1. Introduction
This Privacy Policy explains how Tabempa Engineering Limited ("Tabempa Engineering," "we," "us," or "our"), a company registered and headquartered in Freetown, Sierra Leone (Registration No. SL110326TABEM29256, 82 Devil Hole, Waterloo), collects, uses, stores, shares, and protects your personal information when you use NeuraLaunch, an AI-powered startup validation and execution platform available at startupvalidator.app and through the NeuraLaunch mobile applications (collectively, the "Platform").
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, do not use the Platform.
This Privacy Policy should be read alongside our Terms of Service and Cookie Policy.
2. Who We Are
NeuraLaunch is operated by Tabempa Engineering Limited. For the purposes of data protection law, Tabempa Engineering Limited is the data controller responsible for your personal information.
Contact details:
Tabempa Engineering Limited 82 Devil Hole, Waterloo Freetown, Sierra Leone Email: info@tabempa.com Website: tabempa.com
All payments for the Platform are processed by Paddle.com Market Limited ("Paddle"), which acts as the Merchant of Record. For payment-related personal data, Paddle operates as an independent data controller under its own privacy policy, available at paddle.com/privacy.
3. What Information We Collect
We collect information in three ways: information you provide directly, information generated through your use of the Platform, and information collected automatically.
3.1 Information You Provide
Account information. When you create an account via Google or GitHub OAuth, we receive your name, email address, and profile image from the authentication provider. We do not receive or store your Google or GitHub password.
Discovery interview responses. During the discovery interview, you share information about your personal situation, professional background, skills, business ideas, goals, constraints, financial circumstances, available time, team composition, fears, and motivations. This information is processed by our AI agents and stored as structured data (the "belief state") and as a complete interview transcript.
Check-in messages. When you check in on roadmap tasks, you provide free-text descriptions of your progress, challenges, results, and questions. These are stored as part of your check-in history.
Tool session inputs. When using the Platform's internal tools, you provide:
- Conversation Coach: details about upcoming conversations, the parties involved, your relationship to them, your goals, and your concerns
- Outreach Composer: descriptions of recipients, your relationship to them, the purpose of outreach, and channel preferences
- Research Tool: research questions, plan adjustments, and follow-up questions
- Service Packager: service descriptions, pricing preferences, and adjustment requests
Voice input. When using voice mode, your spoken words are captured, transmitted to a third-party speech-to-text service for transcription, and the resulting text is processed and stored. We do not permanently store raw audio recordings. Audio data is processed in transit for transcription purposes only.
Feedback and communications. If you contact us for support or provide feedback, we collect the content of those communications along with your email address.
3.2 Information Generated Through Platform Use
AI-generated outputs. The Platform's AI agents generate content based on your inputs, including: recommendations, roadmap tasks, conversation scripts, outreach messages, research reports, service packages, check-in responses, continuation briefs, and recalibration analyses. These outputs are stored as part of your account data.
Belief state. A structured data representation of your situation, extracted from your interview and updated through subsequent interactions. This includes dimensions such as your goals, market, budget, technical ability, available time, team size, motivation, and other contextual factors.
Cross-session memory. If you subscribe to the Compound tier, accumulated context from your prior discovery and execution cycles is maintained and used to inform future AI interactions. This memory grows as you complete more cycles.
Parking lot ideas. Ideas and observations you surface during execution that are captured for future reference.
Outcome data. If you complete the optional outcome capture (opt-in only), your self-reported assessment of whether a recommendation led to success, partial success, or did not work.
3.3 Information Collected Automatically
Device and access information. We collect your IP address, browser type, operating system, device type, screen resolution, and referring URL when you access the Platform. On mobile, we additionally collect device model and operating system version.
Usage data. The Platform does not use third-party analytics services to track your usage. General usage data is derived from server-side API request logs and database records generated through normal Platform operation.
Push notification tokens. If you use the mobile application and enable push notifications, we collect your device push notification token to deliver nudge reminders and system notifications.
Validation page analytics. If you create a validation landing page, we collect anonymous analytics from visitors to that page using our self-built, first-party analytics system. Visitor identity is derived from a salted, one-way cryptographic hash of the request IP address and user agent — no cookies are set on visitors' devices and visitors cannot be personally identified. Analytics include page views, scroll depth, time on page, email signups, survey responses, and feature interest clicks.
