Privacy Policy

NeoPower Digital, LLC Effective date: December 23, 2025 Version: 1.1

This Policy describes how NeoPower Digital, LLC ("NeoPower," "we," "us") processes personal data in connection with its B2B process-automation platform and integrations (the "Platform"). It applies to the neopower.digital domain and its related subdomains.

1. Who we are & how to contact us

Controller: NeoPower Digital, LLC (Delaware LLC) EIN: 36-5041139 Incorporation date: October 14, 2022 Registered agent: Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, US Privacy email: privacy@neopower.digital

2. Scope & target audience

B2B: we provide services to businesses and organizations ("Customers").
Customers' end-users' data: when a Customer subscribes to automation/integration services that require it, NeoPower may process personal data of third parties (e.g., name, email, phone, purchases, messages) as part of the service.
Minors: the Platform is not directed to individuals under 18 years old and their use is prohibited.

3. Role definitions (Controller / Processor)

Depending on the type of data and context, NeoPower may act as:

Controller: for account, administration, billing, security, abuse prevention, and Platform analytics/telemetry data.
Processor: for business data and content that the Customer processes through our automations/integrations, following Customer instructions.

4. Categories of personal data we process

Processing depends on the subscribed service. We may process:

Identity & contact: name, email, phone, job title, company.
Account & authentication: credentials, third-party IDs, OAuth tokens, roles/permissions.
Commercial/operational data (variable): orders, catalogs, inventory, billing, tickets, sales/purchase records.
Communications (variable): content and metadata of chats, messaging (e.g., WhatsApp Business), emails, notes; only if the Customer subscribes to those workflows.
Telemetry & technical analytics: IP address, user agent, usage events, logs, device/browser identifiers.
AI-related data: prompts, inputs, outputs, feedback, and quality signals associated with the use of AI features.

Sensitive data (special categories): the Platform is not designed to process sensitive data (health, biometric, etc.). The Customer must not submit such data unless there is a valid legal basis and contractual authorization; NeoPower may restrict or delete content if incompatible use is detected.

5. Sources of data

Direct input by the Customer's users via the admin panel and/or chat interfaces.
APIs and webhooks from third-party integrations, authorized by the Customer (e.g., OAuth).
Imports via files (CSV/spreadsheets).
Scraping: we do not perform scraping; we use official APIs and webhooks when available.

6. Processing purposes

We process data to:

Deliver the contracted service (automations, integrations, workflow orchestration).
Support & assistance (issue resolution, quality improvement).
Security (abuse, fraud, misuse detection, and Platform protection).
Analytics and product improvement (usage and performance metrics).
AI features requested by the Customer (see §8).

7. Legal bases (where applicable)

In contexts where a legal basis is required (e.g., certain U.S. jurisdictions), typical bases may include:

Contract performance (primary basis for B2B services).
Legitimate interest (security, abuse prevention, and technical analytics).
Consent (e.g., newsletter/marketing when applicable).

Automated decision-making: NeoPower does not, by default, make automated decisions with legal or similarly significant effects on individuals without human involvement.

8. AI processing (use of data)

NeoPower may offer AI functionalities within the Platform. In such cases:

We do not train proprietary models with Customer data.
Data may be used at runtime (prompts/context) to operate the requested functionality.
We may retain operational metrics and quality signals in aggregated or anonymized form to evaluate performance and reliability.
AI providers: we may use third-party APIs (e.g., Gemini API and potentially other APIs such as GPT, Anthropic, Meta, or others) for inference. When using Gemini API, Google indicates that data logged for abuse monitoring is used for policy enforcement and not for training or tuning models. (Google AI for Developers)
Customer responsibility: the Customer is responsible for not submitting unauthorized or sensitive data into AI inputs unless it has a valid legal basis and appropriate permissions.

9. Cookies & analytics

We may use analytics tools (e.g., Google Analytics and Microsoft Clarity) to understand usage and improve the service.
We do not engage in data selling or targeted advertising based on user profiles.
Users can manage cookies through browser settings. If future applicable regulations require prior consent for non-essential cookies in the context of Platform use, we will implement appropriate mechanisms.

