Privacy Policy

NEUROVIA FZ-LLC
Where Mind Finds Harmony — The Art of Mental Clarity

Last updated: 20 October 2025
Scope: website, online forms, booking systems, marketing communications, and delivery of individual and corporate services, including the Home Experience Kit.

This policy explains how NEUROVIA collects, uses, shares, and protects your personal data in accordance with applicable laws of the United Arab Emirates (UAE PDPL), the EU General Data Protection Regulation (GDPR) for data subjects in the EU/EEA, and — where relevant — the DIFC Data Protection Law.

1) Data Controller

Controller: NEUROVIA FZ-LLC (“NEUROVIA”, “we”, “us”)

Registered address: [To be completed – Dubai address]
Trade licence / Free zone: [Free zone & licence number]
Privacy contact (DPO/contact point): [privacy@neurovia.ae]
Phone: [+971 …]
EU Representative (GDPR Art. 27, if required): [To be completed]

2) What data do we collect?

We collect only what is necessary, relevant, and proportionate to deliver a secure, high‑quality experience:

A. Identification & contact
First/last name, company, role, email, phone, country, language.

B. Client relationship & booking
Preferred timeslots, appointment history, selected programmes (Reset, Flow, Home Kit, Workshops), non‑medical notes related to service delivery (e.g., personal well‑being goals, session comfort), communications with our team.

C. Digital usage data
Technical logs, IP addresses, cookie identifiers, browser/device, pages viewed, audience metrics, consent records.

D. Payments & invoicing
Amount, date, payment method, status (full card data are processed by certified providers and are not stored by NEUROVIA).

E. Neuro‑adaptive session data (non‑medical)
Timestamps, session duration, generic software parameters, self‑reported progress indicators, well‑being and satisfaction questionnaires. We do not collect diagnoses, medical records, or raw EEG data. Our services are non‑invasive and non‑therapeutic.

F. Corporate programme data
Participants registered by the employer (name, corporate email), team/unit, entity, aggregated and anonymised outcomes for impact reporting (no measurement of individual performance).

Sensitive data: We do not require health data. If you voluntarily share well‑being information, we will process it with enhanced protection and, where required, based on your explicit consent.

3) Why do we process your data? (purposes & legal bases)

Purpose Examples Legal basis
Provide and schedule services bookings, session delivery, Home Kit assistance Contract performance
Client care & support responding to queries, post‑session follow‑up Legitimate interests or contract
Payments & invoicing invoices, receipts, tax compliance Legal obligation & contract
Experience improvement usage measurement, quality, anonymised analytics Legitimate interests (UX/quality)
Service communications & content transactional emails, programme updates Legitimate interests
Marketing (opt‑in) newsletters, offers, events Consent
Security & fraud prevention abuse detection, logs Legitimate interests
Regulatory compliance responding to authorities, record‑keeping Legal obligation

You can withdraw consent at any time (marketing/cookies). Withdrawal does not affect the lawfulness of prior processing.

4) Cookies & similar technologies

We use:

  • Essential cookies: required for core functionality (e.g., booking).

  • Audience measurement: aggregated statistics.

  • Marketing/remarketing: only with your consent, if enabled.

Manage preferences via our consent banner and your browser settings. Some essential cookies cannot be disabled without degrading service quality.

5) Who do we share your data with?

  • Technical providers (hosting, CRM, email, payments, analytics, booking) under data‑processing agreements and confidentiality obligations.

  • Operational partners (mobile session facilitators, Home Kit couriers) with strictly necessary details.

  • Client companies (Corporate programmes): aggregated, anonymised reports only — no detailed individual data unless a separate lawful basis applies.

  • Authorities where required by law.

We do not sell your personal data.

6) International transfers

Our systems and some providers may be located in the UAE, EU/EEA, UK, or the USA. Where required by law, we use:

  • Standard Contractual Clauses (SCC/UK IDTA),

  • Transfer impact assessments and supplementary measures,

  • or rely on an adequacy decision.

7) Retention periods

We apply limited, proportionate retention:

  • Account & client relationship: while the account is active + 24 months of inactivity.

  • Bookings & sessions: 24 months after the last session unless longer is required.

  • Billing records: 7–10 years, per applicable law.

  • Marketing: until consent is withdrawn or after 24 months of inactivity.

  • Security logs: 12 months.
    Anonymised data may be retained for quality and analytics.

8) Your rights

Depending on your jurisdiction (UAE PDPL / GDPR / DIFC), you may have the right to:

  • Access your data and obtain a copy.

  • Rectify inaccurate data.

  • Erase data (right to be forgotten) in applicable cases.

  • Restrict processing.

  • Portability (GDPR) for data you provided.

  • Object to direct marketing and to certain processing based on legitimate interests.

  • Withdraw consent at any time.

To exercise your rights, contact [contact@neurovia.ae]. We may ask you to verify your identity. You can also lodge a complaint with the competent authority (UAE Data Office, your EU/EEA supervisory authority, or the DIFC Commissioner of Data Protection).

9) Security

We protect your data with appropriate technical and organisational measures: encryption in transit and at rest (where applicable), access controls, logging, security testing, incident management, vendor reviews, and data‑minimisation by design.

10) NEUROVIA service specifics

  • Non‑medical services: our dynamic neurofeedback programmes are not a medical diagnosis or treatment. No medical data are required to use our services.

  • Well‑being questionnaires (optional): designed to track your subjective experience; they do not replace medical advice.

  • Sessions & Home Kit: no invasive stimulation; no forced action on the brain. Audio/software provide adaptive feedback.

  • Minors: services are for individuals 18+. Any exception requires verified parental/guardian consent.

11) Automated decision‑making

We do not make decisions producing legal or similarly significant effects based solely on automated processing. In‑session algorithmic adjustments personalise real‑time experience and do not constitute external marketing profiling.

12) Social media, external links, events

When interacting with NEUROVIA on third‑party platforms (e.g., Instagram, LinkedIn, events), their privacy notices apply. We encourage you to review them.

13) Changes to this policy

We may update this policy to reflect legal, technical, or operational changes. If changes are material, we will notify you visibly (email/banner). The “Last updated” date will be adjusted accordingly.

14) Contact

For any privacy questions:
Email: [privacy@neurovia.ae]
Address: [Full address – Dubai]
Supervisory authority:

  • UAE Data Office (PDPL)

  • Your national supervisory authority (GDPR) if you are in the EU/EEA

  • DIFC Commissioner of Data Protection (where applicable)

15) Annex — Compliance & References

Covered frameworks:

  • UAE PDPL: Federal Decree‑Law No. 45 of 2021 & implementing regulations.

  • GDPR (EU): Regulation (EU) 2016/679.

  • DIFC DP Law: Data Protection Law No. 5 of 2020.

Supplemental notices (provided separately as applicable):

  • Cookie Notice & Preference Center.

  • Corporate Participant Notice.

  • Data Subject Rights Request Form (UAE/GDPR/DIFC).

Template clauses (examples):

  • Data Processing Addendum with processors.

  • Standard Contractual Clauses (SCC/UK IDTA).

Versioning

  • v1.0 — 20/10/2025 — Initial publication.

Brand mentions

NeurOptimal®, Dynamical Neurofeedback®, Zengar® are registered trademarks of their respective owners. NEUROVIA uses them within a general well‑being, non‑therapeutic context.