Privacy Policy

1. Who we are

NeuroPouch is a food supplement brand operating under [Company Legal Name], with registered address at [Company Address]. We are the data controller for personal data collected through this website (getneuropouch.com) and associated services.

Data protection contact: privacy@getneuropouch.com

2. What data we collect

Data you provide directly

• Email address and name — when you join our waitlist or subscribe to marketing communications.
• Order information — name, billing address, delivery address, email, phone number — when you place an order (processed via Stripe; see section 5).
• Communications — any messages you send us via email or contact forms.

Data collected automatically

• Usage data — pages visited, time spent, referring URLs, browser type, device type, and approximate geographic location (country/region level).
• Cookies and similar technologies — see section 7 for full cookie information.

3. Why we collect and use your data (legal bases)

Contractual necessity (Article 6(1)(b) GDPR)

When you place an order, we process your name, contact details, and payment information to fulfil the contract — process payment, arrange delivery, handle returns, and communicate about your order.

Legitimate interests (Article 6(1)(f) GDPR)

We process usage data and analytics to understand how our website is used and to improve it. This processing is necessary for our legitimate business interests and does not override your rights.

Consent (Article 6(1)(a) GDPR)

When you join our waitlist or subscribe to marketing emails, you give explicit consent to receive those communications. You may withdraw consent at any time by clicking "unsubscribe" in any email or by contacting privacy@getneuropouch.com.

Legal obligation (Article 6(1)(c) GDPR)

We retain certain order and transaction records to comply with tax, accounting, and consumer protection obligations under EU and Estonian law.

4. How long we keep your data

• Waitlist / marketing email subscribers: Until you unsubscribe, or after 3 years of inactivity.
• Order records: 7 years from date of transaction, as required for tax/accounting compliance.
• Customer service communications: 2 years from the date of resolution.
• Website analytics: Aggregated and anonymised after 14 months.

5. Third parties who process your data

We use a small number of carefully selected third-party processors. All are GDPR-compliant and operate under data processing agreements with us.

• Stripe (payment processing) — Stripe handles all payment data. We do not store card numbers. Stripe's privacy policy: stripe.com/privacy.
• Klaviyo / Mailchimp (email marketing) — your name and email address are stored on our email platform to send you communications you have consented to.
• Hosting provider — our website is hosted on servers within the EU/EEA.
• Analytics provider — we use privacy-respecting analytics (no personal identifiers are shared with third-party ad networks).

We do not sell your personal data. We do not share it with advertisers or data brokers.

6. International transfers

Some third-party processors (including Stripe and email platforms) may process data outside the EU/EEA. Where this occurs, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or the processor operates under an adequacy decision.

7. Cookies

We use the following categories of cookies:

• Strictly necessary cookies: Required for the website to function. No consent required.
• Analytics cookies: Help us understand how visitors use our site (page views, session duration). Used only in aggregate. Consent required; you may decline via our cookie banner.
• Marketing cookies: We do not currently use third-party advertising or retargeting cookies.

You can manage cookies via your browser settings or our cookie preference centre (displayed on first visit).

8. Your rights under GDPR

As a resident of the EU/EEA, you have the following rights:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate or incomplete data.
• Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction — request that we restrict processing of your data in certain circumstances.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent — where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@getneuropouch.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. Payment data is processed exclusively by Stripe using PCI-DSS compliant infrastructure. Our website uses HTTPS throughout.

10. Children

Our website and products are intended for individuals aged 16 and above. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@getneuropouch.com and we will delete it promptly.

11. Changes to this policy

We may update this policy periodically. The "Last updated" date at the top of this page will reflect any changes. For material changes, we will notify active subscribers by email.

12. Contact

For any privacy-related questions or to exercise your rights:
Email: privacy@getneuropouch.com
Post: [Company Legal Name], [Company Address]