Privacy Policy
Last updated: 5/15/2026
Introduction
This Privacy Policy explains how Cerebelus ("we", "us", or "our") collects, uses, shares, and protects your personal data when you use our website and services. We act as the data controller for the personal data described in this policy.
This policy applies to all users of our website, application, and related services, regardless of how they access them.
Personal Data We Collect
We collect personal data in the following categories:
Account Data
- Email address — for account creation, login, and communication
- Full name — for personalizing the service and communications
- Password — stored as a cryptographic hash, never in plain text
- Profile picture — optional, for personalizing your account
Billing Data
- Payment method details — processed and stored exclusively by Stripe; we never see or store your full card number
- Billing history — invoice amounts, dates, and subscription status
- Currency preference — to display prices in your preferred currency
Usage Data
- Pages visited and features used — to understand how the service is used and improve it
- Device type, browser, and operating system — for compatibility and troubleshooting
- IP address — for security, fraud prevention, and approximate geolocation (country level)
- Timestamps of actions — login times, feature usage dates
- Campaign and referral source — to measure marketing effectiveness and credit affiliate partners. With your marketing consent, this may be stored in a cookie for up to 30 days
Communication Data
- Support ticket content — messages you send through our support system
- Communication preferences — your choices about which emails to receive
- Marketing consent — whether you opted in to promotional communications, and when
Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
- Performance of a Contract (Art. 6(1)(b))
Processing necessary to provide the service you signed up for: account management, subscription billing, customer support, and service delivery.
- Consent (Art. 6(1)(a))
Where you have given explicit consent: marketing emails, optional analytics cookies, and newsletter subscriptions. You can withdraw consent at any time.
- Legitimate Interest (Art. 6(1)(f))
Processing necessary for our legitimate business interests, balanced against your rights: service improvement through aggregated analytics, fraud prevention, and security monitoring.
- Legal Obligation (Art. 6(1)(c))
Processing required to comply with applicable laws: tax records, fraud investigation, and responding to lawful requests from authorities.
How We Use Your Data
We use your personal data for the following purposes:
- Provide, operate, and maintain the service — account management, feature access, and technical support
- Process payments and manage subscriptions — billing, invoicing, and subscription lifecycle
- Communicate with you — transactional emails (password resets, security alerts, billing confirmations), and marketing emails if you opted in
- Protect the service and users — detect and prevent fraud, abuse, and security threats
- Improve the service — analyze aggregated usage patterns to identify bugs, optimize performance, and develop new features
- Comply with legal obligations — maintain records required by tax and financial regulations, respond to lawful data requests
Artificial Intelligence
We use AI-powered features to enhance your experience, including an in-app chat assistant and personalized email communications. These AI features process your inputs in real time using third-party language model providers (such as OpenAI). We do not use your personal data to train AI models. AI-generated responses are provided for informational purposes and may not always be accurate.
Sub-Processors and Third Parties
We share your personal data only with trusted third-party service providers ("sub-processors") who process data on our behalf. Each sub-processor is bound by a Data Processing Agreement and processes only the data strictly necessary for the purpose described.
- Stripe — Payment processing and subscription management (United States (EU-US DPF certified))
- Supabase — Database hosting and authentication (United States (SOC 2 Type II))
- Resend — Transactional and marketing email delivery (United States)
- Vercel — Application hosting and content delivery (Global CDN, primary region United States)
- OpenAI — AI chat assistant and content generation (United States)
Some sub-processors may process data outside the European Economic Area. In such cases, transfers are protected by the EU-US Data Privacy Framework, EU Standard Contractual Clauses, or an adequacy decision by the European Commission, as applicable.
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
Data Retention
We retain personal data only as long as reasonably necessary for the purposes described in this policy. General retention criteria:
- Account data — retained while your account is active, and for a reasonable period after account deletion to process pending requests
- Billing records — retained for the period required by applicable tax and accounting regulations
- Support tickets — retained for a reasonable period after resolution for quality assurance
- Usage analytics — aggregated or deleted within a reasonable period; raw identifiers are not retained indefinitely
- Email delivery logs — retained for operational and troubleshooting purposes, then deleted
- Security logs — retained for a reasonable period for fraud detection and incident investigation
When data is no longer needed, it is securely deleted or irreversibly anonymized so that you can no longer be identified from it.
Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
- Right of Access (Art. 15)
Request a copy of the personal data we hold about you, in a structured, machine-readable format.
- Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17)
Request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent.
- Right to Restriction (Art. 18)
Request that we limit processing of your data while a complaint or dispute is being resolved.
- Right to Data Portability (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to Object (Art. 21)
Object to processing based on legitimate interests, in which case we must demonstrate compelling legitimate grounds to continue.
- Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time for consent-based processing (marketing emails, optional cookies). Withdrawal does not affect the lawfulness of prior processing.
- Right to Lodge a Complaint (Art. 77)
File a complaint with your local data protection authority if you believe your rights have been violated.
To exercise any of these rights, contact us through the support section in your account. If you cannot log in, you can use the support form on our website by providing your email address. We will respond within the timeframe required by applicable law.
Requests are free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests.
Children's Privacy
Our service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us through the support section on our website.
Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit and at rest
- Access controls based on the principle of least privilege
- Security monitoring and logging of access to systems containing personal data
- Regular backups with recovery procedures
In the event of a personal data breach, we will notify the relevant supervisory authority and affected individuals as required by applicable data protection laws.
Commercial Communications
If you are an existing customer, we may send you communications about products or services similar to those you have purchased, in accordance with applicable electronic commerce laws (e.g., LSSI-CE Art. 21.2 in Spain). You may opt out at any time.
If you are not a customer, we will only send you commercial communications if you have given your explicit consent.
You can unsubscribe at any time using the link included in each message or through your account settings.
Government and Authority Requests
If we receive a request for access to personal data from a public authority, our policy is to:
- Review the legality of each request before disclosing any data
- Reserve the right to challenge requests that appear non-compliant with applicable law
- Apply data minimization principles if disclosure is required
Data Controller
The identity and contact details of the data controller responsible for your personal data are available in our Legal Notice, in compliance with applicable regulations.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or want to file a complaint, you can contact us through the support section in your account. If you cannot log in, you can use the support form on our website by providing your email address.
You also have the right to lodge a complaint with your local supervisory authority.
Cookies
We use cookies and similar technologies. For detailed information about the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will post a notice on our website with reasonable advance notice. The "Last updated" date at the top of this page indicates when the policy was last revised.