Privacy Policy

Section I – Introduction

Art. 1

(1) This Privacy and Cookie Policy sets out the principles and practices that NeuraTrek Ltd. (“NeuraTrek,” “we,” “our,” or “us”) follows when collecting, processing, storing, and safeguarding the personal data of individuals who interact with our business. NeuraTrek is an AI automation and solutions agency that designs, builds, deploys, and manages intelligent systems, AI agents, and automation infrastructure for businesses.

(2) This policy covers all personal data processing that occurs when you:

1. Visit, browse, or interact with our website at neuratrek.ai;
2. Submit information through any of our contact or consultation request forms;
3. Subscribe to any newsletter, update, or communication channel we operate;
4. Engage us for consulting, auditing, AI development, or automation services;
5. Communicate with us by email, telephone, messaging platforms, or other means;
6. Interact with our content on third-party platforms where tracking technologies may be active.

(3) We are firmly committed to handling your personal data in a transparent, fair, and lawful manner. We urge you to read this document in its entirety. Should any provision remain unclear, you are welcome to reach out to us using the contact details set out in Section XV.

(4) This Privacy and Cookie Policy was most recently revised on [Insert Date]. We may periodically amend this document; any modifications will be published on this page with an updated effective date.

Section II – General Information About the Data Controller

Art. 2

(1) This website is operated and administered by the following entity:

Legal Entity Name	NeuraTrek Ltd.
Company Registration No.	123445678
VAT Identification No.	BG 12345678
Registered Office	Bulgaria, Sofia, [Enter full address]
Correspondence Address	Bulgaria, Sofia, [Enter full address]
Telephone	+359 893 396 909
Email	info@neuratrek.ai
Website	https://neuratrek.ai

(2) NeuraTrek serves as the data controller for every processing operation described herein, bearing full accountability for ensuring that all processing conforms to the General Data Protection Regulation and all applicable Bulgarian and European data-protection legislation.

Section III – Glossary of Key Terms

Art. 3

(1) To promote clarity and prevent ambiguity, the terms below carry the stated meanings whenever they appear throughout this document:

• “Personal Data” – any piece of information through which a living natural person can be identified, whether directly or in combination with other data. Examples include names, identification numbers, electronic identifiers, location signals, and characteristics tied to a person’s physical, genetic, psychological, economic, cultural, or social identity.
• “Processing” – every action or sequence of actions applied to personal data, whether carried out through automated systems or by hand. This encompasses gathering, recording, organizing, structuring, holding, modifying, extracting, consulting, utilizing, transmitting, distributing, combining, limiting, removing, and destroying data.
• “Data Controller” – the natural or legal person, public body, or other entity that independently or jointly with others establishes the objectives and methods for processing personal data. Within this policy, NeuraTrek Ltd. fulfils this role.
• “Data Processor” – any natural or legal person, public body, or other entity that carries out data processing operations on the controller’s behalf and under the controller’s documented instructions.
• “Data Subject” – the identified or identifiable living individual to whom a given set of personal data pertains.
• “Consent” – a freely offered, specific, well-informed, and unmistakable expression of the data subject’s will, delivered through a declaration or a clear affirmative act, signalling agreement to the processing of personal data that relates to them.
• “Legitimate Interest” – a lawful ground for processing that exists when the controller or a third party has a genuine and reasonable need to process data, provided that this need does not override the fundamental rights, freedoms, or interests of the data subject.
• “AI Services” – any offering by NeuraTrek that involves artificial intelligence, machine learning, automated reasoning, intelligent agents, or algorithmic data analysis, including but not limited to agent development, process automation, system integration, and strategic consulting.
• “Cookies” – compact data files deposited on your device by a website or digital application, serving functions such as preserving your settings, enabling essential site operations, and gathering analytical insights about your browsing patterns.
• “Supervisory Authority” – an independent governmental body created by a European Union member state under Article 51 of the GDPR, entrusted with overseeing the application of data-protection rules within its jurisdiction.
• “Data Breach” – a security incident that leads to the accidental or unlawful destruction, loss, modification, unauthorized revelation of, or access to personal data that has been transmitted, stored, or otherwise processed.

Section IV – Categories of Data We Collect

Art. 4 – Data Provided Directly by You

(1) We gather and process personal data that you voluntarily supply when you engage with our website, complete a contact or consultation request form, subscribe to communications, or enter into a service relationship with us.