4. How We Use Your Information
We use your information for the following purposes:
4.1 Providing the Platform's Services
This is the primary purpose of all data collection. Your interview responses, belief state, check-in messages, and tool inputs are processed by our AI agents to generate recommendations, roadmaps, tool outputs, check-in responses, and continuation briefs. Without this data, the Platform cannot function.
Legal basis: Performance of a contract (the Terms of Service you agreed to when creating your account).
4.2 Maintaining Cross-Session Memory
For Compound tier subscribers, your historical session data is used to inform future AI interactions within your account. This enables the Platform's AI agents to reference your prior execution history, outcomes, and learnings.
Legal basis: Performance of a contract (the Compound tier subscription).
4.3 Delivering Notifications
We use your email address and push notification token to send essential account notifications, including subscription changes, payment confirmations, service updates, security alerts, and nudge reminders for in-progress tasks.
Legal basis: Performance of a contract and legitimate interest in maintaining the service relationship.
4.4 Improving the Platform (Anonymised and Aggregated)
We analyse anonymised, aggregated patterns across all users to improve the quality of the Platform's AI agents, interview question selection, recommendation accuracy, tool outputs, and overall user experience. This analysis uses statistical trends across the user base, not individual session content.
Legal basis: Legitimate interest in improving our services.
4.5 Training Data Improvement (Opt-In Only)
If you explicitly opt in through your account settings, anonymised versions of your outcome data may be used to improve the Platform's recommendation accuracy. Anonymisation removes all personally identifiable information (names, emails, phone numbers), replaces specific locations with country-level buckets, and removes specific business names. This is entirely optional and disabled by default.
Legal basis: Your explicit consent, which may be withdrawn at any time.
4.6 Fraud Prevention and Security
We use device information, IP addresses, and usage patterns to detect and prevent fraudulent activity, abuse, and security threats to the Platform.
Legal basis: Legitimate interest in protecting our services and users.
4.7 Legal Compliance
We may process your data where required to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
Legal basis: Legal obligation.
5. How We Share Your Information
We do not sell your personal information to any third party. We share your information only in the following circumstances:
5.1 Third-Party Service Providers
To deliver the Platform's services, your data is processed by the following third-party providers. Each provider processes data only for the specific purpose described and is required to maintain appropriate security measures.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic (Claude API) | AI agent processing — generates recommendations, roadmaps, tool outputs, check-in responses | Interview responses, belief state, session context, check-in messages, tool inputs | United States |
| Exa | Semantic search for the Research Tool | Search queries formulated by AI agents on your behalf | United States |
| Tavily | Factual search for the Research Tool | Search queries formulated by AI agents on your behalf | United States |
| Neon | PostgreSQL database hosting | All persistent Platform data (encrypted at rest) | United States |
| Upstash | Redis caching and rate limiting | Session tokens, temporary cached data | United States |
| Vercel | Application hosting and serverless functions | Application requests and responses | United States / Global CDN |
| Inngest | Background job processing | Asynchronous task payloads (nudge scheduling, synthesis jobs) | United States |
| Paddle | Payment processing (Merchant of Record) | Name, email, payment information, billing address | United Kingdom |
| Expo | Mobile push notifications | Device push tokens, notification content | United States |
| Speech-to-text provider | Voice transcription | Voice audio (temporarily during transcription) | United States |
| Text-to-speech provider | Voice response generation | Generated text for audio conversion | United States |
| Google / GitHub | OAuth authentication | Authentication tokens (we receive name, email, profile image) | United States |
5.2 Research Tool — External Data Retrieval
When you use the Research Tool or when AI agents conduct research on your behalf, search queries are sent to Exa and Tavily. These queries are formulated by the AI agents based on your context — they may include information about your business idea, target market, geographic location, or industry. The research providers return publicly available information and do not receive your personal identity, account details, or complete session data.
5.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request. We may also disclose information if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Tabempa Engineering, our users, or the public.
5.4 Business Transfers
If Tabempa Engineering is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy.
6. International Data Transfers
Tabempa Engineering is based in Sierra Leone. However, the third-party services we use to deliver the Platform are primarily located in the United States, the United Kingdom, and the European Union. By using the Platform, your data is transferred to and processed in these jurisdictions.
For users in the European Economic Area (EEA), United Kingdom, or other regions with data protection laws governing international transfers, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): Where required, we ensure our third-party processors maintain appropriate contractual commitments for cross-border data transfers.
- Adequacy decisions: Where the European Commission has recognised a jurisdiction as providing adequate data protection, transfers proceed on that basis.
