Privacy Policy

NeoPower Digital, LLC Effective date: October 7, 2025 Version: 1.0

This Policy describes how NeoPower Digital, LLC (“NeoPower,” “we,” “us”) processes personal data in connection with its B2B process-automation platform and integrations. It applies to the neopower.digital domain and its applicable subdomains.

1. Who we are & how to contact us

Controller: NeoPower Digital, LLC (Delaware LLC) EIN: 36-5041139 Incorporation date: October 14, 2022 Registered agent: Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, US Privacy email: privacy@neopower.digital Website: https://neopower.digital (including applicable subdomains)

2. Scope & target audience

B2B: we provide services to businesses.
Customers’ end-users’ data: we may process personal data (e.g., name, email, phone, purchases, messages) when the customer subscribes to services that require it.
Minors: the service is not directed to individuals under 18 years old and their use is prohibited.

3. Categories of personal data we process

Processing depends on the automation services subscribed by the customer. We may process:

Identity & contact: name, email, phone, job title, company.
Account & authentication: credentials, third-party IDs, OAuth tokens, roles/permissions.
Commercial/operational data (variable): orders, catalogs, inventory, billing, tickets, sales/purchase records.
Communications (variable): content/metadata of chats, messaging (e.g., WhatsApp Business), emails, notes; only if the customer subscribes to those workflows.
Telemetry & technical analytics: IP address, user agent, usage events, logs, device/browser identifiers.
AI-related data: prompts, inputs, outputs, feedback, and quality signals tied to the use of AI features.
Sensitive data: we do not process special categories (health, biometric, etc.).

4. Sources of data

Direct input by the customer’s users via the admin panel and/or chat interfaces.
APIs & webhooks from third-party integrations (e.g., messaging tools, e-commerce, email, calendar, ERP/CRM), authorized by the customer (e.g., OAuth).
Imports via files (CSV/spreadsheets).
Scraping: not performed; we use only official APIs and webhooks.

5. Purposes & legal bases

5.1 Purposes

Service delivery (automations, integrations, orchestration of workflows).
Support & assistance (issue resolution, quality improvement).
Security (abuse, fraud, and misuse detection).
Usage analytics and product improvement.
AI features: use of data at runtime (prompts/evaluations) to execute AI functionality requested by the customer (see §6).

5.2 Legal bases (reference)

Contract performance as the primary basis (B2B services).
Legitimate interests for security and aggregated analytics, where appropriate.
Consent for newsletter marketing (opt-in).

Automated decision-making: we do not make decisions with legal or similar significant effects without human involvement under our standard service.

6. AI processing (use of data)

We do not train our models with customer data.
Customer data may be used at inference time (prompts/contexts) to operate AI features requested by the customer.
We may use operational metrics and quality signals anonymized or aggregated for internal performance evaluation.
Training opt-out: not applicable, since we do not train models with customer data.
The customer is responsible for not submitting sensitive or unauthorized data into AI inputs unless it has a valid legal basis.

7. Cookies & analytics

We use analytics tools such as Google Analytics and Microsoft Clarity to understand usage and improve the service.
We currently do not implement a CMP (consent banner); where required by applicable law, we will obtain consent before activating non-essential cookies.
We do not perform email tracking via pixels.

Users can manage cookies in their browser settings and, where applicable, via in-app controls.

8. Retention & deletion

Default rule: we delete all data 3 months after account inactivity or at the end of the monthly subscription.
Deletion upon request: the customer may request deletion before the default timeline.
Backups: backups are purged per rotation policies; deletions are reflected when the relevant backup expires.
Longer retention may apply where required by law or to establish, exercise, or defend legal claims.

9. Disclosures, processors & sub-processors

We may share data with service providers acting as processors (hosting, databases, analytics/observability, AI services, messaging) solely to deliver the service and under confidentiality and security obligations.
For security reasons, we do not publish a named list of sub-processors; we can provide a category- and region-level description upon reasonable request.
International transfers: we do not conduct additional international transfers beyond those necessary to provide the service in the region selected by the customer and by our providers.
DPA: we currently do not offer a standard data processing agreement with customers; for specific needs, contact privacy@neopower.digital.

10. Security

Encryption in transit (TLS) and at rest aligned with our platform capabilities.
Least-privilege access management, logical isolation by organization/tenant, access logging, and operational monitoring.
We currently do not hold certifications (e.g., ISO 27001/SOC 2).
Breach notification: we will notify security incidents in accordance with applicable law (e.g., within 72 hours under GDPR when required) and contractual terms.

11. Data subject rights

Subject to applicable laws (USA, LATAM, and where relevant GDPR/EU), data subjects may exercise:

Access, rectification, erasure, restriction, portability, and objection.
Opt-out from marketing (newsletter).

Channel: privacy@neopower.digital Target response time: 30 days.

Where we act as a processor for a customer, we will forward the request to the controller, as appropriate.

12. Marketing & communications

We send newsletter and marketing communications only with prior consent (opt-in).
Recipients may withdraw consent and unsubscribe at any time.

13. Third-party data & integrations responsibilities

The customer is responsible for having a valid legal basis and permissions to connect its tools (via OAuth or other mechanisms) and to transfer data to NeoPower.
Mixed role model:
- NeoPower acts as controller for account, billing, security, and our own analytics data.
- NeoPower acts as processor for the business data that the customer processes through our automations/integrations.

14. Minors

The service is not intended for individuals under 18. Use is prohibited and data will be deleted if inadvertently processed.

15. Changes to this Policy

We may update this Policy. We will notify material changes via in-app banner, email, or official channels. The “Effective date” reflects the latest update.

16. Governing law & jurisdiction

This Policy is governed by the laws of the State of Delaware, USA.
Any dispute will be submitted to the state or federal courts located in Delaware, without prejudice to mandatory rights of the business user in its jurisdiction, where applicable.

17. How to contact us

For questions, rights requests, or privacy matters: Email: privacy@neopower.digital

Annex A — Summary of sub-processor categories (non-nominal)

Compute & storage infrastructure (US/EU regions).
Managed relational database (US/EU regions).
Analytics & telemetry (usage measurement tools).
Tracing & observability (logs, metrics, traces).
AI services (model inference APIs).
Transactional email (system notifications).

Extended information (e.g., specific regions and security measures) available upon request at privacy@neopower.digital.

Annex B — Retention (illustrative detail)

Account & authentication: contract term + 3 months of inactivity.
Operational/commercial data: contract term + 3 months of inactivity (or earlier deletion upon request).
Logs & telemetry: limited operational retention; deletion per rotation policies.
Backups: deletion upon rotation expiry; deletion requests reflect when the corresponding backup expires.
AI data (prompts/outputs/feedback): minimum retention necessary to operate, debug, and evaluate features, with no model training on customer data.

Last updated: October 7, 2025