1. Data Controller
The Data Controller of personal data covered by this Privacy Policy for NeuralTask (the "App") is:
- Alessandro Di Giusto
- Privacy email: neuraltask@alessandrodigiusto.it
2. Scope
This Privacy Policy describes how NeuralTask processes personal data in connection with: (i) use of the App and its features and (ii) optional newsletter subscription at neuraltask.app. It reflects a local-first architecture for user content and is provided in compliance with EU Regulation 2016/679 (GDPR), Apple platform requirements (including App Tracking Transparency), and other applicable laws.
3. Personal Data Processed
3.1 User Content Processed Primarily Locally on the Device
NeuralTask follows a local-first architecture: tasks, projects, notes, preferences, local histories, Calendar/Reminders integrations, and most AI logic remain primarily on the user's device and/or within Apple services under the user's control.
This includes, for example:
- tasks, projects, notes and preferences created in the App;
- conversations with the Coach feature within the App;
- Apple Calendar events managed by the App;
- Apple Reminders managed by the App.
Important exception: when the user uses a cloud/internet-backed feature (e.g., Cloud AI, remote Coach, Neural Assist, project/task analysis via remote model, or other AI functions delivered by the backend), relevant portions of user-entered content may be transmitted to the NeuralTask backend and to the server-configured AI provider to generate the response. In such flows we adopt payload minimization and sanitization measures, particularly for location data.
3.2 Technical Data and Pseudonymous App Identifiers
We may process technical data strictly necessary for the functioning of the app, security, service integrity, and measured service improvement. This may include the following App Store privacy data categories:
- User ID: pseudonymous identifiers generated by the app (e.g., installation UUID and, where account features are active, Firebase Auth user identifiers).
- Device ID: technical device/app identifiers (including Advertising ID/IDFA where permitted), installation identifiers, and persistent identifiers used for security, AI quota, and fraud/abuse prevention.
- Product Interaction: in-app interaction events used for analytics and product improvement via configured analytics services.
- Advertising Data: ad request/response signals, impressions, reward validation metadata, and anti-fraud signals for AdMob rewarded ads.
- Analytics Data: usage and engagement metrics processed via Firebase Analytics.
- Security / Anti-Abuse / AI Usage Data: daily AI quota records, request timestamps, hashed device ID on the backend, hashed IP for rate limiting/anti-abuse, and technical Auth/App Check verification signals.
- IP address and technical security events where generated by integrated infrastructure/services.
The Firebase/installation UUID generated by the app and used by NeuralTask is a pseudonymous identifier: it is not intended to directly identify the user by name, but may still be considered personal data under GDPR if it can be linked to an app installation, a device, or related records.
For advertising consent flows, NeuralTask uses Google User Messaging Platform (UMP) where legally required. The Advertising Identifier (IDFA) is used for AdMob personalization only if: (i) the applicable UMP consent flow outcome makes personalized ads eligible and (ii) the user authorizes Apple App Tracking Transparency (ATT).
If consent is not granted, consent signals are ambiguous/unavailable, or ATT is denied/restricted/not authorized, NeuralTask requests non-personalized ads (NPA) and does not use IDFA for advertising personalization.
No advertising tracking (cross-app or cross-website via IDFA) occurs unless the user has granted ATT permission.
3.3 NeuralCoin and Transaction Data (Firebase)
To manage NeuralCoin balance and movements, NeuralTask stores in Firebase only the data necessary for this purpose, associated with the app-generated UUID, for example:
- NeuralCoin balance and movement history (credit/spend);
- spend/credit reason (e.g., AI feature, task, reward ad);
- technical transaction/validation identifiers and related timestamps;
- anti-fraud and consistency checks related to NeuralCoin operations.
