1. Who we are (Data Controller)
NEURO Business School, S.L. (operating as "NBS" and "insight"), a private institution registered in Barcelona, Spain, is the Data Controller of the personal data processed on this platform.
- Registered office: [Street, Postal code, Barcelona, Spain — to be confirmed by NBS legal]
- Tax ID (NIF / CIF): [NIF to be confirmed by NBS legal]
- Contact: hello@eunbs.com
- Data Protection Officer (DPO): dpo@eunbs.com
2. What data we collect
2.1 Data you give us directly
- Identity: full name, email, phone, date of birth, nationality, country.
- Academic record: programme, cohort group, start and end dates, grades, attendance, assignments, submissions, feedback.
- Profile content: avatar photo, biography, LinkedIn URL, Instagram handle.
- Communications: messages exchanged with NBS staff, professors, mentors and peers; support tickets; document requests.
- Career data: uploaded CV link, skills, applications you submit through insight.
2.2 Data we generate from your use of the platform
- Attendance: QR scans and Zoom join events recorded against each class session.
- Engagement: course materials viewed, assignments submitted, mentor sessions booked.
- Technical: IP address, browser/user-agent, session timestamps — used for security and audit.
- NeuroCoin (internal credit): wallet balance, transaction ledger.
2.3 Data from third parties
- Authentication providers (Google, Facebook) — only the basic profile fields you authorize us to receive at sign-in.
- Zoom Meetings — meeting join/leave events for online class attendance.
3. Why we process your data (legal bases)
Each category of data has at least one legal basis under GDPR Article 6:
- Performance of an educational contract (Art. 6.1.b) — managing your enrolment, grades, attendance, mentoring, certificates.
- Legal obligation (Art. 6.1.c) — tax, accounting, academic record retention required by Spanish education law.
- Legitimate interests (Art. 6.1.f) — securing the platform, preventing fraud, defending claims, anonymous usage analytics.
- Your explicit consent (Art. 6.1.a) — non-essential cookies, marketing communications, sharing your profile in the alumni directory.
4. How long we keep your data (retention)
- Active student / staff / mentor records: kept while you are linked to NBS plus 5 years.
- Academic records and certificates: retained indefinitely as required by Spanish education law (NBS must be able to re-issue diplomas).
- Financial records: 6 years per Spanish General Accounting Plan.
- Server access logs: 12 months.
- Cookies: see Cookies Policy for per-cookie expiry.
5. Who we share your data with
We never sell your data. We share it only with:
- Service providers acting on our instructions (data processors under signed agreements): hosting (Vercel / Neon), email delivery, Zoom for class meetings, error-monitoring, analytics if you've consented.
- NBS staff and faculty — only the academic and contact data they need to do their job (a professor sees grades for their own course; a mentor sees the mentee they're paired with; the registrar sees enrolment).
- Competent authorities when legally required (tax authority, courts).
Our processors may be located in the European Economic Area (EEA). If we ever transfer data outside the EEA we will only do so under the safeguards required by GDPR Chapter V (e.g. Standard Contractual Clauses).
6. Your rights under GDPR
You may, free of charge, exercise the following rights at any time:
- Access — receive a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — request deletion when the data is no longer necessary, subject to legal retention obligations.
- Restriction — limit processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Object — to processing based on legitimate interests, including profiling.
- Withdraw consent at any time for processing based on consent. Withdrawal does not affect the lawfulness of past processing.
- Lodge a complaint with the Spanish Data Protection Agency (AEPD — aepd.es) if you believe we are not handling your data correctly.
To exercise any right, email dpo@eunbs.com with a copy of an ID document (so we can verify your identity). We respond within one month, extendable by two months for complex requests as permitted by GDPR Art. 12.
7. How we keep your data secure
- Passwords are stored as one-way bcrypt hashes; we never see them in clear text.
- All traffic between your browser and insight is encrypted with TLS.
- Database access is restricted to designated NBS staff and is recorded in an audit log.
- Backups are encrypted at rest. Backup retention follows the same rules as live data.
- Every commercial write (delete student, change role, etc.) is recorded in an immutable audit log.
- We perform regular dependency updates and security reviews.
8. Minors
Insight is designed for university-level students (typically 18+) and adult professional learners. We do not knowingly collect data from children under 14 (Spain's minimum digital consent age per LOPDGDD Art. 7). Bachelor applicants under 14 must have parental authorization, processed offline by NBS Admissions before any data is entered into insight.
9. Changes to this policy
We may update this policy to reflect changes in law or in how we operate insight. The "Last updated" date at the top of this page always shows when we last changed anything material. We will notify you in-app (and by email if the change is material) at least 30 days before it takes effect.
10. Questions?
Write to dpo@eunbs.com. We will reply within five business days for general questions and within one month for formal rights requests.