1. Introduction
Welcome to Neko Engineering Ltd. (ADGM, UAE) ("Neko," "we," "us," or "our"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website neko.engineering, use our hardware device ("Neko Device"), mobile application, cloud services, or make a reservation payment (collectively, "Services"). Please read this policy carefully. If you disagree with its terms, please discontinue use of our Services.
2. Corporate Structure and Data Controller Identity
The data controller responsible for your personal information is Neko Engineering Ltd. (ADGM, UAE), a company incorporated under the laws of the Abu Dhabi Global Market (ADGM), United Arab Emirates, Registration No. 32980, with registered address at Sky Tower Shams, 1801-C7, Al Reem, Abu Dhabi, UAE.
ADGM Data Protection Framework: Neko operates under the ADGM Data Protection Regulations 2021 ("ADGM DPR"), which are substantially aligned with the EU General Data Protection Regulation (GDPR). Our processing of personal data is governed by the ADGM DPR as the primary applicable law.
Global Operations: While incorporated in ADGM, Neko provides Services globally, including to users in the United States, the European Economic Area (EEA), the United Kingdom, and other jurisdictions. To the extent our activities fall within the territorial scope of the EU GDPR, UK GDPR, or US state privacy laws (including CCPA/CPRA), we additionally comply with those frameworks as described in Section 10 of this Policy.
Future Entities: Neko may establish additional legal entities in other jurisdictions (including a US entity) as our business grows. This Policy will be updated to reflect any structural changes. At the time of this Policy's effective date, all Services are operated solely by Neko Engineering Ltd. (ADGM, UAE).
Data Protection Officer (DPO) / Privacy Contact: We have designated a privacy point of contact for all data protection inquiries. Contact: privacy@neko.engineering. We do not currently have a mandatory DPO appointment obligation, but we have voluntarily designated a privacy responsible person. For EEA users, we are in the process of appointing an EU Representative as required under Article 27 GDPR; please contact privacy@neko.engineering for the current representative details.
3. Information We Collect
3.1 Information You Provide Directly
Identity and Contact Data: full name, email address, billing address, and phone number provided at checkout or account registration.
Payment Data: payment card details processed securely by Stripe, Inc. Neko does not store full card numbers. We retain only the last four digits and card type for reference. All payment processing is subject to Stripe's Privacy Policy.
Reservation Data: records of your $1 early-access reservation, including timestamp, reservation ID, and campaign source attribution (UTM parameters, referral codes).
Account Credentials: username and hashed password (bcrypt) when you create a Neko account.
Communications: content of emails, support tickets, survey responses, or any messages you send us.
User-Generated Content (UGC): audio recordings, riffs, musical compositions, tabs, stems, and any other content you create, store, process, or share using the Neko Device and app. See Section 5 for your content ownership rights and our license.
3.2 Information Collected Automatically
Device & Usage Data: IP address, browser type and version, operating system, device identifiers, pages visited, time spent, referring URLs, and click-stream data.
Hardware Telemetry: diagnostic data transmitted by the Neko Device to our servers for device health and performance purposes, including: firmware version and update status; wireless connection quality metrics; battery level and charging cycles; error logs and crash reports; feature usage frequency (e.g., which processing modes are used). Telemetry is transmitted no more frequently than once every 15 minutes during active use and once per connection event. You may opt out of non-essential telemetry in the Neko app under Settings > Privacy > Device Telemetry.
Location Data: general geographic location inferred from IP address (city/country level). We do not collect precise GPS data unless you explicitly grant permission in your device settings.
Cookies and Tracking Technologies: see Section 9 for full details.
3.3 Information From Third Parties
Payment Processors: Stripe provides us with tokenized payment confirmation, transaction IDs, and fraud-risk signals.
Analytics Providers: aggregated and anonymized behavioral data from services including Mixpanel and/or PostHog (hosted in the EU or US, subject to SCCs where applicable).
Referral Sources: campaign attribution data from marketing partners.
Social Sign-On: if you register via Google or Apple, we receive your name, email, and profile photo as permitted by that provider's terms.
4. User Content: Ownership, License, and Copyright Responsibility
4.1 You Own Your Content
You retain full ownership of all audio recordings, riffs, musical compositions, tabs, stems, generated tracks, and other content you create using the Neko Device and Services ("Your Content"). Nothing in this Policy or our Terms of Service transfers ownership of Your Content to Neko.
