Privacy Policy

How we collect, use, and protect your information

Effective Date: 1 January 2025
Last Updated: 27 January 2026

Neural Omega S.L. ("Neural Omega," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. As a biotechnology company developing solutions for autoimmune disease management, we process sensitive personal data, including health information, in accordance with the highest standards of data protection.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platforms and services. This policy has been designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"), and applicable international data protection standards.

This policy applies to:

  • Neural Omega – Corporate website and associated digital services
  • Neural Omega Health – Patient and clinician platform for autoimmune disease management
  • Neural Omega Research – Bioinformatics tools and research platform for pharmaceutical and academic institutions

1. Data Controller and Contact Information

Neural Omega S.L. is the data controller responsible for processing your personal data in accordance with this Privacy Policy.

Legal Name: Neural Omega S.L.
Tax ID (NIF): B75998922
EUID: ES28065.082339668
Registered Address: Paseo de la Castellana 40, 8º Planta, 28046 Madrid, España
Registry: Mercantile Registry of Madrid
Data Protection Officer: dpo@neuralomega.com
General Enquiries: legal@neuralomega.com

For all data protection matters, including exercising your rights under GDPR, please contact our Data Protection Officer at the address provided above.

2. Categories of Personal Data We Collect

2.1 Basic Personal Information

We collect standard personal information to provide and maintain our services:

  • Identification Data: Full name, date of birth, nationality, national identification numbers (where legally required)
  • Contact Information: Email address, telephone number, postal address
  • Account Credentials: Username, encrypted password, security questions, two-factor authentication data
  • Professional Information: Institution or organisation affiliation, professional role, medical licence or credential numbers, area of clinical or research specialisation
  • Financial Data: Billing address, payment method details (processed securely through PCI-DSS compliant third-party payment processors; we do not store full credit card details)

2.2 Health and Medical Data (Special Category Data)

When you use Neural Omega Health, we process special categories of personal data pursuant to Article 9 GDPR. This includes:

  • Clinical Information: Medical diagnoses, disease phenotype data, laboratory test results, imaging data, medication history, treatment protocols, adverse reactions, comorbidities
  • Patient-Reported Data: Self-reported symptoms, symptom severity scores, disease activity indices, quality of life assessments, functional capacity measurements
  • Biometric and Physiological Data: Data from wearable devices, continuous monitoring equipment, vital signs, activity levels, sleep patterns (collected only with explicit consent)
  • Genetic and Molecular Data: Genetic test results, biomarker profiles, proteomic or genomic data (processed only under explicit consent and, where applicable, separate informed consent for research purposes)
  • Healthcare Provider Data: Clinical notes, consultation records, treatment plans, healthcare professional assessments (shared only with appropriate clinical authorisation)

SPECIAL CATEGORY DATA NOTICE

Health and medical data constitute "special categories of personal data" under Article 9 GDPR and receive enhanced protection. We process this data only with your explicit consent or where necessary for the provision of healthcare services. You have the right to withdraw your consent at any time, though this may affect our ability to provide certain services. Health data is encrypted both in transit and at rest, stored in ISO 27001-certified data centres within the European Economic Area, and subject to strict access controls.

2.3 Research and Scientific Data

When you use Neural Omega Research or participate in research activities:

  • Research Contributions: De-identified or pseudonymised datasets, analysis results, research queries, protocol designs, computational workflows
  • Collaborative Data: Shared research projects, multi-institutional study data, data access logs for audit purposes
  • Publications and IP: Authorship information, institutional affiliations, research outputs (handled in accordance with intellectual property agreements)
  • Biological Sample Information: Sample identifiers, processing metadata, storage conditions (where applicable to biobanking activities)

2.4 Technical and Usage Data

We automatically collect certain technical information when you use our platforms:

