At a glance
- NeuralShift processes personal data under two distinct regimes: as Controller (this Notice) and as Processor on behalf of the Client (governed by a separate Data Processing Addendum).
- NeuralShift is expressly prohibited from using personal data or User Content to train or fine-tune LLMs or foundational AI models, or to create individual profiles of Authorised Users.
- All processing carried out by NeuralShift in its capacity as Controller takes place within the European Economic Area.
- This Notice now covers the Affine for Microsoft 365 Copilot Add-in — see §2 and §6.
- Data subjects may exercise rights of access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and complaint — see §8.
This Privacy Notice ("Notice") describes how NeuralShift, Deep Learning Services, Lda. ("NeuralShift") processes personal data in connection with the Affine platform and the Affine for Microsoft 365 add-in (the "Copilot Add-in"), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR") and applicable Portuguese data protection law (collectively, "Applicable Law").
This Notice does not constitute a contractual document. Where NeuralShift has entered into a specifically negotiated written agreement with a Client (including a master services agreement, order form, or data processing addendum), the terms of that agreement prevail over this Notice to the extent of any conflict, and this Notice applies only to the extent not in conflict with, and as may be modified by, those negotiated terms.
NeuralShift processes personal data under two distinct regimes: as Controller and as Processor. This Notice describes the processing for which NeuralShift acts as Controller. Processing carried out by NeuralShift as Processor on behalf of the Client is governed by a separate data processing addendum between NeuralShift and the Client.
This Notice is without prejudice to the Client's own obligation to inform data subjects (including Authorised Users and third parties whose personal data is processed through the Service) in accordance with Applicable Law.
§ 1Glossary
For the purposes of this Privacy Notice, the following terms have the meanings set out below:
- Affine / Software / Service
- NeuralShift's web-based AI-powered platform for document analysis and legal research, made available on a Software-as-a-Service (SaaS) basis.
- Authorised User
- Any natural person authorised to access and use Affine under a valid Subscription Plan.
- Client
- The natural or legal person that has purchased an Affine's Subscription Plan.
- Public Data
- Information freely available and accessible to the general public, such as legislation, officially published case law of superior courts, and administrative doctrine.
- User Content
- Data, documents, and materials uploaded by an Authorised User to the Platform while using the Software.
§ 2Data we process
Acting as Controller, NeuralShift processes the following categories of Client or Authorised Users' personal data. Where the personal data of the Client's representatives or Authorised Users is not collected directly from the data subject, it is obtained from the Client in the context of the formation and performance of the contractual relationship, pursuant to Article 14 GDPR:
| Category | Type of Personal Data | Purposes | Lawful Basis | Mandatory / Voluntary |
|---|---|---|---|---|
| Identification Data | Name, job title, professional email address, telephone number, and identification details of the Client's authorised representatives. Where the Copilot Add-in is used, this category also includes the Microsoft 365 sign-in identity claims released to NeuralShift through Microsoft Entra authentication (the user principal name or email address and the tenant (directory) identifier). | Contract formation and management; user account administration; service delivery; communication in connection with the contractual relationship. | Legitimate interests; Compliance with legal obligations. | Provision of identification data is a necessary condition for entering into and performing the service agreement. Without this data, NeuralShift is unable to provide the Service or fulfil its legal obligations. |
| Billing Data | Client's name and tax identification number; invoicing address; payment method details; transaction and invoicing records. | Invoicing; payment processing; compliance with fiscal, accounting, and commercial record-keeping obligations. | Compliance with legal obligations. | Provision of billing data is a necessary condition for entering into and performing the service agreement. |
| Feedback & Product-Improvement Communications | Content of communications exchanged with NeuralShift (in the course of support interactions, product feedback channels, or direct correspondence) that NeuralShift uses to diagnose recurring issues, inform product improvements, and guide internal learning, separately from the handling of the underlying support request. | Friction points; diagnostics; product and Service improvement; internal learning and quality assurance. | Legitimate interests. | Provision of feedback communications data is voluntary. Data subjects may object to the use of their communications for improvement purposes at any time under Article 21 GDPR, in which case NeuralShift shall cease such processing unless it demonstrates compelling legitimate grounds that override the data subject's interests. |
| Platform Analytics Data | Internet Protocol (IP) addresses, session identifiers, access logs, authentication events, and event timestamps generated by the Software and by NeuralShift's public-facing websites, together with feature-usage patterns processed in aggregate form. Where the Copilot Add-in is used, this category also includes usage telemetry, such as feature usage, command invocations, session timing, and error or diagnostic events. | Identification of recurring usage patterns; analysis of performance bottlenecks; prioritisation of Service enhancements; product improvement. | Legitimate interests (processing is limited to pseudonymised data; data subjects are not re-identified). | The collection of Platform Analytics Data occurs automatically and is technically necessary to establish and maintain the connection. |
§ 3Data protection principles
NeuralShift structures its data protection commitments around the following fundamental principles, in accordance with Applicable Law:
- Lawfulness, Fairness, and Transparency: NeuralShift ensures that all processing of personal data is grounded in a lawful basis under Applicable Law, is conducted fairly, and is transparent as regards the rights and freedoms of data subjects.