3.4 Cloud AI Features (Firebase proxy + server-side LLM provider)
When the user uses remote/cloud AI functions, NeuralTask sends to its proxy backend only the data relevant to generating the response, for example:
- user-entered prompt/text and, if necessary, relevant extracts of tasks, projects, or conversations;
- system instructions and requested model parameters;
- Auth/App Check tokens, daily quota and security metadata, and a technical device identifier processed in hashed form on the backend for anti-abuse purposes;
- if the feature requires it, derived and minimized contextual signals (e.g., an ETA bucket or coarse labels such as HOME, WORK, IN_TRANSIT, OUT), without sending raw GPS coordinates to our AI backend.
In the current backend implementation, cloud AI requests pass through Firebase Functions and are forwarded to the server-configured LLM provider, which in the current backend code is OpenAI.
NeuralTask is not designed to store the full prompt text in Firestore as product content; however, prompts are processed transiently to deliver the response, and technical/quota/anti-abuse records associated with the request may be retained.
3.5 Newsletter Data (website: neuraltask.app)
If a user voluntarily subscribes to the newsletter at neuraltask.app, the Data Controller may process and store in Firebase:
- the email address provided by the user;
- newsletter subscription status/preferences and related technical metadata required to manage the subscription and regulatory compliance.
Each newsletter email includes links allowing the recipient to unsubscribe and/or request email deletion, in line with applicable European privacy requirements.
3.6 Apple System Services / Permissions (if enabled by the user)
If the user grants specific permissions, NeuralTask may interact with device features and Apple services, for example:
- Calendar;
- Reminders;
- Notifications;
- Health / Fitness (HealthKit), if the user enables related features (e.g., routine or workout insights);
- Location (including Visits, geocoding/POI classification, place/address searches, travel time estimates, and departure reminders via Apple services), if the user enables smart insights or other location-based features.
Such data is used only to provide the requested functionality. Apple Calendar/Reminders data, location data, and Health data remain primarily on the device and/or within the user's Apple services; the Data Controller does not sync their contents to a central repository.
These permissions are used only for app features and are not used for advertising or tracking. This functionality is distinct from advertising tracking (IDFA).
NeuralTask does not send raw GPS coordinates to its AI/Firebase backend. If the user activates cloud functions that use contextual or wellness data, the backend may receive only derived/minimized versions or sanitized context summaries necessary to generate the response.
4. Purposes of Processing and Legal Bases (GDPR)
We process data for the following purposes:
A. Provision of Core App Features (local-first functionality)
Examples:
- local task/project management on the device;
- workflow organization and personalization;
- local Coach conversation management;
- Apple Calendar and Apple Reminders integration where authorized by the user.
Legal basis: performance of a contract / provision of the requested service (Art. 6.1.b GDPR). Many of these operations occur locally on the user's device and are not accessible to the Data Controller.
B. NeuralCoin Balance Management, Validations and Transactions
Examples:
- NeuralCoin credit/spend associated with the app-generated UUID;
- in-app purchase and reward ad validation;
- fraud prevention, abuse prevention, and duplicate request detection for NeuralCoin operations.
Legal basis: contract performance (Art. 6.1.b GDPR) and the Data Controller's legitimate interest in security and service integrity (Art. 6.1.f GDPR).
C. Provision of Cloud AI Features and Remote Tutoring
Examples:
- generating remote AI responses for Coach, Neural Assist, strategic advice, project/task analysis, and similar functions;
- managing daily AI quota, anti-abuse, rate limiting, and AI proxy security;
- forwarding the sanitized prompt to the server-configured LLM provider.
Legal basis: contract performance / provision of the requested functionality (Art. 6.1.b GDPR) and the Data Controller's legitimate interest in security, abuse prevention, and service continuity (Art. 6.1.f GDPR).
D. Rewarded Ads (Google AdMob)
Examples:
- showing reward ads to credit NeuralCoin;
- managing ad consent in territories where required;
- ad measurement and fraud prevention.
Legal basis: consent (Art. 6.1.a GDPR), where required by applicable law (e.g., EEA/UK for ads and advertising identifiers); in other cases, legitimate interest/technical necessity in accordance with applicable law.
