Privacy Policy

Last updated: 7 March 2026

1. Data controller

Catalyst Neuromorphic Ltd (Company No. 17054540) is the data controller responsible for your personal data. We are registered at 71-75 Shelton Street, London WC2H 9JQ, United Kingdom.

ICO Registration: C1884018

Data protection contact: [email protected]

We operate the Catalyst Cloud platform at catalyst-neuromorphic.com and api.catalyst-neuromorphic.com, providing cloud neuromorphic computing, FPGA bitstream downloads, CLI tools, and SDK licensing.

2. What personal data we collect

We collect and process the following categories of personal data:

Account information

  • Email address
  • Display name
  • Hashed password (if registering with email/password)
  • GitHub or Google user ID and email (if you sign up via OAuth)

Payment information

  • Stripe customer ID, subscription ID, and payment method metadata
  • We do not store your card number, CVV, or full payment details — these are held exclusively by Stripe

Usage data

  • Job submissions: network configurations, job parameters, results, timestamps, compute time consumed
  • API key usage and request counts
  • Subscription tier and billing history

Technical data

  • IP address
  • Browser user-agent string
  • Session tokens (stored as SHA-256 hashes)
  • Request metadata (endpoint, method, timestamp, response status)

Job metadata

  • Network definitions and simulation configurations you submit
  • Job status, duration, and output data
  • Processor generation used (N1, N2, N3, etc.)

3. Lawful basis for processing

We process your personal data under the following lawful bases as defined by UK GDPR:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Service to you, including account management, job execution, billing, and sending transactional communications (verification codes, password resets, payment receipts, service updates).
  • Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, including platform security (rate limiting, fraud detection, abuse prevention), aggregate anonymised analytics to improve Service performance, and infrastructure monitoring. We have conducted balancing tests to ensure these interests do not override your rights.
  • Legal obligation (Article 6(1)(c)): Retaining payment records as required by UK tax law (HMRC).
  • Consent (Article 6(1)(a)): Where we rely on consent, you can withdraw it at any time by contacting us.

4. How we use your data

  • To provide the Service: Run your simulations, manage your account, process payments, deliver FPGA bitstreams, and provide SDK access
  • To communicate with you: Send verification codes, password resets, payment receipts, usage alerts, and important service updates
  • To improve the Service: Aggregate, anonymised usage statistics to understand platform performance and capacity planning
  • To prevent abuse: Rate limiting by IP address, detecting anomalous usage patterns, and fraud prevention
  • To comply with law: Responding to lawful requests from authorities and retaining records where legally required

We do not sell your personal data to anyone. We do not use your network definitions, simulation configurations, or job results for any purpose other than providing the Service to you. We do not use your data for automated decision-making or profiling.

5. Third-party processors

We use the following third-party services to operate the platform. Each acts as a data processor under our instruction:

  • Stripe (stripe.com) — Payment processing. Processes card details, billing, invoices, and subscription management. Stripe is PCI DSS Level 1 certified. Stripe's privacy policy applies to payment data. Stripe may process data in the US and EU.
  • Fly.io (fly.io) — API hosting and application infrastructure. Our API runs in the London (LHR) region. Fly.io processes request data and application logs.
  • Amazon Web Services (AWS) — S3 object storage for FPGA bitstreams, job artefacts, and backups. Data stored in eu-west-2 (London) where possible. AWS may also process data in us-east-1 for certain services.
  • Cloudflare (cloudflare.com) — Website hosting, CDN, DNS, and DDoS protection. Cloudflare may cache static content at global edge locations but does not cache personal data. Cloudflare may set security cookies for bot detection.
  • Resend (resend.com) — Transactional email delivery. Processes email addresses and email content for verification codes, receipts, and service notifications.
  • GitHub / Google — OAuth authentication providers (only if you choose to sign in via these services). We receive your user ID and email address; we do not access other account data.

We have data processing agreements in place with our sub-processors as required by UK GDPR. We do not share your personal data with any other third parties except where required by law.

6. Data retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Job results and network definitions: Retained for 90 days after job completion, then automatically purged.
  • Server logs (IP addresses, request metadata): Retained for 12 months, then deleted.
  • Payment records: Retained for 7 years as required by UK tax law (HMRC record-keeping obligations).
  • Email communications: Transactional email records retained for 12 months.

When data is deleted, it is permanently removed from our systems and backups within 30 days of the retention period expiring.

7. Your rights under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights:

  • Right of access (Article 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Article 16): Correct inaccurate personal data. You can update your name and email through the console account settings.
  • Right to erasure (Article 17): Request deletion of your personal data. You can delete your account from the console, which removes all associated data (subject to legal retention requirements).
  • Right to data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON). Export available from the console account page.
  • Right to restrict processing (Article 18): Request that we limit how we process your data in certain circumstances.
  • Right to object (Article 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, use the Account page in the console or email [email protected]. We will respond within one calendar month as required by UK GDPR. There is no fee for exercising your rights, except in cases of manifestly unfounded or excessive requests.

8. Data export and deletion

You can export all your data as a JSON file from the Account page in the console. This includes your profile, API keys (hashed), job history, network definitions, usage data, and billing records.

You can delete your account at any time, which will permanently remove all your data including networks, jobs, API keys, usage history, and billing records — except where retention is required by law (e.g., payment records for 7 years under UK tax law).

9. Security measures

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords hashed with bcrypt (cost factor 12)
  • API keys stored as SHA-256 hashes (plaintext never stored)
  • Session tokens hashed before database storage
  • HTTPS/TLS encryption for all connections
  • IP-based rate limiting on authentication endpoints
  • WAL-mode SQLite with foreign key constraints and integrity checks
  • Infrastructure access restricted to authorised personnel only

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected users without undue delay, as required by Articles 33 and 34 of UK GDPR.

10. International transfers

Your data is processed on servers in the United Kingdom (London). Encrypted backups are replicated to secure storage in the United States (Virginia) for disaster recovery. Some of our sub-processors also operate in the United States:

  • Stripe: May process payment data in the US and EU. Transfers are covered by Stripe's data processing agreement and EU Standard Contractual Clauses (SCCs).
  • AWS: FPGA bitstreams, job artefacts, and encrypted backups are stored in us-east-1 (Virginia). Transfers are covered by AWS's DPA and SCCs.
  • Cloudflare: CDN may cache static content globally. Personal data is not cached. Transfers covered by Cloudflare's DPA and SCCs.
  • Resend: Email processing may occur in the US. Covered by their DPA and SCCs.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including EU/UK Standard Contractual Clauses and supplementary measures where required, in accordance with Article 46 of UK GDPR.

11. Cookies and local storage

We use minimal cookies and browser storage. Our session authentication uses localStorage (not cookies). Cloudflare may set security cookies for bot detection. For full details, see our Cookie Policy.

12. Children

The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has created an account, please contact us and we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes that affect how we process your personal data, we will notify you by email or through the console at least 30 days before the changes take effect. The "Last updated" date at the top indicates the most recent revision.

14. Contact and complaints

For any questions about this Privacy Policy or how we handle your data, contact our data protection lead:

Henry Shulayev Barnes
Director, Catalyst Neuromorphic Ltd
71-75 Shelton Street, London WC2H 9JQ
[email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
ico.org.uk/make-a-complaint