Privacy and Security Policy

This Privacy and Security Policy regulates the use of digital platforms (website and App) owned by NEROES.

If you wish to contact Neroes regarding these digital platforms, you may do so using the following email address info@neroes.tech

Access and use of the website and App are the sole responsibility of the User, who is subject to the acceptance of this Privacy and Security Policy and the data processing described herein. The access and use of the services provided assume that the User has read, understood and accepted the Terms and Conditions of their use, that can be consulted here.

Neroes reserves the right to change and review this Privacy and Security Policy at any time, as well as the data processing described herein, whenever deemed appropriate, with or without prior notice.

This Privacy Policy constitutes an agreement between you, the User, and NEROES which applies to the use of these digital platforms. It is the sole responsibility of the User to read the Privacy and Security Policy whenever accessing the website or App, in order to be aware of any changes made, as they may affect the User's rights.

1. Scope

This policy intends to inform about the privacy rules in the scope of the services provided by NEROES, LDA (NEROES), Portuguese tax number 515917915, with headquarters at Centro Empresarial – Zona Industrial 6060-182 Idanha-a-Nova, Portugal, also designated as Responsible Entity. The personal data you provide is treated with the security and confidentiality guarantees required by the legal framework relating to the protection of personal data.

Any attempts to alter the information, or any other action that may cause damage and jeopardize the integrity of the system and services, are strictly prohibited under current legislation. The User undertakes to scrupulously comply with the applicable legislation, namely, in terms of computer crime and intellectual property rights, being solely responsible for the violation of these rules.

NEROES MENTAL TRAINING PLATFORM is a computational platform (App) that allows the User to improve performance through mental training and enhancement of emotional control.

This training makes use of the neurofeedback technique combined with a videogame that is controlled by the electrical activity signals of the User's brain. These signals are collected through a wearable electroencephalography (EEG) device that is placed on the head of the User. In addition, the App allows qualitative and quantitative assessments of the mental abilities of the User before, during and after the referred mental training, by filling out questionnaires, by testing with specific games/assessments and from the signals of the brain's electrical activity themselves.

However, it should be noted that the App is not a medical device and does not provide, and cannot be used to obtain, any diagnosis or mental health therapy.

The data collected is intended for the provision of the service requested by the User, with no personal data being collected that are not necessary to provide the service or without express consent of the User.

There are other types of information, non-personal and non-individualized, that are recorded to keep the website running appropriately and to ensure a good browsing experience for visitors. This is statistical information that is usually, by definition, recorded through the browser, such as: the address of the website that brought you directly to the Neroes website, the most visited website pages, type of browser, operating system, etc.

2. What is Personal Data?

Personal data is information relating to a living, identified or identifiable person. Personal data can also be considered the set of different information that can lead to the identification of a specific person. Personal data that has been uncharacterized, encoded or pseudonymised, but that can be used to re-identify a person, remains personal data.

Personal data that has been made anonymous so that the person is not or ceases to be identifiable are no longer considered personal data. For data to be truly anonymized, anonymization must be irreversible.

Therefore, the data collected and used by the App, related to the brain’s electrical activity, with questionnaires and specific tests/assessments available on the App, are only considered personal data if associated with a living, identified or identifiable person. Otherwise, the data is not considered as personal data.

Since the App service will use data encoding or pseudonymisation, it is necessary to obtain explicit consent for the processing of such personal data for one or more specific purposes.

The data collected is also subject to irreversible anonymization and used for the overall improvement of the service provided, namely in the optimization of the algorithms used in the App and for aggregate statistical evaluation of the usage of the service, as well as when the retention period ends.

3. Typology, Purposes of Collection and Processing of Personal Data

3.1 Brain’s electrical activity signals: The collection and processing of data aims to do mental training through a video game, using the neurofeedback technique, and also to evaluate and monitor the mental abilities of the User associated with the training.

