Privacy Policy

NeuraXplore B.V. respects the privacy of everyone who visits our website, contacts us, works with us, or engages with our organisation.

This Privacy Policy explains how we collect, use, protect, store, and share personal data in connection with our website, contact forms, general business communication, partnership discussions, investor enquiries, pilot preparation, and related organisational activities.

NeuraXplore develops human-centred technologies at the intersection of artificial intelligence, immersive technologies, cognitive science, education, neurodiversity, rehabilitation, and human development. Our concepts include, among others, NeuroPALS, MindForge, and related research, prototype, demonstration, and pilot environments.

This Privacy Policy applies mainly to our public website and ordinary business communication. Specific school pilots, healthcare-related projects, research projects, XR demonstrations, product trials, or implementations may require separate privacy notices, data processing agreements, consent forms, or project-specific documentation.

The data controller for the general website and ordinary business communication is:

For privacy-related questions, GDPR requests, or data subject requests, please use our Privacy Request Form.

For general enquiries, legal matters, investor enquiries, or partnership-related questions, please use the relevant contact form on our website.

Based on our current general website and business communication activities, NeuraXplore does not currently consider itself required to appoint a formal Data Protection Officer under Article 37 of the General Data Protection Regulation, the GDPR.

We have designated an internal privacy contact responsible for handling privacy questions, GDPR requests, and communication with the Autoriteit Persoonsgegevens where necessary.

Privacy-related requests can be submitted through our Privacy Request Form.

As NeuraXplore scales its NeuroPALS, MindForge, pilot, research, school-related, healthcare-related, or XR activities, especially where children's data, special category data, biometric data, eye-tracking data, physiological signals, or systematic monitoring may be involved, we will reassess whether a formal Data Protection Officer is required.

This Privacy Policy applies to personal data processed in relation to:

• visits to our website;
• use of our contact forms;
• email, telephone, video call, and meeting communication;
• general enquiries;
• legal or contractual enquiries;
• partnership discussions;
• investor enquiries;
• grant, funding, or proposal discussions;
• supplier, contractor, advisor, and professional contact management;
• website security and administration;
• legal, tax, accounting, and compliance obligations.

This Privacy Policy does not automatically cover specific NeuroPALS pilots, MindForge pilots, school projects, healthcare projects, clinical studies, scientific research, or projects involving children, patients, special category data, sensor data, camera-based input, XR interaction data, or AI-supported analysis of individual users.

Those activities will be covered by separate project-specific documentation where required.

The personal data we process depends on how someone interacts with NeuraXplore.

5.1 Website and technical data

When someone visits our website, limited technical data may be processed automatically to display the website, maintain security, and ensure basic functionality.

This may include:

• IP address;
• browser type and version;
• device type;
• operating system;
• language setting;
• date and time of visit;
• technical error logs;
• basic server logs;
• cookie notice preference;
• language preference;
• theme or display preference.

We use this data only for website functionality, security, troubleshooting, and maintaining a reliable website.

We do not use website data for advertising, behavioural tracking, cross-site profiling, or automated decision-making.

5.2 Contact form and communication data

When someone contacts us through a form, email, phone call, video call, or meeting, we may process:

• name;
• organisation;
• job title or professional role;
• email address;
• phone number;
• message content;
• topic of enquiry;
• meeting notes;
• correspondence history;
• documents or attachments provided to us.

We use this data to respond to enquiries, manage communication, prepare proposals, follow up on discussions, and maintain professional relationships.

5.3 Business, investor, and partnership data

For business development, investment discussions, funding, partnerships, procurement, proposals, and collaboration, we may process:

• professional contact details;
• organisation details;
• role and responsibilities;
• project interests;
• investment or funding interest;
• partnership objectives;
• meeting summaries;
• proposal documents;
• contractual information;
• due diligence information where relevant;
• publicly available professional information, where relevant to the relationship.

5.4 Supplier, contractor, and advisor data

When we work with suppliers, freelancers, contractors, advisors, or professional service providers, we may process:

• name;
• business contact details;
• company details;
• payment and invoice details;
• contract details;
• communication history;
• work-related documentation.

5.5 Newsletter or update data

If we offer newsletters, updates, or event communication, we may process:

• name;
• email address;
• organisation;
• subscription preferences;
• unsubscribe status.

We only send newsletters or marketing communication where legally permitted. Recipients can unsubscribe at any time.

When you submit a contact form on our website, we process the information you provide to respond to your enquiry and maintain professional communication.

Depending on the form, this may include your name, email address, organisation, role, phone number, message content, and enquiry type.

Our contact forms are custom-built. Form submissions are currently sent to NeuraXplore by email and are not stored in a separate public website form database.

We use privacy-conscious anti-spam measures such as bot protection, honeypot fields, and rate limiting to protect our forms against spam, abuse, and automated submissions. We do not use Google reCAPTCHA.

Please do not submit sensitive personal data, children's data, patient data, health data, biometric data, or confidential third-party information through general website forms unless this is specifically requested as part of a defined project process.