- Purpose Limitation: Personal data is collected exclusively for specified, explicit, and legitimate purposes and is not processed in a manner incompatible with those purposes, except where processing is carried out for archiving purposes in the public interest, scientific or historical research, or statistical purposes, with appropriate technical safeguards in place.
- Data Minimisation: NeuralShift processes only the personal data that is strictly necessary for the defined processing purposes, ensuring a direct and proportionate relationship between the data processed and the Service provided.
- Accuracy: NeuralShift takes reasonable steps to keep personal data accurate and up to date and, where data is found to be inaccurate or incomplete, rectifies or deletes it without undue delay.
- Storage Limitation: NeuralShift retains personal data only for as long as necessary for the purposes for which it was collected. Specific retention periods are established for each data category, after which data is deleted, pseudonymised, or anonymised, so as to safeguard the fundamental rights and freedoms of data subjects.
- Integrity and Confidentiality: NeuralShift ensures the integrity and confidentiality of personal data through the adoption of appropriate technical and organisational measures, preventing unauthorised processing, accidental loss, destruction, or damage.
- Accountability: NeuralShift implements and maintains appropriate technical and organisational measures to demonstrate compliance with the principles set out above and with Applicable Law, incorporating data protection requirements from the outset of system design (Privacy by Design) and as the default configuration (Privacy by Default).
§ 4Technical & organisational measures
Acting as Controller, NeuralShift implements the following technical and organisational measures for the protection of Client personal data:
| Measure | Description |
|---|---|
| Authorised Communication Channels | Processing and transmission of Client personal data is carried out exclusively through NeuralShift's authorised systems and channels (comprising communication and collaboration tools, a customer relationship management (CRM) platform, invoicing and accounting software, and a contract management platform) selected on the basis of their security guarantees. Use of non-approved channels for communication or storage of Client personal data is prohibited. |
| Access Controls | Access to Client personal data held in internal systems (CRM, invoicing platform, contract management) is restricted, on a role-based basis, to teams with a justified operational need, through named user accounts. Access is revoked immediately upon termination of employment or change of role. |
| Audit Records | Records of access and modifications to systems in which Client personal data is stored are maintained, in accordance with the audit functionality provided by the relevant Processors. |
| Sub-processor Management | Sub-processors are selected following a prior assessment of their security practices, and processing agreements are formalised in accordance with Article 28 GDPR. NeuralShift gives preference to primary processing within the EEA. Any transfers outside the EEA are covered by appropriate safeguards recognised under Applicable Law (adequacy decision of the European Commission; Standard Contractual Clauses; Binding Corporate Rules). |
| Data Segregation | Client personal data processed in the controller regime is maintained in systems separate from Authorised User data processed in the processor regime, preventing cross-access between the two processing regimes. |
Acting as Controller, NeuralShift maintains procedures for the detection, recording, and response to personal data breaches. Where a breach results in a risk to the rights and freedoms of data subjects, NeuralShift notifies the competent supervisory authority (CNPD) without undue delay and, where feasible, within 72 (seventy-two) hours of becoming aware of it, pursuant to Article 33 GDPR; where the breach is likely to result in a high risk, NeuralShift also communicates it to the affected data subjects pursuant to Article 34 GDPR. Acting as Processor, NeuralShift notifies the Client in accordance with the DPA.