10. Retention & deletion

Default rule (standard customers):

After subscription termination or sustained account inactivity, we delete or disassociate account data and Customer operational data within a target period of up to 3 months, unless:
- there is a legal obligation to retain (e.g., accounting/tax records), or
- retention is necessary to defend against claims, or
- the Customer requests longer retention for operational requirements.

Deletion upon request: the Customer may request deletion before that period, subject to reasonable legal and technical limitations.

Backups: backup copies are rotated; deletions are reflected when the corresponding backup expires.

11. Disclosures, processors & sub-processors

We may share data with providers acting as processors/sub-processors (hosting, databases, analytics/observability, AI services, messaging, transactional email), solely to deliver the service and under confidentiality and security obligations.

Sub-processor list: for operational security reasons, we do not publish a nominal list in this Policy. Upon reasonable request, we will provide updated information about sub-processors (categories, functions, and regions).

Hosting and regions: we currently operate infrastructure in the United States and Europe (e.g., via Hetzner, which has locations in Europe and the U.S.). (Hetzner)

12. International transfers

Since we operate in US and Europe, data may be processed in those regions depending on the architecture and contracted service. NeoPower applies reasonable measures to ensure cross-border processing in accordance with applicable legal frameworks.

13. Security

We apply reasonable security measures, including:

Encryption in transit (TLS) and encryption at rest when available based on underlying technology.
Least privilege, access controls, logical isolation by organization/tenant, logs, and operational monitoring.
Incident management: we will notify security incidents in accordance with applicable regulations and contractual terms.
Certifications: we currently do not hold certifications (e.g., ISO 27001 / SOC 2).

14. Data subject rights

Subject to applicable laws (e.g., certain U.S. state laws), data subjects may have rights such as access, rectification, erasure, portability, restriction, objection, and opt-out from marketing.

Channel: privacy@neopower.digital
Verification: we may request reasonable information to verify the identity and/or authority of the requester.
Timelines: we will respond within reasonable timelines and in accordance with applicable regulations.
Appeal: if we deny a request when an applicable law provides for appeal, the data subject may appeal; and, where appropriate, we will inform of avenues to file a complaint with the competent authority. (For example, Delaware law provides for response to appeals and a mechanism to contact the Department of Justice if denied). (Delaware Code Online)

When NeoPower acts as processor: if the request concerns data we process on behalf of a Customer, we may forward it to the Customer (controller) for handling.

15. Marketing & communications

We send newsletter/marketing communications only with prior consent (opt-in) when applicable.
Recipients may unsubscribe at any time.

16. Customer responsibilities for third-party data & integrations

The Customer is responsible for having a valid legal basis and permissions to:

Connect tools (OAuth or other mechanisms),
Transfer data to NeoPower, and
Define what data is processed in automations, including messages and content.

17. Minors

The service is not directed to individuals under 18. If we detect inadvertent processing, we may delete data and/or restrict access.

18. Changes to this Policy

We may update this Policy. We will notify material changes through reasonable mechanisms (e.g., in-app or email). The "Effective date" indicates the latest modification.

19. Governing law & jurisdiction

This Policy is governed by the laws of the State of Delaware, USA, without prejudice to mandatory rules applicable in the jurisdiction of the data subject or the Customer when appropriate.

20. How to contact us

For questions, rights requests, or privacy matters: privacy@neopower.digital

Annex A — Summary of sub-processor categories (illustrative)

Compute & storage infrastructure (US/EU).
Managed database (US/EU).
Analytics & telemetry (usage and performance measurement).
Observability (logs, metrics, traces).
AI services (model inference APIs).
Transactional email (system notifications).

Extended information (e.g., specific regions) available upon request at privacy@neopower.digital.

Annex B — Retention (illustrative detail)

Account & authentication: contract term + up to 3 months after inactivity/termination (unless legal obligation).
Operational/commercial data: contract term + up to 3 months (or deletion upon request).
Logs & telemetry: limited operational retention per rotation policies.
Backups: deletion upon rotation expiry; deletion requests are reflected when the corresponding backup expires.
AI data (prompts/outputs/feedback): minimum retention necessary to operate, debug, and evaluate features; no training of proprietary models.

Last updated: December 23, 2025