Privacy Policy

Last updated: March 22, 2026

What This Policy Covers

This policy describes how Neither ("we", "us", "our") collects, uses, and protects your information when you use our application at neither.online. Neither is a management intelligence platform that imports documents, emails, and messages from connected services to help teams make better decisions.

Information We Collect

Account information. When you sign up, we collect your email address and name via Supabase Auth. If you sign in with Google, we receive your name, email, and profile picture from your Google account.

Connected service data. When you connect third-party services (Google Drive, Gmail, Microsoft OneDrive, Outlook, Slack, Teams, or messaging platforms), we access data from those services based on the permissions you grant. This includes:

  • Google Drive: file metadata and document contents from folders you select
  • Gmail: email threads and metadata from labels you select
  • OneDrive/SharePoint: file metadata and document contents
  • Outlook: email threads and metadata
  • Messaging platforms: message content from channels or conversations you connect

Usage data. We collect basic usage information such as pages visited and features used, to improve the product.

How We Use Your Information

  • To provide the core service: importing, analyzing, and organizing your documents and communications into actionable project intelligence
  • To generate AI-powered briefs, suggestions, and decision support using the content you import
  • To maintain and improve the platform
  • To communicate with you about your account or service updates

We do not sell your data. We do not use your data for advertising. We do not use your content to train AI models.

Google User Data

Neither's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we only use Google user data to provide the features you explicitly request (importing Drive files or Gmail threads into your workspace). We do not use Google data for advertising, and we do not transfer it to third parties except as necessary to provide the service (see "Third-Party Services" below).

Sub-processors register

Procurement teams use this register alongside our Trust & Security page. Categories describe why each vendor touches data; regions follow the project or deployment you select during onboarding. Updates follow vendor substitutions consistent with our agreements — email privacy@neither.online for notifications when your agreement requires them.

  • Supabase — category: database, authentication, storage policies; region: Supabase project region (EU/US cloud options); purpose: persist structured workspace data and enforce row-level security.
  • Railway — category: application hosting and routing; region: Railway region chosen for the deployment; purpose: run API and web workloads that serve your workspace.
  • Nango — category: OAuth token broker; region: Nango's cloud per their documentation; purpose: maintain integration tokens you authorize for connected SaaS tools.
  • OpenAI — category: model inference; region: OpenAI API regions per their policy; purpose: generate structured outputs from prompts you trigger in-product under OpenAI's Data Processing terms (your API content is not used to train OpenAI models through our integration posture).
  • Google (Gemini API) — category: model inference when enabled for extended-tier routing; region: per Google AI Studio / Gemini policy; purpose: optional alternate inference path where configured for your workspace or tenant.

These vendors process data solely to deliver Neither. We do not sell personal data and we do not allow subprocessors to use your workspace content for advertising.

Data flows (high level)

Operators connect SaaS systems through OAuth (Nango). Neither copies or indexes the slices you authorize into Supabase-backed tables scoped by workspace. Browser and API traffic terminate at Railway-hosted services over HTTPS. Model providers receive only the prompts and retrieval bundles required for a given feature, not your entire datastore in bulk.

Context API integrators send structured payloads directly to the API gateway — JSON over HTTPS — where bearer keys scope responses to a single workspace as documented in OpenAPI.

Data residency and portability

Pick the Supabase region when provisioning the workspace where the product allows region selection. Railway regions should align with your latency and residency expectations for the pilot. Neither does not operate customer-managed BYOS clusters in the default Track A path; ask sales if your procurement packet requires dedicated tenancy.

Export or delete structured workspace data using in-product controls described under Your Rights. Raw uploads follow the extraction retention posture noted elsewhere in this policy.

Network controls

Customer-facing HTTP APIs require TLS. Integration webhooks you configure must use HTTPS endpoints so neither transport exposes plaintext payloads. Rate limiting and abuse controls are described in the hosted OpenAPI reference.

Data Security

All data is encrypted with TLS 1.3 in transit and AES-256 at rest. Every workspace is isolated with row-level security (RLS) policies — no cross-workspace access is possible. See our Trust & Security page for more detail.

API customer lifecycle signals

Use these stubs as starting points for buyer-specific wording. Replace bracketed fields; keep support intake on workspace id, key prefix, request id, job id, and source id — never full bearer tokens.

1. Workspace access decision

Subject: Workspace access — decision for [workspace label]

Body: Your workspace access request was [approved | denied]. Workspace id: [id]. If approved, next step: [key creation | console link]. If denied, reason: [short reason]. Support: support@neither.online (include workspace id only).

2. Context API key mint, rotation, or revocation

Subject: Context API key [created | rotated | revoked] — prefix [key_prefix]

Body: A Context API key for workspace [id] was [created | rotated | revoked]. Store the secret in your vault; we cannot reshow it. If rotation: old prefix [old_prefix] loses access at [grace_expires_at or immediate]. Support intake: prefix + request id only.

3. First ingest outcome

Subject: First ingest [succeeded | failed] — job [job_id]

Body: Ingest job [job_id] for workspace [id] [completed successfully | failed]. Request id: [request_id]. Source id: [source_id]. Error code (if any): [code]. Next step: [retry guidance | docs link]. Escalate with job id + request id.

4. Quota or rate-limit warning

Subject: Approaching rate limit — workspace [id]

Body: Recent API traffic returned HTTP 429 with retry hints headers. Workspace id: [id]. Key prefix: [prefix]. Request id (sample): [request_id]. Integrators should backoff per OpenAPI; contact support if sustained limits block pilot milestones.

5. Webhook delivery failure

Subject: Webhook delivery issue — endpoint [host or path redacted]

Body: Delivery to your HTTPS endpoint failed [N] times (last status [http_status]). Job id: [job_id]. Verify signature with your signing secret; check TLS and 2xx response window. We will retry per [policy]; replay idempotently if needed. Include job id + workspace id in tickets.

6. Pilot health check

Subject: Pilot health review — week of [date]

Body: Summary for workspace [id]: ingest success rate [range], p95 latency [range], webhook failure rate [range]. Open risks: [bullets]. Scheduled review / decision: [date or contact]. Request ids sampled: [ids].

Support intake should include workspace ID, key prefix, request ID, job ID, or source ID rather than full bearer tokens — mirror the guidance in /docs/api and the API Console links.

Data Retention

Your data is retained as long as your account is active. Raw uploaded files are processed and not retained after extraction — we keep only the structured data. When you delete your account or data, it is removed within 30 days (backup retention window). Request IDs and audit-facing metadata align with operational troubleshooting windows described to enterprise buyers — ask support@neither.online if your retention questionnaire requires field-level answers.

Your Rights

You can at any time:

  • Access the data stored in your workspace
  • Export your data
  • Delete specific items or your entire workspace
  • Disconnect any third-party integration, which stops further data access
  • Delete your account, which removes all associated data

To exercise any of these rights, use the in-app settings or contact us at the email below.

Changes to This Policy

If we make material changes, we will notify you via the email associated with your account. Continued use of Neither after changes constitutes acceptance.

Contact

For privacy-related questions or requests, email us at privacy@neither.online.

← Back to home