4.2 License You Grant to Neko
By uploading, storing, or processing Your Content through the Services, you grant Neko Engineering Ltd. a limited, worldwide, non-exclusive, royalty-free license to:
store, reproduce, and transmit Your Content solely to provide the Services to you;
create technical derivatives (e.g., compressed formats, waveform previews, stem separations) as necessary to operate the Services;
use anonymized, de-identified, or aggregated representations of Your Content to improve our AI models and Services, subject to the restrictions in Section 4.3 below.
This license is limited to the purposes described above and terminates when you delete Your Content or close your account, subject to our data retention schedule in Section 6.
4.3 AI Training — Explicit Restrictions
We take the use of your musical content for AI training seriously. The following rules apply:
We will NEVER use identifiable recordings, riffs, or compositions that can be linked to your account to train AI models without your explicit, separate, affirmative opt-in consent.
Opt-in for AI training is entirely voluntary and is not a condition of using the Services.
If you opt in, you may withdraw consent at any time via Settings > Privacy > AI Training Consent. Withdrawal does not affect processing already completed.
We may use fully anonymized, aggregated audio feature data (e.g., statistical patterns, not raw audio) for model improvement without opt-in, as this data cannot be linked back to you or your recordings.
Any AI training program will be described in a separate, plainly worded consent form presented to you before enrollment.
4.4 Your Copyright Responsibility
You represent and warrant that You own or have obtained all necessary rights, licenses, consents, and permissions to upload, store, and process Your Content through the Services. Specifically:
You must not upload, record through, or process any copyrighted material (including but not limited to commercially released songs, compositions, sound recordings, or samples) through the Neko Device or app without a valid license from the rights holder.
Neko is not responsible or liable for any copyright infringement arising from Your Content. You agree to indemnify and hold harmless Neko from any claims, damages, or expenses arising from your infringement of third-party intellectual property rights.
Neko operates a notice-and-takedown procedure in compliance with the Digital Millennium Copyright Act (DMCA) and equivalent laws. Copyright infringement notices should be sent to: copyright@neko.engineering.
Neko's stem-splitting and AI-generation features are tools provided for lawful use. Use of these features to circumvent digital rights management (DRM) or to infringe copyright is prohibited and may result in account termination.
5. How We Use Your Information
We use the information we collect for the following purposes, each supported by a lawful basis:
To Process Reservations and Transactions: fulfilling your $1 reservation, issuing receipts, and crediting your account upon device purchase. (Lawful basis: Contractual necessity)
To Provide and Operate the Services: enabling core features including wireless audio transmission, AI-powered recording, riff tagging, stem splitting, tab generation, and generative track creation. (Contractual necessity)
To Improve and Develop the Services: analyzing usage patterns, running A/B tests, and improving our AI models using anonymized or aggregated data subject to Section 4.3. (Legitimate interest)
To Communicate With You: transactional emails (receipts, shipping updates, Kickstarter launch notifications), product announcements, and support responses. You may opt out of marketing at any time. (Consent / Legitimate interest)
To Personalize Your Experience: recommending settings, tones, or features based on your usage patterns. (Legitimate interest)
To Ensure Security and Prevent Fraud: monitoring for unauthorized access, detecting abuse, and protecting platform integrity. (Legitimate interest / Legal obligation)
To Comply With Legal Obligations: responding to lawful requests, maintaining required tax and financial records under UAE and applicable international law. (Legal obligation)
To Enforce Our Terms: investigating and acting on violations of our Terms of Service. (Legitimate interest)
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this policy, subject to legal obligations. Our retention schedule distinguishes between content types given the nature of our Services:
Account Data: retained for the life of your account plus 3 years after account deletion.
Reservation and Payment Records: retained for 7 years to comply with financial recordkeeping requirements under UAE Commercial Companies Law and applicable tax regulations.
Raw Audio Recordings: retained until you delete them or close your account. Deleted recordings are purged from production servers within 30 days and from backups within 90 days.
Processed Audio (stems, generated tracks, compressed previews): retained until deleted by you or on account closure. Derived files are deleted within 30 days of deletion of the source recording.
Audio Feature Embeddings and Metadata (e.g., riff tags, tempo/key analysis): if anonymized and unlinked from your identity, may be retained for up to 3 years for model improvement purposes, subject to Section 4.3 restrictions.
Hardware Telemetry and Log Data: raw logs retained for 12 months, then automatically deleted or irreversibly anonymized.
