The purpose of this Privacy Policy is to inform clients, subscribers, employees, contractors, and the general public of Cerebral’s practices regarding the collection, use, retention, transfer, and protection of personal information. Cerebral is committed to safeguarding privacy in accordance with applicable laws, including the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, the Swiss-U.S. DPF, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA/CPRA).

Cerebral has certified to the U.S. Department of Commerce that it adheres to the DPF Principles. In the event of a conflict between this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program and to view our certification, please visit: www.dataprivacyframework.gov. Cerebral is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

1. Scope and Applicability
This Privacy Policy applies to all personal information (“Personal Information” or “PI/PII”) collected by Cerebral, whether in electronic, paper, or verbal format, that allows for the identification of an individual. This includes, but is not limited to: names, email addresses, phone numbers, and mailing or billing addresses; login credentials and account identifiers; subscription and payment information (processed securely via Stripe; Cerebral does not store full payment card numbers); usage and technical data (IP address, browser type, device identifiers, analytics, cookies); preferences and profile data; content data submitted by users (comments, posts, or other contributions); employee and candidate data (resumes, employment records, disciplinary information, benefits and HR-related information); and publicly available or third-party data (social media handles, analytics, publicly available sources).

2. DPF Principles

A. Notice
Cerebral provides notice to individuals regarding the categories of Personal Information it collects, the purposes for which it is used, and the types of third parties with whom it may be shared. Cerebral may disclose Personal Information to comply with lawful requests by public authorities, including requirements to meet national security or law enforcement obligations. Cerebral does not sell or rent Personal Information.

B. Choice
Cerebral provides individuals with the right to opt-out of (i) the disclosure of Personal Information to a third party not acting as an agent of Cerebral, and (ii) the use of Personal Information for a purpose materially different from the purpose for which it was originally collected. Individuals may exercise opt-out rights by contacting [email protected]. For sensitive information (including HR or health-related records), Cerebral will obtain explicit opt-in consent where required by law, unless processing falls under legal exceptions, such as vital interests, employment law obligations, medical necessity, or information already made public by the individual.

C. Accountability for Onward Transfer
Cerebral shall not transfer Personal Information originating from the EU, UK, or Switzerland to third parties unless such third parties have agreed in writing to provide at least the same level of privacy protection required under the DPF Principles. Cerebral remains liable for the processing of Personal Information it transfers to third parties acting as agents unless it proves it is not responsible for the event giving rise to the damage.

D. Security
Cerebral employs technical, administrative, and organizational security measures to protect Personal Information against loss, misuse, unauthorized access, disclosure, alteration, or destruction. These measures include encryption, secure AWS hosting, access controls, and incident response procedures.

E. Data Integrity and Purpose Limitation
Cerebral shall only collect Personal Information that is relevant to the purposes for which it is to be used and shall not process it in a manner incompatible with such purposes. Cerebral will take reasonable steps to ensure that Personal Information is reliable, accurate, complete, and current. Cerebral retains Personal Information only as long as necessary to fulfill legitimate business purposes or as required by law, including tax, employment, and contractual obligations.

F. Access
Individuals have the right to access their Personal Information held by Cerebral and to correct, amend, or delete information that is inaccurate or processed in violation of the DPF Principles. Requests may be made by contacting [email protected]. Cerebral may limit access rights where providing access would be disproportionate to the risks to privacy or where the rights of other persons would be violated.

G. Recourse, Enforcement, and Liability
Individuals with questions or complaints regarding Cerebral’s compliance with this Privacy Policy or the DPF Principles should first contact [email protected]. Cerebral will investigate and respond within forty-five (45) days. Cerebral has committed to cooperate with the EU Data Protection Authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities. If concerns cannot be resolved, individuals may have the option to invoke binding arbitration. Cerebral remains subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

3. Supplemental Principles

A. Sensitive Data
Cerebral will obtain explicit consent before collecting or using sensitive Personal Information, except where one of the following exceptions applies: (i) processing is in the vital interest of the data subject or another person; (ii) processing is required by law; (iii) processing is necessary for the establishment, exercise, or defense of legal claims; (iv) processing is necessary to provide medical care or diagnosis; or (v) the data has been made public by the individual.

B. Onward Transfer for Accountability
Third parties receiving Personal Information from Cerebral must agree to provide an equivalent level of protection consistent with the DPF Principles. Cerebral shall remain responsible for onward transfers unless it can demonstrate it was not responsible for the event giving rise to damages.

C. Dispute Resolution and Arbitration
If complaints cannot be resolved directly with Cerebral or through DPAs, individuals may invoke binding arbitration before the Data Privacy Framework Panel. This arbitration is available at no cost to the individual.

D. Enforcement and Compliance
Cerebral is committed to ensuring compliance with the DPF Principles through regular internal assessments. Violations of this Privacy Policy by employees may result in disciplinary action.

E. Obligations to Provide Access
Access to Personal Information shall not be provided where the burden or expense of providing access would be disproportionate to the risks to privacy, or where the rights of other individuals would be violated.

F. Retention
Cerebral will retain Personal Information only for as long as necessary to achieve the purposes for which it was collected or as required by law.

4. California Consumer Privacy Act (CCPA/CPRA)
California residents have the right to request access to the categories and specific pieces of Personal Information collected, request deletion of Personal Information, request correction of inaccurate data, and opt out of the “sharing” of Personal Information for cross-context behavioral advertising. Cerebral does not sell Personal Information. Requests may be submitted to [email protected].

5. Employee and Candidate Data
Cerebral collects and processes employee and candidate Personal Information solely for legitimate HR purposes, including payroll, benefits administration, recruitment, performance management, compliance with employment law, and workplace safety. Such data is accessible only to HR personnel and other employees with a legitimate business need to know.

6. Minors
Cerebral does not knowingly collect Personal Information from individuals under 18. If such data is inadvertently collected, Cerebral will promptly delete it.

7. International Transfers
Cerebral may transfer Personal Information across jurisdictions where it operates. All such transfers shall be conducted in accordance with the DPF Principles, GDPR, and applicable data protection laws.

8. Enforcement and Supervisory Contacts
European Data Protection Supervisor (EDPS), Rue Wiertz 60, 1047 Bruxelles/Brussel, Tel. +32 2 283 19 00, Email: [email protected]. UK Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England, Tel. +0303 123 1113, Website: ico.org.uk. Swiss Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland, Tel. +41 (0)58 462 43 95, Website: www.edoeb.admin.ch.

9. Right to Amend Policy
Cerebral reserves the right to amend this Privacy Policy and related business procedures at any time, including to comply with evolving legal requirements. Updated versions will be posted with a new “Last Updated” date.

10. Contact Information
Cerebral Privacy Office /  [email protected]