The NeuraXplore website uses only essential cookies and local preference storage that are necessary for basic website functionality, security, language preferences, and theme preferences.

We do not use advertising cookies, tracking cookies, behavioural profiling cookies, social media tracking pixels, or third-party marketing cookies on our website.

Because these cookies and local preferences are limited to essential functionality and user-requested preferences, they do not require prior consent under applicable cookie rules. We still provide a cookie notice for transparency.

The cookies and local preferences we use may include:

We do not use cookies to follow visitors across websites. We do not create advertising profiles. We do not sell cookie data or share cookie data with advertising networks.

If we introduce analytics, advertising, tracking, or other non-essential cookies in the future, we will update this Privacy Policy and our Cookie Policy. Where legally required, we will request consent before placing such cookies.

More information can be found in our Cookie Policy.

We may process personal data for the following purposes:

• operating and securing the website;
• remembering language, theme, or cookie notice preferences;
• responding to enquiries;
• communicating with clients, partners, investors, suppliers, and professional contacts;
• preparing proposals, meetings, pilot discussions, and collaboration documents;
• managing business relationships;
• assessing partnership, investor, or funding opportunities;
• managing contracts and supplier relationships;
• sending newsletters or updates, where applicable;
• complying with legal, tax, accounting, and administrative obligations;
• preventing fraud, misuse, spam, unauthorised access, or security incidents;
• protecting our legal rights and legitimate interests;
• improving our website, communication, and services in a privacy-conscious way.

We process personal data only where we have a valid legal basis under the GDPR.

Where we rely on legitimate interest, we consider the nature of the data, the expectations of the individual, the impact of the processing, and appropriate safeguards.

The general NeuraXplore website does not collect special category data such as health data, disability-related data, neurodiversity-related data, biometric data, physiological data, or data about children.

Visitors should not submit special category data through general website forms unless this is specifically requested as part of a clearly defined project process.

Some future or separate NeuraXplore projects, such as NeuroPALS, MindForge, XR pilots, school pilots, scientific research projects, or rehabilitation-related projects, may involve more sensitive categories of data. Such processing will not be carried out under this general website Privacy Policy alone.

Where special category data is processed, this will be covered by project-specific documentation, an appropriate legal basis, an applicable GDPR Article 9 condition, additional safeguards, and, where required, a data protection impact assessment.

The general NeuraXplore website is not directed at children and does not knowingly collect children's personal data for marketing or profiling purposes.

Some NeuraXplore projects may involve learners or young people in educational settings. Where children's data is processed in a school, pilot, research, or educational context, NeuraXplore will work with the responsible organisation to define the legal basis, parental or guardian information, consent or objection process where applicable, retention period, access rights, and safeguarding measures.

Children's personal data will not be used for general marketing or unrestricted AI model training.

NeuraXplore develops AI-supported and XR-related concepts. The general website does not use visitor data for AI profiling, automated decision-making, or AI model training.

NeuraXplore does not use personal data from website visitors, children, learners, patients, or pilot participants to train general-purpose AI models unless this is explicitly described in a project-specific notice and supported by a valid legal basis.

Where external AI services are used in a specific project, this will be assessed in advance and documented in the relevant project documentation, privacy notice, or processing agreement.

NeuraXplore designs its AI-supported systems with GDPR, privacy-by-design, human oversight, and relevant EU AI Act obligations in mind. Where an AI system falls within the scope of the EU AI Act, NeuraXplore will assess the applicable risk category and implement required safeguards before deployment.

Our systems are intended to support teachers, mentors, therapists, clinicians, and other authorised professionals. They are not intended to make autonomous educational, clinical, legal, or similarly significant decisions about individuals.

The general NeuraXplore website does not collect camera data, webcam data, biometric data, sensor data, XR interaction data, gaze data, micromovement data, or physiological data.

Some separate prototypes, demonstrations, pilots, or research projects may involve interaction signals, sensor data, camera-based input, XR interaction data, gaze interaction, movement indicators, response timing, or physiological proxies.

Such data will only be processed under specific project documentation and with appropriate safeguards.

Where camera-based processing is used in a specific project, our design preference is to process raw video locally on the user's device or within a controlled local environment wherever technically feasible. Unless a project-specific notice clearly states otherwise, NeuraXplore does not store raw webcam video or transmit raw webcam streams to third-party cloud services.

Only derived indicators that are necessary for the specific project purpose should be processed, such as task-related interaction patterns, accessibility indicators, usability signals, or cognitive-load proxies.

For the general website and ordinary business communication, NeuraXplore acts as data controller.

For pilots or implementations carried out on behalf of schools, healthcare organisations, rehabilitation centres, universities, research institutions, or other clients, NeuraXplore may act as processor, joint controller, or independent controller, depending on the project structure.

The applicable role division will be documented in the relevant agreement, such as a data processing agreement, research agreement, pilot agreement, project contract, or institutional collaboration agreement.

If NeuraXplore acts as processor, we process personal data only according to the documented instructions of the relevant controller, unless required otherwise by law.