§ 5Generative AI & personal data
Overview
NeuralShift acknowledges the particular sensitivity associated with the processing of personal data through Generative AI, especially in the legal sector, and accordingly implements the technical and organisational measures set out in this Privacy Notice and the applicable Data Processing Addendum ("DPA"), consistent with Article 32 GDPR, to protect the personal data of its Clients and Authorised Users.
Data flow
NeuralShift integrates Generative AI models into the Software's functionality, in particular for document analysis, semantic search, text generation, and audio-to-text transcription (Speech-to-Text). In NeuralShift's capacity as Processor, the applicable processing conditions, security measures, and guarantees are governed by the DPA executed between NeuralShift and the Client. Personal data processing in the context of Generative AI features follows the sequence described below:
- User Input. The Authorised User interacts with Generative AI models through prompts (questions, instructions) or by requesting actions on files uploaded to the Platform.
- Context Retrieval. Where files have been uploaded, the system identifies and extracts the relevant segments from the Authorised User's documents, which are incorporated as additional context into the input submitted to the model. Where no files have been uploaded, context is retrieved from Affine's Public Data sources.
- Secure Transmission. The Authorised User's prompt, the retrieved context, and the system instructions are combined into a structured input and transmitted via API, with encryption in transit (TLS 1.2 or higher), to the AI models in use.
- Output Generation. The model processes the received input and generates a response (in the form of analysis, synthesis, text generation, or content extraction) without using the data for purposes other than generating the response, pursuant to the contractual terms applicable to NeuralShift's sub-processors providing the AI models.
- Presentation and Storage. The Output is presented to the Authorised User and stored in that user's account history.
No-training commitment
NeuralShift does not use personal data or User Content for purposes other than the provision of the Service. NeuralShift is expressly prohibited from using personal data or User Content to train or fine-tune Large Language Models (LLMs) or foundational artificial intelligence models, or to create individual profiles of Authorised Users that would permit their direct identification. This is without prejudice to usage analysis and Software performance monitoring operations carried out using technical pseudonymisation measures, and to the conditions relating to the use of public data and aggregated Platform Analytics Data described below.
Use of public data and aggregated Platform Analytics Data
Public Data (such as legislation and published case law) and aggregated and anonymised Platform Analytics Data (such as search patterns containing no personal information, or features' utility inferred from how frequently they are used) may be used for the following purposes:
- Improving discriminative algorithms, in particular for tasks such as classification and entity extraction from public data, with a view to optimising their accuracy, relevance, and responsiveness; and
- Conducting internal performance benchmarking to evaluate the quality of deployed models.
§ 6Copilot Add-in
NeuralShift makes available the Affine for the Copilot Add-in, which connects Microsoft 365 Copilot to the Affine knowledge layer. When an Authorised User invokes the Copilot Add-in, Microsoft 365 Copilot generates a search query from the user's prompt and context and, subject to the user's consent at first use, transmits it to NeuralShift's server, which returns a grounded, cited answer drawn from Affine.
In connection with the Copilot Add-in, the personal data that NeuralShift processes as Controller under this Notice is limited exclusively to (i) the Microsoft 365 sign-in identity claims described under Identification Data above, released through OAuth 2.0 / Microsoft Entra authentication to the NeuralShift service and used solely to authenticate the Authorised User and to operate the Copilot Add-in; and (ii) the Copilot Add-in usage telemetry described under Platform Analytics Data above. Authentication is performed against NeuralShift's own application registration.
The content exchanged through the Copilot Add-in (the queries derived from your prompts and the answers returned) constitutes User Content that NeuralShift processes solely as Processor, on the documented instructions of the Client, and which is governed exclusively by the applicable Data Processing Addendum and not by this Notice.
