Note: The German version of this Privacy Policy is the legally binding version.

Privacy Policy

Effective: 2 March 2026

1. Introduction

NeuraTech AG (“we”, “us” or “NeuraTech”), Schürmattstrasse 4b, 6331 Hünenberg, Switzerland, operates the AIvunera platform at aivunera.com. We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP / nDSG) and other applicable data protection laws. This Privacy Policy explains how we collect, use, store and protect your personal data when you use our services.

2. Data controller

NeuraTech AG

Schürmattstrasse 4b

6331 Hünenberg

Switzerland

Data protection enquiries:

3. What data we collect

3.1 Order data

When you place an order, we collect your email address and the information you provide about your AI system (system name, sector, AI type, purpose description and other form fields). This data is used to generate your compliance drafts and to deliver them via a personal download link.

3.2 Generated documents

The generated compliance drafts are stored encrypted in our database (Supabase, located in Zurich) so that you can access them via your personal download link. The retention period is 6 months from the date of purchase (complaint handling).

3.3 Payment information

Payment processing is handled entirely by Stripe. We do not store your credit card number or full payment details on our servers. We retain a Stripe reference ID and basic transaction data (amount, date, document type) for accounting purposes.

3.4 Technical data

We automatically collect standard technical data such as IP address, browser type, operating system and referrer URL when you access our website. This data is used for security, analytics and service optimisation purposes.

3.5 Free risk classifier

When you use our free EU AI Act risk classifier and provide your email address for the full report, we collect:

  • Email address
  • Information about your AI system (name, sector, AI type, etc.)
  • Risk classification result

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) – provision of the requested report. Your email is used exclusively for delivering the report. We will not send you marketing communications unless you have expressly consented.

Retention: Lead data is deleted 12 months after the last access.

4. What we do NOT permanently store

Your AI system data is NOT permanently stored on our servers.

During classification, your inputs are processed in real time and the results are returned directly to you. During document generation, your inputs are sent to the Anthropic Claude API for processing. Anthropic processes this data in accordance with their Privacy Policy and does not use API inputs/outputs for model training. Generated documents are temporarily stored in your order record until download and are subsequently retained only for order fulfilment. Generated documents are retained for 6 months for complaint handling (see section 3.2).

5. AI use at AIvunera (Art. 50 EU AI Act)

AIvunera uses Anthropic Claude (claude-sonnet-4-6) to generate compliance document drafts. Details:

Purpose: Automated generation of structured compliance drafts
Model: Anthropic Claude (Large Language Model)
Inputs: Your system details from the order form
Outputs: Structured document drafts (FRIA, TechDoc, Transparency)
Limitations: AI-generated drafts may contain assumptions
Training: Your data is NOT used for model training
Human oversight: Every draft is intended for legal review

6. Legal bases for processing

We process your personal data on the following legal bases under Art. 6(1) GDPR and in accordance with the Swiss FADP:

  • Performance of a contract (Art. 6(1)(b) GDPR) – processing necessary for the provision of our services and the fulfilment of our contractual obligations to you.
  • Legitimate interests (Art. 6(1)(f) GDPR) – processing for fraud prevention, security, service improvement and analytics, provided our interests are not overridden by your rights.
  • Legal obligation (Art. 6(1)(c) GDPR) – processing necessary to comply with legal obligations, e.g. tax and accounting requirements.
  • Consent (Art. 6(1)(a) GDPR) – where applicable, for optional data processing activities. You may withdraw your consent at any time.

7. Data processors

We engage the following third parties as data processors. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with each processor.

Provider | Purpose | Data location
Supabase | Database hosting & authentication | Switzerland (Zurich)
Stripe | Payment processing | EU / US
Vercel | Website & application hosting | Global (Edge)
Anthropic | AI document generation (Claude API) | US

Where data is processed outside the EEA or Switzerland, appropriate safeguards are in place, in particular EU Standard Contractual Clauses (SCCs) and the Swiss-U.S. Data Privacy Framework.

Note on Anthropic: For document generation, your form data is transmitted to the Anthropic Claude API (San Francisco, USA). A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is in place with Anthropic. Anthropic expressly does not use API data for model training. The data transfer to the USA is safeguarded by EU Standard Contractual Clauses.

8. Retention periods

Order data & generated documents: 6 months (complaint handling)
Lead data (classifier): 12 months after last access
Payment data: 10 years (Swiss retention obligation)
Server logs: 90 days
AI system descriptions: Not permanently stored

After the retention period expires, data is permanently deleted or anonymised. You may request earlier deletion of your personal data as described in section 9.

9. Your rights

Under the GDPR and the Swiss FADP, you have the following rights regarding your personal data:

Right of access

You may request a copy of all personal data we hold about you, including the nature of processing and the recipients.

Right to rectification

You may request the correction of inaccurate or incomplete personal data.

Right to erasure

You may request the deletion of your personal data. We will comply unless a statutory retention obligation applies.

Right to data portability

You may request your personal data in a structured, commonly used, machine-readable format.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).

To exercise these rights, contact us at . We will respond within 30 days.

10. Cookies

We use a minimal number of cookies, strictly limited to those necessary for the operation of our service:

Authentication cookies

Required to maintain your login session (first-party, httpOnly, Secure).

CSRF protection token

Security cookie to protect against cross-site request forgery attacks.

Vercel Analytics

We use Vercel Analytics for anonymous, aggregated usage statistics. Vercel Analytics does not use cookies, does not collect personal data, and does not track individual users. All data is processed in aggregated form. No consent is required. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service improvement).

We do not use any advertising or tracking cookies.

11. International data transfers

Your personal data is primarily stored in Switzerland (via Supabase, hosted in Zurich). Where data transfers outside the EEA or Switzerland occur, we ensure appropriate safeguards through EU Standard Contractual Clauses (SCCs) and other legally recognised transfer mechanisms.

12. Data security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, as well as access controls.

13. Data breaches (Art. 33–34 GDPR)

In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours of becoming aware and will inform affected individuals without undue delay where there is a high risk.

14. Children’s privacy

Our services are not directed at persons under the age of 16. We do not knowingly collect personal data from children.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days before they take effect.

16. Contact

NeuraTech AG

Data protection enquiries

Schürmattstrasse 4b

6331 Hünenberg, Switzerland

Email:

Phone:
