Your data. Full stop.
This audience reads privacy policies. So we wrote one that actually says something.
Non-PHI architecture — by design.
NoirNeuro is not a medical product and does not collect Protected Health Information (PHI). This is a deliberate architectural choice, not a gap.
The advantage: your data is never classified as health information. It is not subject to HIPAA's research exemptions, which allow third parties to access PHI under certain conditions without your explicit consent. Non-PHI data is subject to stricter general privacy law (CCPA, GDPR) — not looser health exemptions.
Data residency.
All data is stored and processed in us-east1 (Google Cloud, South Carolina, USA). Data does not move across regions unless you explicitly migrate.
Encryption.
AES-256 at rest. TLS 1.3 in transit. Google Cloud's key management infrastructure. No exceptions, no unencrypted data paths.
Deletion.
You request deletion. We honor it within 30 days. Period. No "we retain anonymized data" carve-outs buried in the fine print.
Sovereign tier: deletion comes with an audit trail confirming what was removed and when.
Biometric data — honest scope.
NoirNeuro does not collect raw biometric readings, EEG data, fMRI data, or continuous physiological monitoring. The “biometric” component consists of coarse, derived wellbeing bands — computed from your self-reported energy and load inputs, not from a sensor.
These bands are: consent-gated (you turn them on), revocable (you turn them off and the data is purged), and derived-only (no raw reading is stored).
AI outputs — advisory only.
Every AI output in NoirNeuro is labeled as advisory. Nothing is applied to your calendar, task list, or plan without your explicit acceptance. AI-generated content is attributed (model, prompt context) and is never auto-filed or auto-applied.
No data monetization.
NoirNeuro does not sell, license, or share your personal data with third parties for advertising, research, or commercial purposes. Your data is used to operate the platform for you — nothing else.
Collective Intelligence — k-anonymity protected.
Sovereign tier peer benchmarks use k-anonymity suppression — no result is shown if it could identify an individual. The system suppresses outputs where the cohort is too small to provide anonymity.
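The suppression rule described above, as an added illustration (example code, not NoirNeuro's own): cohorts smaller than a minimum size are dropped from the peer benchmark, and a complementary check catches the case where publishing an overall total would let someone back out a suppressed cohort. The threshold K, the field names and the sample records are assumptions, since the page states no specific k.

```python
"""k-anonymity suppression for peer benchmarks (added example, not NoirNeuro code)."""
from collections import defaultdict
from statistics import median

K = 5  # assumed minimum cohort size; the page does not publish its k


def cohort_benchmarks(records, cohort_field, metric):
    """Return ({cohort: median metric}, [suppressed cohorts]).

    A cohort is shown only if it contains at least K people; anything smaller
    is suppressed entirely rather than shown with a rounded or noisy value.
    """
    groups = defaultdict(list)
    for r in records:
        groups[r[cohort_field]].append(r[metric])
    shown = {c: median(v) for c, v in groups.items() if len(v) >= K}
    suppressed = sorted(c for c in groups if c not in shown)
    return shown, suppressed


def safe_to_publish_total(records, cohort_field, shown):
    """Complementary suppression check.

    If an all-users total is published next to the shown cohorts, the people
    hidden behind suppression must themselves number at least K; otherwise
    total minus shown cohorts reveals the small cohort's contribution.
    """
    hidden = sum(1 for r in records if r[cohort_field] not in shown)
    return hidden == 0 or hidden >= K


# Constructed sample: "focus_hours" is a self-reported daily figure, "role" the cohort key.
SAMPLE = (
    [{"role": "engineer", "focus_hours": h} for h in (5, 6, 4, 7, 5, 6)]  # 6 people -> shown
    + [{"role": "designer", "focus_hours": h} for h in (3, 4, 5, 4, 6)]   # 5 people -> shown
    + [{"role": "founder", "focus_hours": h} for h in (2, 9)]             # 2 people -> suppressed
)

if __name__ == "__main__":
    shown, suppressed = cohort_benchmarks(SAMPLE, "role", "focus_hours")
    print("shown:", shown)                      # engineer and designer medians only
    print("suppressed:", suppressed)            # ['founder']
    print("total safe:", safe_to_publish_total(SAMPLE, "role", shown))  # False: 2 hidden < K
```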
Google Cloud compliance — verified and linked.
NoirNeuro is built on Google Cloud's certified infrastructure. These certifications belong to GCP, not to NoirNeuro — but they are the floor of what your data environment guarantees.
| Certification | Scope | Relevance | Source |
|---|---|---|---|
| SOC 2 Type II | Google Cloud Platform and Google Workspace | Data security + availability audit. Strongest trust signal for US enterprise buyers. | Verify |
| ISO 27001 | Systems, applications, people, technology, processes, and data centers serving GCP | Baseline international security standard. Recognized globally. | Verify |
| ISO 27017 | GCP products and Google Workspace | Cloud-specific security controls standard. | Verify |
| ISO 27018 | GCP products and Google Workspace | PII protection in the cloud. Directly supports "your data, your control." | Verify |
| ISO 27701 | GCP and Google Workspace | Privacy Information Management System. Directly supports GDPR/CCPA claims. | Verify |
| CSA STAR Level 2 | Cloud Security Alliance third-party audited assessment | Cloud-native security. Third-party validated. | Verify |
| FedRAMP ATO | GCP and Google Workspace | Federal Authorization to Operate. Highest US government security vetting. | Verify |
Certifications verified July 2026 from cloud.google.com/compliance. Re-verify against the live page before making compliance decisions.
What “sovereign” actually means here.
“Sovereign” in the context of this platform means: you have meaningful control over your data — where it lives, who can see it, and when it is deleted. It does not mean NoirNeuro operates outside of law or that your data is mathematically guaranteed private from all possible adversaries.
It means: we chose a non-PHI architecture deliberately. We chose a certified GCP infrastructure deliberately. We built deletion and k-anonymity in from the start. We do not sell your data, do not use it to train models without your consent, and do not retain it after you leave.
That is what “sovereign” means in practice. The rest is marketing language we are deliberately not using.