1. Who we are
Neutrally ("we", "us", "our") is operated from the United Kingdom. We provide an AI workspace with persistent memory across conversations and AI models, accessible at neutrally.app.
For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018, we are the data controller for your personal data.
Contact: privacy@neutrally.app
2. What data we collect
We collect the following categories of personal data:
- Account information: Email address, name, role, and use case provided during registration and onboarding.
- Conversation data: Messages exchanged between you and AI models through our platform, including conversation titles, summaries, and extracted memory items.
- Memory data: Facts, preferences, and context extracted from your conversations and stored as part of our persistent memory feature, including any memory items you manually create.
- API keys (BYOK users): If you choose to bring your own API keys, these are encrypted using AES-256-GCM before storage. We never store API keys in plaintext.
- Usage data: Token usage, conversation counts, feature usage patterns, and technical logs necessary for operating the service.
- Technical data: IP address, browser type, device information, and cookies as described in Section 8.
- File uploads: Files you attach to conversations (images, PDFs, text files, CSVs) up to 10MB, processed for content extraction.
- MCP connector data: When you connect a third-party AI client (Claude, Cursor, ChatGPT, or any other client supporting the Model Context Protocol) to your Neutrally account, that client sends conversation text, tool calls, and memory queries to our MCP endpoint (/api/mcp). We process this data to save, search, and recall memory items on your behalf. OAuth identifies which Neutrally account the client is acting on; no data from one user's account is ever readable by another.
3. How we use your data
We process your personal data for the following purposes:
- To provide and maintain the Neutrally service, including persistent memory across conversations
- To personalise your experience by maintaining context across AI models and sessions
- To process your conversations through third-party AI providers (see Section 5)
- To extract and store memory items from your conversations for future context
- To generate conversation summaries and keyword indices for search and retrieval
- To manage your account, including authentication and access control
- To monitor usage and enforce fair use limits
- To send essential service communications (welcome emails, password resets, account notifications)
- To detect, prevent, and address technical issues, abuse, and security incidents
- To improve and develop our service based on aggregated, anonymised usage patterns
4. Legal basis for processing
Under the UK GDPR and EU GDPR, we rely on the following legal bases:
- Performance of a contract (Article 6(1)(b)): Processing necessary to provide the service you signed up for, including storing conversations, maintaining memory, and processing AI requests.
- Legitimate interests (Article 6(1)(f)): Service improvement, security, fraud prevention, and analytics, where our interests do not override your rights and freedoms.
- Consent (Article 6(1)(a)): Where required, such as for optional analytics cookies. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): Where processing is necessary to comply with applicable law.
5. Third-party services and data sharing
We share data with the following categories of third-party service providers, strictly as necessary to operate the service:
- AI model providers (OpenAI, Anthropic, Google): Your conversation messages are sent to these providers to generate AI responses. These providers process data under their own API terms and do not use API-submitted data for model training. For BYOK users, data is sent using your own API keys under your direct relationship with the provider.
- OpenAI (embeddings): In addition to chat completions, we send the text of saved memory items to OpenAI's embeddings API (text-embedding-3-large) to convert each memory into a numerical vector. The vector — not the original text — is what we use for fast similarity search at recall time. OpenAI processes this data under their API terms and does not retain or train on it.
- MCP clients (Claude, Cursor, ChatGPT, and others supporting the Model Context Protocol): When you connect one of these clients to your Neutrally account, the connection is initiated by the client. The client receives the responses to its own MCP tool calls (e.g. the memory items returned by a search_memory call). These clients are not our sub-processors — they are tools you have chosen to authorise on your behalf via OAuth.
- Infrastructure (Supabase, Vercel): Database hosting, authentication, and application hosting. Data is processed under their respective data processing agreements.
- Analytics (PostHog): Privacy-focused product analytics. We collect anonymised usage events. PostHog is configured to respect Do Not Track signals.
- Email (Resend): Transactional emails only (welcome, password reset, account notifications). We do not send marketing emails.
We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.
6. International data transfers
Some of our service providers are based outside the United Kingdom and European Economic Area. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO
- Transfers to countries with adequate data protection as determined by the UK or EU
- Data processing agreements with all sub-processors
7. Data retention
- Account data: Retained for the duration of your account and deleted within 30 days of account deletion.
- Conversations and memory: Retained for the duration of your account. You may delete individual conversations or memory items at any time through the application.
- API keys (BYOK): Deleted immediately upon account deletion or when you remove them from settings.
- Deleted accounts: Email addresses of deleted accounts are retained for 30 days solely to enforce the re-registration cooldown period, then permanently deleted.
- Technical logs: Retained for up to 90 days for security and debugging purposes.
9. Your rights
Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of your personal data.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your data. You can delete your account and all associated data through Settings.
- Right to restrict processing: Request limitation of how we process your data.
- Right to data portability: Request your data in a machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, withdraw at any time.
To exercise these rights, contact us at privacy@neutrally.app. We will respond within one month as required by law.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local EU data protection authority.
10. Data security
We implement appropriate technical and organisational measures to protect your personal data, including:
- AES-256-GCM encryption for stored API keys
- Row-level security (RLS) on all database tables ensuring users can only access their own data
- SHA-256 hashing for CLI authentication tokens
- Rate limiting across all API endpoints
- HTTPS encryption for all data in transit
- Input sanitisation and output encoding to prevent injection attacks
11. Children's privacy
Our service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.
13. Contact
For any questions about this Privacy Policy or our data practices, contact us at:
privacy@neutrally.app