GDPR

Updated 06.26.2018

Summary

On May 25, 2018, the General Data Protection Regulation (“GDPR”) became fully applicable in the European Union (EU). The ability to enable end users to control how and when their personal information is used is a cornerstone of Neura. We take privacy seriously and welcome the transparency of GDPR. This GDPR Whitepaper provides an overview of Neura’s GDPR-related efforts.

This is a high-level summary of Neura’s Privacy Practices and what Neura has added to its privacy approach to comply with GDPR. For further information, please review Neura’s Privacy Policy at https://www.theneura.com/privacy-policy/.

Data Collected

The Neura SDK collects raw sensory data from the user’s mobile device and from devices in the physical environment around the device. The data is collected dynamically to minimize the impact on memory and battery consumption. It is collected in real time, only when it is needed, based on decisions made by Neura’s machine learning algorithms.

A detailed list of the device sensors and services Neura accesses, as well as the data collected through the device, is attached as Exhibit A.

Neura Insights are used to make a product or a service more personalized and contextually aware. With User consent, Neura may share User Insights with Neura’s customers according to the API services to which the customer has subscribed. Raw data is never shared with Neura’s customers.

Neura may also use aggregated data from several end users to improve its algorithms, measure service usage, publish summaries online or offline, and develop new features.

Acquiring User's Consent

Neura, as a data controller, processes data on the legal basis of consent. Therefore, we require our customers who are subject to the GDPR to enable Neura to obtain the user’s consent in a manner that is compliant with the GDPR principles while demonstrating the value the user receives in exchange.

Users are required to provide consent to the activation of Neura SDK in their Neura-enabled product. Consenting to the activation of the Neura SDK will indicate that the User agrees to the terms set forth in Neura’s Privacy Policy.

Please note that customers that are not subject to the GDPR are also required to notify the user about the use of Neura and to include Neura’s privacy policy in their legal documentation.

Users' Rights

Neura respects all users’ rights protected by GDPR, as detailed in Neura’s Privacy Policy.

GDPR Strategy

We retained outside counsel to help us interpret the GDPR and prepare a GDPR compliance plan.

We built an internal task force with members of different departments (security, sales, product development, and others) to implement the GDPR compliance plan internally.

Data Mapping

We mapped Neura’s data collection practices, including the data we collect, where we store it, with whom we share it, etc. We identify as a “data controller.”

Privacy Policy

We updated our global Privacy Policy, which has also been localized and translated into the local languages of various EU jurisdictions.

Legal Basis and Consent

We identified the appropriate legal bases for our operations and updated our consent-collection practices with respect to the operations that require consent.

Data Transfers

Amazon Web Services. We host all the personal data with AWS, which has announced that it is compliant with the GDPR. AWS is also registered with the EU-US Privacy Shield (see: https://www.privacyshield.gov/list).

Neura’s staff. Our staff sits in:

Other service providers. We only share personal data that is subject to the GDPR with vendors and partners who, like Amazon Web Services, have announced that they are compliant with the GDPR. For example, as indicated in our Privacy Policy (https://www.theneura.com/privacy-policy/), we share personal data with CRM companies (such as Salesforce or HubSpot), and with companies for ETL-data processing and queue management purposes.

Data Processing Agreement with Service Providers

We have executed Data Processing Agreements in accordance with Article 28 of the GDPR with all our service providers that have access to personal data subject to the GDPR.

Policy for Handling Data-subject Rights

We implemented an internal policy for recognizing and handling requests and claims related to data-subject rights (such as the right of access, right to be forgotten, etc.).

Privacy by Design and Default

We have implemented various technical and organizational measures that are designed to support the principle of data minimization and, specifically, to ensure that only the personal data necessary for each specific purpose of the processing is processed.

Recordkeeping

Neura keeps an updated document describing Neura’s data-collection and data-processing practices. Neura periodically reviews this document to make sure that it remains fully up to date.

Data Protection Officer

Gali Sokol Kamerman is Neura’s data protection officer. You can contact her via gali@theneura.com.

Security Measures

Neura’s security management system is certified under ISO 27001. Neura is hosted on the Amazon EC2 cloud services platform, and all Amazon security groups, security zones and best practices are applied to the server implementations. Our data center (managed by Amazon Web Services) is SAS 70 Type II certified, SSAE16 (SOC 2) compliant, and features proximity security badge access and digital security video surveillance. Our server network can only be accessed via SSL VPN with public key authentication or via two-factor authentication over SSL. Additionally, our network can only be accessed via multi-factor authentication, and all access to our web portal is secured over HTTPS using SSL 256-bit encryption.

Ongoing Compliance

We are not approaching GDPR compliance as a one-time exercise. Therefore, we are committed to periodically reviewing our roadmap and ensuring ongoing compliance.

As a Neura customer, where should you start your "GDPR journey"?

If the GDPR applies to your company, we highly recommend conducting internal due diligence to map your specific data collection practices. This includes, among other matters, understanding what specific personal data (including sensitive personal data) of individuals protected by the GDPR your company is collecting (e.g. end-users, customers, employees, etc.), from whom the data is collected, where it is hosted, for what purposes it is used, with whom it is disclosed, and whether the personal data is transferred outside of the European Union or European Economic Area.

Where can I learn more about GDPR?

Additional information is available on the European Commission’s website here (http://ec.europa.eu/justice/data-protection/reform/index_en.htm).

I have more questions. Who should I contact?

If you have any additional questions about the GDPR, you are welcome to contact us at privacy@theneura.com.

Exhibit A

In the mobile device, Neura accesses the following device sensors and services:

  • Accelerometer
  • Gyroscope
  • Magnetometer (where available)
  • Barometer (where available)
  • GPS and geolocation data (location changes, Visits, Geofencing)
  • Wi-Fi
  • Bluetooth

The data that is collected through the device is as follows:

  • Android ID
  • Vendor ID (iOS)
  • Device model
  • Operating system version
  • Satellites data
  • Wi-Fi signals and routers
  • Bluetooth – connections and devices
  • Activity – steps, minutes, and recognition
  • Surrounding devices’ data – MAC address, IP address, ID, manufacturer, brand, model
  • Device States – Power (on / off), Airplane Mode, Battery Saver/Optimization, Idle Mode, Interactive Mode
  • Charger (connected / disconnected)
  • Application state (foreground / background)
  • Headphones (connected / disconnected) (Android)
  • Screen (on / off) (Android)
  • Background Data Restrictions (Android)
  • Engagement Data – Neura SDK hosted application opened timestamp (foreground), user has received push notification
  • In cases where a phone-based optional authentication process is chosen by the customer, Neura will collect the phone number that was sent.

Neura does not collect or hold any medical or healthcare related data and therefore does not handle any “protected health information” (PHI).

Disclaimer

The information in this document may not be construed as legal advice about the interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law on their processing of personal data.