E. Analytics and Product Monitoring
Examples:
- measuring product interaction trends and engagement to improve reliability and UX;
- monitoring feature usage, funnels, and release quality via configured analytics tools;
- supporting product decisions and continuous service improvement.
Legal basis: legitimate interest (Art. 6.1.f GDPR) for security/reliability and service improvement, and consent where required by applicable law or platform requirements.
F. Newsletter Subscription and Communications (neuraltask.app)
Legal basis: consent (Art. 6.1.a GDPR). Consent may be revoked at any time via the links provided in each newsletter email.
G. Security, Abuse Prevention and Service Continuity
Legal basis: legitimate interest (Art. 6.1.f GDPR) and/or legal obligations (Art. 6.1.c GDPR).
H. Legal, Tax and Accounting Compliance
Legal basis: legal obligation (Art. 6.1.c GDPR).
5. Third-Party Services Used
NeuralTask uses third-party services that may process personal data on behalf of the Data Controller (as data processor/service provider) and/or as independent controllers for specific purposes, depending on the service, product configuration, and applicable contractual terms.
5.1 Google AdMob (Rewarded Ads)
Used for:
- delivering rewarded ads (e.g., to earn NeuralCoin);
- measuring and protecting ad traffic;
- managing ad consent in countries where required.
Consent & personalization: Where legally required, users may be presented with ad consent choices via UMP (including personalized and non-personalized ads, where applicable). NeuralTask requests ATT only when the UMP outcome makes personalized ads eligible. If ATT is denied/restricted/not authorized, NeuralTask requests non-personalized and/or limited-personalization ads.
5.2 Firebase (Google) - auth, backend records, AI quota/security, NeuralCoin data, and optional newsletter email
Used for anonymous/account auth bootstrap, session management, App Check, NeuralCoin balance storage, AI quota/security records, anti-abuse, and newsletter email storage (if voluntarily provided on neuraltask.app).
5.3 Cloud AI Provider via Secure Proxy (current backend implementation)
Cloud AI provider: In the current backend implementation, NeuralTask uses OpenAI as its large language model (LLM) provider for cloud AI features. The aiProxyChat backend proxy (Firebase Function) forwards requests to OpenAI. NeuralTask does not share raw GPS coordinates, personally identifiable names, non-derived health data, full payment details, or access credentials with OpenAI.
Data sent to the cloud AI provider: When the user uses a cloud AI feature, the backend proxy sends only the data strictly necessary to generate the response. This includes:
- the user's prompt/text, pre-sanitized and minimized (privacy-sanitized);
- relevant extracts of tasks, projects, or conversations needed to contextualize the request;
- model parameters (e.g., temperature, requested model) and system messages necessary to configure the response;
- derived and minimized context (e.g., HOME, WORK, IN_TRANSIT labels or time ranges), without raw GPS coordinates or non-derived health data;
- daily quota metadata and authentication tokens for the proxy (not shared with the final LLM provider).
Purpose: Data processing at the cloud AI provider is limited to generating responses for NeuralTask's cloud AI features, including:
- generating responses and suggestions for the AI Coach;
- project/task analysis and strategic suggestions (Neural Assist);
- producing context-based insights and recommendations;
- any other remote AI functionality explicitly requested by the user.
Retention and use of data by the provider:
- NeuralTask is not designed to store full prompt text in Firestore as product content. Prompts are processed transiently to deliver the response. Technical records (quota, timestamps, hashed identifiers) are retained as described in Section 7 (typically 30 days for quota records and 7 days for hash-based IP records).
- OpenAI (the LLM provider) processes prompts solely to generate the requested response. Under OpenAI's API data usage policies, data sent via the API is used only to provide the service and is not used to train or improve OpenAI models, unless the user explicitly opts into separate improvement programs (which NeuralTask does not activate). For details, see OpenAI API Data Usage Policies.
- NeuralTask has no control over OpenAI's data processing practices beyond what is described in OpenAI's public policies. Users are encouraged to consult the provider's policies for complete information.
5.4 Firebase Analytics (Google)
Used for understanding product interaction trends, feature usage analysis, and supporting aggregate reporting and release quality decisions.