3.2 Self-reported questionnaires or questionnaires reported by an institutional employee: The requested and collected data aim to assess mental abilities associated with training, personality traits, and also the mental health state of the User. These data will be aggregated and combined with the previous data to report the current status, to monitor mental training and to optimize the training process.

3.3 Data derived from specific tests/games: The collected data reflects the performance in specific tests/games that assess mental abilities, which include the duration of the execution, rate of correct answers, and scores. These are intended to complement the evaluation of the mental abilities of the User collected during the training. These data will be aggregated and combined with the previous data to report the current state of the User, to monitor the mental training and to optimize the training process itself.

3.4 Demographic data: The requested and collected data aim, together with the previous data, to optimize the training process.

3.5 Contact details: The requested data is only intended to enable the creation of a personal and/or institutional User account. They can also be used to contact the User for operation notifications and to obtain feedback on the service provided.

3.6 Anonymization and aggregation of data for service optimization: The data collected is irreversibly anonymized and used by NEROES in an aggregated way to improve the service provided through the statistical evaluation of the usage, optimization of the algorithms or in case the retention period ends.

4. User Profile

The App enables users to create individual and institutional profiles by providing explicit consent during profile creation, by accepting the checkbox related to the agreement of the Terms and Conditions. This is done prior to using the App.

The individual User profile is intended for individuals over 18 years old. When the User is a minor, he/she must be accompanied by the legal guardian, both when giving consent and when using and filling in the App data.

The organization/institutional User profile (e.g. clubs, companies) allows institutions, which are responsible for the collection and processing of their employees' data and assume the responsibilities imposed by law in terms of protection of personal data, to enter and collect the data of their employees on the App in a nominal, pseudonymised or anonymized way. In this profile, institutions will be able to conduct and monitor the mental training of their employees on an individual basis and still have an aggregate view of the group of employees.

5. Entity Responsible for Data Collection and Processing

NEROES, in its role as the data controller, is responsible for the collection and processing of data in strict compliance with national and community legislation in force. In fulfilling this role, NEROES ensures that:

  • The processing of your personal data is carried out within the scope of the purposes for which they were collected or for purposes compatible with those.
  • Only the personal data necessary are collected, used, and retained for the specific, explicit and legitimate purpose in question.
  • Personal data is not transmitted to third parties for commercial or advertising purposes.
  • Personal data is handled for legally provided purposes or for the provision of services at your request.

In addition to the above, NEROES is committed to implementing appropriate technical and organizational measures to protect the personal data of its users against accidental or unlawful loss, alteration, dissemination, or unauthorized access. The level of security in effect is considered appropriate to the data handling risks, given the sensitive nature of the data to be protected.

NEROES utilizes Amazon Web Services (AWS) as a cloud service provider for the storage of data in databases. In this capacity, AWS acts as a data processor, processing data on behalf of NEROES. The responsibilities and roles in this relationship are as follows:

  • AWS’s Role as Data Processor:
    • AWS is responsible for securely storing data provided by NEROES.
    • AWS adheres to strict security measures and protocols to ensure the protection and confidentiality of data.
    • AWS does not have permission to access or use the data for any purposes other than storage and maintenance as instructed by NEROES.
  • Data Security with AWS:
    • AWS provides robust physical and digital security measures to protect data from unauthorized access, disclosure, alteration, and destruction.
    • NEROES, in collaboration with AWS, ensures that all data stored in AWS databases are encrypted and securely managed.
  • Compliance and Auditing:
    • AWS’s services are compliant with major data protection regulations and standards, ensuring that data stored on its servers meets the necessary legal and regulatory requirements.
    • NEROES regularly reviews and audits the data processing and storage practices of AWS to ensure ongoing compliance with data protection laws.

By using AWS for data storage, NEROES ensures enhanced security and reliability in the management of user data. NEROES remains committed to the protection of personal data and will continue to uphold the highest standards of data privacy in all aspects of its data collection and processing activities.