  • Device and Browser Information: Device type, operating system, browser type and version, screen resolution, language preferences
  • Usage Analytics: Pages or features accessed, time spent on platform, click patterns, navigation paths, feature adoption metrics
  • Network Data: IP address (anonymised where possible), approximate geographic location (city or region), internet service provider
  • Performance Data: Load times, error logs, system performance metrics, API response times
  • Security Data: Login attempts, authentication events, security incident logs, threat detection data

2.5 Communications and Support Data

  • Correspondence: Emails, support tickets, chat transcripts, phone call recordings (with prior notification), feedback submissions
  • Marketing Communications: Newsletter subscriptions, event registrations, webinar attendance, marketing preferences

3. Legal Basis for Processing Personal Data

Under GDPR Article 6, we process your personal data only where we have a valid legal basis. The legal basis depends on the purpose of processing and the type of data collected:

Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR)

We rely on your explicit consent for:

  • Processing special category health data for personalised insights and symptom tracking
  • Sharing anonymised data for scientific research purposes
  • Sending marketing communications and newsletters
  • Using non-essential cookies and analytics tools
  • Collecting biometric data from wearable devices

You may withdraw consent at any time through your account settings or by contacting us directly.

Contractual Necessity (Art. 6(1)(b) GDPR)

Processing is necessary to perform our contract with you:

  • Account creation and management
  • Provision of platform features and services
  • Payment processing and billing
  • Customer support and service communications
  • Delivery of requested reports or analyses

Legal Obligation (Art. 6(1)(c) GDPR)

Processing is necessary to comply with legal obligations:

  • Responding to lawful requests from regulatory authorities
  • Tax and accounting obligations
  • Compliance with healthcare regulations and medical device legislation
  • Maintaining records as required by Spanish and EU law
  • Reporting adverse events or safety concerns to competent authorities

Legitimate Interests (Art. 6(1)(f) GDPR)

We process data based on our legitimate interests where these do not override your rights:

  • Improving platform security and preventing fraud
  • Conducting internal analytics to enhance user experience
  • Protecting intellectual property and trade secrets
  • Detecting and preventing misuse of our services
  • Exercising or defending legal claims

Public Health and Scientific Research (Art. 9(2)(i) and (j) GDPR)

Where applicable, we process health data for:

  • Public health purposes, including monitoring disease patterns and outcomes
  • Scientific research purposes in the field of autoimmune disease, subject to appropriate safeguards (pseudonymisation, data minimisation, ethics committee approval)

4. How We Use Your Personal Data

We use personal data collected through our platforms for the following purposes:

4.1 Service Provision and Platform Functionality

  • Provide access to Neural Omega Health, Research, and Maia platforms
  • Enable communication between patients and healthcare providers
  • Process and analyse bioinformatics data for research institutions
  • Generate clinical decision support tools and calculators
  • Facilitate data sharing within your authorised care team

4.2 Research and Development

  • Conduct scientific research into autoimmune disease mechanisms and treatment efficacy
  • Develop and improve AI/ML algorithms for predictive analytics and decision support
  • Identify disease patterns, biomarkers, and potential therapeutic targets
  • Advance computational biology and bioinformatics methodologies
  • Publish anonymised research findings in peer-reviewed scientific literature

Research Data Safeguards: All research uses pseudonymised or anonymised data wherever possible. Where identifiable data is necessary, processing occurs under explicit consent, ethics committee approval, and in compliance with Good Clinical Practice (GCP) standards.

4.3 Platform Improvement and Innovation

  • Analyse usage patterns to enhance user experience and interface design
  • Develop new features and functionalities based on user needs
  • Test and validate new algorithms and analytical tools
  • Optimise platform performance, speed, and reliability

4.4 Communication and Support

  • Respond to enquiries, provide technical support, and resolve issues
  • Send service notifications, updates, and important security alerts
  • Communicate changes to our services or policies
  • Send marketing communications (with consent), including newsletters and event invitations

4.5 Security, Fraud Prevention, and Legal Compliance

  • Monitor and prevent unauthorised access, fraud, and security threats
  • Investigate and respond to security incidents or data breaches
  • Comply with legal obligations, court orders, and regulatory requirements
  • Enforce our Terms of Service and other agreements
  • Protect our intellectual property and confidential information
  • Exercise or defend legal claims

