Privacy Policy
ThinkNEO AI Technology Co., Limited Last updated: 25 April 2026
1. Who We Are
ThinkNEO AI Technology Co., Limited ("ThinkNEO", "we", "us") is a company incorporated in Hong Kong SAR, founded in 2023. We operate an AI Control Plane and Gateway that routes API requests between your applications and third-party AI Providers. We do not host AI models.
- Data Controller: ThinkNEO AI Technology Co., Limited
- Data Protection contact: privacy@thinkneo.ai
2. What We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Company name (if provided)
- Billing information (processed and stored by Stripe; we do not store full card numbers)
2.2 Request Metadata
When you route API requests through the Service, we log:
- Timestamps
- Tool / endpoint names
- Response sizes and latency
- Status codes and error types
- Provider selected
We do NOT log prompt content or model outputs unless you explicitly enable the Audit Log feature in your Workspace settings.
2.3 Usage Analytics
We use privacy-first analytics (currently Plausible Analytics or equivalent) that:
- Does not use cookies
- Does not collect personal identifiers
- Does not track users across sites
We collect aggregate page-view and usage data solely to improve the Service.
2.4 Support & Communications
If you contact us, we retain your name, email, and the content of your communications to resolve your inquiry.
3. Legal Basis for Processing (GDPR Art. 6)
| Purpose | Legal Basis |
|---|---|
| Providing the Service, managing your account and subscription | Contract performance (Art. 6(1)(b)) |
| Security monitoring, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Sending product updates and service notifications | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (only if you opt in) | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations (e.g., tax, anti-money-laundering) | Legal obligation (Art. 6(1)(c)) |
4. Your Rights by Jurisdiction
4.1 European Union & United Kingdom (GDPR / UK GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Port your data to another service
- Restrict processing
- Object to processing based on legitimate interest
- Withdraw consent at any time (where consent is the basis)
- Lodge a complaint with your local supervisory authority
4.2 Brazil (LGPD)
Under the Lei Geral de Proteção de Dados, you have equivalent rights to access, correction, anonymization, deletion, portability, and information about sharing. Contact us at privacy@thinkneo.ai to exercise these rights.
4.3 California, USA (CCPA / CPRA)
California residents have the right to:
- Know what personal information we collect and how it is used
- Delete personal information
- Opt out of the sale or sharing of personal information
We do not sell or share personal information as defined by the CCPA.
4.4 Hong Kong SAR (PDPO)
Under the Personal Data (Privacy) Ordinance, you have the right to:
- Access your personal data
- Request correction of inaccurate data
Requests may be made to privacy@thinkneo.ai.
Exercising Your Rights
To exercise any of the above rights, email privacy@thinkneo.ai. We respond within 30 days (or sooner where required by law). We may ask for identification to verify your request.
5. Sub-processors
We use the following sub-processors. This list is kept current; changes are communicated with 30 days' notice.
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Stripe | Payment processing & billing | USA / EU |
| Resend | Transactional email delivery | USA |
| DigitalOcean | Infrastructure hosting | USA (NYC/SFO) |
| AWS | Encrypted backups | USA |
| Plausible Analytics (or equivalent) | Privacy-first usage analytics | EU |
AI Providers (Customer-Directed)
The following providers process data only when you route requests to them. ThinkNEO acts as a gateway; your data is transmitted to the provider you select:
OpenAI, Anthropic, Google (Vertex AI / Gemini), NVIDIA (NIM), Meta (Llama API), Mistral, DeepSeek, Alibaba (Qwen), Cohere, xAI (Grok).
Each provider's own privacy policy and DPA governs their processing of your data. ThinkNEO is not a sub-processor of these providers.
6. Data Retention
| Scenario | Retention Period |
|---|---|
| Active account | Data retained for the duration of the subscription |
| Cancelled account | Data retained for 30 days, then permanently deleted |
| Audit logs (default) | 90 days, then automatically purged |
| Audit logs (Enterprise, if configured) | Up to 7 years, as set by Customer |
| Billing records | As required by Hong Kong tax law (currently 7 years) |
| Support communications | 2 years after resolution, then deleted |
7. International Data Transfers
ThinkNEO is based in Hong Kong SAR. If you are located in the EU/EEA or UK, your data may be transferred to jurisdictions that do not have an EU adequacy decision. In such cases, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor), attached to our Data Processing Agreement
- UK International Data Transfer Agreement (IDTA) where applicable
8. Cookies & Tracking
We use a minimal cookie approach:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
session_id |
Session authentication | Session (expires on browser close) | Essential |
billing_state |
Checkout flow state | 1 hour | Essential |
We do not use advertising cookies, third-party trackers, or fingerprinting. Our analytics (Plausible) are cookie-free.
9. Security
We implement technical and organizational measures to protect your data, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access control (RBAC) with MFA for administrators
- Automated SAST scanning in CI/CD
- Incident response procedures with 72-hour notification
For full details, see our Security & Compliance Statement.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@thinkneo.ai and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.
12. Contact
For any privacy-related questions, requests, or complaints:
ThinkNEO AI Technology Co., Limited Data Protection Contact Hong Kong SAR Email: privacy@thinkneo.ai
If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.