(2) The categories of personal data we handle are confined to what is genuinely necessary for the stated processing purposes, in observance of the data-minimization principle. When you use our contact or consultation form, the data we collect includes:

7. First name and last name;
8. Email address;
9. Telephone number;
10. Company name and job title (where provided);
11. The substance of your message or enquiry;
12. Date and time of the submission.

Art. 5 – Technical and Behavioural Data Collected Automatically

(1) When you visit neuratrek.ai, certain technical information is gathered automatically through cookies and comparable technologies.

(2) We process this technical data on the lawful basis of our legitimate interests in maintaining a functional and secure website and in enhancing our digital services.

(3) The technical data we capture includes: IP address (anonymized where feasible), browser type and version, operating system and device characteristics, referring URL, pages viewed on our site, duration of page visits, click and scroll behaviour, and geographic region derived from IP data.

Art. 6 – Newsletter and Communication Data

(1) Should you subscribe to our newsletter or other periodic communications, we collect your email address and, optionally, your name.

(2) This data is processed exclusively on the basis of the consent you provide at the moment of subscription, indicated through an explicit opt-in mechanism.

Art. 7 – Business and Professional Data From Client Engagements

(1) When you engage NeuraTrek for AI consulting, auditing, agent development, or automation implementation, we may collect information about your business operations, internal workflows, technology environment, organizational structure, and strategic priorities. This information is indispensable for delivering solutions tailored to your specific operational context.

(2) We may also collect billing addresses, banking details, VAT numbers, and transactional records strictly for the administration of payments and compliance with tax and accounting obligations.

Art. 8 – Data Supplied for AI and Automation Projects

(1) In the performance of AI agent development, process automation, or system integration services, you may provide NeuraTrek with datasets, system credentials, business logic documentation, or workflow specifications.

(2) Such data is processed solely within the boundaries of the agreed project scope. NeuraTrek does not utilize client-supplied data to train, refine, or enhance general-purpose AI models, nor for any objective beyond the specific engagement, unless the client furnishes explicit and documented written authorization.

Art. 9 – Sensitive Data Categories

(1) We do not actively seek or process special categories of personal data (such as information pertaining to racial or ethnic background, political views, religious convictions, trade union affiliation, health status, sexual orientation, or genetic or biometric identifiers) unless you voluntarily provide such information.

(2) Should you inadvertently or intentionally submit data of this nature, we will treat it with the heightened protections required by applicable legislation.

Art. 10 – Data Accuracy and Updates

(1) We take reasonable steps to ensure that the personal data in our possession remains accurate, complete, and current where necessary.

(2) You may correct or update your personal information at any time by contacting us through the channels described in Section XV of this policy.

Section V – Purposes and Methods of Data Processing

Art. 11 – General Principles

(1) We process your personal data exclusively for specific, explicitly stated, and legitimate purposes that are directly connected to our services. We do not further process your data in any way that would be incompatible with those stated purposes.

(2) Every processing activity within our operations is linked to a defined purpose, ensuring a clear chain of accountability and transparency.

Art. 12 – Purposes Linked to Contact and Consultation Forms

Personal data submitted through our contact or consultation forms is used for the following objectives:

13. Responding to your enquiries and maintaining communication;
14. Providing information about our AI and automation services that you have specifically requested;
15. Preserving a record of our exchanges for service quality and continuity;
16. Enhancing our client support processes;
17. Executing our contractual commitments to you, where a contract exists;
18. Satisfying legal and regulatory obligations.

Art. 13 – Purposes Linked to Newsletter Communications

(1) Data collected through newsletter subscriptions is used solely to deliver periodic updates, insights, and promotional content related to our AI and automation services and relevant industry developments.

(2) Every communication we send includes a clearly visible mechanism for withdrawing your subscription, enabling you to revoke consent at any moment with immediate effect.

Art. 14 – Purposes Linked to Technical and Behavioural Data

(1) Technical data gathered automatically through cookies and related technologies serves the following objectives:

19. Guaranteeing the reliable operation and security of our website;
20. Understanding visitor behaviour to refine the user experience;
21. Identifying and resolving server-side and client-side technical issues;
22. Evaluating traffic patterns and content performance;
23. Defending against fraudulent or malicious activity;
24. Preserving the stability and availability of our digital infrastructure.

Art. 15 – Purposes Linked to AI Service Delivery

Where personal data is processed as part of an AI development, automation, or integration engagement, the purposes are confined to: designing, building, testing, deploying, and maintaining the AI agents, automation workflows, and integrated systems defined in the applicable statement of work; providing project updates and technical reports; and administering the contractual and financial aspects of the engagement.