§ 7Retention periods
Without prejudice to the rights of data subjects, in particular, the right to erasure, NeuralShift retains personal data only for as long as strictly necessary for the purposes for which it was collected and processed, or for the minimum period required to comply with applicable legal or regulatory obligations. Upon expiry of the applicable retention period, data is deleted or securely anonymised.
The following retention periods apply exclusively to personal data processed by NeuralShift in its capacity as Controller. Retention periods applicable to personal data of Authorised Users are set out in the DPA executed between NeuralShift and the Client.
| Data Category | Retention Period | Criterion | Lawful Basis | Deletion Criterion |
|---|---|---|---|---|
| Identification Data | 5 years from the date of termination of the contractual relationship with the Client | Statutory limitation period under Portuguese law | Legitimate interests | Automated script with logging |
| Billing Data | 10 years from the date of invoice issuance | Compliance with legal accounting and invoicing obligations under Portuguese law | Legal obligation | Automated script with logging |
| Feedback & Product-Improvement Communications | 2 years from the date of submission, or until termination of the contractual relationship with the Client, whichever occurs earlier | Limited to the period necessary for product-improvement purposes | Legitimate interests | Automated script with logging |
| Platform Analytics Data | Pseudonymised analytics data is retained for 12 (twelve) months on a rolling basis. The underlying technical records (access logs and related telemetry) are retained in accordance with the data processing addendum between NeuralShift and the Client. | Limited to the period necessary for product-improvement purposes | Legitimate interests | Automated script with logging |
Retention periods are determined by reference to the following criteria:
- Legal obligation: personal data required for compliance with legal obligations (such as billing data for fiscal and accounting purposes) is retained for the legally applicable periods.
- Statutory limitation periods: personal data may be retained for the period necessary for the declaration, exercise, or defence of rights in judicial, administrative, or arbitral proceedings, for as long as such exercise or defence remains possible, including until a final, unappealable judgment has been issued, or until the applicable statutory limitation period has expired.
- Residual cases: in all other cases, data is retained only for as long as necessary to fulfil the purposes for which it was collected.
§ 8Data subject rights
NeuralShift facilitates the exercise of the following data subject rights under Applicable Law:
| Right | Description | Conditions / Exceptions | Response |
|---|---|---|---|
| Access | Obtain confirmation as to whether personal data is being processed and access the data processed, the purposes, categories of recipients, and retention periods. | No restrictions. | 1 month |
| Rectification | Obtain the rectification of inaccurate or incomplete personal data. | No restrictions. | 1 month |
| Erasure | Obtain the erasure of personal data where it is no longer necessary for the processing purposes, the processing is unlawful, or there is a legal obligation to delete. | May be refused to comply with legal retention obligations or for the establishment, exercise, or defence of legal claims. | 1 month |
| Restriction | Obtain restriction of processing to the mere storage of personal data. | Exercisable where the accuracy of the data is contested, the processing is unlawful and the data subject prefers restriction to erasure, the data is required by the data subject for the defence of legal claims, or an objection is pending verification of overriding grounds. | 1 month |
| Portability | Receive personal data provided to NeuralShift in a structured, commonly used, and machine-readable format, and transmit it to another controller. | Applicable where processing is based on contract performance and is carried out by automated means. Does not extend to personal data derived or inferred by NeuralShift. | 1 month |
| Objection | Object to processing on grounds relating to the data subject's particular situation. | NeuralShift shall cease processing unless it demonstrates compelling legitimate grounds that override the data subject's interests, or that processing is necessary for the establishment, exercise, or defence of legal claims. | 1 month |
| Withdrawal of Consent | Withdraw consent at any time, where consent constitutes the lawful basis for processing. | Does not affect the lawfulness of processing carried out prior to withdrawal. | 1 month |
| Complaint | Lodge a complaint with the CNPD or with the supervisory authority of the data subject's habitual residence, place of work, or place of the alleged infringement. | No restrictions. | N/A |
NeuralShift does not process personal data for direct marketing purposes.
NeuralShift shall reply to data subjects' requests within a maximum period of 1 (one) month from the date of receipt, extendable by a further 2 (two) additional months in cases of particular complexity or high request volume, subject to prior notification to the data subject.
