Data Controller: Identification
Neurolix Protocol
Operating as an unincorporated developer collective. No registered legal entity at this stage of development.
Email: info@neurolixprotocol.com
Website: neurolixprotocol.com
For all questions concerning the processing of personal data described in this Policy, including the exercise of your rights under Articles 15–22 GDPR, please contact us at the email above. We will respond without undue delay and in any event within one month of receipt, as required by Article 12(3) GDPR; that period may be extended by up to two further months for complex or numerous requests, in which case we will inform you of the extension within the first month.
1. Introduction and Scope
This Privacy Policy describes how Neurolix Protocol ("Neurolix", "We", "Us") processes personal data in connection with:
- The website neurolixprotocol.com (the "Website").
- Direct communications with users via email or social channels.
- The Neurolix Protocol smart contracts deployed on Base L2 (the "Smart Contracts").
- The confidential compute infrastructure operating in Trusted Execution Environments (the "TEE Infrastructure").
This Policy is published in compliance with Articles 13 and 14 GDPR.
2. Categories of Personal Data Processed
| Category | Examples | Source |
|---|---|---|
| Navigation data | IP address, browser type, device type, referrer URL, pages visited, timestamps, language preference | Automatic: collected on each visit to the Website |
| Contact data | Email address, name (if provided), content of communications | Voluntary: submitted by you via email or contact form |
| Wallet addresses | Public blockchain addresses interacting with the Smart Contracts | On-chain: recorded immutably on Base L2 |
| Cookie data | Technical session identifiers (no advertising or profiling cookies) | Automatic: see Section 6 (Cookies) |
| Workload metadata | Commitment hashes, model identifiers, attestation tokens, timestamps (not raw input data) | Generated by the TEE Infrastructure |
Wallet addresses are personal data. Although blockchain addresses are pseudonymous, the European Data Protection Board and the Court of Justice of the European Union have confirmed that pseudonymous identifiers may constitute personal data under Article 4(1) GDPR when the data subject is identifiable directly or indirectly. We treat wallet addresses interacting with our Smart Contracts as personal data accordingly.
3. Two-Tier Controller / Processor Model
It is critical to distinguish between two distinct data flows, governed by different responsibilities under the GDPR.
3.1 Data for which Neurolix is Controller
Neurolix acts as Data Controller within the meaning of Article 4(7) GDPR for:
- Navigation data collected from the Website;
- Contact data submitted via email, contact forms, or social channels;
- Wallet addresses identified through interactions with the official Website and Smart Contracts that Neurolix actively monitors for compliance and operational purposes;
- Workload metadata used for protocol-level analytics and SLA enforcement.
3.2 Data for which Neurolix is NOT Controller
For data that you, the User, submit to the TEE Infrastructure for confidential processing (for example: medical records, financial transactions, legal documents, proprietary datasets):
- You are the Data Controller within the meaning of Article 4(7) GDPR. You determine the purposes and means of processing that data.
- Neurolix and the relevant Node Operators act, at most, as Data Processors under Article 4(8) and Article 28 GDPR, strictly providing technical processing on your instructions inside a hardware-isolated enclave that is designed to prevent Neurolix and Node Operators from seeing your data (subject to the limits described in Section 5).
- You alone are responsible for: (i) identifying a valid legal basis under Article 6 GDPR (and Article 9 GDPR for special categories); (ii) informing your own data subjects; (iii) executing any required Data Processing Agreement with us prior to processing personal data through the TEE Infrastructure; (iv) carrying out a Data Protection Impact Assessment (Article 35) where required.
Compliance obligation: You must not submit personal data (and especially special categories of personal data under Article 9 GDPR: health, biometric, genetic, religious beliefs, etc.) to the TEE Infrastructure without first executing a Data Processing Agreement with Neurolix and ensuring you have a valid legal basis for the processing.
4. Purposes and Legal Bases of Processing
Where Neurolix acts as Controller, we process personal data on the following bases:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Operating the Website and ensuring its security | Legitimate interest (Art. 6(1)(f)) |
| Responding to enquiries you submit by email | Pre-contractual measures / consent (Art. 6(1)(b) and 6(1)(a)) |
| Sending technical updates or build-log notifications (only if you have explicitly opted in) | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations (including AML and sanctions screening where applicable) | Legal obligation (Art. 6(1)(c)) |
| Anchoring attestation hashes on Base L2 for protocol integrity | Legitimate interest (Art. 6(1)(f)) |
| Defending against fraud, abuse, or security threats | Legitimate interest (Art. 6(1)(f)) |
5. Privacy by Design: The TEE Architecture
Neurolix Protocol is designed in accordance with the principle of Privacy by Design and by Default (Article 25 GDPR). The technical and organisational measures (Article 32 GDPR) implemented include:
- Hardware-level memory encryption through AMD SEV (and, in subsequent phases, AMD SEV-SNP, Intel TDX, and confidential GPU TEEs). Memory contents inside the enclave are encrypted by the processor with a key that is never exposed to software, so that they are not readable in clear by the host operating system, the cloud provider, the Node Operator, or Neurolix.
- Cryptographic attestation, on a per-session basis: the enclave produces a report signed under the hardware vendor's attestation key that binds the enclave's measured code and configuration to session-specific data, so that a verifier can check that a given computation was performed inside a genuine enclave running the expected code.
- Hashed commitments recorded on the blockchain rather than raw data. No personal data submitted to the TEE Infrastructure is ever written directly on-chain.
- Pseudonymisation of identifiers within the protocol layer where technically feasible.
- Data minimisation: Neurolix collects only what is strictly necessary for the operation of the Protocol and the Website.
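The hashed-commitment measure listed above is only as strong as its construction. A bare hash of a low-entropy value (a date of birth, a name, a short identifier) is reversed in milliseconds by enumerating the candidates and hashing each one, so it pseudonymises nothing once it is public on a chain. The Python script below is an added illustration and is not code from the Neurolix Protocol; the domain tag, record format and sample data are assumptions made for this example. It builds a hiding commitment from a random 32-byte nonce, opens and rejects it correctly, and runs the dictionary attack against a bare hash of the same record to show why the nonce matters.

```python
"""Added example: salted (hiding) commitments versus bare hashes.

Not part of the Neurolix Protocol; the domain tag, record format and
sample data are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Iterable, Optional, Tuple

# Hypothetical domain-separation tag so a commitment cannot be confused with
# another SHA-256 use of the same payload (assumption, not a protocol constant).
DOMAIN = b"example-commitment-v0"
MIN_NONCE_LEN = 16  # bytes; below this the nonce itself becomes guessable


def commit(payload: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (commitment, nonce). A fresh 32-byte nonce is drawn if none is given."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    if len(nonce) < MIN_NONCE_LEN:
        raise ValueError("nonce too short to hide the payload")
    h = hashlib.sha256()
    h.update(DOMAIN)
    h.update(len(nonce).to_bytes(2, "big"))  # length prefix: no nonce/payload ambiguity
    h.update(nonce)
    h.update(payload)
    return h.digest(), nonce


def verify(commitment: bytes, payload: bytes, nonce: bytes) -> bool:
    """Open a commitment: recompute it and compare in constant time."""
    expected, _ = commit(payload, nonce)
    return hmac.compare_digest(expected, commitment)


def bare_hash(payload: bytes) -> bytes:
    """The construction to avoid for identifying data: no nonce, no domain tag."""
    return hashlib.sha256(payload).digest()


def iso_dates(first: date, last: date) -> Iterable[bytes]:
    """Constructed candidate set: every ISO-8601 date in [first, last]."""
    d = first
    while d <= last:
        yield d.isoformat().encode()
        d += timedelta(days=1)


def recover_bare_hash(target: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack: hash each candidate and compare with the published digest."""
    for c in candidates:
        if hmac.compare_digest(bare_hash(c), target):
            return c
    return None


def demo() -> dict:
    """Run both constructions on a constructed date-of-birth record."""
    dob = b"1984-03-17"  # constructed sample, not real data
    bare = bare_hash(dob)
    # About 22,000 candidates: the bare hash falls to plain enumeration.
    recovered = recover_bare_hash(bare, iso_dates(date(1950, 1, 1), date(2010, 12, 31)))
    commitment, nonce = commit(dob)
    return {
        "bare_hash_recovered": recovered == dob,
        "commitment_opens": verify(commitment, dob, nonce),
        "commitment_rejects_wrong_payload": not verify(commitment, b"1984-03-18", nonce),
        "commitment_rejects_wrong_nonce": not verify(commitment, dob, secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same enumeration against the commitment would also have to guess the 256-bit nonce, which is infeasible. The nonce therefore has to stay off-chain with whichever party must later open the commitment, and destroying it is the one mitigation still available after the digest has been published: without the nonce the on-chain value can no longer be linked to any payload, which is relevant to the immutability limit described in Section 10.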
Honest limit: No security technology offers absolute protection. TEE hardware may be vulnerable to side-channel attacks (Spectre, Meltdown and their variants), microarchitectural data sampling, firmware vulnerabilities, or undisclosed manufacturer defects. In particular, first-generation AMD SEV encrypts guest memory but does not protect memory integrity or the guest's register state; those protections are added by later generations (SEV-ES and SEV-SNP) and by Intel TDX, which is why the roadmap in this Section moves to them. The Protocol's confidentiality guarantees depend on the integrity of third-party hardware vendors (AMD, Intel, NVIDIA) and cloud providers (Google Cloud, AWS, Azure), which Neurolix does not control.
6. Cookies
The Website uses only strictly necessary technical cookies required for the functioning of the site (session identifiers, language preference, security tokens). These cookies do not require prior consent under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive) as amended.
The Website does not use:
- Profiling cookies.
- Third-party advertising cookies.
- Tracking pixels or fingerprinting techniques.
- Cross-site tracking technologies.
If this changes in the future, we will request your prior consent through a compliant cookie banner.
7. Data Sharing and Recipients
We do not sell personal data. We may share data with the following categories of recipients, only as strictly necessary:
- Cloud infrastructure providers hosting the TEE Infrastructure (currently Google Cloud Confidential Computing; future phases may include AWS and Microsoft Azure).
- Email and communication providers handling our official inbox (info@neurolixprotocol.com).
- Domain and DNS providers, including content-delivery networks where applicable.
- Public blockchain infrastructure (Base L2, operated by Coinbase / OP Stack), where data anchored on-chain becomes publicly accessible by design.
- Professional advisors (legal, accounting, security) bound by confidentiality.
- Public authorities when required by law, court order, or valid administrative request.
All third-party processors are engaged under written agreements compliant with Article 28 GDPR.
8. International Data Transfers
Some of our service providers, in particular Google Cloud and other cloud infrastructure suppliers, may process data outside the European Economic Area, including in the United States.
Such transfers are carried out on the basis of:
- The European Commission's adequacy decision for the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023), where the recipient is certified under the Framework; or
- The Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, supplemented by additional technical and organisational measures where required by the EDPB's recommendations following Schrems II (Case C-311/18).
You may request a copy of the relevant transfer safeguards by writing to info@neurolixprotocol.com.
9. Data Retention
| Category | Retention period |
|---|---|
| Navigation logs (IP, user agent) | Up to 12 months for security and analytics, then deleted or anonymised |
| Email communications | Up to 24 months after last interaction, unless longer retention is required by law |
| Contractual records (where applicable) | Up to 10 years as required by tax and accounting obligations |
| Wallet addresses anchored on Base L2 | Indefinite: by design, blockchain data cannot be deleted (see Section 10) |
| Workload data submitted to TEE | Deleted from enclave memory immediately upon session termination; never persisted |
10. Blockchain Immutability: A Material Limit on Your Rights
Important disclosure: Data written to a public blockchain (including the Base L2 network) is permanent and cannot be deleted, modified, or "forgotten" by Neurolix or by any party. This is a structural property of blockchain technology, not a choice by Neurolix.
The following implications follow:
- The right to erasure (Article 17 GDPR) and the right to rectification (Article 16 GDPR) cannot be exercised in respect of data already recorded on-chain (such as your wallet address as the registrant of an attestation, or a commitment hash).
- To minimise this impact, Neurolix architecturally limits on-chain data to commitment hashes, pseudonymous wallet addresses, and technical metadata (TEE type, cloud provider, timestamp). Raw personal data is never written on-chain.
- If you do not wish your wallet address to be associated with on-chain attestations, you must refrain from interacting with the Smart Contracts using that address.
11. User-Submitted Content: Limit of Neurolix Responsibility
The TEE Infrastructure may be used by you to process data on your own behalf. Neurolix does not validate, review, or have visibility into the content you submit to the enclave; that is precisely the privacy guarantee of the architecture.
Consequently, Neurolix accepts no responsibility for:
- The lawfulness of the data you submit (including whether you have a valid legal basis under Article 6 or Article 9 GDPR);
- Your compliance with sector-specific regulations (HIPAA, MiFID II, AI Act, etc.) applicable to the data;
- The accuracy or quality of the data;
- Any third-party rights (data subject rights, intellectual property, trade secrets) affected by your processing;
- The outputs of any AI model executed on the data.
You indemnify Neurolix from any claim arising from your use of the TEE Infrastructure for unlawful or unauthorised data processing, as further detailed in the Terms of Use.
12. Your Rights Under the GDPR
Subject to the conditions of the GDPR and to the structural limits described in Section 10, you have the following rights in respect of personal data of which Neurolix is the Controller:
- Right of access (Article 15): obtain confirmation of processing and a copy of your data;
- Right to rectification (Article 16): correct inaccurate data (subject to blockchain immutability);
- Right to erasure (Article 17): request deletion of data we hold off-chain;
- Right to restriction of processing (Article 18);
- Right to data portability (Article 20): for data processed on the basis of consent or contract;
- Right to object (Article 21): including objection to processing based on legitimate interest;
- Right not to be subject to automated decision-making (Article 22), where applicable;
- Right to withdraw consent at any time, where processing is based on consent (Article 7(3)), without affecting the lawfulness of processing carried out before withdrawal.
To exercise these rights, contact info@neurolixprotocol.com. We will respond without undue delay and in any event within one month of receipt of a verifiable request, in accordance with Article 12(3) GDPR (extendable by up to two further months for complex or numerous requests, with notice to you within the first month).
13. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).
The Italian supervisory authority is:
Garante per la protezione dei dati personali
Piazza Venezia 11 โ 00187 Roma, Italy
Website: www.garanteprivacy.it
Email: protocollo@gpdp.it
14. Children
The Protocol and the Website are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, please contact info@neurolixprotocol.com so that we may take appropriate action.
15. Data Security
We implement technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage (Article 32 GDPR), including encryption in transit (TLS) and at rest where applicable, access controls, logging, and the TEE-based privacy-by-design architecture described in Section 5.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where feasible (Article 33 GDPR) and, where the risk is high, we will inform affected data subjects without undue delay (Article 34 GDPR).
16. Changes to This Policy
This Privacy Policy may be updated to reflect changes in the Protocol, in applicable law, or in our processing practices. Material changes will be announced via the Website and our official channels at least thirty (30) days before they take effect, where reasonably practicable. The version and date at the top of this document indicate the latest revision.
17. Contact
For any questions, requests, or concerns regarding the processing of your personal data:
Neurolix Protocol
Email: info@neurolixprotocol.com
Website: neurolixprotocol.com
This Privacy Policy is provided in English. An Italian-language version may be made available upon request. In case of discrepancy between language versions, the English text shall prevail.