Art. 16 – Automated Decision-Making

(1) We do not employ automated decision-making processes, including profiling, that generate legal consequences for you or that affect you in a comparably significant manner.

(2) Where any AI service we deliver for a client involves automated processing that could produce significant effects on individuals, we will disclose this in advance, explain the underlying logic to the extent practicable, and ensure the availability of human review upon request.

Art. 17 – Prohibition on Purpose Deviation

(1) We will not repurpose your personal data for objectives that are incompatible with the original collection purpose without first obtaining your consent, unless such secondary processing is mandated or expressly authorized by law.

(2) Before applying your data to any new purpose, we will furnish you with a clear explanation of that purpose and all pertinent supplementary information.

Section VI – Legal Basis for Processing

Art. 18 – Applicable Framework

(1) NeuraTrek Ltd. is registered and headquartered in Sofia, Bulgaria, an EU member state. Our data-processing operations are therefore governed principally by the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Bulgarian Law on the Protection of Personal Data (Zakon za zashtita na lichnite danni), and all associated national implementing measures and guidance from the Commission for Personal Data Protection of Bulgaria (KZLD).

(2) We process personal data only when supported by at least one of the lawful bases established in Article 6(1) of the GDPR. We have identified and documented the appropriate legal basis for each distinct processing activity.

Art. 19 – Consent – Article 6(1)(a) GDPR

(1) Where processing relies on your consent, we ensure that such consent is freely granted, specifically directed, fully informed, and expressed through an unambiguous affirmative act.

(2) You may withdraw your consent at any point without affecting the lawfulness of processing that took place before the withdrawal. We design the withdrawal process to be as straightforward as the original consent mechanism.

(3) We rely on consent as the legal basis for the following processing activities:

25. Collecting and using your email address and name for newsletter distribution;
26. Deploying cookies and tracking technologies beyond those strictly necessary for website functionality;
27. Processing any supplementary personal data that you voluntarily provide beyond what is required for our services.

Art. 20 – Contractual Necessity – Article 6(1)(b) GDPR

(1) We process personal data under this basis when processing is required to fulfil a contract to which you are a party, or to carry out pre-contractual steps at your request, such as preparing service proposals, conducting discovery audits, or onboarding you as a client.

Art. 21 – Legal Obligation – Article 6(1)(c) GDPR

(1) Certain processing is carried out because EU law or Bulgarian national law obliges us to do so. This encompasses, without limitation, tax reporting duties, accounting record-keeping requirements, anti-fraud measures, and responses to lawfully issued requests from public authorities.

Art. 22 – Legitimate Interests – Article 6(1)(f) GDPR

(1) We process personal data under this basis only after performing a careful balancing assessment to confirm that your interests, fundamental rights, and freedoms do not take precedence over our legitimate needs.

(2) We maintain documented records of every legitimate-interest assessment we conduct and implement proportionate safeguards to protect your rights.

(3) Our legitimate interests include:

28. Optimizing website performance, reliability, and user experience;
29. Safeguarding the security of our digital systems and IT infrastructure;
30. Administering our business operations with reasonable efficiency;
31. Responding to non-contractual enquiries and maintaining communication records;
32. Analysing usage patterns to guide improvements in our service offerings.

Art. 23 – Balancing Assessment Methodology

(1) For every legitimate interest relied upon, our balancing assessment considers: the nature and context of the processing; the type and sensitivity of the data involved; the reasonable expectations of data subjects; the potential consequences for individuals; the safeguards put in place to reduce any adverse effect; and the degree of control available to data subjects over the processing.

Section VII – Data Retention

Art. 24 – General Retention Principles

(1) We hold your personal data only for the period necessary to accomplish the purposes for which it was originally gathered and to comply with applicable legal mandates.

(2) When setting retention periods, we evaluate the volume, nature, and sensitivity of the data, the potential for harm from unauthorized use or disclosure, the objectives of the processing, whether those objectives can be achieved through alternative means, and the requirements of relevant legislation.

(3) We conduct periodic reviews of our retention schedules to confirm they remain proportionate and well-founded.

Art. 25 – Specific Retention Periods

(1) Contact and Consultation Form Data – identity data (name, job title), contact data (email, telephone, company), and correspondence records are retained for three (3) years following your most recent interaction with us.

(2) Newsletter and Subscription Data – subscription details (email, name) are retained for one (1) month after you unsubscribe, to facilitate reinstatement if you request it. Engagement metrics (open rates, click statistics) are retained in identifiable form for six (6) months and in anonymized, aggregate form for two (2) years.