4.6 Automated Decision-Making and Profiling

Our platforms may use AI and machine learning algorithms to provide personalised insights, predict disease progression, and recommend treatment options. Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Important: Our AI-powered recommendations are designed as clinical decision support tools, not autonomous diagnostic systems. All clinical decisions should be made by qualified healthcare professionals, who retain full authority over patient care. Neural Omega's tools are not classified as medical devices under the EU Medical Device Regulation (MDR), as they do not provide standalone diagnoses or treatment decisions.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your data only in the following strictly limited circumstances:

5.1 Healthcare Providers and Care Teams

With your explicit authorisation, we share relevant health information with your designated healthcare providers, including physicians, nurses, specialists, and other members of your care team. This facilitates coordinated care and ensures your healthcare professionals have access to necessary clinical information.

5.2 Research Collaborators and Academic Institutions

We may share anonymised or pseudonymised data with trusted research partners, including:

  • Academic medical centres and universities conducting autoimmune disease research
  • Pharmaceutical and biotechnology companies for drug development purposes
  • Clinical research organisations managing clinical trials
  • Public health agencies for epidemiological studies

Data shared for research purposes is subject to Data Processing Agreements, ethics approvals, and strict confidentiality obligations. Where identifiable data is shared, we obtain your explicit informed consent.

5.3 Service Providers and Processors

We engage carefully vetted third-party service providers to support our operations, including:

  • Cloud infrastructure providers (ISO 27001 and SOC 2 certified, EU-based data centres)
  • Payment processors (PCI-DSS compliant)
  • Email and communication platforms
  • Customer support and helpdesk software
  • Analytics and performance monitoring tools

All processors are bound by Data Processing Agreements compliant with GDPR Article 28, ensuring they process data only on our instructions and maintain appropriate security measures.

5.4 Legal and Regulatory Authorities

We may disclose personal data when required by law, including:

  • Responding to valid legal process (court orders, subpoenas, warrants)
  • Complying with regulatory investigations or audits
  • Reporting adverse events to medicines agencies
  • Cooperating with law enforcement in legitimate criminal investigations
  • Protecting vital interests (life-threatening emergencies)

5.5 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of any such change and ensure the acquiring party commits to protecting your data under terms at least as protective as this Privacy Policy.

5.6 Aggregated and Anonymised Data

We may share aggregated, anonymised data that cannot reasonably be used to identify individuals. This includes statistical reports, research publications, and industry benchmarking data.

6. International Data Transfers

Neural Omega primarily processes and stores personal data within the European Economic Area (EEA). Our data centres are located in Spain and other EU member states, where GDPR applies directly.

In limited circumstances, we may transfer personal data to countries outside the EEA, including:

  • United Kingdom: Recognised as providing adequate protection under the European Commission's adequacy decision
  • United States: Only to service providers certified under the EU-U.S. Data Privacy Framework or subject to Standard Contractual Clauses approved by the European Commission
  • Other Countries: Only where an adequacy decision exists or appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules) are in place

For health data, we employ additional safeguards including encryption in transit and at rest, pseudonymisation where possible, and contractual restrictions on processing.

You may request information about specific safeguards applied to international transfers by contacting our Data Protection Officer at dpo@neuralomega.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations. Retention periods vary depending on the type of data and purpose of processing:

Account and Profile Data

Retained for the duration of your active account plus 12 months following account closure, unless longer retention is required by law or for legitimate purposes (e.g., defending legal claims).

Health and Medical Data

Retained for the duration of your active account plus a minimum of 10 years following the last healthcare interaction, in accordance with Spanish medical records retention requirements (RD 1093/2010). Longer retention may apply where data is used for ongoing research under explicit consent.