NEROES undertakes to only allow access to employees or entities under confidentiality agreements, as is the company’s current practice. NEROES may, with express and prior consent, transmit the data to these entities only for the purpose of scientific and research studies. The transmission of this data will be done in compliance with the rules on the irreversible anonymization of personal data.

6. Personal Data Security Measures and Data Breach Response

6.1 Security Measures: In carrying out its activities, the Responsible Entity employs a comprehensive set of technologies and security procedures to protect personal data from unauthorized access or disclosure. These include:

  • Physical security measures, such as controlled access by employees, collaborators, and visitors to the headquarters’ facilities, and robust mechanisms on NEROES servers to prevent intrusion and fire hazards, with 24x7 equipment monitoring and secure housing.
  • Logical security measures, including identity management, authentication, and privilege controls for systems and workstations; use of firewalls and intrusion detection systems; segregation of networks and application environments; and encryption of information through secure communication channels.

NEROES maintains its own database for storing all personal data registered by the User, ensuring the protection of this data through both physical and logical security measures.

6.2 Safety Procedures for Special Category Data: NEROES recognizes that physiological signals and self-reported mental health data fall under ‘special category data’ as defined by GDPR, which requires heightened protective measures:

  • Strict Access Control: Access to special category data will be strictly controlled and limited to personnel who require such access as part of their job responsibilities. Regular access reviews will be conducted to ensure minimal access privileges.
  • Advanced Encryption: Special category data will be encrypted in transit and at rest using advanced encryption standards, providing an additional layer of security against unauthorized access or breaches.
  • Data Minimization and Anonymization: Wherever possible, NEROES will apply data minimization principles and anonymize special category data to reduce the risk of harm to individuals in the event of a data breach. This involves processing data in a way that it cannot be attributed to a specific individual.
  • Employee Training: Employees handling special category data will receive specific training on the legal requirements, risks, and protective measures associated with processing such data.

6.3 Data Breach Notification Procedures: In the event of a data breach, NEROES has established comprehensive procedures to promptly and effectively respond, especially when special category data is involved:

  • Breach Detection and Assessment: Upon discovering a data breach, NEROES will immediately initiate an investigation to assess the scope and impact of the breach. This includes identifying the data involved, the individuals affected, and the potential risks associated with the breach.
  • Notification to Users: If the breach is likely to result in a high risk to the rights and freedoms of the users, NEROES will inform affected individuals without undue delay. This notification will include the nature of the data breach, the categories and approximate number of individuals and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach.
  • Notification to Authorities: Consistent with legal requirements, NEROES will also notify the relevant data protection authorities within 72 hours of becoming aware of the data breach, providing details of the breach and the steps taken to mitigate its effects.
  • Post-Breach Actions: NEROES will take immediate steps to mitigate the breach, prevent further unauthorized access, and strengthen security measures to prevent future breaches, as well as follow and implement all necessary countermeasures indicated by the authorities. This may include, but is not limited to, reviewing and updating security protocols, conducting a thorough security audit, and providing additional training to employees.
  • Documentation and Review: All data breaches will be documented, including the facts relating to the breach, its effects, and the remedial actions taken. This documentation will be used to review the effectiveness of NEROES’s response and to make necessary improvements to security measures and practices.

6.4 Commitment to Data Integrity and Confidentiality: NEROES is dedicated to maintaining the highest standards of confidentiality and integrity in all personal data processing, with a special emphasis on special category data. All necessary steps will be taken to safeguard this sensitive information, ensuring it is used only for its intended purpose and protected against unauthorized access or disclosure.

NEROES may, with your express and prior consent, transmit the data for the purpose of scientific studies. The transmission of this data will be done in compliance with the rules on the anonymization of personal data, as well as under the protection of a Non-Disclosure Agreement.

7. Cross-Border Data Transfers

In the course of providing services, NEROES may transfer personal data across borders, including to regions outside the European Union (EU) and the European Economic Area (EEA). The regions where data transfers are expected to occur include, but are not limited to, the EU/EEA, North America (specifically the United States and Canada), Brazil, and Australia.

