Privacy Policy

Effective Date: May 17, 2026 · Last Updated: June 16, 2026

This Privacy Policy explains how Jose D. Cure ("we", "us", or "our") collects, uses, shares, and protects personal information when you use the web applications operated under the NeuralRun brand — including Infinite (the trivia engine formerly named "Neural Run Trivia"), NeuralRun Quizzes, Override, Mind Print, Smart Lists, Daily Sprint, Synapse, Discover, and our utility tools (together, the "Services"). We are committed to handling your data lawfully, transparently, and securely, in accordance with the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"). Please read this policy carefully.

1.Who We Are (Data Controller)

The data controller responsible for your personal information is the sole proprietor operating the Services:

Controller Jose D. Cure

Address 66 W Flagler Street, Suite 900, PMB 11939, Miami, FL 33130, USA

Privacy Contact admin@neuralrun.app

For users in the European Economic Area ("EEA") and the United Kingdom, our designated representative under Article 27 GDPR is Eduardo E. Cure, who may be contacted at admin@neuralrun.app or in writing at Calle Athos 2, 2B, 28011 Madrid, Spain. EEA/UK users may contact our representative on any matter related to the processing of their personal data.

2.Scope of This Policy

This policy applies to personal information we process through any of the Services listed above, including account registration, gameplay, AI-assisted quiz and scenario generation, content authoring, social and chat features, public leaderboards and the Discover Feed, and billing. It does not apply to third-party websites or services that we link to but do not operate. Where a third party (such as our payment provider) acts as an independent controller of your data, that party's own privacy policy governs its processing, and we identify those parties in Section 7.

3.Information We Collect

3.1 Information you provide directly

Account credentials. When you create an account with an email and password, we collect your email address and your password. Passwords are never stored in plain text — they are stored in securely hashed (irreversible) form by our authentication provider. If you register using Google Sign-In (OAuth), we receive your email address and a unique account identifier from Google, and we never receive or store a password for your account.
Quiz, trivia, and scenario inputs. Text you enter to generate content — including topics, prompts, themes, gameplay choices in trivia and Override scenarios, and PDF source material uploaded to NeuralRun Quizzes (parsed in your browser to extract text, with only the extracted text sent to our servers) — is collected and processed to produce your quizzes, trivia questions, and scenarios.
User-authored content. Quizzes you build manually in Mind Print (titles, questions, answer choices, explanations), rosters and team labels you build in Smart Lists, and similar content you author through the Services.
Display name and avatar. Display names, codenames, profile names, and avatar choices you select. These may be shown publicly on leaderboards, scoreboards, share cards, the Discover Feed, and shareable challenge URLs — see Section 3.5 for what is public.
Social and chat content. Connection requests, accepted connections, and messages or content you exchange with connected users in Synapse (real-time chat). When you search for connections by email or name, we use the search term to return masked-email matches.
Feedback and challenges. Reports, flags, and Challenge AI disputes you submit about generated content (e.g., a trivia question you believe is wrong).
Communications. If you email us for support, we collect the contents of your message and your contact details.

3.2 Information generated through your use of the Services

Usage and account activity. We record usage metrics tied to your account, including your in-app Neurons balance, Neurons spent, the history of quizzes, trivia sets, and Override sessions you generate, scores, streaks, and gameplay outcomes.
Public-shared content. When you publish a challenge, Mind Print play link, Daily Sprint result, share card, or other shareable output, we host that output (together with your display name and score) on a public URL or feed for as long as the feature is active — see Section 3.5.
Administrative audit logs. When sensitive administrative actions occur (for example, an account deletion or a moderation event), we record an audit row identifying the action, the affected account, and a timestamp. These logs support security and compliance.
Billing records. When you purchase Neurons or a paid plan, we receive and retain transaction records (e.g., purchase date, amount, product, and an order/transaction identifier) from our payment provider. We do not collect or store your full payment-card number, card expiry, or security code — see Section 3.4.

3.3 Information collected automatically

Technical and log data. Our hosting infrastructure automatically records standard server log data, which may include your IP address, browser type, device and operating-system information, referring pages, and timestamps. This data supports security, abuse prevention, and reliability.
Security & abuse prevention. We log IP addresses associated with your account and sessions to detect and prevent fraudulent activity, including the creation of multiple accounts to abuse free credits. This data is accessible only to administrators and is retained for security purposes.
Anti-bot signals. Our sign-in flow uses Google reCAPTCHA to distinguish humans from automated abuse. reCAPTCHA collects device and behavioral information for this purpose — see Sections 4 and 7.
Essential cookies. We use strictly necessary cookies and equivalent local storage to keep you signed in — see Section 4.
Topic-suggestion queries to Wikipedia. When you type a topic in the trivia setup autocomplete, your in-progress query is sent to the Wikipedia OpenSearch API to return suggestions. This is a third-party request from your browser — see Section 7.
Aggregate usage analytics (public pages only). On our public marketing and landing pages — not inside the signed-in app, and not on the dashboard, profile, settings, or any game or tool — we use Google Analytics 4 to measure aggregate traffic, such as page views, referring sites, approximate (IP-derived) location, and device and browser type. We tag each session only as an anonymous visitor or a returning member so we can understand how people first reach us; we do not use this to build advertising profiles or identify you individually — see Sections 4 and 7.

