Privacy Policy

Cerebri AI Inc. Privacy Shield Privacy Policy

Cerebri AI Inc., (“Cerebri” or “Company”) complies with the EU-US Privacy Shield Framework and the Swiss – US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland, respectively. Cerebri has certified to the Department of Commerce that it adheres to the Privacy Shield Principles and is in the process of having its certification reviewed for approval. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov.

Scope

This Privacy Shield Privacy Policy (the “Policy”) sets forth the privacy principles that Cerebri follows when processing Personal Data received from customers or prospective customers located in the European Economic Area (“EEA”) and Switzerland, while providing services. This Policy does not apply to information collected through cerebri.com or other Cerebri websites or to information collected during Cerebri sponsored sales and marketing activities. This Policy also does not apply to Personal Data collected through Cerebri’s recruiting process. For purposes of this Policy, Personal Data means information about an identified or identifiable individual that is received by Cerebri in the U.S. from the EEA or Switzerland and recorded in any form.

Cerebri’s Role as a Service Provider to its Customers and Prospective Customers

Cerebri is the creator of certain software products, and in connection with these software products, Cerebri provides product development services, solution engineering services, professional technical services, data migration services, and product technical support services (collectively “Services”) to its customers and prospective customers in the EEA and Switzerland through employees who may be located in the U.S. These U.S.-based employees may process Personal Data to provide Services to customers and prospective customers located in the EEA or Switzerland.

Customers determine the categories of Personal Data and other information that are made accessible by Cerebri, how that information will be used, to whom it will be disclosed, and for what purposes. Similarly, Cerebri’s customers and prospective customers who share data with Cerebri in connection with any of its Services determine which categories of Personal Data will be shared and for what purposes. Consequently, Cerebri does not know the categories of Personal Data to be processed or the purpose(s) of the processing unless and until Cerebri receives instructions from its customers or prospective customers.
When Cerebri processes Personal Data, Cerebri does so only for the purpose of providing Services pursuant to the customer’s or prospective customer’s instructions.

The Customer’s and Prospective Customer’s Responsibilities with respect to Personal Data

Cerebri customers and prospective customers may choose to include Personal Data among the data shared with Cerebri in connection with its provision of Services.

Cerebri processes only the Personal Data that its customers or prospective customers have chosen to share with Cerebri. Cerebri has no direct or contractual relationship with the subject of such Personal Data (a “Data Subject”). As a result, when a customer or prospective customer shares Personal Data, the customer or prospective customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws.

It is the customer’s or prospective customer’s responsibility to ensure that Personal Data it collects can be legally collected in the country of origin. The customer or prospective customer is also responsible for providing to the Data Subject any notices required by applicable law and for responding appropriately to the Data Subject’s request to exercise his or her rights with respect to Personal Data. In addition, the customer or prospective customer is responsible for ensuring that its use of Cerebri’s Services is consistent with any privacy policy the customer or prospective customer has established and any notices it has provided to Data Subjects.

Cerebri is not responsible for its customers’ or prospective customers’ privacy policies or practices or for the customers’ or prospective customers’ compliance with such policies or practices. Cerebri does not review, comment upon, or monitor its customers’ or prospective customers’ privacy policies or their compliance with such policies. Cerebri also does not review instructions or authorizations provided to Cerebri to determine whether the instructions or authorizations are in compliance with, or conflict with, the terms of a customer’s or prospective customer’s published privacy policy or of any notice provided to Data Subjects. Customers and prospective customers are responsible for providing instructions and authorizations that comply with their policies, notices, and applicable laws.

Cerebri’s Compliance with the Privacy Shield Principles

Cerebri employees located in the U.S. may provide Services for customers and prospective customers located in the EEA or Switzerland. To provide such Services, Cerebri may access and use Personal Data. Cerebri will apply the following Privacy Shield Principles to Personal Data physically or remotely transferred from the EEA or Switzerland to the U.S.

ACCESS

Data Subjects have the right to access the Personal Data an organization holds about them. If such Personal Data is inaccurate or processed in violation of the Privacy Shield Principles, a Data Subject may also request that Personal Data be corrected, amended, or deleted.

When Cerebri receives Personal Data, it does so on its customer’s or prospective customer’s behalf. To request access to, or correction, amendment or deletion of, Personal Data, Data Subjects should contact the Cerebri customer or prospective customer that collected their Personal Data. Cerebri will cooperate with its customers’ and prospective customers’ reasonable requests to assist Data Subjects to exercise their rights under the Privacy Shield.

CHOICE

Data subjects have the right to opt out of (a) disclosures of their Personal Data to third parties not identified at the time of collection or subsequently authorized, and (b) uses of Personal Data for purposes materially different from those disclosed at the time of collection or subsequently authorized. Cerebri’s customers and prospective customers are responsible for informing Data Subjects when they have the right to opt out of such uses or disclosures.

