Privacy Policy
Last updated: November 28, 2025
1. Who we are
NeroxynLabs ("Neroxyn", "we", "us") provides a SaaS tool for generating tool-aware AI prompts and acts as the data controller for the personal data described in this notice. Contact: privacy@neroxyn.com.
2. What we collect
- Account data: email, display name, avatar (if you set one), plan.
- Auth data: sign-in provider (email/password or Google).
- Usage data: the briefs you submit, the prompts we generate for you, your saved memory and folders, your favorites and shares.
- Billing data: handled entirely by Paddle.com (our Merchant of Record). We receive only a customer ID, subscription status, and renewal date — never your card details.
- Technical data: IP address, browser, basic analytics needed to run and secure the Service.
3. Why we use it
- To run the Service — generate prompts, store your history, apply your Creator Memory.
- To authenticate you and prevent fraud.
- To send transactional emails (signup confirmation, plan changes, password resets).
- To improve the product through aggregated, anonymized analytics.
We do not sell your data. We do not train AI models on your inputs or outputs.
4. Sub-processors
- Supabase — managed database and authentication (EU/US regions).
- Cloudflare — edge hosting and DDoS protection.
- Paddle.com — payment processing and tax compliance.
- Lovable AI Gateway — routes your briefs to underlying AI models (Google Gemini) for prompt generation.
- Google — only if you sign in with Google (we receive email + name + avatar only).
5. Data retention
We keep your data until you delete your account. Generated prompts and memory can be deleted individually from the History and Memory pages. On account deletion, your data is purged within 30 days, except where retention is legally required (e.g. billing records: 7 years).
6. Your rights (GDPR / CCPA)
You can request access, correction, export, or deletion of your data at any time by emailing privacy@neroxyn.com or by deleting your account from Settings. EU residents may lodge complaints with their local data protection authority.
7. Cookies
We use essential cookies only — for authentication and CSRF protection. No advertising or third-party tracking cookies.
8. Security
Data is encrypted in transit (TLS) and at rest. Database access is restricted via row-level security so users can only see their own rows.
9. International transfers
Data may be processed in the EU or US depending on the sub-processor. Standard Contractual Clauses are in place where required.
10. Children
The Service is not directed at children under 13 (or 16 in the EU). If you believe a child has signed up, email us and we'll delete the account.
11. Changes
We'll notify you of material changes via in-app banner or email. Continued use after the effective date constitutes acceptance.