Neurameet Limited – Data Protection Policy

Last updated: October 01, 2025

1. Purpose

This policy sets out how Neurameet Limited ("we", "our", "us") complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It explains the principles we follow, the responsibilities of our staff, and the measures we take to protect personal data.

2. Scope

This policy applies to all personal data processed by Neurameet in the course of providing our services, including:

• Customer account data
• Meeting recordings, transcripts, and minutes
• AI-generated outputs (summaries, reports)
• Support and billing information

It applies to all employees, contractors, and sub-processors acting on our behalf.

3. Data Protection Principles

We comply with the UK GDPR principles:

• Lawfulness, fairness and transparency – we process data lawfully and explain clearly how it is used.
• Purpose limitation – we only use personal data for the purposes agreed with the school.
• Data minimisation – we only collect the minimum data necessary to provide the service.
• Accuracy – we take reasonable steps to ensure data is accurate and up to date.
• Storage limitation – we only keep data for as long as necessary (see retention schedule).
• Integrity and confidentiality – we protect data using appropriate technical and organisational measures.
• Accountability – we can demonstrate compliance with these principles.

4. Roles and Responsibilities

• Schools (Customers) – act as the Data Controller, deciding what data is processed and why.
• Neurameet – acts as a Data Processor, processing data on behalf of schools.
• Data Protection Lead – responsibility within Neurameet for compliance, breach response, and staff training.

5. Lawful Basis for Processing

We process data on behalf of schools under the lawful bases determined by them (usually public task or legitimate interests). For our own business purposes (e.g. billing, marketing to staff users), we rely on consent or contract.

6. Children's Data

Neurameet is not used directly by children, but meetings may include information about pupils. Where this occurs, the school remains the controller. Neurameet processes this data only as required to provide the service and does not use it for any other purpose.

7. Data Security

We implement technical and organisational measures including:

• Encrypted transmission and storage of meeting data.
• Access controls and authentication.
• Regular security testing and monitoring.
• Staff confidentiality agreements and training.

8. Sub-processors

We use the following sub-processors:

• Speechmatics Ltd (UK): speech-to-text transcription.
• OpenAI, L.L.C. (US): AI summarisation and report generation.

All sub-processors are bound by data processing agreements. Where data is transferred outside the UK, appropriate safeguards (e.g. SCCs with UK Addendum) are in place.

9. Data Retention

• Meeting recordings: deleted after 30 days.
• Transcripts and minutes: retained up to 2 years (or earlier on school request).
• AI-generated outputs: retained in line with transcripts/minutes.
• Account data: retained while account is active; deleted within 30 days of closure.
• Billing data: retained for 6 years.
• Support tickets: retained up to 2 years.

10. Data Subject Rights

We assist schools in responding to requests under UK GDPR, including:

• Access
• Rectification
• Erasure
• Restriction
• Objection
• Data portability

Requests must be submitted to the relevant school (controller), and we will support them in fulfilling their obligations.

11. Breach Management

We will notify the relevant school (controller) without undue delay if we become aware of a personal data breach. We maintain internal incident response procedures to investigate and remediate any breaches.

12. Training and Awareness

All Neurameet staff receive training on data protection principles and their responsibilities under this policy.

13. Review

This policy is reviewed annually, or sooner if regulations or our practices change.