Marketing Communications: suppression lists maintained indefinitely; opt-out requests honored within 10 business days.
Support Communications: retained for 3 years after ticket closure.
7. Sharing and Disclosure of Your Information
Service Providers: trusted vendors bound by data processing agreements, including: Stripe, Inc. (payment processing, US) — subject to Stripe's Privacy Policy and PCI-DSS; Amazon Web Services (cloud hosting, primary region: [INSERT AWS REGION, e.g., eu-west-1]); SendGrid / similar (email delivery); Mixpanel or PostHog (analytics, anonymized data only). All service providers are prohibited from using your data for their own purposes beyond providing services to us.
Business Transfers: in connection with a merger, acquisition, or sale of assets. We will provide 30 days' notice before your data is transferred and becomes subject to a different privacy policy.
Legal Requirements: when required by law, court order, UAE regulatory authority, or when necessary to protect the rights, safety, or property of Neko, our users, or the public.
With Your Consent: for any other purpose with your explicit prior consent.
Aggregated or De-identified Data: anonymized, aggregated data that cannot reasonably identify you may be shared with research partners or published publicly.
8. Data Security
We implement industry-standard technical and organizational measures including:
Encryption in transit: TLS 1.2 or higher for all data transmitted between the Neko Device, app, and our servers.
Encryption at rest: AES-256 for sensitive data stored in our databases.
Access controls: role-based access controls; access to personal data restricted to those with a legitimate need.
Payment security: PCI-DSS compliance through Stripe integration; raw card data never processed or stored on Neko servers.
Vulnerability management: regular security assessments and prompt patching of identified vulnerabilities.
In the event of a data breach affecting your rights and freedoms, we will notify affected users and applicable regulators (including the ADGM Registration Authority and, where applicable, EU/UK supervisory authorities) within 72 hours of becoming aware.
9. Cookies and Tracking Technologies
We use cookies and similar technologies on our website. We operate a layered consent model as required by the GDPR, ADGM DPR, and equivalent laws:
9.1 Cookie Categories
Strictly Necessary Cookies: essential for the website to function (e.g., session management, security tokens). These are always active and do not require consent.
Performance and Analytics Cookies: help us understand visitor interactions (e.g., page load times, navigation paths). Used in anonymized form only. Require consent for EEA/UK visitors.
Functional Cookies: remember your preferences (language, region, settings). Require consent.
Marketing and Advertising Cookies: track visitors across websites to deliver targeted advertisements. We will only deploy these with your explicit, granular opt-in consent obtained via our cookie consent banner.
9.2 Consent Management
On your first visit, our cookie consent banner will allow you to accept or reject each non-essential category individually. You may change your preferences at any time by clicking "Cookie Settings" in the footer of our website. Withdrawing consent will take effect immediately for future tracking and within 24 hours for existing cookies.
For users who do not interact with the cookie banner, only Strictly Necessary Cookies will be set. We do not interpret banner non-interaction as consent.
9.3 Third-Party Tracking
Some analytics and marketing cookies are set by third parties (e.g., Google Analytics, Meta Pixel, if used). These third parties have their own privacy policies governing their use of such data. A full list of third-party cookies and their purposes is available in our Cookie Policy at neko.engineering/cookies.
10. Your Privacy Rights
Depending on your location, you may have the following rights. To exercise any right, contact privacy@neko.engineering with subject line "Privacy Rights Request." We will respond within the applicable statutory period.
10.1 Rights Under ADGM DPR (All Users)
Right of Access: obtain confirmation of processing and a copy of your personal data.
Right to Rectification: correct inaccurate or incomplete personal data.
Right to Erasure: request deletion of your personal data where it is no longer necessary, or where you withdraw consent (subject to legal retention obligations).
Right to Restriction: request we restrict processing of your data in certain circumstances.
Right to Data Portability: receive your personal data in a structured, machine-readable format (JSON or CSV).
Right to Object: object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Rights Related to Automated Decision-Making: where we use automated processing (including AI) that produces legal or significant effects, you have the right to human review, to express your point of view, and to contest the decision.
10.2 California Residents (CCPA/CPRA)
California residents have additional rights under CCPA/CPRA. We do not sell personal information and do not share it for cross-context behavioral advertising. Additional rights include:
Right to Know: categories and specific pieces of personal information collected, purposes, and third parties with whom shared.
Right to Delete: subject to certain exceptions under CCPA Section 1798.105.