(3) Website Technical Data – technical identifiers (IP address, browser data) are retained for ninety (90) days. Cookie data expires according to the schedules set out in Section XII. Aggregated analytics data is kept in anonymized form for two (2) years.

(4) Client Engagement Records – project documentation, associated communication records, and service-related data are retained for five (5) years following the conclusion of the engagement.

(5) Financial and Invoicing Records – retained for the duration mandated by Bulgarian tax and accounting legislation.

(6) Legal and Compliance Records – consent records are maintained for the duration of the processing relationship plus three (3) years. Records of data-processing objections are kept for five (5) years from the date of the objection.

Art. 26 – Commencement of Retention Periods

Unless stated otherwise, retention periods begin: for contact form data, from the date of the last interaction; for newsletter data, from the date of unsubscription (where applicable); for technical data, from the date of collection; for consent records, from the date consent is withdrawn or updated; and for client engagement records, from the date the engagement concludes.

Art. 27 – Actions at Expiry

(1) When personal data reaches the end of its designated retention period, we will take one of the following steps: securely erase the data from all active systems; render the data permanently anonymous so that it can no longer be associated with any individual; or, where complete erasure is technically impracticable, isolate the data and enforce technical controls that prevent any further processing.

(2) Retention periods may be extended in exceptional circumstances, such as pending or anticipated legal proceedings, regulatory investigations, or compliance audits, where preservation of data is necessary for evidentiary purposes.

Art. 28 – Early Erasure Requests

(1) You have the right to request deletion of your personal data before the standard retention period concludes, subject to any legal basis we may hold for continued processing.

(2) Requests for early deletion should be directed to us using the contact details provided in Section XV of this policy.

Section VIII – Data Security Measures

Art. 29 – Security Commitment

(1) We deploy suitable technical and organizational safeguards to shield your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

(2) Our security architecture is calibrated to deliver a protection level appropriate to the risk, factoring in the current state of technology, implementation costs, the nature and scope of processing, and the potential severity of impact on individuals’ rights and freedoms.

(3) We routinely test, evaluate, and refine the effectiveness of our protective measures to uphold the continuous confidentiality, integrity, availability, and resilience of our processing systems.

Art. 30 – Technical Safeguards

(1) The technical measures we maintain include:

33. Encryption of personal data during transmission using TLS 1.2 or higher;
34. Encryption of personal data at rest employing AES-256 standards;
35. Multi-factor authentication for administrative system access;
36. Firewall protection, intrusion detection, and continuous network monitoring;
37. Systematic security patching across all systems and applications;
38. Encrypted backup procedures with regular recovery testing.

(2) Our digital infrastructure undergoes scheduled vulnerability scanning and penetration testing to uncover and remediate potential weaknesses.

Art. 31 – Organizational Safeguards

(1) The organizational measures we enforce include:

39. Role-based access controls governed by the principle of least privilege;
40. Mandatory data-protection and information-security training for all personnel;
41. Confidentiality commitments embedded in all employment and contractor agreements;
42. Documented policies and procedures covering all aspects of information security;
43. Regular awareness programmes to keep staff informed of evolving threats.

Art. 32 – Third-Party Security Oversight

(1) We ensure that any external service provider processing personal data on our behalf implements adequate security measures by means of: binding contractual provisions including dedicated data-processing agreements; pre-engagement security evaluations; and periodic review of the provider’s security practices.

(2) Access granted to third-party providers is restricted to the minimum necessary for the contracted service, and providers are instructed to process data solely according to our documented directions.

Art. 33 – Breach Response Procedures

(1) In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

1. Notify the competent supervisory authority without undue delay and, wherever practicable, within 72 hours of becoming aware of the incident;
2. Inform affected individuals without undue delay when the breach is likely to present a high risk to their rights and freedoms;
3. Document every breach, recording the factual circumstances, the effects, and all remedial actions undertaken.

(2) Our notification to affected individuals will include: a description of the incident; contact details for obtaining further information; an assessment of the probable consequences; and an outline of the measures taken or proposed to address the breach and mitigate potential harm.

(3) We maintain internal breach escalation protocols to ensure that every member of our team can identify and report a suspected security incident without delay.

Section IX – Your Rights as a Data Subject

Art. 34 – Overview of Rights

(1) As a data subject under the GDPR and applicable Bulgarian legislation, you are entitled to a set of specific rights regarding the processing of your personal data, detailed in Articles 35 through 41 below.

(2) We are dedicated to enabling the effective exercise of these rights and will respond to every legitimate request without undue delay, and in all cases within one calendar month of receipt.