Requests that are manifestly unfounded or excessive may be refused or subject to a reasonable administrative fee, or refuse to act on the request, provided that NeuralShift demonstrates the manifestly unfounded or excessive character of the request in accordance with Article 12(5) GDPR.
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with the competent supervisory authority.
In Portugal, that Authority is the National Data Protection Commission (CNPD):
Address: Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa
Telephone: +351 213 928 400
Email: geral@cnpd.pt
Website: www.cnpd.pt
NeuralShift remains available to analyse and respond directly to any questions relating to the processing of personal data prior to the lodging of a formal complaint. For this purpose, data subjects may contact NeuralShift via the means set out in Section 13. Without prejudice to the right to lodge a complaint with the CNPD, data subjects may also address complaints to the supervisory authority of the Member State of their habitual residence, place of work, or the place where the alleged infringement occurred, pursuant to Article 77(1) GDPR.
§ 9International data transfers
In respect of personal data of Authorised Users, the conditions and mechanisms governing any international transfers carried out by NeuralShift's Processors are regulated by the DPA executed between NeuralShift and the Client.
In respect of personal data processed by NeuralShift in its capacity as Controller, all processing operations take place within the European Economic Area, through authorised Processors operating communication and collaboration tools, a customer relationship management (CRM) platform, invoicing and accounting software, the platform's observability and analytics suite, logging and auditing a contract management platform, each with data centres located within the EEA.
§ 10Cookies & similar technologies
The Software and NeuralShift's websites use cookies and similar technologies that are strictly necessary for authentication, session maintenance, and security. Any non-essential cookies (in particular analytics or preference cookies) are used only with the user's prior consent, obtained through an appropriate mechanism and freely withdrawable at any time with the same ease as it was given, in accordance with applicable electronic communications law. Detailed information on the cookies used, their purposes, and retention periods is set out in our Cookie Policy.
§ 11Automated decision-making & profiling
NeuralShift does not make decisions based solely on automated processing of personal data (including profiling) that produce legal effects or similarly significantly affect the rights and freedoms of data subjects.
NeuralShift does not use automated decision-making within the meaning of Article 22 GDPR. The Software's AI features produce recommendations that must be reviewed by qualified legal professionals before any decision is taken.
§ 12Notice updates & version control
Without prejudice to the provisions of this section, NeuralShift commits, in respect of this Privacy Notice, to:
- Carry out a review at least annually;
- Propose updates whenever relevant changes occur to Applicable Law; and
- Submit proposed amendments to the Client with a minimum advance notice of 10 (ten) business days prior to their entry into force.
Exceptionally, where changes to Applicable Law or determinations by competent authorities (such as national supervisory authorities) require immediate modifications:
- NeuralShift shall notify the Client as promptly as possible;
- Such changes, by reason of their mandatory character, shall be deemed automatically incorporated into this Privacy Notice by operation of Applicable Law (as amended or superseded); and
- The parties commit to formalising such changes by means of a written addendum to be executed within 30 (thirty) days following implementation of the legally required measures, without prejudice to their immediate application by operation of Applicable Law (as amended or superseded).
Where it is necessary to introduce significant changes to this Privacy Notice, NeuralShift shall notify the Client at least 10 (ten) business days before the changes enter into force, by means of:
- Notification via the provided details upon subscription to the Service; or
- An in-Software banner or pop-up displayed upon login.
§ 13Contact
NeuralShift has not designated a Data Protection Officer (DPO) under Article 37 GDPR, as the legal conditions that would make such designation mandatory do not apply. NeuralShift has documented its assessment of the conditions set out in Article 37(1) GDPR, which assessment is maintained on file and available to the competent supervisory authority upon request.
For the exercise of any of the rights described in Section 8, or for any other enquiry relating to the processing of personal data by NeuralShift, data subjects and Clients may contact NeuralShift through the following means:
Rua João Saraiva, 38, 4.º andar, 405 AI HUB
1700-051 Lisboa
Attn. António Lopes dos Santos