Halo NeuroAI

This Privacy Policy explains how Halo NeuroAI, Lda ("Halo", "we", "us", "our") collects, uses, shares, protects, and retains information when you use: (a) our websites and web apps; (b) our software and services including Home (with Voice Studio), Talk, Sidebar (browser extension), and Agent; and (c) our compatible hardware including the Halo Headband (collectively, the "Services").

By using the Services, you acknowledge this Privacy Policy. Where we rely on consent, you may withdraw it at any time.

1)Who is the data controller and how to contact us

Controller: Halo NeuroAI, Lda

Address: Rua Alfredo Allen, UPTEC, Asp. I, 455/461, 4200-135 Porto, Portugal

Email (privacy & data rights): [email protected]

EU representative / DPO: Paulo Dimas

2)Scope

This Policy applies to the Services we operate and control. It does not apply to third-party services that have their own privacy policies (e.g., WhatsApp, mobile app stores, carriers, or hardware/OS vendors), even when accessed through our Services.

3)What we collect

We collect information directly from you, automatically from your devices, and from third parties you connect. The categories below include representative examples.

3.1 Account & profile data

Identifiers (name, email, phone), authentication and security credentials, profile photo, language, timezone, accessibility settings, caregiver contacts, and organization/project affiliations (if applicable).

3.2 Voice & communication data

Voice samples and restored voice artifacts you create in Voice Studio (e.g., recordings, text prompts, acoustic features/embeddings, synthesis settings).

Transcripts and audio you capture or generate in Talk, Home, Agent, or other apps, including message logs, delivery metadata, and usage context you choose to store.

Disclosures

Voice and related artifacts are personal data and may be treated as sensitive in some jurisdictions (see §7). We request explicit consent where required.

3.3 EMG & device signal data (Halo Headband)

Device identifiers, firmware, Bluetooth pairing info, battery/connection status, and—if you choose to enable it—EMG and related physiological signals captured by the headband and companion apps.

3.4 Usage, diagnostics & cookies

App and web usage data (feature clicks, session timestamps, referrers), crash reports, performance metrics, device/OS/browser info, IP address, coarse location (derived from IP), and cookies or similar technologies. See our Cookie Notice for details.

3.5 Integrations & third-party sources

If you enable Sidebar with WhatsApp or connect external tools (e.g., phone, contacts, calendars, MCP-integrated services), we may process the minimum necessary metadata to complete your request (e.g., message send status, contact IDs). The third party processes your data under its own terms.

3.6 Payments & commercial info

Plan tier, billing address, VAT/Tax IDs, transaction history, and payment method tokens processed by our payment providers. We do not store full card numbers on Halo systems.

3.7 Support & research

Support tickets, recordings (if you consent), survey responses, beta feedback, and research participation data (if you opt in).

4)Why we process your data (purposes & legal bases)

We identify a legal basis under the GDPR (or equivalent laws) for each purpose.

Provide the Services

Examples: Account creation; session management; voice restoration; sending messages; connecting the Headband; delivering Agent actions; customer support.

Legal bases: Contract (performance of contract); Legitimate interests (operate and secure the service).

Personalization

Examples: Remembering your preferences; accessibility options; voice settings.

Legal bases: Legitimate interests; Consent (where required).

Safety & security

Examples: Authentication; fraud and abuse detection; preventing misuse (e.g., deceptive audio); incident response.

Legal bases: Legitimate interests; Legal obligation.

Improve and develop

Examples: Diagnostics; analytics; quality assurance; feature testing.

Legal bases: Legitimate interests; Consent for any use of your content beyond service delivery.

Research (optional)

Examples: Studies to evaluate usability or performance; aggregated statistics.

Legal bases: Consent (explicit where required); Public interest/legitimate interests (de-identified/aggregated).

Marketing

Examples: Service announcements; optional newsletters.

Legal bases: Legitimate interests (existing customers) or Consent (where required); opt-out anytime.

Compliance

Examples: Tax, accounting, regulatory requests, enforcing Terms.