Safeguards for Data Transfers:

  • To ensure the protection of personal data when transferred outside the EU/EEA, NEROES adheres to the GDPR’s stringent data protection standards.
  • Transfers to countries outside the EU/EEA are carried out under the following safeguards:
    • Adequacy Decisions: Where possible, data is transferred to countries that have been deemed by the European Commission to provide an adequate level of data protection.
    • Standard Contractual Clauses: For transfers to countries without an adequacy decision, NEROES relies on Standard Contractual Clauses approved by the European Commission, which contractually oblige the recipient to protect the data to the same standard required within the EU/EEA.

User Consent and Notification:

  • Users will be informed about any cross-border data transfers and the safeguards in place through the App or via direct communication.
  • By accepting the terms and conditions checkbox upon signing up for the App, users explicitly consent to such cross-border data transfers, acknowledging and agreeing that they are fully aware of where and how their data is being processed.

Review and Compliance:

  • NEROES regularly reviews its data transfer practices to ensure they remain in compliance with GDPR and other relevant data protection laws.
  • We are committed to working only with partners and third-party service providers who can ensure the secure and lawful processing of personal data in line with our privacy standards.

This section ensures transparency regarding the international transfer of personal data and provides users with the assurance that their data is protected, irrespective of where it is processed.

8. Access and Control of Personal Data

NEROES is committed to ensuring that Users have full control over their personal data. To this end, the following mechanisms are in place:

8.1 Providing Consent:

  • When a User signs up for the NEROES App, they will encounter a clear consent checkbox. This checkbox is a unified consent action for agreeing to the Terms and Conditions and, consequently, to the Privacy Policy of the App.
  • The checkbox will be accompanied by a clear and concise statement that by checking it, the User is providing explicit consent to the processing of their personal data in accordance with the practices described in the Privacy Policy, including the handling of sensitive data.
  • The Privacy Policy is easily accessible at the point of signing up, allowing Users to review it in full before giving their consent.

8.2 Withdrawing Consent:

  • Users have the right to withdraw their consent at any time. This can be done through the App by deleting the account, or by contacting NEROES at info@neroes.tech.
  • Withdrawal of consent will halt processing of the user’s data for the withdrawn purposes, unless another legal ground for processing is applicable.
  • The lawfulness of processing based on consent before its withdrawal remains unaffected.

8.3 Access to Personal Data:

  • Users can request access to their personal data held by NEROES, including how their data is being used and for what purposes.
  • Access requests can be made directly through the App or by contacting info@neroes.tech.

8.4 Rectification, Erasure, Objection, and Restriction:

  • Users have the right to request rectification of inaccurate personal data, and erasure of their data via the App or by account deletion.
  • Users also have the right to object to certain types of data processing and to request a restriction on processing in specific circumstances.
  • Requests for objection and restriction can be made by contacting info@neroes.tech.

8.5 Response Time:

  • NEROES will respond to all personal data rights requests within 5 business days, adhering to the timeframes stipulated by applicable data protection laws.
  • In cases where immediate action is not feasible due to legal or technical constraints, users will be informed of the measures taken as soon as possible.

8.6 Right to Lodge a Complaint:

  • Users have the right to lodge a complaint with the National Data Protection Commission (CNPD) via www.cnpd.pt.

By providing these mechanisms, NEROES ensures complete transparency and control for Users over their personal data, in compliance with data protection regulations.

9. Personal Data Retention Period

Your personal data is retained for the period necessary to fulfill the purposes for which it was collected. The specific retention periods are as follows:

  • Personal Data Information: If an account remains inactive for 2 years, NEROES reserves the right to irreversibly anonymize all personal and special category data, which then ceases to be sensitive, as it is no longer associated with a living, identified or identifiable person. This data will be retained for as long as necessary to maintain active research purposes and used to improve the models and algorithms that run within the App.
  • User Profile Information: Contact data related to user accounts, such as email addresses or phone numbers, will be retained for the duration of the user’s active engagement with the services, to maintain communication with you. If the account remains inactive for 2 years, the user profile storing the contact information will be deleted. Before the stipulated time, the User can delete their account, directly erasing the information from the system.
  • Transaction Data: Data related to transactions, including purchase history, will be retained for a period of 10 years in compliance with financial and accounting regulations.

