Security and Privacy

The Most Secure Research Platform
No Third-Party Sharing of Data – Ever
Secure Data Storage
Trusted by Top Universities

NeuroUX Research Platform Privacy Policy

NeuroUX Inc. ("NeuroUX", "we", "us", or "our") is committed to protecting the privacy and confidentiality of all data processed through the NeuroUX Research Platform. This Privacy Policy describes how we collect, use, store, and protect information on behalf of research sponsors, institutions, and study teams. We take this responsibility seriously and comply with all applicable data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA), the U.S. Food and Drug Administration's 21 CFR Part 11, and the General Data Protection Regulation (GDPR), where applicable.

1. Definitions

  • “User” means research sponsors, institutions, or study teams administering research using the NeuroUX Platform.
  • “Participant” means an individual who provides data as part of a research study.
  • “User-Generated Content” means any data entered, collected, or uploaded through the NeuroUX Platform in the course of conducting research studies. This includes, but is not limited to:
    • Participant responses to cognitive tasks, ecological momentary assessments (EMAs), or surveys
    • Information entered by Users during onboarding, scheduling, or managing participants (e.g., phone numbers, group assignments, time zones)
    • Study-specific fields determined by the research protocol (e.g., participant codes, visit windows, timestamps, outcome measures)

2. Scope and Applicability

This Privacy Policy applies to all Users and Participants who interact with the NeuroUX Research Platform.

3. Data Stewardship and Role

  • Data Controller vs. Data Processor: NeuroUX acts as a data processor on behalf of the User, who serves as the data controller. We process study data solely based on User instructions.
  • User Responsibilities: Users are responsible for ensuring compliance with all ethical and legal requirements, including Institutional Review Board (IRB) approval and informed consent.
  • No Direct Participant Relationship: Participants interact with the Platform as part of studies administered by the User. NeuroUX does not directly enroll, manage, or communicate with Participants aside from technical operations directed by the User.

4. Data Collection and Use

  • Restricted Purpose: NeuroUX processes User-Generated Content exclusively to support research studies initiated and managed by Users. All data remains the User’s property; NeuroUX does not claim ownership.
  • No Sale or Sharing: NeuroUX does not sell, rent, or share User-Generated Content with third parties except as directed by the User or required by law.

5. Data Security and Storage

NeuroUX uses industry-leading safeguards to ensure the confidentiality, integrity, and availability of all data:

  • Secure Hosting: Data is stored on encrypted servers within the United States using AWS S3. NeuroUX maintains a HIPAA-compliant BAA with AWS.
  • Encryption: All User-Generated Content is encrypted at rest and in transit using AES-256 and TLS 1.2+.
  • Access Controls: Access is restricted using role-based access, MFA, and least-privilege principles.
  • Real-Time Access: Users may access and export data via an AWS Athena dashboard or approved API endpoints.
  • Audit Logs: All access is logged with timestamps, methods, and user credentials. Logs are available upon request.
  • Business Continuity: NeuroUX maintains disaster recovery and business continuity plans.

6. Data De-identification and Minimization

NeuroUX encourages the use of de-identified or pseudonymized data and provides features to:

  • Use coded identifiers instead of direct identifiers
  • Exclude sensitive fields from exports or visualizations
  • Minimize collection of personally identifiable information (PII)

NeuroUX does not attempt to re-identify individuals and safeguards against unauthorized linkage.

7. Regulatory Compliance

HIPAA
NeuroUX supports HIPAA compliance for studies involving Protected Health Information (PHI).

21 CFR Part 11
The platform meets FDA requirements for validated systems, audit trails, secure access, and electronic signatures.

GDPR (Where Applicable)
NeuroUX supports GDPR compliance for studies involving EEA data subjects, including principles of purpose limitation, minimization, security, and facilitating data subject rights at the User’s direction.

8. Data Retention and Deletion

  • Retention: Data is retained for the duration of the study and according to User policies or legal requirements.
  • Deletion: NeuroUX deletes data upon written User request following study conclusion, contract termination, or User decision.
  • Execution Timeline: Data and backups are deleted within 60 days unless legally required otherwise.
  • Proactive Follow-Up: If no request is made, NeuroUX will contact the User within six months of study conclusion to request deletion authorization.

9. Participant Rights and Withdrawal

  • Withdrawal: Participants should contact their research team to withdraw. No new data is collected after withdrawal.
  • Rights: Participants must contact the study team to exercise privacy or ethical rights; Users remain responsible for compliance.

10. Data Breach Notification

In the event of a confirmed data breach affecting study data, NeuroUX will notify the User promptly in accordance with regulatory and contractual requirements. NeuroUX follows a formal Incident Response Plan with defined roles, communication processes, and remediation steps.

11. Subprocessors

NeuroUX uses trusted third-party subprocessors who:

  • Maintain confidentiality and data protection standards
  • Process data only as directed by NeuroUX and in accordance with this Privacy Policy

Users will be notified of any material subprocessor changes. A full list is available upon request.

12. Audits and Regulatory Oversight

NeuroUX will cooperate with reasonable audits or inspections initiated by Users, sponsors, or regulatory authorities, subject to notice, scheduling, and confidentiality requirements. Audit scope is limited to systems and processes relevant to User-Generated Content.

13. Contact Information

NeuroUX Inc.
4653 Carmel Mountain Rd, Ste 308 PMB 1114
San Diego, CA 92130
Email: anunay.raj@getneuroux.com
Website: www.getneuroux.com

Compliant with the data security requirements of HIPAA and GDPR

At NeuroUX, the safety and confidentiality of your research participants and data are our top priorities. We take great care to protect the privacy of participants, maintain the security and authenticity of the data collected, and ensure the reliability of our platform.

HIPAA COMPLIANT

GDPR COMPLIANT

Trusted by Top Universities across the Globe

Our EMA app provides the simplest way to get your Ecological Momentary Assessment study up and running, whether using in-person or remote enrolment.

Top-Tier Encryption

Strong encryption for data, both at rest and in transit.

IRB Compliance Assistance

Guidance and tools streamlined for ethical research approvals.

Data Anonymization

Ensure participant anonymity in datasets.

PHI & PII Protection

Robust protocols guarding personal and health data.

Restricted Data Access

Role-based access controls for data.

Continuous Monitoring

24/7 oversight on platform activity.

Frequently Asked Questions

What measures does NeuroUX take to ensure data security?

NeuroUX prioritizes data security at all stages. We utilize industry-leading encryption methods to protect data during transmission and when it’s stored. Our adherence to both HIPAA and GDPR compliance underscores our commitment to upholding the highest data privacy and security standards. Furthermore, we guarantee that data is never shared with third parties, ensuring its confidentiality and integrity at all times.

How does NeuroUX align with IRB requirements and processes?

NeuroUX is designed with academic and clinical research standards in mind. We understand the critical importance of IRB approvals in research. Therefore, our platform offers features and documentation support that can aid researchers in their IRB submission processes, ensuring ethical and compliant data collection practices.

Where is the research data stored, and who has access to it?

Research data is stored on AWS servers located in the US region. If necessary, the location can be adjusted to meet specific needs. We prioritize data confidentiality and, as a result, access is stringently controlled, granted only to designated, authorized personnel. It’s important to note that we never share data with third parties.

Is the data encrypted both in transit and at rest?

Yes, NeuroUX ensures robust security by encrypting data during transmission as well as when it’s stored. This comprehensive encryption approach safeguards research data from unauthorized access and potential vulnerabilities.