Research Data

Pseudonymised or anonymised research data may be retained indefinitely for scientific purposes, subject to ongoing legal and ethical compliance. Identifiable research data is retained only as long as necessary for the specific research project, typically 5-15 years depending on regulatory requirements.

Financial and Transaction Data

Retained for 6 years from the end of the relevant financial year, in compliance with Spanish tax and accounting legislation.

Marketing and Communications Data

Retained until you withdraw consent or opt out, plus up to 12 months to process your request and maintain suppression lists.

Technical and Usage Data

Log files and usage analytics are typically retained for 12-24 months. Security logs may be retained longer where necessary for investigation or legal compliance.

At the end of the applicable retention period, personal data is securely deleted or anonymised such that it can no longer identify individuals.

8. Your Rights Under GDPR

As a data subject under GDPR, you have extensive rights regarding your personal data. We are committed to facilitating the exercise of these rights. You may exercise any of the following rights by contacting us at dpo@neuralomega.com:

Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with information about the processing (purposes, categories, recipients, retention periods, etc.). We will provide one copy of your data free of charge; additional copies may incur a reasonable administrative fee.

Right to Rectification (Art. 16 GDPR)

You have the right to correct inaccurate or incomplete personal data. Many corrections can be made directly through your account settings; for others, please contact us.

Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You may request deletion of your personal data where: (a) it is no longer necessary for the purposes collected, (b) you withdraw consent (where processing is based on consent), (c) you object to processing and there are no overriding legitimate grounds, (d) data has been unlawfully processed, or (e) deletion is required by law. This right is not absolute; we may retain data where we have a legal obligation or legitimate interest (e.g., defending legal claims, maintaining research integrity).

Right to Restriction of Processing (Art. 18 GDPR)

You may request that we restrict processing of your personal data where: (a) you contest the accuracy of the data, (b) processing is unlawful but you oppose erasure, (c) we no longer need the data but you require it for legal claims, or (d) you have objected to processing pending verification of legitimate grounds.

Right to Data Portability (Art. 20 GDPR)

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and to transmit that data to another controller without hindrance.

Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, we will cease processing immediately upon objection. For processing based on legitimate interests, we will cease unless we demonstrate compelling legitimate grounds that override your interests.

Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. You may request human intervention, express your point of view, and contest any automated decision.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal. You may withdraw consent through your account settings or by contacting us.

Right to Lodge a Complaint

If you believe we have not processed your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for Neural Omega is:

Agencia Española de Protección de Datos (AEPD)

Website: www.aepd.es

Exercising Your Rights

To exercise any of the above rights, please contact our Data Protection Officer at dpo@neuralomega.com. We will respond to your request within one month, though this may be extended by two further months for complex requests. We may request additional information to verify your identity before processing your request.

9. Data Security and Protection Measures

We implement rigorous technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our security framework aligns with ISO 27001 standards and includes:

9.1 Technical Security Measures

  • Encryption: Health data is encrypted in transit using TLS 1.3 and at rest using AES-256.
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and least-privilege principles ensure only authorised personnel access personal data.
  • Network Security: Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) protect our infrastructure.
  • Secure Development: Security-by-design principles, code reviews, static and dynamic analysis, and secure coding standards are embedded in our development lifecycle.
  • Data Pseudonymisation and Anonymisation: Where possible, we pseudonymise or anonymise data to reduce privacy risks, particularly for research and analytics purposes.
  • Backup and Disaster Recovery: Regular encrypted backups with off-site storage ensure data availability and business continuity.

9.2 Organisational Security Measures

  • Data Protection Governance: Designated Data Protection Officer (DPO) overseeing compliance with GDPR and internal data protection policies.
  • Employee Training: Mandatory data protection training for all staff, with specialised training for those handling health data.
  • Confidentiality Obligations: All employees and contractors sign confidentiality agreements and are bound by strict data handling protocols.
  • Incident Response Plan: Documented procedures for detecting, reporting, investigating, and mitigating data breaches.
  • Vendor Management: Due diligence assessments of all third-party processors, with contractual obligations ensuring equivalent security standards.
  • Regular Audits: Internal and external audits assess compliance with data protection laws and security standards.

