Privacy Policy

Plain English summary

1. Who we are

NeuroNav is an Australian not-for-profit organisation based in New South Wales, building free AI-powered accessibility tools for people with disabilities and vulnerabilities. We operate the website at neuronav.com.au and the NeuroNav web application.

Contact: [email protected] · ABN: 78 956 079 096

2. Data stored on your device only

The following data is stored exclusively in your browser's local storage. It never leaves your device and is never sent to our servers:

• Mood logs and daily check-in history
• Medication names, schedules and completion records
• Daily routine items and progress
• Memory notes and saved entries
• Emergency contacts and emergency card information
• Handover notes and carer shift notes
• Carer profile and supported person profile
• App preferences (text size, dark mode, language, user role)
• Saved letter explanations and action reminders

We have no server-side database for personal app data and no ability to access any of this information. Clearing your browser's local storage removes it permanently.

3. Anonymous usage analytics

We use Plausible Analytics — a privacy-friendly, EU-based analytics tool. Plausible uses no cookies, does no fingerprinting, and collects no personal data. We receive only aggregate counts (e.g. "500 people visited the home page this week"). We use this solely to understand which features are most used so we can improve the app.

4. Contact form and email

If you contact us via our website form or by email, we receive your name, email address, and message. We use this only to respond to your enquiry. We do not add you to any mailing list without your separate consent. Contact form submissions are processed through Netlify Forms.

5. Account creation and authentication

If you create a NeuroNav account, we store your email address (hashed) in your browser's local storage for authentication purposes. Account data is not stored on our servers. Password reset and email verification are handled via temporary cryptographic tokens sent to your email through Resend (see Section 9). We never store your password in plain text.

6. Payments (Plus and Supporter plans)

If you subscribe to a Plus or Supporter plan, payments are processed by Stripe (Stripe, Inc., USA). NeuroNav does not receive or store your credit card details — all payment information is handled directly by Stripe. We receive only a subscription status confirmation. Stripe's privacy policy is available at stripe.com/au/privacy. Stripe is subject to the Payment Card Industry Data Security Standard (PCI-DSS).

7. AI features — how your data is processed

When you use an AI feature (such as "Explain this letter"), your text is processed through a secure server-side proxy operated by NeuroNav and hosted on Netlify. The data flow is:

Key facts about this process:

• Your text passes through our Netlify-hosted proxy server transiently but is never stored or logged by us
• The Anthropic API key used belongs to NeuroNav and is stored securely in our server environment — it is never exposed in your browser
• You do not need to supply your own API key
• AI responses are sent back to your browser and discarded from our servers immediately
• We receive no record of what letters or text you submitted

AI processing is governed by:

• Anthropic (Claude): anthropic.com/privacy

8. Browser notifications

If you enable medication reminders, NeuroNav requests permission to send browser notifications. These reminders are generated entirely on your device using the Web Notifications API — no notification content or timing data is sent to our servers.

9. What we do NOT collect

• We do not collect your name or email unless you contact us, sign up, or subscribe
• We do not use cookies for tracking or advertising
• We do not share data with advertisers or data brokers
• We do not track your location without your explicit permission
• We do not store AI conversation history on our servers
• We do not build advertising profiles
• We do not sell or rent your data to anyone, ever
• We do not log or retain the content of letters or documents you submit for explanation

10. Third-party services

• Anthropic Claude API — AI features. Requests pass through our secure proxy. Privacy policy
• Netlify — Website and serverless function hosting (USA). May collect server access logs including IP addresses. Privacy policy
• Stripe — Payment processing for Plus and Supporter subscriptions (USA). Handles all payment card data. Privacy policy
• Resend — Transactional email delivery for account verification, password resets, and system alerts (USA). Privacy policy
• Plausible Analytics — Anonymous analytics (EU). No personal data collected. Privacy policy
• Google Fonts — Web fonts. Google may log font requests. Privacy policy

10a. Cross-border data disclosure (APP 8)

Several of the services NeuroNav uses are based overseas, primarily in the United States. Under APP 8 of the Privacy Act 1988 (Cth), we are required to disclose cross-border data transfers:

• AI processing: When you use AI features, your text passes through our Netlify proxy server (USA) and is forwarded to Anthropic's Claude AI (USA) for processing. Neither service retains your conversation content.
• Hosting: Our website and serverless functions are hosted on Netlify (USA). Server access logs, including IP addresses, may be retained by Netlify per their own policy.
• Payments: If you subscribe, your payment data is processed by Stripe (USA). Stripe is PCI-DSS compliant and bound by its privacy policy.
• Email: Transactional emails (verification codes, password resets) are sent via Resend (USA).

These providers are bound by their own privacy policies and applicable US and international data protection frameworks. By using AI features or subscribing, you consent to these cross-border transfers. You can avoid all AI processing by using only the non-AI features of NeuroNav (medications, routines, emergency card, etc.) which never leave your device.

10b. Health information (HRIP Act 2002 NSW)

NeuroNav may be used to store health-related information such as medication names, mood logs, and disability-related notes. Under the Health Records and Information Privacy Act 2002 (NSW), we are committed to the Health Privacy Principles (HPPs). In particular:

• HPP 1 (Collection): We only collect health information that you choose to enter. Nothing is collected automatically.
• HPP 2 (Use and Disclosure): We do not use or disclose your health information for any purpose other than operating the app for you.
• HPP 3 (Data Quality): You are in full control of your health data and can edit or delete it at any time.
• HPP 5 (Storage and Security): All health data is stored locally on your device only, protected by your device's security. It is never transmitted to our servers.
• HPP 7 (Access and Correction): You have full access to your own health data and can correct or delete it at any time through the app.

10c. Data breach notification

Because NeuroNav stores your personal app data only on your own device and does not transmit it to our servers, the risk of a data breach on our end is very low. However, if we become aware of a data breach affecting any personal data we do hold (account email, payment records held by Stripe, or Netlify server logs) that is likely to result in serious harm, we will:

• Notify affected individuals as soon as practicable
• Report the breach to the Office of the Australian Information Commissioner (OAIC) within 30 days as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth)
• Take immediate steps to contain the breach and prevent further harm
• Provide guidance on steps you can take to protect yourself

To report a suspected data breach, contact us immediately at [email protected].

11. Data security

All communication between your browser and our website is encrypted via HTTPS/TLS. Our AI proxy uses server-side API keys stored as Netlify environment variables — these are never exposed in browser source code. Your locally stored app data is protected by your device's own security and browser sandbox.

12. Children's privacy

NeuroNav may be used by or on behalf of children with disabilities, always with parental or carer supervision. We do not knowingly collect personal information from children under 13. Our Kid Mode is designed for ages 8–17 with age-appropriate content and safeguards. If you believe we have inadvertently collected a child's personal information, contact us immediately at [email protected] and we will delete it promptly.

13. Your rights under Australian Privacy Law

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

• Know what personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your personal information
• Complain about a breach of your privacy rights
• Opt out of direct marketing at any time

To exercise any of these rights, email [email protected]. We will respond within 30 days.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992. NSW residents may also contact the NSW Privacy Commissioner at the Information and Privacy Commission NSW at ipc.nsw.gov.au or 1800 472 679.

14. Changes to this policy

We may update this policy when our practices change. We will update the date at the top of this page and notify users of significant changes via the app.

15. Contact us

• Email: [email protected]
• Organisation: NeuroNav (Australian not-for-profit)
• ABN: 78 956 079 096
• Website: neuronav.com.au