technical metadata, and pseudonymous identifiers used for analytics measurement.
5.4 Firebase Crashlytics (Google)
Used to:
- collect crash reports and diagnostics;
- monitor app stability and performance to fix issues;
- reduce service disruptions and improve reliability.
Data involved (examples): crash stack traces, performance diagnostics, device/app version metadata, and pseudonymous crash identifiers.
5.5 Apple system services (Calendar / Reminders / Notifications)
Used to:
- create/manage calendar events and reminders when the user grants permission;
- deliver app notifications;
- support user-requested system integrations.
Note: data handled through these integrations remain within the user's device and/or Apple services under the user's control. The Controller does not centrally store this personal content.
5.6 Apple (App Store / StoreKit)
Used to:
- process in-app purchases of NeuralCoin packages;
- provide transaction metadata necessary for validation/crediting.
Note: payment data are processed by Apple under its own policies; NeuralTask mainly receives transaction data useful for verification and management of the virtual balance.
6. Transfer of Data Outside the EU / EEA
Some third-party providers (e.g., Google AdMob, Firebase Analytics, Firebase Crashlytics, and Apple services) may process data outside the European Economic Area.
In such cases, the Controller adopts reasonable measures to ensure that transfers take place in compliance with the GDPR, for example through:
- adequacy decisions (where applicable);
- standard contractual clauses (SCCs);
- other safeguards provided by law.
7. Data Retention Periods
Data are retained for the time strictly necessary for the purposes indicated and in compliance with the principles of data minimization and storage limitation. The retention periods below are indicative and may vary depending on legal obligations, fraud/security investigations, dispute handling, and technical requirements.
- User content created in the App (tasks, projects, Coach conversations, Apple Calendar/Reminders data managed by the App): not retained by the Controller; such content is managed locally on the user's device (and/or under the user's Apple account/services, where applicable) until the user deletes it.
- Firebase UUID + NeuralCoin data: retained as long as necessary to ensure balance integrity, fraud/abuse prevention, dispute management, and compliance with applicable legal/tax/accounting retention obligations.
- Firebase Analytics data: retained according to configured analytics retention settings and Google/Firebase service policies, limited to what is necessary for analytics and service improvement.
- Firebase Crashlytics data: retained for the period necessary to investigate, remediate, and monitor crashes/performance issues, subject to configured retention and applicable legal obligations.
- Newsletter email (website subscription): retained until the user unsubscribes or requests deletion (including through the links available in each newsletter email), with limited retention of records that may be necessary to document consent/unsubscribe/compliance and to handle legal claims.
- Future backup feature (if implemented): backup content would be encrypted and stored in the user's personal drive/storage under the user's control, not as a centrally accessible copy of the Controller.
- Technical/security logs: typically for a limited period, such as up to approximately 90 days, unless a longer period is necessary for security incidents, abuse prevention, troubleshooting, or legal obligations.
8. User Rights (Data Subject) - GDPR
Under the GDPR, the user may exercise the following rights, within the limits provided by law:
- right to information;
- right of access;
- right to rectification;
- right to erasure ("right to be forgotten");
- right to restriction of processing;
- right to data portability;
- right to object;
- right to withdraw consent at any time (without affecting the lawfulness of processing carried out before withdrawal);
- right to lodge a complaint with the competent Supervisory Authority (in Italy: Garante per la protezione dei dati personali).
To exercise your rights, contact: neuraltask@alessandrodigiusto.it.
For data that remain only on your device (local app content, Apple Calendar/Reminders content managed by the App), many controls are exercised directly by the user through the App, device settings, Apple Calendar, and Apple Reminders.
The Controller may request additional information to verify the identity of the requester. Requests will be handled without undue delay and, in general, within 1 month of receipt, except in cases provided for by the GDPR.
9. Account Deletion and Data Deletion
Current app architecture: NeuralTask does not centrally store user task/project content, Coach conversations, Apple Calendar appointments, or Apple Reminders content managed by the App. These data remain local to the user's device and/or the user's Apple services.
To help us locate server-side records related to your app installation (e.g., Firebase/NeuralCoin records associated with a pseudonymous UUID), we may ask you to provide the app installation identifier/UUID shown in the App settings (if available), or we can guide you on how to retrieve it.
The user may request or perform, as applicable:
- deletion of local app content directly from the App/device;
- deletion of Apple Calendar/Reminders items through Apple apps/services under the user's control;
- deletion/unsubscribe of the newsletter email via the links included in each newsletter email or by writing to neuraltask@alessandrodigiusto.it;
- deletion/anonymization of server-side data that may be associated with the app-generated UUID (where technically possible and where the request can be matched to the relevant UUID record).
