Privacy Policy

Last updated: April 1, 2025

Neuramerce ("we", "us", or "our") is operated by Daalder Concepts B.V., based at Breitnerstraat 9, 5613LA Eindhoven, Nederland. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our website (https://neuramerce.com) and platform (https://app.neuramerce.com).

By using Neuramerce, you agree to the practices described in this policy. If you do not agree, please stop using our services. We comply with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Who We Are (Data Controller)

Company: Daalder Concepts B.V.

Address: Breitnerstraat 9, 5613LA Eindhoven, Nederland

KvK: 82385424

VAT: NL862446624B01

Email: hallo@neuramerce.com

Website: https://neuramerce.com

2. Data We Collect

2.1 Account & Profile Data

When you register, we collect your name, email address, and password (hashed). If you upgrade to a paid plan, we also store your billing name and company name. We do not store credit card numbers — these are handled by our payment processors (Mollie / Stripe).

2.2 Meta (Facebook/Instagram) Ads Data

When you connect your Meta Ads account, we request access via Meta's official API using OAuth 2.0. We store your Meta access token (encrypted) to perform actions on your behalf, such as fetching campaign performance data, creating campaigns, and publishing ads. We access:

  • Ad account IDs and names
  • Campaign, ad set, and ad data (names, budgets, performance metrics)
  • Audience insights and targeting data
  • Creative assets (images, videos) you upload or that exist in your ad account
  • Billing and spend data from your ad account

We never share your Meta data with third parties outside of what is necessary to operate the service. You can disconnect your Meta account at any time from your workspace settings.

2.3 Google Ads Data

When you connect your Google Ads account via OAuth 2.0, we store your Google access token and refresh token (encrypted). We use these to read campaign performance, manage budgets, and create/publish Google Ads campaigns on your behalf. We access:

  • Google Ads customer account IDs and names
  • Campaign, ad group, and ad performance metrics
  • Budget and spend data
  • Keyword and audience data

Google Ads data is used exclusively to provide the Neuramerce service to you. We comply with Google's API Services User Data Policy.

2.4 WooCommerce & E-commerce Data

If you connect your WooCommerce store, we synchronise product catalogue data, inventory levels, order data, and customer records for the purpose of ROAS tracking, campaign targeting, and inventory management. This data is stored in your isolated workspace database and is never shared with other users or workspaces.

2.5 Email & Inbox Data

If you connect an email account (via IMAP/SMTP or Google/Microsoft OAuth), we access your inbox to power the customer inbox feature. We read and store email metadata (sender, subject, date) and message bodies solely to display them within Neuramerce and to power AI-assisted reply drafting. We do not read or process emails for advertising or profiling purposes.

2.6 AI Processing (Claude / Anthropic)

Neuramerce uses Claude AI (Anthropic) to generate ad copy, audiences, campaign strategies, and other content. When you use AI features, we send relevant context (such as your product descriptions, target audience parameters, and campaign goals) to Anthropic's API. We do not send personally identifiable information about your customers to Anthropic. Anthropic's privacy policy applies to data processed by their API.

2.7 Usage & Technical Data

We collect technical data to improve the platform and monitor errors, including: IP address, browser type, pages visited, feature usage, API response times, and error logs. We use Sentry for error tracking and may use analytics tools. This data is pseudonymised where possible.

2.8 Payment Data

Subscription payments are processed by Mollie or Stripe. We store transaction IDs, subscription status, plan type, and payment history for billing purposes. Full payment card details are never stored on our servers.

2.9 Domain & Site Management Data

If you use our domain registration or website management features, we process domain names, DNS records, hosting configuration, and website content you provide. Domain registrations are processed via OpenSRS; their privacy policy also applies.

2.10 WhatsApp Business Messaging Data

If you connect a WhatsApp Business account via the WhatsApp Cloud API (Meta Embedded Sign-Up), we store configuration data including your WhatsApp Business Account ID (WABA ID), Phone Number ID, and a System User Token (encrypted). When your end customers contact you via WhatsApp, we process:

  • The sender's WhatsApp phone number (used as a pseudonymous contact identifier)
  • Message content (text, images, documents) sent and received within your inbox
  • Message timestamps and delivery status

This data is stored in your isolated workspace database and is used solely to provide the inbox functionality. We do not use message content for advertising, profiling, or training AI models. Meta processes transmission data as an independent data controller under its own privacy policy (WhatsApp Privacy Policy). You can disconnect your WhatsApp account and request deletion of associated data at any time.

2.11 Facebook Messenger & Instagram Direct Messages

If you connect a Facebook Page or Instagram Business account, we request a Page Access Token via OAuth 2.0 and store your Facebook Page ID and Page Access Token (encrypted). When end users message you via Messenger or Instagram DM, we process:

  • Page-Scoped User IDs (PSID) or Instagram-Scoped User IDs — pseudonymous identifiers assigned by Meta
  • Display names retrieved from the Messenger Profile API (where permitted)
  • Message content (text, attachments, story mentions) sent and received in your inbox
  • Message timestamps

PSIDs and Instagram-Scoped User IDs are platform-specific and cannot be used to identify individuals across other platforms. This data is stored in your isolated workspace database solely to provide the inbox functionality. Meta is an independent data controller for the transmission of messages; their privacy policy (Meta Privacy Policy) applies to that processing. You can disconnect your Facebook/Instagram account and request deletion of associated data at any time.