5.5 Apple System Services (Calendar / Reminders / Notifications / Health / Location)
Used to provide user-requested device integrations. Data remains on device and/or within the user's Apple services.
5.6 Apple (App Store / StoreKit)
Used for in-app purchase processing of NeuralCoin packs.
6. International Data Transfers
Some third-party providers (e.g., Google AdMob, Firebase, Apple services, and the server-configured cloud AI provider) may process data outside the European Economic Area.
In such cases, the Data Controller adopts reasonable measures to ensure transfers comply with GDPR, including adequacy decisions, Standard Contractual Clauses (SCCs), and other legally required safeguards.
7. Data Retention Periods
Data is retained for the time strictly necessary for the indicated purposes and in compliance with minimization and storage limitation principles. The periods below are indicative and may vary based on legal obligations, fraud/security investigations, dispute management, and technical requirements.
- User content created in the App (tasks, projects, Coach conversations, Apple Calendar/Reminders data managed by the App): remains primarily on the user's device (and/or within the user's Apple account/services) until deleted by the user. When the user uses a cloud AI function, the prompt/extract necessary for the response is processed for the duration necessary to deliver the service and is not designed to be stored in Firestore as product content.
- Firebase UUID + NeuralCoin data: retained as long as necessary to ensure balance integrity, fraud/abuse prevention, dispute management, and compliance with applicable legal, tax, and accounting obligations.
- Cloud AI quota/security records: uid-scoped AI quota usage records are currently configured with backend retention of approximately 30 days; hash-based IP usage/lock records are currently configured with retention of approximately 7 days; dashboard summaries and related records remain as long as necessary for functionality or until account/session deletion, subject to legal obligations or security needs.
- Firebase Analytics data: retained according to configured analytics retention settings and Google/Firebase service policies, limited to what is necessary for analytics and service improvement.
- Newsletter email (subscription from website): retained until unsubscription or deletion request by the user (including requests via links in each newsletter email), with limited retention of records necessary to document consent/unsubscription/compliance and manage legal claims.
- Technical/security logs: typically for a limited period, e.g., up to approximately 90 days, unless a longer period is required for security incidents, abuse prevention, troubleshooting, or legal obligations.
8. Data Subject Rights - GDPR
Under GDPR, the user may exercise the following rights, within the limits provided by law:
- right to information;
- right of access;
- right to rectification;
- right to erasure ("right to be forgotten");
- right to restriction of processing;
- right to data portability;
- right to object;
- right to withdraw consent at any time (without affecting the lawfulness of processing carried out before the withdrawal);
- right to lodge a complaint with the competent supervisory authority.
To exercise your rights, contact: neuraltask@alessandrodigiusto.it.
9. Account Deletion and Data Deletion
Current app architecture: NeuralTask maintains a local-first design for personal content while also managing cloud records associated with session/account for NeuralCoin wallet, purchases, AI quota/security, dashboard summaries, newsletter, and other necessary backend operations.
Deletion directly from the App: The current version of the App allows permanent deletion of both guest session and registered account from the settings area. This flow triggers backend deletion of associated cloud data. For guest sessions, a new clean anonymous session is automatically created after completion.
10. Consent, Advertising, and Consent Withdrawal
Where required by applicable law, NeuralTask presents users with appropriate consent choices (e.g., via UMP for advertising). Users may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
If ATT is denied, NeuralTask does not use the IDFA and serves only non-personalized or limited-personalization ads.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Users will be notified of material changes through the App and/or via the contact email provided.
12. Children's Privacy
The App is not intended for children under the age of 13 (or the equivalent minimum age in the relevant jurisdiction). We do not knowingly collect personal data from children.
13. Contact
For any questions, requests, or concerns regarding this Privacy Policy, please contact:
- Email: neuraltask@alessandrodigiusto.it
- Data Controller: Alessandro Di Giusto
© 2026 Alessandro Di Giusto — NeuralTask. All rights reserved.