3.4 Information we do not collect

We do not use advertising trackers, the Meta Pixel, retargeting pixels, or any cross-site / cross-context behavioral advertising technology. Our use of Google Analytics is limited to aggregate, first-party traffic measurement on public pages and is described in Sections 3.3, 4, and 7. We do not collect or store raw payment-card data — all card data is handled directly by our payment provider (see Section 7). We do not sell or "share" your personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.

3.5 What is public

Important — some features publish your information. When you use the features listed below, your display name (or codename) and the listed metadata are exposed on a public URL or feed that does not require sign-in to view:

Discover Feed (/discover) — an indexable feed of trending trivia challenges and the Daily Sprint leaderboard.
Daily Sprint leaderboard — display name + score.
Shareable challenge URLs (/challenge/<id>) — display name + score + the original game setup.
Shareable Mind Print play URLs (/mind-print?play=<id>) — the quiz you authored + title + creator name.
Multiplayer scoreboards — visible to other players in the same game.
Synapse messages and share cards — visible to your connections, and any duel result cards you generate.
Challenge replay outputs — Override replay links carry the same scenario seed but not your private game state.

You can avoid public exposure by not publishing a challenge, not playing Daily Sprint, and choosing a codename that does not identify you. Display-name conduct rules are in Terms of Service § 3.3.

4.Cookies & Similar Technologies

Across the Services we rely on strictly necessary (essential) cookies and local storage — these keep you signed in and cannot be switched off without breaking core functionality, and are exempt from prior consent under the EU ePrivacy Directive. In addition, on our public marketing and landing pages only, Google Analytics 4 sets first-party analytics cookies to measure aggregate traffic. Analytics cookies are not strictly necessary, so in jurisdictions that require prior consent for them (such as the EU/EEA and UK), they are subject to the applicable consent rules. You can decline or remove these at any time through your browser settings or Google's opt-out tools (see below), and the signed-in app does not load analytics at all. We disclose every technology here for full transparency:

Technology	Purpose	Set by
Session / authentication token	Keeps you securely signed in and maintains your session between pages.	Us / Supabase (auth)
Google reCAPTCHA cookies	Fraud prevention and bot detection on the sign-in flow.	Google
Google Analytics cookies (`_ga`, `_ga_*`)	Aggregate traffic measurement on public marketing/landing pages only. Distinguishes unique sessions; not used for advertising. Set only on public pages, never in the signed-in app.	Google

We do not use advertising or cross-site behavioral-tracking cookies. The only analytics cookies are first-party Google Analytics cookies on public pages, as listed above.

You can block or delete cookies through your browser settings, but doing so for essential cookies will prevent you from signing in and using the Services. To opt out of Google Analytics specifically, install the Google Analytics Opt-out Browser Add-on or block analytics cookies in your browser; this does not affect your ability to use the Services.

5.How & Why We Use Your Information

We process personal information only for the purposes below. For users protected by the GDPR, the applicable legal basis is identified for each purpose.

Purpose	Data used	GDPR legal basis
Create and maintain your account; authenticate sign-in	Email, hashed password / Google account ID	Performance of a contract (Art. 6(1)(b))
Generate quizzes and trivia from your inputs	Quiz/trivia text inputs	Performance of a contract (Art. 6(1)(b))
Track and display your Neurons balance and usage	Usage metrics, generation history	Performance of a contract (Art. 6(1)(b))
Process purchases and maintain billing history	Transaction records, email	Contract (Art. 6(1)(b)); legal obligation for tax/accounting records (Art. 6(1)(c))
Provide customer support and debug issues	Email, account activity, communications	Legitimate interests (Art. 6(1)(f)) — operating a reliable service
Secure the Services; prevent fraud, abuse, and bots	Log data, IP address, reCAPTCHA signals	Legitimate interests (Art. 6(1)(f)) — protecting the Services and users
Comply with legal obligations and respond to lawful requests	As required by applicable law	Legal obligation (Art. 6(1)(c))

We do not use your personal information for automated decision-making that produces legal or similarly significant effects, and we do not use it for marketing or advertising profiling.