3. How We Use Your Data

  • Providing the service: Operating your account, workspaces, and all platform features.
  • AI campaign generation: Sending context to Claude AI to generate ad copy, strategies, and creative briefs on your behalf.
  • Publishing to ad platforms: Creating and publishing campaigns to Meta Ads and Google Ads using your connected accounts.
  • Performance analytics: Fetching and displaying your campaign performance data in your dashboard.
  • Billing & subscriptions: Processing payments and managing your subscription.
  • Support & communication: Responding to your requests and sending important service updates.
  • Messaging inbox: Routing WhatsApp, Messenger, and Instagram DM messages to your inbox; enabling AI-assisted reply drafting and chatbot responses.
  • Security & fraud prevention: Monitoring for abuse and protecting accounts.
  • Product improvement: Analysing aggregated, anonymised usage data to improve platform features.

4. Legal Basis for Processing (GDPR)

Contract performance (Art. 6(1)(b)): Processing necessary to provide the service you signed up for.

Legitimate interests (Art. 6(1)(f)): Security monitoring, error tracking, and product improvement.

Legal obligation (Art. 6(1)(c)): Storing invoices and financial records as required by Dutch tax law.

Consent (Art. 6(1)(a)): Marketing emails and optional analytics (you can withdraw consent at any time).

5. Data Sharing & Third Parties

We do not sell your data. We share data only with the following processors to operate the service:

Processor | Purpose | Location
Railway | Cloud hosting & database | EU (Europe West)
Anthropic (Claude) | AI content generation | USA
Meta (Facebook) | Ad campaign management | USA
Google | Google Ads management, OAuth | USA
Mollie / Stripe | Payment processing | EU / USA
Sentry | Error tracking | EU
OpenSRS | Domain registration | Canada
Upstash | Rate limiting (Redis) | EU
Resend | Transactional email delivery | USA
Hetzner (VPS) | Inbound email processing (Postal) | EU (Germany)
Meta (WhatsApp Cloud API) | WhatsApp Business messaging — independent controller for transmission | USA
Meta (Messenger Platform) | Facebook/Instagram DM inbox — independent controller for transmission | USA

For transfers outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as required by GDPR.

6. Data Retention

Account data: Retained for the duration of your account plus 30 days after deletion.

Campaign & performance data: Retained for up to 2 years to enable historical reporting.

Financial records (invoices): Retained for 7 years as required by Dutch tax law.

Error & API logs: Automatically deleted after 90 days.

Email inbox data: Messages are retained while your account is active. Disconnecting your email account removes cached messages within 30 days.

AI-generated content: Stored in your workspace until you delete it or close your account.

WhatsApp & Messenger/Instagram message data: Retained while your account is active. Disconnecting the channel removes conversation data within 30 days. Meta retains transmission logs independently under their own retention policy.

7. Security

We take security seriously. Measures we implement include:

  • All data transmitted via HTTPS/TLS
  • Access tokens (Meta, Google) stored encrypted in the database
  • Passwords hashed using bcrypt
  • Per-workspace PostgreSQL schema isolation — workspaces cannot access each other's data
  • API rate limiting on all endpoints
  • Automated error monitoring via Sentry
  • Regular dependency updates and security patches

Despite these measures, no system is 100% secure. In the event of a data breach affecting your rights, we will notify you and relevant authorities as required by GDPR (within 72 hours).

8. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of all personal data we hold about you.
  • Right to rectification: Correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): Request deletion of your data, subject to legal retention obligations.
  • Right to restriction: Request that we limit how we process your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent: Withdraw consent at any time where processing is consent-based.

To exercise any of these rights, email us at hallo@neuramerce.com. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

9. Cookies

We use the following types of cookies:

  • Strictly necessary: Session cookies for authentication and CSRF protection. These cannot be disabled.
  • Functional: Remembering your workspace, UI preferences, and language settings.
  • Analytics (optional): Anonymised usage data to understand how the platform is used. You can opt out.

We do not use third-party advertising cookies or tracking pixels for cross-site profiling.

10. Children's Privacy

Neuramerce is a business tool intended for users aged 16 and over. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us immediately at hallo@neuramerce.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a notice in the platform. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of Neuramerce after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data requests, or to exercise your GDPR rights:

Email: hallo@neuramerce.com

Company: Daalder Concepts B.V., Breitnerstraat 9, 5613LA Eindhoven, Nederland

We aim to respond to all privacy inquiries within 5 business days, and no later than 30 days as required by GDPR.