Legal

GDPR Compliance

How NeuroGen acts as a data processor under GDPR, the safeguards we implement, and how WebTranslate supports your compliance obligations when serving EU visitors.

Effective: 1 March 2025

Last updated: 1 March 2026

Applies to: web.neurogenhq.com

01

Overview

The General Data Protection Regulation (GDPR) is a European data protection law that applies to organisations processing the personal data of EU residents. If your website serves visitors in the European Union, GDPR compliance is a legal obligation.

NeuroGen takes GDPR obligations seriously — both our own as a data processor, and the obligations we help you fulfil as a data controller. This document explains our GDPR posture, your responsibilities when using WebTranslate, and the tools and safeguards we provide.

02

Our Role: Data Processor

When WebTranslate processes your website's content to deliver translations, the relationship is:

  • You (the Customer) are the data controller — you determine the purposes and means of processing your website visitors' personal data.
  • NeuroGen is the data processor — we process data on your behalf, under your instructions, solely for the purpose of providing the translation service.

This distinction matters. As the data controller, you are responsible for ensuring you have appropriate legal bases for processing visitor data and for maintaining your own privacy notice. As the data processor, we are bound by your instructions and our contractual obligations under the Data Processing Agreement (DPA).

For internal operational data (your account data, billing data), NeuroGen acts as an independent data controller, governed by our Privacy Policy.

03

Data Processing Agreement (DPA)

Article 28 of the GDPR requires that data controllers use only data processors who provide sufficient guarantees via a written data processing agreement. NeuroGen provides a GDPR-compliant DPA to all customers operating under European data requirements.

Our DPA includes:

  • Subject matter, nature, and duration of processing.
  • Types of personal data processed and categories of data subjects.
  • Obligations and rights of the data controller.
  • Processor commitments: process only on documented instructions, ensure confidentiality, implement technical and organisational security measures.
  • Conditions for engaging sub-processors.
  • Assistance with data subject rights requests.
  • Breach notification obligations.
  • Deletion or return of data upon termination.
  • Audit rights.

To request a DPA, contact legal@neurogenhq.com. Enterprise customers receive a DPA as part of their standard agreement.

04

Lawful Basis for Processing

As a data controller, you must have a valid lawful basis for processing your website visitors' personal data. WebTranslate itself does not introduce new personal data processing — it proxies and translates content that your website already generates.

Common lawful bases applicable when using WebTranslate include:

  • Legitimate interests: delivering your website in a language your visitor understands is a reasonable legitimate interest, provided it does not override visitors' rights.
  • Contractual necessity: if language localisation is necessary to provide a service your visitor is purchasing.
  • Consent: if you rely on consent for cookies or personalisation, ensure your consent mechanism covers translation-related activity.

You should review your privacy notice to ensure it accurately describes how WebTranslate processes content on your site.

05

Data Subject Rights

GDPR grants EU residents ('data subjects') a set of rights over their personal data. As the data controller, you are primarily responsible for handling requests from your website visitors. WebTranslate supports your compliance obligations as follows:

  • Right of access (Article 15): our translation logs do not contain identifiable visitor data that would be subject to access requests. Logs are aggregated and anonymised at the session level.
  • Right to erasure (Article 17): WebTranslate does not persistently store visitor personal data. Page content is processed in real-time and cached temporarily. Cache invalidation is available on request.
  • Right to restriction and objection: as we do not maintain visitor profiles, these rights are most relevant to your Customer account data. Contact privacy@neurogenhq.com for requests related to your own data.
  • Right to data portability (Article 20): your account configuration data and translated glossary terms can be exported on request.

For assistance with data subject requests relating to your use of WebTranslate, contact privacy@neurogenhq.com.

06

International Data Transfers

GDPR restricts the transfer of personal data outside the European Economic Area (EEA) unless appropriate safeguards are in place.

By default, WebTranslate operates on global infrastructure. For customers requiring EU data residency, we offer EU-only infrastructure under Enterprise agreements where all translation processing and caching occurs within EEA data centres.

Where data is transferred outside the EEA (for example, to our Indian infrastructure), we rely on:

  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards included in our DPA.
  • Adequacy decisions: where applicable, transfers to countries the European Commission has determined provide adequate protection.
  • Binding Corporate Rules (BCRs): applicable for intra-group transfers as we scale.

07

Sub-processors

NeuroGen uses a limited set of sub-processors to deliver the WebTranslate service. All sub-processors are bound by data processing agreements that impose the same data protection obligations as our DPA with you.

Our current sub-processors include cloud infrastructure providers, content delivery network (CDN) operators, and monitoring and logging services. A current list of sub-processors is available to customers upon request.

We will provide at least 30 days' advance notice before adding new sub-processors. You have the right to object to new sub-processors. If a change is necessary and you object, either party may terminate the affected service without penalty.

08

Technical and Organisational Security Measures

Article 32 of GDPR requires appropriate technical and organisational measures to protect personal data. Our measures include:

  • Encryption in transit: all data transmitted between your website, our edge network, and your visitors is encrypted using TLS 1.2 or higher.
  • Encryption at rest: stored data (configuration, logs, glossary terms) is encrypted at rest using AES-256.
  • Access controls: access to production systems is restricted to authorised personnel using multi-factor authentication (MFA) and role-based access control (RBAC).
  • Data minimisation: we process only the data necessary to deliver translations. Visitor PII (if present on translated pages) is not extracted or indexed.
  • Audit logging: all administrative access to production systems is logged and retained for security review purposes.
  • Regular testing: we conduct periodic penetration testing and vulnerability assessments of our infrastructure.

09

Data Breach Notification

GDPR requires notification of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware, and to affected data subjects without undue delay where the breach is likely to result in high risk.

Our obligations as data processor:

  • We will notify you of any personal data breach affecting your data without undue delay and in any event within 48 hours of becoming aware.
  • Notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
  • We will cooperate fully with your investigation and provide all information required for your supervisory authority notification.

To report a suspected security incident, contact security@neurogenhq.com immediately.

10

Data Retention

We retain personal data for no longer than necessary for the purpose for which it was collected. Specific retention periods:

  • Real-time translation cache: pages are cached at the edge for performance. Cache TTL is configurable (default: 24 hours). Caches are purged when your website content changes.
  • Translation proxy logs: anonymised logs are retained for 90 days for debugging and quality monitoring purposes.
  • Customer account data: retained for the duration of the agreement and up to 3 years post-termination for legal and financial compliance.
  • Support communications: retained for up to 2 years.

Upon written request or contract termination, we will delete or return all personal data processed on your behalf within 30 days, subject to legal retention requirements.

11

Contact and DPO

For GDPR-related enquiries, DPA requests, or to exercise data subject rights, contact:

  • Email: privacy@neurogenhq.com
  • Subject line: GDPR Enquiry — WebTranslate
  • Response time: within 10 business days

NeuroGen does not currently have a formal Data Protection Officer (DPO) appointment under Article 37 GDPR. Enterprise customers requiring a named DPO contact for their compliance documentation should raise this during contract negotiations.