Privacy Policy

Last updated: February 18, 2026

NeuroStrike AS ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered security testing platform and services.

NeuroStrike AS is a Norwegian company and the data controller for the personal data processed through this Service. We are subject to the Norwegian Personal Data Act (Personopplysningsloven) and the EU General Data Protection Regulation (GDPR).

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, password, organization name
  • Waitlist Information: Name, email address, company name (if applicable)
  • Billing Information: Payment method, billing address (processed by Stripe)
  • Target Information: URLs, domains, and IP addresses you submit for scanning
  • Authentication Data: Headers, cookies, or credentials you provide for authenticated scanning (encrypted at rest)
  • Communications: Support requests, feedback, and correspondence

1.2 Information Collected Automatically

  • Usage Data: Features used, scans performed, pages visited
  • Device Information: Browser type, operating system, device identifiers
  • Log Data: IP address, access times, referring URLs
  • Cookies: Session cookies, preference cookies (see our Cookie section)

1.3 Administrative Access Data

When platform administrators access your account information for operational, security, or support purposes, we log the following:

  • Administrator identity and action performed
  • Timestamp and IP address of the administrative action
  • Entity type and identifier accessed or modified
  • Details of any changes made to your account or data

All administrative actions are recorded in an immutable audit log and are subject to internal review. This processing is necessary for our legitimate interests in platform security and integrity (GDPR Art. 6(1)(f)).

1.4 Scan Results

When you use our Service, we process and store:

  • Vulnerability findings and security assessments
  • Attack chain analyses
  • Remediation recommendations
  • Compliance reports

2. How We Use Your Information

We use the collected information to:

  • Provide and maintain the Service
  • Process transactions and send billing information
  • Respond to your requests and support inquiries
  • Send security alerts and service notifications
  • Improve and optimize the Service
  • Detect and prevent fraud or abuse
  • Comply with legal obligations
  • Analyze usage patterns to improve our AI models (in aggregate, anonymized form)

3. Legal Basis for Processing (GDPR)

As a Norwegian company operating within the EEA, we process personal data based on:

  • Contract Performance (Art. 6(1)(b)): To provide the Service you requested
  • Legitimate Interests (Art. 6(1)(f)): To improve our services, prevent fraud, and ensure security
  • Legal Obligations (Art. 6(1)(c)): To comply with applicable Norwegian and EU laws
  • Consent (Art. 6(1)(a)): Where you have explicitly agreed to specific processing (e.g., marketing communications)

4. Data Sharing and Disclosure

We may share your information with:

4.1 Service Providers

  • Stripe: Payment processing (USA)
  • DigitalOcean: Hosting and infrastructure (USA/EU)
  • AI Providers: Third-party AI processing for scan analysis (scan data is processed but not stored for model training)
  • Resend: Email communications

All service providers are bound by data processing agreements in accordance with GDPR Article 28.

4.2 Internal Administrative Access

Authorized NeuroStrike administrators may access your account data, organization information, and usage statistics for the purposes of platform operation, security monitoring, billing support, and customer assistance. All administrative access is:

  • Restricted to personnel with verified administrator roles
  • Logged in a comprehensive audit trail with administrator identity, action, and timestamp
  • Subject to the principle of least privilege and need-to-know basis
  • Reviewed periodically for appropriateness and compliance

4.3 Legal Requirements

We may disclose information if required by law or to:

  • Comply with legal process or government requests
  • Enforce our Terms of Service
  • Protect the rights, property, or safety of NeuroStrike AS, our users, or others

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. You will be notified of any such change.

5. International Data Transfers

Some of our service providers are located outside the EEA (primarily in the USA). For these transfers, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with our service providers
  • Adequacy decisions where applicable

6. Data Retention

We retain your information for:

  • Account Data: Duration of your account plus 90 days
  • Waitlist Data: Until you request removal or register for the Service
  • Scan Results: According to your plan (7–90 days, or as agreed for Enterprise)
  • Billing Records: 5 years for compliance with Norwegian accounting law (Bokføringsloven)
  • Support Communications: 3 years after resolution

You may request earlier deletion subject to our legal obligations.

7. Your Rights Under GDPR

As a data subject, you have the right to:

  • Access (Art. 15): Request a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate or incomplete data
  • Erasure (Art. 17): Request deletion of your personal data
  • Restriction (Art. 18): Limit how we use your data
  • Data Portability (Art. 20): Receive your data in a portable format
  • Object (Art. 21): Object to certain processing activities
  • Withdraw Consent: Withdraw previously given consent at any time

To exercise these rights, contact us at [email protected] or through your account settings. We will respond within 30 days as required by GDPR.

8. Data Security

We implement robust security measures including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Authentication credentials encrypted with AES-256-GCM
  • Access controls and audit logging
  • Regular security assessments

While we strive to protect your data, no method of transmission or storage is 100% secure.

9. Data Breach Notification

In accordance with GDPR Articles 33 and 34, in the event of a personal data breach:

  • We will notify the Norwegian Data Protection Authority (Datatilsynet) within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms
  • If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay
  • Notification will include the nature of the breach, likely consequences, measures taken or proposed to address the breach, and contact information for our data protection point of contact

10. Cookies and Tracking

10.1 Cookies We Use

| Category | Purpose | Duration |
| --- | --- | --- |
| Strictly Necessary | Authentication, security, session management | Session |
| Functional | Preferences, language settings | 1 year |

10.2 Managing Cookies

You can control cookies through your browser settings. Disabling certain cookies may affect Service functionality.

11. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or through the Service. Your continued use after such notice constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related inquiries or to exercise your rights:

Supervisory Authority

You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at www.datatilsynet.no, or with your local data protection authority if you are located in another EEA country.