(3) Where the complexity or volume of requests necessitates additional time, we may extend this period by up to two further months. If we invoke such an extension, we will notify you within the initial month and explain the reasons.

Art. 35 – Right of Access

(1) You may ask us to confirm whether we process your personal data and, if so, to provide you with a copy of that data along with the following supplementary information:

44. The objectives of the processing;
45. The categories of personal data involved;
46. The recipients or categories of recipients who have received or will receive the data;
47. The anticipated storage duration, or the criteria used to determine it;
48. The existence of your right to request correction, deletion, or processing restrictions, or to object to processing;
49. Your right to file a complaint with a supervisory authority;
50. Where data was not collected directly from you, all available information about its source;
51. Whether automated decision-making or profiling is applied, and if so, meaningful information about its logic and foreseeable consequences.

Art. 36 – Right to Rectification

(1) You may require the prompt correction of any inaccurate personal data we hold about you.

(2) Taking into account the purposes of the processing, you may also request the completion of any incomplete personal data, including by supplying a supplementary statement.

Art. 37 – Right to Erasure

(1) You may request the deletion of your personal data without undue delay in any of the following circumstances:

4. The data is no longer needed for the purpose for which it was originally collected or processed;
5. You withdraw the consent on which the processing was founded and no alternative legal basis remains;
6. You object to the processing and no overriding legitimate grounds exist for continuing it;
7. The data has been processed in violation of applicable law;
8. Erasure is required to comply with a legal obligation binding on NeuraTrek.

(2) This right does not apply where processing remains necessary for: the exercise of freedom of expression and information; compliance with a legal obligation; reasons of public interest in the field of public health; archiving, research, or statistical purposes in the public interest; or the establishment, exercise, or defence of legal claims.

Art. 38 – Right to Restriction of Processing

(1) You may demand that we restrict the processing of your data where:

9. You dispute the accuracy of the data, for a period allowing us to verify correctness;
10. The processing is unlawful but you prefer restriction over erasure;
11. We no longer require the data for processing, but you need it for the pursuit of legal claims;
12. You have objected to processing pending our verification of whether our legitimate grounds prevail.

(2) While restriction is in effect, the data may-apart from storage-only be processed with your consent, for the establishment or defence of legal claims, for the protection of another person’s rights, or for reasons of significant public interest.

Art. 39 – Right to Data Portability

(1) You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as CSV or JSON).

(2) You may also request that we transmit this data directly to another controller without obstruction, provided that: the processing is grounded in consent or contractual necessity; and the processing is performed by automated means.

(3) Where technically feasible, we will facilitate the direct transfer of your data to the controller of your choice.

Art. 40 – Right to Object

(1) You may object at any time, on grounds specific to your personal situation, to the processing of your data where that processing is based on our legitimate interests or the performance of a task in the public interest.

(2) Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for legal claims.

(3) You hold an unconditional right to object at any time to the processing of your personal data for direct marketing purposes, including any profiling related to such marketing. Upon receiving such an objection, we will immediately halt the relevant processing.

Art. 41 – Right Regarding Automated Decisions

(1) You have the right not to be subject to any decision produced exclusively by automated processing-including profiling-that generates legal effects concerning you or that affects you in a comparably significant way.

(2) This right does not apply where the decision: is essential for entering into or performing a contract between you and us; is authorized by EU or member-state law that includes adequate protective measures; or is based on your explicit consent.

(3) In the situations described in (2), we will implement appropriate measures to protect your rights, including at minimum the right to obtain human intervention, to express your viewpoint, and to challenge the decision.

Art. 42 – How to Exercise Your Rights

(1) You may exercise any of the rights described in Articles 35 through 41 by contacting us through any of the following channels:

52. Email: info@neuratrek.ai
53. Post: NeuraTrek Ltd., [Enter full correspondence address], Sofia, Bulgaria

(2) We will not impose a charge for processing your request unless the request is manifestly unfounded, repetitive, or excessive, in which case we reserve the right to levy a reasonable administrative fee or to decline the request.

(3) To protect you, we may ask you to verify your identity before acting on a request, ensuring that personal data is not disclosed to unauthorized persons.

Section X – International Data Transfers

Art. 43 – General Position

(1) As a general rule, we process and store your personal data on infrastructure located within the European Economic Area (EEA).

(2) We permit the transfer of personal data outside the EEA only where specific operational requirements demand it and only under the safeguards described in this section.

(3) All cross-border transfers are conducted in accordance with Chapter V of the GDPR.