Data Subjects who wish to limit the use or disclosure of their Personal Data should submit that request to Cerebri’s customer or prospective customer that controls the use and disclosure of their Personal Data. Cerebri will cooperate with its customers’ and prospective customers’ instructions regarding Data Subjects’ choices.

SECURITY

Cerebri is committed to safeguarding the Personal Data that it receives from the EEA and Switzerland. While Cerebri cannot guarantee the security of Personal Data, Cerebri takes reasonable and appropriate measures to protect Personal Data in Cerebri’s possession from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Cerebri utilizes a combination of online and offline security technologies, procedures and organizational measures to help safeguard Personal Data. For example, facility security is designed to prevent unauthorized access to Cerebri computers. Electronic security measures — including, for example, network access controls, passwords and access logging — provide protection from hacking and other unauthorized access. Cerebri also protects Personal Data through the use of firewalls, role-based restrictions and, where appropriate, encryption technology. Cerebri limits access to Personal Data to employees, subcontractors, and third-party agents that have a specific business reason for accessing such Personal Data. Individuals granted access to Personal Data are aware of their responsibilities to protect such information and are provided appropriate training and instruction.

PURPOSE LIMITATION AND DATA INTEGRITY

Cerebri’s customers and prospective customers are responsible for limiting their collection of Personal Data to that which is necessary to accomplish the purposes disclosed to Data Subjects and compatible purposes. They also are responsible for providing Cerebri with instructions for the processing of Personal Data consistent with such purposes. Cerebri will process Personal Data only in accordance with the customer’s or prospective customer’s instructions.

Cerebri’s customers and prospective customers also are responsible for ensuring that (a) Personal Data they collect is accurate, complete, current and reliable for its intended uses; and (b) Personal Data is retained only for as long as is necessary to accomplish the customer’s or prospective customer’s legitimate business purposes disclosed to the Data Subject and for compatible purposes. Cerebri will cooperate with customers’ and prospective customers’ reasonable requests for assistance in meeting these obligations.

In the performance of Services, Cerebri will request only the minimum amount of information required to perform the applicable Services and will retain such information only for as long as necessary to provide the Services or for compatible purposes, such as to provide additional Services, to comply with legal requirements, or to preserve or defend Cerebri’s legal rights.

ONWARD TRANSFER

Cerebri will not disclose Personal Data to a third party, except as stated below:

Cerebri may disclose, subject to its agreements with is customers, Personal Data to subcontractors and third-party agents who assist Cerebri in providing Services to its customers and prospective customers. Before disclosing Personal Data to a subcontractor or third-party agent, Cerebri will obtain assurances from the recipient that it will: (a) use the Personal Data only to assist Cerebri in providing the Services; (b) provide at least the same level of protection for Personal Data as required by the Principles; and (c) notify Cerebri if the recipient is no longer able to provide the required protections. Upon notice, Cerebri will act promptly to stop and remediate unauthorized processing of Personal Data by a recipient. Cerebri will remain liable for onward transfers to its subcontractors and third-party agents.

Cerebri may also be required to disclose, and may disclose, Personal Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. To the extent permitted, Cerebri will inform its relevant customer or prospective customer before making such disclosure and provide it with a reasonable opportunity to object to such disclosure.

RECOURSE, ENFORCEMENT & LIABILITY

In compliance with the EU-US and Swiss-US Privacy Shield Principles, Cerebri commits to resolve complaints concerning its processing of Personal Data in accordance with the Privacy Shield Principles.

Any Data Subject who has a complaint about Cerebri’s processing of his/her Personal Data should first contact Cerebri’s Chief Security Officer by emailing cso@cerebri.com.

Cerebri has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles and Swiss-US Privacy Shield Principles to independent recourse mechanisms, EU data protection authorities (DPAs) under the EU-U.S. Privacy Shield Framework and with the Swiss Federal Data Protection and Information Commissioner under the Swiss-U.S. Privacy Shield Framework. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Cerebri, please visit https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint for more information on how to file a complaint at no cost to you.

In addition to the above dispute resolution mechanisms, Data Subjects may invoke binding arbitration if their complaint is not resolved by the DPA, the SFDPIC, or by the Department of Commerce after referral from the relevant data protection authority in the EEA or Switzerland. For more information about binding arbitration, visit https://www.privacyshield.gov.

Cerebri is subject to the investigatory and enforcement powers of the Federal Trade Commission.

For More Information

Data Subjects with questions about how Cerebri processes Personal Data should first contact the Cerebri customer or prospective customer that collected the Personal Data. Cerebri’s Security Department can be contacted by emailing cso@cerebri.com.

This policy is executed in English and can be translated into other languages upon request. In the event of any conflict or discrepancy between the English language version and a translated version, the English language version of this policy shall control.

Changes to this Privacy Policy

Cerebri may revise this Policy at any time. If Cerebri decides to materially change this Policy, Cerebri will post the revised Policy at this location.

Effective Date: June 1, 2018. Last revised: June 12, 2018.