Privacy Policy
This Privacy Policy describes how NeuroPace (“we”, “us”, “our”), operated by Jonas Brodde (“Data Controller”), collects, uses, stores, and protects information when you use our web application at momentum.ditwebsite.dk, our optional desktop app, and related services (collectively, the “Service”).
We are committed to protecting your privacy and processing personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.
1. Contact
If you have questions about this policy or your data, contact us at:
- Email: jonaskirkbrodde@gmail.com
- Website: https://neuropace.io/
2. Information we collect
Depending on how you use the Service, we may process:
- Account information — email address, password (stored as a secure hash), and account identifiers.
- Planner data — tasks, weekly plans, rhythm tasks, notes, preferences, and usage state you create in NeuroPace.
- Integration tokens — OAuth access tokens and related metadata for services you choose to connect (e.g. Google/Gmail, HubSpot). Tokens are encrypted at rest on our servers.
- Google account information — if you connect Google, we may receive your name, email address, and profile information via Google OAuth, and Gmail data as described in Section 4.
- HubSpot data — if you connect HubSpot with your Private App token, we may access CRM contacts and deals in your HubSpot account to fulfil Ghost Worker tasks you request.
- Technical data — IP address, browser type, device information, and server logs needed for security, debugging, and service operation.
- Payment information — if you subscribe, payments are processed by Stripe. We do not store full card numbers on our servers.
3. How we use your information
We use personal data to:
- Provide, operate, and maintain the Service
- Authenticate your account and sync your planner data
- Run AI-assisted features (e.g. weekly analysis, day planning, Ghost Worker tasks)
- Execute integrations you explicitly connect and authorize
- Process subscriptions and communicate about your account
- Improve reliability, security, and user experience
- Comply with legal obligations
We do not sell your personal data. We do not use your data for third-party advertising or ad profiling.
4. Google user data & Gmail (Limited Use)
NeuroPace’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
If you choose to connect Google/Gmail, we request the following scopes:
- gmail.readonly — read-only access to your Gmail messages
- userinfo.email — your Google account email address
- userinfo.profile — your name and basic profile information
What we use Gmail data for:
- Fulfilling Ghost Worker tasks you explicitly request, such as summarising inbox threads, searching messages, or drafting reply suggestions shown to you in the app
- Displaying which Google account is connected in your integration settings
What we do NOT do with Gmail data:
- Sell, rent, or share Gmail content with third parties for marketing or advertising
- Use Gmail data to train general-purpose AI models unrelated to your request
- Send email on your behalf without your explicit action (we request read-only access)
- Transfer Gmail data to third parties except as needed to provide the Service (see Section 6)
Gmail access is optional. The Service works without connecting Google. You can disconnect Google at any time in Settings → Integrations.
5. HubSpot integration
If you connect HubSpot, you provide your own Private App access token. We use it only to read CRM contacts and deals needed to complete tasks you request (e.g. lead counts, pipeline summaries). We do not modify your HubSpot data unless a future feature explicitly requests write access and you authorize it separately.
6. AI processing & subprocessors
Some features send relevant task or planner context to AI providers to generate responses for you. We currently use:
- OpenAI — weekly analysis and day planning features
When Ghost Worker uses connected integrations, only the minimum data needed to complete your requested task is processed. We do not send your full Gmail mailbox to AI providers — only content relevant to the specific task you trigger.
Other infrastructure providers we use include:
- Hetzner — server hosting (European Union)
- Stripe — payment processing (if you subscribe)
7. Legal basis (GDPR)
- Contract — to provide the Service you signed up for
- Consent — for optional integrations (Google, HubSpot) that you connect
- Legitimate interest — security, fraud prevention, and service improvement
- Legal obligation — where required by law
8. Data storage & security
- Account and planner data are stored on servers hosted in the European Union
- Integration tokens are encrypted at rest using server-side encryption
- Passwords are stored using industry-standard one-way hashing (bcrypt)
- Connections to the Service use HTTPS/TLS
- Access to production systems is restricted to authorized personnel
No method of transmission or storage is 100% secure. We work to protect your data but cannot guarantee absolute security.
9. Data retention
- Account and planner data are kept while your account is active and for a reasonable period after deletion to support backups and legal requirements
- Integration tokens are deleted when you disconnect an integration or delete your account
- Server logs are retained for a limited period for security and troubleshooting
10. Your rights
If you are in the EU/EEA (or where applicable), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to certain processing
- Request data portability where applicable
- Withdraw consent for optional integrations at any time
- Lodge a complaint with your local data protection authority
To exercise these rights, email jonaskirkbrodde@gmail.com. You can also revoke Google access at Google Account permissions.
11. Cookies & local storage
We use browser local storage and session storage to keep you signed in and save planner state on your device. We do not use third-party advertising cookies. Essential cookies or storage may be used for authentication and Service functionality.
12. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children.
13. International transfers
Primary data storage is in the EU. If data is processed outside the EU (e.g. by an AI provider), we rely on appropriate safeguards such as Standard Contractual Clauses where required.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “Last updated” date. Continued use of the Service after changes constitutes acceptance of the updated policy.