Art. 44 – Transfers Arising from Third-Party Services

(1) We utilize certain external services that may entail the processing of limited personal data on servers outside the EEA, including in the United States. These services are described in detail in Section XI.

(2) The data elements that may be transferred include anonymized IP addresses, cookie identifiers, and browsing behaviour metrics.

(3) We have taken measures to minimize the volume of data leaving the EEA, including: enabling IP anonymization before data departs the browser; configuring shorter data-retention windows than the platform defaults; and activating these tools only after receiving your explicit consent through our cookie management system.

Art. 45 – Transfer Safeguards

(1) For every transfer described in Article 44, we rely on the following protective mechanisms:

13. Standard Contractual Clauses (SCCs) as adopted by the European Commission;
14. Supplementary technical measures implemented in light of the Court of Justice’s Schrems II ruling;
15. Due diligence assessments conducted prior to engaging any third-party service provider.

(2) Supplementary technical measures include: data minimization before transfer; pseudonymization where practicable; encryption during transit and at rest; and regular reassessment of the necessity and scope of each transfer.

Art. 46 – Transfer Impact Assessments

(1) We have prepared and documented transfer impact assessments (TIAs) for all data flows outside the EEA. These assessments evaluate: the specific data elements being transferred; the legal framework of the recipient country regarding governmental access to data; the particular circumstances surrounding the transfer; and the additional safeguards deployed to mitigate identified risks.

(2) We review and update our TIAs on a regular basis to reflect evolving legal landscapes and changes in third-country practices.

Art. 47 – Transparency and Documentation

(1) Upon request, you may obtain a copy of the safeguards governing any transfer of your data outside the EEA. Please direct such requests to info@neuratrek.ai. We will respond within one calendar month.

(2) We may redact portions of the documentation that contain proprietary commercial information or security-sensitive details, while ensuring that you receive meaningful information about the transfers and the protections in place.

Art. 48 – Data Localization Practices

(1) Where possible, we prioritize EEA-based service providers and data-storage solutions. We continually assess available alternatives to limit the necessity for international transfers while preserving essential service capabilities.

(2) Should our transfer practices change in the future, we will update this policy accordingly and, where legally required, seek your consent before routing your personal data to additional third countries.

Section XI – Third-Party Data Recipients

Art. 49 – Commitment Against Data Sales

(1) We share your personal data with a carefully vetted and limited group of third parties who process data on our behalf, strictly according to our documented instructions.

(2) We demand that every third-party recipient demonstrates sufficient organizational and technical capabilities to comply with GDPR requirements and to protect your rights.

(3) We do not sell your personal data to any third party. We do not grant third parties access to your data for their own independent marketing activities without your prior explicit consent.

Art. 50 – Identified Third-Party Recipients

(1) The following third-party services may receive limited personal data in connection with our website operations:

Google Ireland Limited (Google Analytics)

54. Function: website traffic analysis and performance measurement
55. Data elements shared: anonymized IP address, cookie identifiers, browsing behaviour, device characteristics
56. Server locations: data may be routed to facilities worldwide, including the United States
57. Provider’s privacy documentation: https://policies.google.com/privacy

Meta Platforms Ireland Limited (Meta Pixel)

58. Function: advertising conversion tracking and audience segmentation
59. Data elements shared: cookie identifiers, browsing behaviour, device information
60. Server locations: data may be routed to facilities worldwide, including the United States
61. Provider’s privacy documentation: https://www.facebook.com/policy.php

X Corp. (formerly Twitter – X/Twitter Advertising Pixel)

62. Function: remarketing, advertising conversion measurement, and audience building
63. Data elements shared: cookie identifiers, browsing activity, device data
64. Server locations: data may be routed to facilities worldwide, including the United States
65. Opt-out instructions: https://support.twitter.com/articles/20170405
66. Provider’s privacy documentation: https://twitter.com/privacy

(2) Should we introduce additional third-party recipients in the future, we will amend this policy before any new data sharing commences.

Art. 51 – Supporting Service Providers

(1) We also engage service providers who may access limited personal data in the course of performing operational functions on our behalf:

16. Hosting and cloud infrastructure providers for website and application operations;
17. Email delivery platforms for newsletter and transactional communications;
18. IT maintenance and cybersecurity service providers;
19. Payment processing services for billing and invoicing.

(2) All such providers are bound by data-processing agreements that: confine their use of your data to the specific contracted purposes; require the implementation of appropriate security measures; and obligate them to delete or return all personal data upon termination of the service relationship.