9.3 Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (AEPD) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms, as required by GDPR Article 34
  • Provide information about the nature of the breach, likely consequences, and measures taken or proposed to address it

10. Cookies and Similar Technologies

Our platforms use cookies and similar tracking technologies to enhance functionality, analyse usage, and improve user experience. We adhere to the EU ePrivacy Directive and obtain consent where required.

10.1 Types of Cookies We Use

Strictly Necessary Cookies

Essential for website functionality, user authentication, security, and service delivery. These cookies cannot be disabled as they are necessary for the platform to function. Examples: session cookies, authentication tokens, security cookies.

Functional Cookies

Enable enhanced functionality and personalisation, such as remembering your preferences, language settings, and customised views. These require your consent.

Analytics Cookies

Help us understand how users interact with our platforms, including page views, navigation patterns, and feature usage. We use privacy-preserving analytics tools with IP anonymisation. These require your consent.

Marketing Cookies (Not Currently Used)

We do not currently use third-party advertising or marketing cookies. Should this change in future, we will update this policy and obtain your explicit consent.

10.2 Managing Cookie Preferences

You can manage cookie preferences through:

  • Our cookie consent banner (displayed on first visit)
  • Your account settings (for registered users)
  • Your browser settings (to block or delete cookies entirely)

Please note that disabling certain cookies may limit functionality and affect your user experience.

11. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18 without verifiable parental or guardian consent.

If you are a parent or guardian and believe your child under 18 has provided personal data to us without consent, please contact us immediately at dpo@neuralomega.com. We will promptly investigate and delete such data.

In cases where our services are used for patients under 18, we require explicit consent from a parent or legal guardian with parental responsibility, in accordance with GDPR Article 8.

12. Third-Party Services and Links

Our platforms may contain links to third-party websites, services, or integrations (e.g., wearable device APIs, healthcare provider portals). This Privacy Policy applies only to Neural Omega's services.

Third-party services have their own privacy policies, and we are not responsible for their data practices. We encourage you to review the privacy policies of any third-party services you access through our platforms.

Where we integrate third-party services that process personal data on our behalf, we ensure they are bound by Data Processing Agreements and provide adequate safeguards.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you via email (to your registered email address)
  • Display a prominent notice on our platforms
  • Where required by law, seek your renewed consent

Your continued use of our services after notification of changes constitutes acceptance of the updated policy, unless you exercise your right to object or withdraw consent.

14. Intellectual Property and Confidentiality

Neural Omega has developed proprietary algorithms, AI models, bioinformatics tools, and clinical decision support systems that constitute valuable intellectual property. While this Privacy Policy governs personal data processing, please note:

  • Our algorithms, models, and methodologies are protected by intellectual property rights and trade secret laws
  • Reverse engineering, decompiling, or attempting to extract proprietary algorithms is strictly prohibited
  • Research data and analyses produced by our platforms remain subject to confidentiality obligations outlined in user agreements
  • Publications or disclosures of research findings must comply with data protection requirements and anonymisation standards

15. Governing Law and Jurisdiction

This Privacy Policy and all matters relating to your privacy shall be governed by and construed in accordance with the laws of Spain and the European Union, without regard to conflict of law principles.

Any disputes arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Madrid, Spain, except where GDPR grants you the right to bring proceedings in the courts of your habitual residence.

Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we process your personal data, please contact us:

Data Protection Officer: dpo@neuralomega.com

General Enquiries: legal@neuralomega.com

Registered Address:

Neural Omega S.L.

Paseo de la Castellana 40, 8º Planta

28046 Madrid, España

NIF: B75998922

EUID: ES28065.082339668

Neural Omega S.L. is registered in the Mercantile Registry of Madrid and operates in full compliance with Spanish and European Union data protection legislation, including the General Data Protection Regulation (EU) 2016/679 and the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights.