Skip to main content
Start
Legal

Privacy Policy

Effective date: June 1, 2026 · Plain-language summary followed by full detail.

The Short Version

🔒
Your data stays on your device
Assessment answers, journal entries, and profile data are stored locally in your browser. We never send them to our servers unless you create an account.
🚫
No third-party trackers
We use self-hosted analytics only. No Google Analytics, Meta Pixel, or advertising trackers of any kind.
💾
You own your data
Download everything as JSON, delete it all permanently, or port it to another app — anytime, from the Privacy Center.
🧒
Children's privacy protected
Child profiles (under 13) are never used for analytics or AI training. Guardian controls gate all AI interactions.

1. Who We Are

NeuroMirror™ is an educational self-reflection and personal-growth application ("the Service"). References to "we," "us," or "our" mean NeuroMirror and its operators. The Service is provided for educational and personal-growth purposes only.

2. What Data We Collect

Data you provide

Assessment answers, name, email address (for sign-in), family member profiles, journal entries, birth chart data, and any other content you voluntarily enter.

Device-local data

Unless you sign in and create an account, all data remains exclusively in your browser's localStorage. We have no access to it.

Account data (optional)

If you create an account, we store your email, hashed password, assessment results, and journal entries on our servers to enable cross-device sync.

Analytics (optional, opt-out available)

We run self-hosted analytics that track page views and feature usage events. No personal identifiers are attached. You can opt out from the Privacy Center.

Cookies

We use essential session cookies for sign-in. Optional analytics cookies require your consent. No advertising or cross-site tracking cookies are used.

3. How We Use Your Data

We use your data solely to provide the Service: generate your reports, sync your profile across devices (if signed in), improve the product via aggregate analytics, and communicate service-critical updates. We never use your data for advertising, profiling for third parties, or AI model training without explicit opt-in consent.

4. Data Sharing

We do not sell, rent, or trade your personal data. We may share data with: (a) service providers who process data on our behalf under strict data-processing agreements; (b) legal authorities when required by law; (c) successors in the event of a merger or acquisition (you will be notified in advance).

5. Children's Privacy (COPPA / GDPR-K)

The Service is not directed to children under 13 without verifiable parental consent. Child profiles created via Family Mode are stored on-device only. They are excluded from analytics, never used for AI training, and cannot access AI chat features without explicit parent approval via Guardian Controls. Parents can delete child profiles at any time from the Privacy Center.

6. Your Rights (GDPR / CCPA)

Right to access

Download all your data as JSON from the Privacy Center at any time.

Right to erasure

Delete your account and all associated data permanently from the Privacy Center. Deletion cascades to all related records.

Right to portability

Your data export is in standard JSON format, readable by any application.

Right to object

Opt out of analytics and marketing at any time from the Privacy Center → Consent tab.

Right to rectification

Update your profile and assessment data at any time within the app.

California residents (CCPA)

We do not sell personal information. You have the right to know what data we collect, delete it, and opt out of its "sale" (we do not sell, but this right applies regardless).

7. Data Retention

Device-local data persists until you clear your browser storage or delete it via the Privacy Center. Account data is retained while your account is active and for up to 30 days after deletion to allow for recovery. Analytics data is retained for 12 months in aggregate form.

8. Security

We use industry-standard security practices: HTTPS everywhere, bcrypt password hashing, HTTPOnly/SameSite session cookies, input sanitization, and rate limiting on all API endpoints. However, no system is perfectly secure. Please use a strong, unique password and enable two-factor authentication when available.

9. International Transfers

Your data may be processed in countries outside your own. Where we transfer data outside the EEA, we rely on Standard Contractual Clauses or equivalent mechanisms approved by the European Commission.

10. Changes to This Policy

We will notify you of material changes to this policy by email (if you have an account) and by a notice at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For privacy questions, data requests, or to report a concern, use our Feedback Center or the Abuse Report page. We aim to respond within 30 days.