6.Internal Administrative Access

We maintain an internal administrative dashboard accessible only to authorized personnel ("superuser" access). Through this dashboard, authorized staff may view user email addresses, usage metrics (such as Neurons spent), and the history of generated quizzes.

This internal access is used solely for the following purposes: providing customer support, diagnosing and debugging technical issues, and maintaining accurate billing history. Administrative access is limited to what is necessary for these purposes, and we do not use it for marketing, profiling, or any unrelated activity. This processing relies on our legitimate interests in operating, supporting, and securing the Services (GDPR Art. 6(1)(f)).

7.How We Share Information & Third-Party Processors

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We disclose personal information only to the carefully selected service providers below, who process it on our behalf (or, in the case of our payment provider, as an independent controller) to deliver the Services. Each is bound by contractual data-protection obligations.

Provider	Role	Data disclosed	Location
Supabase Privacy Policy	Authentication, database & real-time messaging (processor)	Email addresses, hashed passwords / auth identifiers, authentication tokens, usage metrics, generated quiz / scenario data, Mind Print and Smart Lists content, Synapse chat messages (over WebSocket), connection-graph data, audit logs	United States
Vercel Privacy Policy	Serverless hosting & infrastructure (processor)	Server log data, including IP addresses and request metadata	United States
Payment Provider (Merchant of Record)	Payments — Merchant of Record (independent controller)	Email, billing details, and payment-card data, which you provide directly to our payment provider. As Merchant of Record, our provider is the seller of record and handles global tax compliance and payment processing. The specific provider is identified on your purchase receipt and its privacy policy applies to that processing.	United States / global
Google LLC — Gemini API Privacy Policy	AI sub-processor — quiz, trivia, and Override scenario generation; Challenge AI judging	The text inputs you submit to generate quizzes, trivia, and scenarios; topic strings forwarded to Google Search via Gemini's grounding feature for trivia Medium/Hard questions and Challenge AI judging	United States / global
Wikimedia Foundation — Wikipedia Privacy Policy	Source-verification sub-processor (NeuralRun Quizzes RAG) & topic autocomplete	Topic strings and search queries used to retrieve Wikipedia articles for source-grounded NeuralRun Quizzes generation; in-progress topic queries from the trivia setup autocomplete	United States / global
Google LLC — reCAPTCHA Privacy Policy	Bot detection & fraud prevention on sign-in	Device, browser, and behavioral signals collected during sign-in	United States / global
Google LLC — Google Analytics 4 Privacy Policy	Aggregate, first-party traffic analytics on public marketing/landing pages only (processor)	Page views, referrer, approximate (IP-derived) location, device/browser type, and an anonymous-visitor vs. returning-member session flag. No advertising profiles; not collected in the signed-in app	United States / global

Sub-processors may change as the Services evolve; material changes will be reflected in updates to this policy.

We may also disclose personal information where required to do so by law, to respond to valid legal process, to enforce our terms, or to protect the rights, safety, and security of our users, the public, or our Services. If the Services are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction; we will notify affected users and this policy will continue to govern that data.

8.AI Processing of Your Inputs

Several Services dynamically generate quiz, trivia, and scenario content using artificial intelligence. To do this, the text inputs you submit (such as topics, prompts, PDF-extracted source text in NeuralRun Quizzes, and choices you make in Override) are transmitted over an encrypted connection to the Google Gemini API, operated by Google LLC, which acts as our AI sub-processor.

For some features, additional third-party retrieval or grounding services are invoked on top of the Gemini call:

NeuralRun Quizzes source verification (Wikipedia RAG). When you give NeuralRun Quizzes a topic, the topic string is sent to the Wikipedia / Wikimedia API to retrieve articles used as evidence for the generated quiz; the retrieved excerpt and your topic string are then included in the Gemini request that produces the quiz.
Trivia and Challenge AI Google Search grounding. For Medium-difficulty and Hard-difficulty trivia questions, and for Challenge AI judging of disputed questions, the Gemini call is configured to use Google Search grounding. The topic or question text is therefore forwarded by Google through its Search infrastructure as part of producing or judging the answer.
Trivia topic autocomplete. The in-progress topic text you type in the trivia setup is sent to the Wikipedia OpenSearch API to return autocomplete suggestions.

We send only the inputs needed to operate these features. We do not send your email address, password, or billing information to the Gemini API, to Wikipedia, or to Google Search. Google's processing of API inputs is governed by Google's applicable API and privacy terms; Wikipedia's by the Wikimedia Foundation privacy policy. Please avoid entering sensitive personal information into quiz prompts, Override decisions, or Mind Print quizzes, because those inputs may be processed by a third-party AI service and, if you share the resulting output, may be publicly visible.

