ThinkNEO Privacy Policy

This Privacy Policy explains how ThinkNEO collects, uses, stores, shares, and protects personal data and related information in connection with its AI Governance and Orchestration platform, websites, APIs, admin interfaces, integrations, billing, support, security operations, and related services.

1. Scope

This Privacy Policy applies to ThinkNEO’s processing of personal data and related information when individuals or organizations visit our websites, evaluate our services, contract with us, access our dashboards, admin panels, tenants, APIs, or workspaces, configure integrations, or otherwise interact with our platform and related teams.

It is designed for an enterprise SaaS context in which ThinkNEO provides AI governance, routing, observability, policy enforcement, auditability, security controls, and operational tooling for organizations using artificial intelligence.

This Policy does not replace negotiated contractual terms such as a Master Services Agreement (MSA), Data Processing Addendum (DPA), Security Addendum, Service Level Agreement (SLA), or Order Form. Where an executed contract expressly governs a specific privacy or data processing issue, that contract may prevail to the extent of the conflict.

2. Who We Are

For purposes of this Policy, “ThinkNEO,” “we,” “our,” or “us” means the entity operating the Services, as identified in the applicable commercial documentation, agreement, invoice, order form, or proposal.

Depending on the context, ThinkNEO may act as a data controller for certain categories of data, such as account registration, commercial relationship management, billing, website operation, service security, and support administration.

In other contexts, ThinkNEO may act as a processor or service provider on behalf of enterprise customers when handling customer-submitted data in accordance with their instructions and the applicable agreement.

3. Privacy Contact

For privacy, data protection, or security-related inquiries, please contact:

thinkneo@thinkneo.ai

4. Categories of Data We May Process

We may collect, receive, generate, or process the following categories of data, depending on the services used and the configuration chosen by the customer:

4.1 Account and Profile Data

Examples include name, business email address, job title, employer or organization name, phone number, country, timezone, user role, account identifiers, tenant or workspace identifiers, and account preferences.

4.2 Authentication and Access Data

Examples include login events, session identifiers, IP address, approximate geolocation inferred from IP, user agent, device information, security tokens, authentication status, MFA or SSO usage, access timestamps, and related audit trails.

4.3 Service Usage and Operational Data

Examples include dashboard activity, API calls, model routing configurations, policy changes, webhook events, integration configurations, rate-limit events, latency and failure data, system status, and metering or usage information.

4.4 Customer Content

Examples include prompts, instructions, text, files, documents, datasets, tickets, workflow inputs, model outputs, metadata, classifications, tags, and logs submitted to or generated within the Services.

4.5 Support, Commercial, and Relationship Data

Examples include information exchanged in emails, forms, meetings, onboarding processes, security questionnaires, due diligence reviews, customer success interactions, and support tickets.

4.6 Technical Telemetry and Audit Data

Examples include error logs, traces, request identifiers, timestamps, operational events, security alerts, performance metrics, integrity checks, and audit evidence.

4.7 Billing and Contract Data

Examples include subscription plans, consumption records, invoice data, payment status, tax-related business information, and records required for reconciliation, accounting, and audit.

4.8 Cookies and Similar Technologies

Our websites and interfaces may use cookies, local storage, session tokens, and similar technologies for authentication, security, preferences, performance, analytics, and service operation.

5. Sources of Data

We may obtain data directly from you, from your employer or organization, from workspace or tenant administrators, from integrations configured by a customer, from identity providers, from infrastructure or security providers, from third-party AI providers connected through the platform, and automatically through the use of the Services.

6. Purposes of Processing

• to provide, host, operate, maintain, and support the Services;

• to authenticate users and administer accounts, tenants, workspaces, and permissions;

• to enable AI governance, routing, policy enforcement, observability, and auditing;

• to execute model calls, workflows, and integrations authorized by the customer;

• to enforce security controls, prevent abuse or fraud, and respond to incidents;

• to monitor performance, availability, reliability, capacity, and cost;

• to generate operational evidence, audit trails, and compliance records;

• to provide technical support, onboarding, and customer success services;

• to bill, invoice, reconcile consumption, and manage financial obligations;

• to communicate important service, security, legal, and contractual notices; and

• to comply with legal obligations and protect our rights, users, customers, and services.

7. Legal Bases

Where required by applicable law, we rely on appropriate legal bases for processing, which may include performance of a contract, compliance with legal obligations, legitimate interests, exercise or defense of legal claims, consent where required, and other lawful bases recognized by the applicable jurisdiction.

In an enterprise context, many categories of processing are commonly based on contract performance, legitimate interests related to security and service operation, and legal or regulatory obligations. The exact legal basis may vary depending on the nature of the data, the applicable law, and the specific customer relationship.

8. ThinkNEO’s Role in Customer Data

When an enterprise customer uses ThinkNEO to process prompts, files, workflows, datasets, logs, or other customer-submitted content, ThinkNEO generally acts as a processor or service provider on behalf of that customer.

In that context, the customer typically determines the purposes and means of the submission of data to the platform and remains responsible for establishing an appropriate legal basis, providing required notices, handling data subject requests where applicable, and configuring the service in a compliant manner.