What happens after a valid deletion request
- applicable centrally stored data (e.g., newsletter email data and/or Firebase UUID-related records where identifiable for the request) will be deleted or anonymized, except where retention is required for legal, tax, security, fraud-prevention, or litigation-defense purposes;
- backup copies, if any, are handled according to normal technical retention cycles;
- for future backup features (if introduced), backup content would remain under the user's personal drive/storage and user control, based on the design of that feature.
10. Consent, Advertising, and Withdrawal of Consent
For processing activities based on consent (in particular advertising/advertising identifiers, where applicable, and newsletter subscription on neuraltask.app):
- the user may choose whether or not to give consent;
- the user may withdraw or modify advertising consent through the privacy/consent options available in the App (where provided), including reviewing available UMP privacy options;
- the user may manage Apple App Tracking Transparency (ATT) permission in iOS Settings (Privacy & Security > Tracking);
- the user may manage Location and Health permissions in iOS Settings (and Health app permissions, where applicable) for app functionality features;
- reinstalling the App (and/or resetting relevant device privacy settings) may cause the consent/permission flow to be shown again;
- newsletter recipients can unsubscribe and/or request email deletion directly through the links included at the bottom of each newsletter email.
If advertising consent is withdrawn, unavailable, or ATT authorization is not granted, NeuralTask falls back to non-personalized advertising (where ads are shown), does not use IDFA for advertising personalization, and does not perform tracking for advertising purposes.
In practical terms, ATT acts as the final gate for tracking: without ATT authorization, NeuralTask may still show ads, but only in non-personalized/limited-personalization mode.
Withdrawal of consent does not affect processing carried out before the withdrawal.
11. Data Security
NeuralTask adopts a local-first design for user content in order to reduce centralized exposure of personal information. The Controller also adopts appropriate technical and organizational measures for the server-side components actually used (e.g., Firebase records related to pseudonymous IDs/NeuralCoin data, Firebase Analytics and Crashlytics telemetry, and newsletter email data, where applicable).
If a future backup/account feature is implemented, the intended design is that user content will be encrypted and stored in the user's personal drive/storage so that no one other than the user can access the backup content.
No system is completely invulnerable; however, NeuralTask adopts reasonable and proportionate measures to reduce risks.
12. Minors
NeuralTask is not intended for minors under 16 years of age without the consent of a parent/legal guardian, where required by applicable law.
If you believe that a minor has provided personal data without authorization, contact the Controller at neuraltask@alessandrodigiusto.it to request removal.
13. Changes to this Privacy Policy
The Controller may periodically update this notice to reflect legal, technical, or functional changes to the App and/or the website newsletter service.
In the event of significant changes, users will be informed through:
- an update to the "Last updated" date;
- in-app notification and/or other appropriate channels (if necessary).
14. Contacts
For privacy questions, data subject rights requests, or data deletion requests:
- Privacy email: neuraltask@alessandrodigiusto.it
- Controller: Alessandro Di Giusto
- Newsletter management: unsubscribe and email deletion links are available in each newsletter email.
Reference Sources (laws/guidelines)
- Apple App Review Guidelines (privacy policy, data collection, deletion): https://developer.apple.com/app-store/review/guidelines/
- Apple App Privacy Details in App Store Connect: https://developer.apple.com/help/app-store-connect/manage-app-privacy/
- Apple App Tracking Transparency framework: https://developer.apple.com/documentation/apptrackingtransparency
- European Commission - Data subject rights (GDPR): https://commission.europa.eu/law/law-topic/data-protection/information-individuals_en
- European Commission - Handling data subject rights requests (timing/1 month): https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/dealing-citizens/how-should-requests-individuals-exercising-their-data-protection-rights-be-dealt_en
- Firebase - Privacy and Security: https://firebase.google.com/support/privacy/
- Firebase Analytics (Google Analytics for Firebase): https://firebase.google.com/docs/analytics
- Firebase Crashlytics: https://firebase.google.com/docs/crashlytics
- Google AdMob (iOS) - GDPR / disclosure and EEA-UK consent: https://developers.google.com/admob/ios/privacy/gdpr
- GDPR (EUR-Lex / Regulation (EU) 2016/679): https://eur-lex.europa.eu/eli/reg/2016/679/oj