Legal bases: Legal obligation; Legitimate interests.

Special note on voice & EMG data

Where local law treats voice features/embeddings or EMG-derived signals as special category/sensitive data, we rely on explicit consent (in addition to one of the Article 6 bases above) for the specific functionality you opt into (e.g., creating a Restored Voice, enabling EMG capture). We do not use biometric or health-related data for unique identification or for automated decisions with legal effects.

5)Do we train models on your content?

By default, no. We do not use your voice samples, restored voices, transcripts, or EMG signals to train or improve our models unless you opt in (e.g., a clear toggle such as "Share to improve Halo’s models").

If you opt in, we may use de-identified copies and apply technical and organizational safeguards. You can withdraw consent at any time in settings or by contacting us.

7)Sensitive data (voice, biometric, EMG, health)

Voice & biometrics. Voice recordings and derived features can be considered biometric data if processed to uniquely identify a person. Halo does not process voice data for unique identification. Nevertheless, we apply safeguards comparable to those for special category data and obtain explicit consent where required.

EMG/physiological signals. EMG and related signals may reveal health-related information. We collect them only if you opt in and use them to power accessibility features; we do not offer medical diagnosis or treatment.

Deceptive or harmful uses are prohibited. Using a restored voice to impersonate others or deceive people violates our Terms.

8)International data transfers

Your data may be processed outside your country (including outside the EEA/UK). Where required, we use European Commission Standard Contractual Clauses (SCCs) and implement supplementary safeguards. You may request a copy of the applicable transfer mechanism by contacting us.

9)Security

We use administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit and at rest (where applicable), access controls, network isolation, audit logging, and staff training. No system is 100% secure; we maintain incident response procedures and will notify you and/or regulators as required by law.

10)Retention

We retain personal data only for as long as necessary for the purposes described in this Policy:

Account/profile — While your account is active and 3 months after closure for compliance and backup.
Voice samples & restored voices — Until you delete them or your account, or after 3 months of inactivity (we will notify you before deletion).
EMG & device signals — Retained only while features are enabled; 3 months for raw signals unless you choose to store longer.
Usage/diagnostics — 1 year.
Support & contract records — 3 years to comply with legal obligations.

You can request earlier deletion (see §12). Backup copies may persist temporarily.

11)Your rights

Depending on your location, you may have the following rights over your personal data:

Access to a copy of your data
Rectification (correction) of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Portability of certain data
Objection to processing based on legitimate interests or direct marketing
Withdraw consent at any time (does not affect prior processing)
Complaint to a supervisory authority

To exercise your rights, use in-app settings where available or email [email protected]. We may need to verify your identity.

12)Children

Our Services are not directed to children. Where parental consent is required by local law for information society services, we will seek it and will not knowingly process children’s data without appropriate authorization.

13)Cookies & similar technologies

We use cookies, SDKs, and similar technologies for authentication, security, preferences, analytics, and (with your consent) marketing. See our Cookie Notice for details on types, providers, and choices.

14)Region-specific terms

14.1 EEA/UK

Legal bases. See §4. For processing of sensitive categories (e.g., biometric/health), we rely on explicit consent unless another Article 9 condition applies.

Supervisory authority. You may contact your local authority. In Portugal: CNPD.

14.2 California (CCPA/CPRA)

Rights. California residents have the rights to know, access, delete, correct, port, and opt out of sale/share of personal information, and to limit the use of sensitive personal information. You will not be discriminated against for exercising these rights.

Do Not Sell/Share. We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide the required notice and opt-out mechanisms.

Submitting a request. Email [email protected] and indicate you are a California resident. We will verify and respond as required by law.

15)Changes to this Policy

We may update this Policy from time to time. If changes are material, we will provide reasonable notice (e.g., by email or in-product). The "Last updated" date shows when this Policy last changed.

Contact

Halo NeuroAI, Lda

Rua Alfredo Allen, UPTEC, Asp. I, 455/461, 4200-135 Porto, Portugal

Email: [email protected]