9. Third-Party AI Providers and Other Service Providers

ThinkNEO may transmit or make available certain data, prompts, metadata, instructions, and outputs to third-party AI providers and other subprocessors where this is necessary to deliver the Services, to support a customer-configured integration, or to satisfy the agreed architecture of the platform.

Such providers may include foundation model vendors, cloud hosting providers, observability and logging providers, identity and SSO providers, messaging and email providers, support systems, and billing providers.

Although ThinkNEO takes reasonable steps to evaluate and manage these providers in light of the services being delivered, third-party services operate under their own terms, policies, and technical constraints.

10. Model Training and Improvement

Unless expressly agreed otherwise in writing, ThinkNEO does not use Customer Content to train general-purpose foundation models of its own in an unrestricted manner.

If a customer authorizes a specific training, fine-tuning, evaluation, or improvement workflow, the scope and handling of such data should be governed by the applicable contract, statement of work, or product configuration.

Customers should also evaluate the policies of third-party AI providers that may apply to retention, abuse monitoring, safety review, or limited service improvement, where relevant to the customer’s chosen architecture.

11. Sharing of Data

• with affiliates or group entities where necessary to operate the Services;

• with subprocessors, vendors, and professional advisors supporting service delivery;

• with third-party AI providers and integrations enabled by the customer or service configuration;

• where required by law, regulation, court order, or lawful governmental request;

• in connection with a merger, financing, acquisition, reorganization, or sale of assets; and

• with the instruction, authorization, or consent of the customer or the relevant individual, where applicable.

ThinkNEO does not position this enterprise platform as a consumer advertising business and does not sell personal data to advertisers as its core business model.

12. International Data Transfers

Data may be processed in jurisdictions other than the one in which the individual or customer is located, including wherever ThinkNEO, its affiliates, subprocessors, cloud providers, or AI providers operate.

Where required by applicable law, we will implement reasonable transfer safeguards, which may include contractual protections, recognized transfer mechanisms, and risk-based technical and organizational measures.

13. Data Retention

We retain data only for as long as necessary for the purposes described in this Policy, including service delivery, security, abuse prevention, troubleshooting, billing, auditing, legal compliance, and defense of rights.

Retention periods may vary depending on the type of data, customer configuration, contractual obligations, legal requirements, backup architecture, and legitimate operational needs.

14. Security Measures

ThinkNEO implements reasonable technical, administrative, and organizational safeguards designed to protect data against unauthorized access, disclosure, alteration, destruction, or loss.

These safeguards may include access controls, role-based permissions, encryption in transit and, where appropriate, at rest, authentication controls, monitoring, logging, audit trails, environment segregation, backup and recovery measures, vulnerability management, and incident response procedures.

No system can be guaranteed to be completely secure, and we do not promise absolute security or uninterrupted availability.

15. Logs, Auditing, and Governance Records

As an AI Governance and Orchestration platform, ThinkNEO may maintain detailed operational and audit records relating to account access, policy changes, administrative actions, API activity, model-routing decisions, rate limits, billing signals, security events, and system performance.

These records support security, troubleshooting, service administration, governance, compliance evidence, cost control, and defense of legal rights.

16. Data Subject Rights

Where provided by applicable law, individuals may have rights such as the right to request access, correction, deletion, restriction, portability, objection, withdrawal of consent where consent is the basis, and information about certain categories of processing or sharing.

To exercise applicable rights, contact thinkneo@thinkneo.ai.

When ThinkNEO acts as a processor or service provider for an enterprise customer, we may direct the request to the appropriate customer or tenant administrator, since that customer may be the party best positioned to respond.

17. Communications

We may send operational, security, billing, support, contractual, and service-related communications that are necessary for the administration of the customer relationship or the operation of the Services.

Promotional communications, where applicable, will be handled in accordance with applicable law and available preference controls.

18. Cookies and Analytics

We may use cookies and similar technologies to authenticate users, maintain secure sessions, store preferences, measure performance, detect abuse, support analytics, and improve the reliability and usability of the Services.

Depending on jurisdiction and the category of technology used, we may provide a consent banner, preference center, or similar controls.

19. Children’s Data

ThinkNEO’s Services are intended primarily for businesses, professionals, and enterprise users, and are not directed to children.

We do not knowingly collect personal data from children in a consumer-child context. If you believe data has been submitted improperly, contact us so that we can assess and take appropriate steps.

20. Security Incidents

We maintain processes reasonably designed to identify, contain, investigate, and respond to security incidents.

Where required by law, contract, or risk assessment, we will notify affected customers and, where applicable, relevant authorities of qualifying incidents in accordance with our legal and contractual obligations.

21. Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal, regulatory, operational, technical, or business changes.

The revised version will become effective on the date stated at the top of the policy unless a different process is required by applicable law.

22. Contact

For questions about this Privacy Policy, privacy rights, data processing, security, or compliance, contact:

thinkneo@thinkneo.ai

This English version is a refactored enterprise draft for publication and should be reviewed by qualified counsel before final adoption in production.