The Responsible Entity undertakes to adopt appropriate conservation and safety measures throughout the retention period. NEROES remains committed to regular reviews of data retention practices to ensure compliance with industry standards and applicable regulations.

If you have any specific concerns or questions about the retention period for your personal data, please contact info@neroes.tech

10. Cookie Policy

NEROES uses cookies and similar technologies to enhance user experience and improve performance, as detailed below.

10.1 What are Cookies?

Cookies are small text files with relevant information that your access device (computer, mobile phone, smartphone, or tablet) stores through the browser when a site is visited. The use of cookies optimizes navigation by adapting information and services to user interests, providing a better experience with each visit.

Cookies used by NEROES do not collect personal information that identifies the user but store generic information, such as the form or place/country of access and user preferences. NEROES uses cookies for the following purposes:

  • Ensuring proper page functionality.
  • Storing user preferences, language, and font size.
  • Analyzing anonymous statistical information about user interactions with the website.
  • Customizing, adapting, and improving users’ browsing experience.

Users can choose to be notified of and block cookies at any time through their browser. Note that refusing cookies may limit access to certain areas of the site and affect the overall browsing experience.

10.2 Types of Cookies

  • Permanent Cookies: Stored on the device and used whenever the user revisits the site for personalized navigation.
  • Session Cookies: Temporary cookies available until the session ends, providing a better browsing experience.

10.3 Functions of Cookies

  • Essential Cookies: Necessary for specific website areas, navigation, and application use.
  • Feature Cookies: Recall user preferences for a customized browsing experience.
  • Analytic Cookies: Analyze user site interactions for statistical purposes without collecting personal information.

10.4 Cookies in Newsletters/Emails

Newsletters/emails may contain a small image for statistical purposes, allowing users to unsubscribe if desired.

10.5 Disable the Use of Cookies

Users can disable cookies at any time through browser settings. However, note that disabling cookies may affect web service functionality. For example, in Google Chrome you may do it by accessing the following link: Google Chrome

10.6 Cookies and Similar Technologies in the App

The App uses cookies for Functionality and Performance, excluding targeted advertising. Users can control cookie preferences. The following cookies are used:

Cookie      Lifetime    Description
_ga         2 years     Used to distinguish users
_gid        24 hours    Used to distinguish users
_gat        1 minute    Used to control request rate
Token       Session     Used to identify the user
Session     -           Used to maintain user session
AWSALB      6 days      Used to control connections and request rate
AWSALBCORS  6 days      Used to prevent fraudulent attacks

To opt out of non-essential cookies, change browser settings. Most browsers accept cookies, but preferences can be adjusted in privacy settings.

For more information about cookies, including how to disable them, visit https://aboutcookies.org/.

11. Questions and Contacts

You can contact us to clarify any doubts or questions at the following addresses:

  • Email: info@neroes.tech
  • Address: Institute of Biophysics and Biomedical Engineering, Faculty of Sciences, University of Lisbon, Campo Grande, 1749-016 Lisbon, Portugal

12. Applicable Law and Competent Forum

This Privacy and Security Policy is governed and interpreted in accordance with Portuguese law. The Lisbon area court is competent, to the exclusion of any other, to settle any conflicts that result from the interpretation and application of this Privacy and Security Policy.

13. Amendment to the Privacy and Security Policy

This Privacy and Security Policy, which you must read carefully, may be changed; the changes come into effect as of the date of their publication on this website, with express reference to the date of update.

Date of the last update of the Privacy and Security Policy: November 11, 2023

© Copyright 2021 Neroes. All rights reserved.