- Necessity for contract performance: Data transfers are necessary to provide the Platform's services as described in our Terms of Service.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (HTTPS).
- Encryption at rest: Database storage is encrypted at rest through our database provider (Neon).
- Access controls: Platform data is scoped to individual user accounts. Each API request is authenticated and authorised to ensure users can only access their own data.
- Ownership-scoped queries: All database queries are scoped to the authenticated user's account, preventing cross-account data access.
- Rate limiting: API endpoints are rate-limited to prevent abuse and protect against denial-of-service attacks.
- Input sanitisation: All user-provided text is sanitised before being processed by AI agents to mitigate prompt injection attacks.
- Secure authentication: Authentication is handled through industry-standard OAuth 2.0 providers (Google and GitHub). We do not store passwords.
- Minimal data retention: We collect only the data necessary to provide the Platform's services.
While we take reasonable precautions to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security and accept no liability for unauthorised access resulting from circumstances beyond our reasonable control.
8. Data Retention
8.1 Active Accounts
Your data is retained for as long as your account remains active. All session data (interviews, recommendations, roadmaps, check-ins, tool sessions, continuation briefs) is retained to provide continuity of service, particularly for cross-session memory functionality.
8.2 Cancelled Subscriptions
If you cancel your paid subscription, your account reverts to the Free tier. Your historical data remains accessible in read-only mode for 90 days. After 90 days of inactivity following cancellation, we may delete execution data (roadmaps, check-ins, tool sessions) while retaining your core account data (discovery sessions, recommendations) until you request deletion.
8.3 Deleted Accounts
If you request account deletion (see Section 9), all data is removed from our primary database within 30 days and from backup systems within 90 days. Data that has been processed by third-party AI providers (Anthropic, Exa, Tavily) is subject to those providers' own retention policies.
8.4 Anonymised Data
Anonymised, aggregated data that cannot be used to identify any individual may be retained indefinitely for the purpose of Platform improvement and research, even after your account is deleted.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
9.1 Right of Access
You may request a copy of the personal information we hold about you. Most of this information is directly accessible through the Platform (your interview transcripts, recommendations, roadmaps, check-in history, and tool sessions are all viewable in your account).
9.2 Right to Correction
You may request that we correct any inaccurate personal information. Account information can be updated through your OAuth provider (Google or GitHub). For corrections to session data, contact us at info@tabempa.com.
9.3 Right to Deletion
You may request complete deletion of your account and all associated data at any time by contacting us at info@tabempa.com. Deletion will be completed within 30 days of receiving a verified request. This right is subject to any legal obligations that may require us to retain certain data.
9.4 Right to Data Portability
You may request a machine-readable export of your personal data, including your interview transcripts, belief state, recommendations, roadmaps, check-in history, and tool session data. Export requests will be fulfilled in JSON format within 30 days.
9.5 Right to Restrict Processing
You may request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of the data or object to our processing.
9.6 Right to Object
You may object to the processing of your personal information where we rely on legitimate interest as the legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
9.7 Right to Withdraw Consent
Where processing is based on your consent (such as the training data opt-in), you may withdraw consent at any time through your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
9.8 Exercising Your Rights
To exercise any of these rights, contact us at info@tabempa.com. We will respond to all requests within 30 days. We may request verification of your identity before processing a request.
9.9 Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction. For users in the European Union, this is the supervisory authority in your member state. For users in Sierra Leone, this will be the Data Protection Commission once established under forthcoming legislation.
10. Children's Privacy
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at info@tabempa.com.
11. Cookies and Tracking Technologies
Our use of cookies and similar tracking technologies is described in our Cookie Policy. In summary:
- Essential cookies: Required for authentication, session management, and security. These are the only cookies set by the Platform.
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. All analytics are handled through first-party, server-side systems that do not set cookies on your device.
12. Third-Party Links
The Platform may contain links to third-party websites or services, including links in research findings generated by the Research Tool. We are not responsible for the privacy practices or content of third-party websites. We encourage you to read the privacy policies of any third-party service you visit through links on the Platform.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you via the email address associated with your account or through a prominent notice on the Platform at least 30 days before the changes take effect.
The "Last Updated" date at the top of this Privacy Policy indicates when it was most recently revised.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us:
Tabempa Engineering Limited 82 Devil Hole, Waterloo Freetown, Sierra Leone
Email: info@tabempa.com Website: tabempa.com
This Privacy Policy is effective as of May 1, 2026. NeuraLaunch is a product of Tabempa Engineering Limited.
Related documents