Right to Correct: rectify inaccurate personal information.
Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information beyond service provision.
Right to Non-Discrimination: we will not deny, charge different prices, or provide different quality of service for exercising CCPA rights.
Submit CCPA requests to privacy@neko.engineering. Response within 45 calendar days (extendable by 45 days with notice).
10.3 EEA, UK, and Swiss Residents (GDPR / UK GDPR)
In addition to rights under Section 10.1, EEA/UK/Swiss residents may lodge a complaint with their local supervisory authority. For EEA users, we are in the process of appointing an EU Article 27 Representative; current contact: privacy@neko.engineering. Our legal bases for processing are contractual necessity, legitimate interests, legal obligation, and consent (where specified). We will not rely on legitimate interests where your interests or rights override ours.
International transfers from the EEA/UK to countries without an adequacy decision (including the UAE and, where applicable, the US) are made under Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK's International Data Transfer Agreement (IDTA), as applicable. Copies of applicable SCCs are available upon request.
11. International Data Transfers
Neko Engineering Ltd. is incorporated in the ADGM, UAE. Our Services involve data processing in multiple jurisdictions. Your data may be transferred to and processed in:
United Arab Emirates (ADGM): primary jurisdiction of our data controller entity.
United States: our primary cloud hosting infrastructure is on Amazon Web Services ([INSERT REGION, e.g., us-east-1 or eu-west-1]). Stripe, Inc. processes payment data in the US. Where applicable, SCCs or other appropriate safeguards govern these transfers.
European Union / EEA: analytics providers may process anonymized data within the EU.
We take all reasonable steps to ensure that transfers of personal data are made in accordance with applicable law and that personal data remains protected to the standards described in this Policy wherever it is processed.
Sub-processor Chain: our key sub-processors include Stripe (payments), AWS (hosting), SendGrid or equivalent (email), and Mixpanel/PostHog (analytics). A full and current sub-processor list is maintained at neko.engineering/subprocessors.
12. Minors and Age Restrictions
The Neko Device and Services are designed for general audiences including aspiring and professional guitarists of all ages. We recognize that teenagers are a key user group (guitars are commonly gifted to and used by young people). Our age policy is as follows:
Minimum Age — United States: users must be at least 13 years of age to create an account. Users under 13 are not permitted to use the Services without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA).
Minimum Age — European Economic Area and UK: consistent with GDPR Article 8, users in the EEA must be at least 16 years of age to provide consent to data processing independently. Users aged 13-15 in the EEA must have verifiable parental or guardian consent before creating an account or using the Services.
Minimum Age — Other Jurisdictions: the age of digital consent varies by country. Where local law sets a higher minimum age, that age applies.
Users aged 13-17 (or the applicable minimum age through 17) may use the Services with parental or guardian consent. We encourage parents and guardians to actively supervise their children's use of the Services and to contact us at privacy@neko.engineering if they believe their child has registered without appropriate consent.
We do not knowingly collect personal information from children below the applicable minimum age. If we become aware of such collection, we will delete the data promptly and notify the parent or guardian if contact information is available.
13. Third-Party Links and Services
Our Services may contain links to third-party websites including Kickstarter, social media platforms, and partner services. This Privacy Policy does not apply to those third-party sites. We encourage you to review their privacy policies independently. We are not responsible for the content or privacy practices of third-party sites or services.
14. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or business structure. When we make material changes, we will:
Post the updated policy on neko.engineering/privacy with a new effective date.
Send an email notification to registered users at least 14 days before the changes take effect.
Display a prominent notice on our website for 30 days following the update.
Your continued use of our Services after the effective date constitutes acceptance of the updated policy. If you disagree, you may delete your account at any time.
15. Contact and Data Controller Details
For questions, concerns, or rights requests regarding this Privacy Policy:
Data Controller: Neko Engineering Ltd. (ADGM, UAE)
Registered Address: Sky Tower Shams, 1801-C7, Al Reem, Abu Dhabi, UAE
ADGM Registration No.: 32980
Privacy / DPO Contact: privacy@neko.engineering
Copyright Notices (DMCA): copyright@neko.engineering
Website: neko.engineering
EU Representative (Article 27 GDPR): [To be appointed — contact privacy@neko.engineering for current details]
We will acknowledge all Privacy Rights Requests within 5 business days and provide a substantive response within the applicable statutory period (45 days for CCPA; 30 days for GDPR/ADGM DPR, extendable by 2 months for complex requests).