Privacy Policy

Last updated June 11, 2026

This policy explains what personal data Neurofolio collects, why we process it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR). We keep it in plain language and only collect what the service genuinely needs.

1. Who we are

Neurofolio ("the Service") is operated by Gorazdo ("we", "us", "our"), which is the data controller responsible for your personal data under the GDPR.

  • Controller: Gorazdo
  • Registered address: [Registered address — to be completed]
  • Place of establishment: [EU country of establishment — to be completed]
  • Contact for privacy matters: neurofolio@gorazdo.studio

2. The data we collect

We collect only the data needed to run the Service, grouped as follows:

Account data

When you sign up, we store your email address and, depending on your sign-in method, your name and avatar. If you sign in with Google or GitHub, we receive your basic profile (name, email, profile picture) from that provider; we never receive your password.

Content you create

The Service is built around the knowledge you add to it: knowledge entries (projects, achievements, notes), portfolio content, and your conversations with our AI assistants. We also store files and generated artifacts you produce while building your portfolio.

Technical and usage data

Our servers and security tooling process your IP address, device and browser information, and request metadata. We use this to keep the Service available, enforce rate limits, and prevent abuse. If you consent to analytics (see Section 5), we also collect aggregated product-usage events.

3. How and why we use your data

Under the GDPR we must have a legal basis for each purpose. Ours are:

Purpose | Data used | Legal basis (GDPR Art. 6)
Create and manage your account | Account data | Performance of a contract (6(1)(b))
Provide the Service and generate your portfolio | Content you create | Performance of a contract (6(1)(b))
Send transactional emails (verification, password reset, sign-in links) | Email address | Performance of a contract (6(1)(b))
Keep the Service secure and prevent abuse | Technical and usage data | Legitimate interests (6(1)(f))
Measure and improve the product through analytics | Product-usage events | Consent (6(1)(a))
Comply with legal obligations | As required by law | Legal obligation (6(1)(c))

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. Where we rely on consent, you may withdraw it at any time (see Section 9).

4. AI processing of your content

Neurofolio uses AI to turn your knowledge into a portfolio. To do this, the content you submit — such as knowledge entries and messages to our AI assistants — is sent to our AI processor to generate text embeddings, portfolio drafts, and assistant responses. This is necessary to provide the Service you asked for.

Our AI processing does not make automated decisions that produce legal or similarly significant effects about you under Article 22 of the GDPR: AI outputs are drafts and suggestions that you review and control. We do not sell your content, and we do not permit our AI processor to use your content to train its general-purpose models.

Public portfolios. Content you choose to publish is made publicly accessible on the internet so that visitors can view your portfolio. Do not include information in published content that you do not want to be public.

5. Cookies and similar technologies

We use a small number of cookies. Strictly-necessary cookies are required to run the Service and do not need your consent. Analytics cookies are optional and are only set if you accept them in our cookie banner — you can decline without losing any functionality.

Cookie | Purpose | Category
Supabase session (e.g. sb-*) | Keeps you signed in | Strictly necessary
nf_cookie_consent | Remembers your cookie choice | Strictly necessary
Theme and sidebar preferences | Remembers your display settings | Strictly necessary
PostHog analytics (e.g. ph_*) | Aggregated product analytics | Analytics (consent required)

You can withdraw analytics consent at any time by clearing the nf_cookie_consent cookie in your browser, which makes the banner appear again, or by blocking cookies in your browser settings.

6. Who we share your data with

We do not sell your personal data. We share it only with service providers (processors) who help us run the Service, each bound by a data processing agreement and permitted to use your data only on our instructions:

Provider | Role | Location
Supabase | Authentication, database, and transactional auth emails | European Union
Vercel | Hosting, file storage, and AI gateway | United States
OpenAI (via the Vercel AI Gateway) | AI text generation and embeddings | United States
PostHog | Product analytics (only with your consent) | United States
Upstash | Rate limiting and caching | European Union / United States

We may also disclose data where required by law, to protect our legal rights, or in connection with a merger or acquisition.

7. International data transfers

Some of our processors are located in the United States, so your data may be transferred outside the European Economic Area. Where this happens, we rely on appropriate safeguards under the GDPR — such as the European Commission's Standard Contractual Clauses, and the EU-US Data Privacy Framework where a provider is certified — to ensure your data receives an equivalent level of protection.

8. How long we keep your data

  • Account data: for as long as your account is active, and deleted within 30 days after you close your account, unless we are legally required to keep it longer.
  • Content you create: until you delete it or close your account.
  • Technical and security logs: for a limited period necessary for security and troubleshooting.
  • Analytics data: retained according to our analytics provider's standard retention settings.

9. Your rights under the GDPR

You have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your data (the "right to be forgotten");
  • Restrict or object to certain processing;
  • Port your data to another service in a structured, machine-readable format;
  • Withdraw consent at any time, without affecting processing carried out before withdrawal.

To exercise any of these rights, email us at neurofolio@gorazdo.studio. We will respond within the time limits set by the GDPR. You also have the right to lodge a complaint with a supervisory authority — in our case, [Your national data protection authority — to be completed] — or the authority in your country of residence.

10. How we protect your data

We apply appropriate technical and organisational measures, including encryption in transit, row-level access controls so users can only reach their own data, and restricted administrative access. No system is perfectly secure, but we work to protect your data and to notify you and the relevant authority where the law requires it in the event of a breach.

11. Children

The Service is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of the Service after a change means you accept the updated policy.

13. How to contact us

For any question about this policy or your personal data, contact Gorazdo at neurofolio@gorazdo.studio.