9.International Data Transfers

We operate from the United States, and our service providers are located in the United States and other countries. If you access the Services from the EEA, the United Kingdom, or another region with data-protection laws, your personal information will be transferred to, and processed in, the United States and potentially other jurisdictions whose laws may differ from those of your home country.

Where personal information of EEA/UK users is transferred internationally, we rely on appropriate safeguards as required by the GDPR — principally the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), incorporated into our agreements with the relevant providers. You may request more information about these safeguards using the contact details in Section 16.

10.Data Retention

We retain personal information only for as long as necessary for the purposes set out in this policy:

Account data (email, hashed credentials, usage metrics, generated quiz history) — retained for as long as your account remains active.
After account deletion — we delete or irreversibly anonymize your account data within 30 days of a verified deletion request or account closure, except where a longer retention period is required by law (see below).
Billing and transaction records — retained for the period required by applicable tax, accounting, and financial-reporting laws (which may be up to seven (7) years), even after account deletion. Note that payment records held by our Merchant of Record are subject to that provider's own retention practices.
Security and log data — retained for a limited period for security, abuse-prevention, and reliability purposes, then deleted or aggregated.

When retention periods expire, we securely delete or anonymize the relevant personal information.

11.Your Privacy Rights

11.1 Rights under the GDPR (EEA / UK users)

If you are located in the EEA or the UK, you have the right to:

Access — obtain confirmation of whether we process your data and a copy of it;
Rectification — correct inaccurate or incomplete personal data;
Erasure ("Right to be Forgotten") — request deletion of your personal data;
Restriction — request that we limit processing in certain circumstances;
Data portability — receive your data in a structured, commonly used, machine-readable format;
Object — object to processing based on our legitimate interests;
Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing;
Lodge a complaint — file a complaint with your local supervisory authority (data protection authority).

11.2 Rights under the CCPA / CPRA (California residents)

If you are a California resident, you have the right to:

Know / access — request the categories and specific pieces of personal information we have collected about you;
Delete — request deletion of personal information we collected from you;
Correct — request correction of inaccurate personal information;
Opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of;
Limit use of sensitive personal information — we do not use or disclose sensitive personal information for purposes beyond those permitted by the CPRA;
Non-discrimination — we will not discriminate against you for exercising any of your privacy rights.

Notice at collection. The categories of personal information we collect are: identifiers (email address, account ID, IP address), account credentials, commercial/transaction information (billing history), internet activity (usage metrics, log data), and user-generated content (quiz inputs and generated quizzes). We collect this information for the business purposes described in Section 5. We do not sell or share this information.

12.How to Exercise Your Rights

To exercise any of the rights described above — including a data-deletion request — contact us at admin@neuralrun.app. EEA/UK users may also contact our Article 27 representative (see Section 1).

To protect your privacy, we will take reasonable steps to verify your identity before acting on a request — typically by confirming control of the email address associated with your account. You may use an authorized agent to submit a request on your behalf where permitted by law.

We will acknowledge and respond to verified requests within 30 days. Where a request is complex or numerous, we may extend this period as permitted by applicable law and will inform you if we do. Exercising your rights is free of charge, unless a request is manifestly unfounded or excessive. Please note that some data — such as billing records — may need to be retained to comply with legal obligations even after a deletion request (see Section 10).

13.Data Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, loss, misuse, or alteration. These measures include encryption of data in transit (HTTPS/TLS), irreversible hashing of passwords, access controls limiting administrative access to authorized personnel, and reliance on reputable infrastructure and security providers.

No method of transmission or storage is completely secure. While we work to protect your information, we cannot guarantee absolute security. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected users as required by applicable law.

14.Children's Privacy

The Services are not directed to, and are not intended for use by, children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you are under 16, please do not create an account or submit any personal information. If you believe a child under 16 has provided us with personal information, please contact us at admin@neuralrun.app and we will promptly delete that information.

15.Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or service providers. When we make changes, we will revise the "Last Updated" date at the top of this page. If the changes are material, we will provide a more prominent notice (such as an in-app notice or email) before the changes take effect. We encourage you to review this policy periodically.

16.Contact & Governing Law

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

Controller Jose D. Cure

Address 66 W Flagler Street, Suite 900, PMB 11939, Miami, FL 33130, USA

Privacy Email admin@neuralrun.app

EU/UK Rep. Eduardo E. Cure — Calle Athos 2, 2B, 28011 Madrid, Spain — admin@neuralrun.app

This Privacy Policy and any dispute arising from it are governed by the laws of the State of Florida, United States, without regard to its conflict-of-laws principles, and the courts located in Miami-Dade County, Florida shall have jurisdiction — except where applicable mandatory consumer-protection or data-protection law (including the GDPR for EEA/UK users) grants you the right to bring proceedings, or have them governed, elsewhere.