Privacy Policy
This Privacy Policy ("Policy") explains how Cerebra AI collects, uses, and protects information when you use cerebra-ai.tech ("Service"). It is designed to comply with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and other applicable data-protection laws.
By using the Service and uploading data, you acknowledge that you have read this Policy and consent to the processing described herein. If you do not agree, please stop using the Service.
1. Data Controller
The controller responsible for your personal data is:
[COMPANY / SOLE PROPRIETOR NAME]
Registration No.: [REGISTRATION No.]
Registered address: [REGISTERED ADDRESS]
Data Protection contact: [CONTACT EMAIL]
Jurisdiction: [JURISDICTION]
For GDPR-related inquiries (including Data Subject Access Requests), contact us at the email above. We aim to respond within 30 calendar days.
2. What Data We Collect
The Service is built on a data-minimisation principle. We only collect what is genuinely needed to produce your report.
2.1 Business data you provide voluntarily
- Uploaded documents — financial statements, P&L spreadsheets, pricing tables, or other business files you choose to upload for analysis.
- Free-form text — a description of your business niche, size, and the specific questions or pain points you want the report to address.
Important: we ask you to remove or anonymise personal data of third parties (names, phone numbers, national IDs, email addresses) from your files before uploading. The analysis works on financial figures and business metrics — individual personal data is not needed and should not be included.
2.2 Technical data collected automatically
- Anonymous usage counters — number of visits and reports generated, without any link to your identity.
- IP address and browser metadata — processed automatically by our infrastructure solely to ensure security, prevent abuse, and maintain service stability. We do not build profiles from this data.
- Session identifiers — a randomly generated, anonymous ID stored in your browser session to let you download your report. It is not linked to any personal account.
2.3 What we do NOT collect
- We do not collect your name, phone number, or email unless you contact us directly.
- The Report does not contain your personal data — it is an analytical document based on the business metrics you submitted.
- We do not use cookies for tracking or advertising.
3. How We Process Your Files
Your files go through a controlled, automated pipeline — no human analyst reads them:
- Your file is received over an encrypted HTTPS connection and stored in temporary memory only for the duration of processing.
- Text is extracted and sent to AI language models via Anthropic's API, which operates under a no-training policy — your data is never used to train or improve AI models.
- The AI generates a structured Report in JSON, which is then rendered into a PDF.
- Source files are deleted immediately after your Report is ready for download.
- The generated Report is automatically deleted within 12 hours of creation, whether or not you download it.
4. Legal Basis for Processing (GDPR Art. 6)
- Consent (Art. 6(1)(a)) — you voluntarily upload your data and use the Service. You may withdraw consent at any time (see Section 8).
- Performance of a contract (Art. 6(1)(b)) — processing is necessary to deliver the Service you requested (producing and providing the Report).
- Legitimate interests (Art. 6(1)(f)) — processing technical data (logs, IP) to maintain security and prevent abuse, where this does not override your rights.
5. International Transfers
The AI processing pipeline uses Anthropic's API infrastructure, which may be hosted outside the European Economic Area. Anthropic maintains appropriate data-protection safeguards (including Standard Contractual Clauses where applicable). Your files are transmitted only to the extent necessary to generate your Report and are not retained by the model provider.
No other international transfers of your data take place.
6. Sharing with Third Parties
We do not sell your data. We do not share it for marketing purposes. Data may be shared with:
- Payment processors — when you purchase a paid tier, your payment data is handled by the payment provider under its own privacy policy. We receive only a transaction confirmation; we do not store card details.
- Infrastructure providers — hosting and CDN providers that process data solely on our behalf and under contractual confidentiality obligations.
- Law enforcement — if required by law or a valid court order.
7. Data Retention
- Uploaded files: deleted immediately after the Report is generated and ready for download.
- Generated Reports: deleted automatically within 12 hours of creation.
- Anonymous counters and logs: retained for up to 90 days for operational and security purposes, with no link to your identity.
- Payment records: retained for the period required by applicable accounting and tax law (typically 5–7 years), limited to transaction metadata only.
8. Your Rights Under GDPR
If you are located in the EEA or the UK, you have the following rights regarding your personal data. To exercise any of them, contact us at [CONTACT EMAIL]:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — ask us to correct inaccurate data.
- Right to erasure (Art. 17) — ask us to delete your personal data ("right to be forgotten").
- Right to restrict processing (Art. 18) — ask us to limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) — request your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent — you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint — you have the right to complain to your local supervisory authority (e.g., your national Data Protection Authority).
Given that uploaded files and Reports are deleted within hours, erasure requests may already be automatically fulfilled by the time you submit them.
9. Cookies
The Service uses only technically necessary cookies (e.g., session token to retrieve your Report) and anonymous analytics counters. No advertising or tracking cookies are used. You may disable cookies in your browser settings; this may affect your ability to download your Report.
10. Data Security
We implement appropriate technical and organisational measures to protect your data:
- All data in transit is encrypted via HTTPS/TLS.
- Files are processed in an isolated, access-controlled environment.
- Automatic deletion ensures data does not accumulate on our servers.
- Access to production systems is restricted to authorised personnel only.
11. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has submitted data through the Service, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Policy from time to time to reflect changes in the Service or applicable law. The current version is always available on this page. Where changes are material, we will make reasonable efforts to notify users. Continued use of the Service after the effective date of an update constitutes acceptance of the revised Policy.