We do not sell personal data.

We use trusted service providers to operate our website, communication, infrastructure, forms, document storage, development, security, administration, and business operations.

These providers may process personal data only where necessary for the relevant purpose. Where required, we use appropriate contractual, technical, and organisational safeguards.

Categories of service providers and recipients may include:

• website hosting and infrastructure providers;
• domain, DNS, and deployment providers;
• email and communication providers;
• contact form and anti-spam providers;
• database and backend infrastructure providers, where applicable;
• document and file storage providers;
• video call and calendar providers;
• accounting and administrative service providers;
• legal, tax, or professional advisors;
• software development and code management providers;
• project partners, where relevant and agreed;
• public authorities, courts, or regulators where legally required.

Service providers used for specific NeuroPALS, MindForge, school, healthcare, research, XR, or pilot projects may be described separately in the relevant project-specific documentation, privacy notice, data processing agreement, or pilot agreement.

Where possible, NeuraXplore aims to use service providers located in the European Economic Area or providers that offer appropriate GDPR safeguards.

If personal data is transferred outside the European Economic Area, we will ensure that appropriate safeguards are in place. These may include:

• an adequacy decision;
• standard contractual clauses;
• a transfer impact assessment;
• encryption;
• pseudonymisation;
• access restrictions;
• other appropriate technical and organisational measures.

Specific international transfer arrangements may be described in project-specific documentation where relevant.

We take appropriate technical and organisational measures to protect personal data against unauthorised access, misuse, loss, alteration, or disclosure.

These measures may include:

• access control;
• strong authentication;
• encryption in transit;
• secure hosting;
• role-based permissions;
• data minimisation;
• secure development practices;
• backups where appropriate;
• logging and monitoring;
• confidentiality obligations;
• supplier review;
• incident response procedures.

No digital system can be guaranteed to be completely secure. However, we take reasonable steps to reduce risks and respond appropriately to potential incidents.

We keep personal data only as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law or necessary for legal, security, or accountability reasons.

Indicative retention periods:

When data is no longer needed, it will be deleted, anonymised, or securely archived.

Under the GDPR, individuals may have the following rights:

• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restriction of processing;
• the right to data portability;
• the right to object;
• the right to withdraw consent, where processing is based on consent;
• rights relating to certain automated decision-making.

To exercise these rights, please use our Privacy Request Form.

We may need to verify your identity before responding. If NeuraXplore processes personal data as processor for another organisation, we may refer the request to the relevant controller, such as a school, clinic, university, research institution, or client organisation.

We take all data subject rights requests seriously and handle them in accordance with our obligations under the GDPR.

We will respond to your request without undue delay and in any event within one calendar month of receiving your request.

Where your request is complex, involves multiple data processing activities, or where we receive a high number of requests simultaneously, we may extend this period by a further two months. If we need to extend the response period, we will inform you within the first month and explain the reason for the delay.

To protect the privacy and security of the data subject, we may need to verify your identity before processing your request. We will ask for the minimum information reasonably necessary to confirm who you are. We will not use the information provided for identity verification for any other purpose.

We do not charge a fee for handling data subject rights requests unless a request is manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable administrative fee or decline to act on the request. If we intend to charge a fee or decline to act, we will tell you before doing so.

In some cases, we may not be able to fully comply with a request. For example, this may be the case where doing so would conflict with a legal obligation, prejudice an ongoing legal proceeding, affect the rights and freedoms of others, or where the data is no longer held. We will explain our reasons where required.

If NeuraXplore acts as data processor for another organisation, such as a school, university, healthcare organisation, research institution, or client, we may need to forward your request to that organisation as the relevant data controller. We will inform you if this is the case.

If you believe that we have not handled your personal data correctly, you can contact us first so we can try to resolve the issue.

You also have the right to lodge a complaint with the Dutch supervisory authority:

Our website may contain links to third-party websites, platforms, tools, or services.

NeuraXplore is not responsible for the content, availability, security, privacy practices, or terms of third-party websites or services.

Users should review the privacy policies and terms of third-party services before using them.

Where we collect personal data directly through a form, we aim to provide a short privacy notice at or near the point of data collection.

This notice may explain:

• who is collecting the data;
• why the data is collected;
• the legal basis for processing;
• how long the data is kept;
• where to find the full Privacy Policy;
• how to exercise privacy rights.

These short notices do not replace this Privacy Policy. They are intended to provide clear information at the moment personal data is submitted.

We may update this Privacy Policy from time to time to reflect changes in our organisation, website, technology, services, legal obligations, or privacy practices.

The latest version will be published on our website. Where changes are significant, we may provide additional notice.

For privacy-related questions, GDPR requests, or data subject requests, please use our Privacy Request Form.

You may also contact us by post at:

Please include enough information for us to understand and respond to your request. If you are contacting us about a data subject request, we may ask for additional information to verify your identity.

For non-privacy matters, please use the relevant contact form on our contact page for general enquiries, investor enquiries, partnership discussions, or legal matters.