Art. 52 – Disclosure Required by Law

(1) We may disclose your personal data where compelled to do so by applicable law, regulation, or legal process-for example, in response to a court order or a lawfully issued information request from a public authority.

(2) We may also disclose personal data where we reasonably believe such disclosure is necessary to: defend the rights, property, or safety of NeuraTrek; protect the rights, privacy, or safety of our clients or the public; or enforce the terms of our agreements.

(3) In all such situations, we will disclose only the minimum data we reasonably consider necessary to satisfy the applicable obligation.

Section XII – Cookies and Tracking Technologies

Art. 53 – What Cookies Are and How We Deploy Them

(1) Our website employs cookies and comparable technologies (including pixel tags, web beacons, and local storage objects) to support core functionality, gather usage analytics, and facilitate our marketing activities.

(2) A cookie is a compact text file placed on your device when you access a website. It allows the site to recognize your device on subsequent visits and to recall certain information about your preferences and behaviour.

(3) We deploy non-essential cookies-such as those used for analytics and advertising-only after receiving your prior, informed consent through the cookie consent interface presented upon your first visit to neuratrek.ai.

Art. 54 – Categories of Cookies We Use

Category	Function	Lifespan
Essential	Enable fundamental website operations such as navigation, secure-area access, and form processing. The site cannot function correctly without them. These cookies do not require your consent.	Session / Persistent
Performance & Analytics	Collect anonymized data on how visitors interact with our website, including pages accessed, time on site, navigation paths, and error messages. This information helps us improve site speed, usability, and content.	Persistent (up to 24 months)
Functionality	Store your preferences-such as language or display settings-to deliver a more tailored experience when you return.	Persistent (up to 12 months)
Advertising & Remarketing	Monitor browsing activity across websites to enable us and our advertising partners to present advertisements aligned with your interests. Activated exclusively upon your explicit consent.	Persistent (varies by provider)

Art. 55 – Google Analytics Configuration

(1) We have configured Google Analytics with the following privacy-protective settings:

20. IP addresses are anonymized prior to storage;
21. The data-retention period has been reduced to 14 months instead of the platform default;
22. Data sharing with Google for advertising purposes has been disabled;
23. Analytics cookies are set only after your explicit consent has been recorded.

(2) If you wish to block Google Analytics tracking specifically, you may install the official Google Analytics Opt-out Browser Add-on, available at: https://tools.google.com/dlpage/gaoptout

Art. 56 – Meta (Facebook) Pixel Configuration

(1) We have configured the Meta Pixel with the following safeguards:

24. The pixel activates only after your explicit consent has been obtained;
25. Data collection is limited to basic website-interaction events;
26. Collected data is used exclusively for conversion measurement and targeted campaign management.

(2) You can manage your advertising preferences within Meta’s platforms at: https://www.facebook.com/ads/preferences

(3) You may also opt out of interest-based advertising from Meta and other participating companies through the Digital Advertising Alliance’s WebChoices tool at: https://optout.aboutads.info

Art. 57 – X (Twitter) Remarketing Configuration

(1) NeuraTrek may utilize X (formerly Twitter) remarketing services to present advertisements to users who have previously visited our website.

(2) You can opt out of X’s interest-based advertising by following the instructions at: https://support.twitter.com/articles/20170405

(3) Further details about X’s data practices can be found in their privacy policy at: https://twitter.com/privacy

Art. 58 – Managing Your Cookie Preferences

(1) Upon your first visit to neuratrek.ai, a cookie consent interface will appear, enabling you to accept or decline each category of non-essential cookies individually.

(2) You may revisit and modify your preferences at any time through the cookie settings link accessible in the website footer.

(3) Additionally, most contemporary web browsers permit you to block, delete, or manage cookies through their built-in settings menus. Be aware that disabling certain cookies may impair website functionality or limit your access to particular features.

(4) Links to cookie management instructions for major browsers: Google Chrome – chrome://settings/cookies; Mozilla Firefox – about:preferences#privacy; Apple Safari – Preferences > Privacy; Microsoft Edge – edge://settings/content/cookies.

Section XIII – Use of Artificial Intelligence and Automated Systems

Art. 59 – AI in Our Operations

(1) As a company built around artificial intelligence, NeuraTrek incorporates AI and automated processing into both client-facing services and internal operational functions. Client-facing AI systems-including conversational agents, voice assistants, workflow automation engines, and analytical tools-may process personal data as an inherent part of their designed function. Internally, we may leverage AI-assisted tools for analytics, content optimization, scheduling, and quality assurance.

Art. 60 – Transparency in Automated Processing

(1) Wherever our AI systems process your personal data, we are committed to ensuring that such processing is lawful, equitable, and transparent. We do not deploy AI systems that produce legal or similarly significant effects on individuals through entirely automated means without implementing appropriate safeguards.

(2) If any service involves automated decision-making that could meaningfully affect you, we will inform you in advance, explain the logic involved to the extent reasonably practicable, and provide you with the means to request human review of any automated outcome.

Art. 61 – Client Data and AI Model Training

(1) NeuraTrek does not feed personal data obtained through client engagements into general-purpose AI models-whether owned by NeuraTrek or by any third party-unless the client has furnished specific, informed, and documented written consent.

(2) Any AI models trained or customized within the scope of a client project are developed exclusively for the benefit of that engagement and remain subject to the intellectual property and confidentiality terms agreed between the parties.

Art. 62 – Regulatory Alignment

(1) NeuraTrek actively monitors the evolving regulatory framework for artificial intelligence, including the EU Artificial Intelligence Act and associated guidance. We design our AI systems and data-processing practices to align with current regulatory expectations and to anticipate foreseeable obligations as this legislative landscape matures.

Section XIV – Provisions Concerning Minors

Art. 63 – Age Restrictions

(1) NeuraTrek’s services are conceived for businesses and professional users and are not directed at individuals under the age of eighteen (18).

(2) We do not knowingly collect, solicit, or process personal data from children or minors. If we discover that we have inadvertently obtained personal data from an individual under eighteen without verified parental or guardian consent, we will take prompt action to delete that data from our systems.

(3) If you believe that a minor’s personal data has been submitted to NeuraTrek without proper authorization, please contact us immediately at info@neuratrek.ai so that we may investigate and take corrective measures.

Section XV – Contact Information, Complaints, and Supervisory Authority

Art. 64 – Privacy Enquiries

(1) We welcome all questions, observations, and concerns relating to your privacy or to this policy. You may reach us through:

67. Email: info@neuratrek.ai
68. Telephone: +359 893 396 909
69. Post: NeuraTrek Ltd., [Enter full correspondence address], Sofia, Bulgaria

(2) We aim to acknowledge every privacy-related enquiry within five (5) business days. For formal data-subject rights requests (Articles 35–41), we will provide a substantive response within the timeframes specified in Article 34.

Art. 65 – Internal Complaint Procedure

(1) If you believe that your personal data has been handled in a way that falls short of the standards described in this policy, we encourage you to contact us first so that we may address your concerns directly.

(2) Our internal complaint-resolution process involves: initial review of the complaint by the person responsible for data protection; investigation of the issues raised; a written response to you within fifteen (15) business days; and implementation of any remedial measures found to be necessary.

Art. 66 – Right to Lodge a Complaint with a Supervisory Authority

(1) Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data-protection supervisory authority if you believe that our processing of your personal data infringes applicable law.

(2) You may lodge such a complaint in the EU member state of your habitual residence, your place of work, or the place where the alleged infringement occurred.

(3) For individuals in Bulgaria, the competent supervisory authority is:

Commission for Personal Data Protection (KZLD)

• Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
• Website: https://www.cpdp.bg
• Email: kzld@cpdp.bg

(4) A directory of all national data-protection authorities within the EEA is maintained by the European Data Protection Board at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

(5) Filing a complaint with a supervisory authority is your right and does not require you to contact us beforehand, though we welcome the opportunity to resolve matters directly.

Section XVI – Changes to This Policy

Art. 67 – Classification of Changes

(1) We review this Privacy and Cookie Policy on a regular basis and may amend it to reflect changes in our practices, technology, regulatory requirements, or other operational factors.

(2) We distinguish between: material changes that significantly alter your rights or the manner in which we process your personal data; and non-material changes such as typographical corrections, formatting adjustments, or minor clarifications.

Art. 68 – Notification of Changes

(1) For material changes, we will: publish the revised policy on neuratrek.ai with a clearly visible notification for no fewer than thirty (30) days before the changes take effect; send an email notice to individuals for whom we hold contact information; and obtain your consent where required by applicable law.

(2) For non-material changes, we will update the effective date at the top of this document and make a summary of changes available upon request.

Art. 69 – Policy Archive

(1) We maintain an archive of prior versions of this policy to ensure transparency regarding its evolution over time. You may request access to earlier versions by contacting us at info@neuratrek.ai.(2) Your continued use of our website or services after the effective date of any update constitutes your acknowledgment of the revised terms, subject to your explicit consent where mandated by law.