How Cerebrum collects, uses, and protects your personal data.
This document explains what personal data Cerebrum collects, why we collect it, who we share it with, how we protect it, and what you can ask us to do with it. It applies to everyone who uses cerebrumiq.com, regardless of where you are in the world.
In this policy, "Cerebrum," "we," "us," and "our" refer to the operator of cerebrumiq.com. "You" and "your" refer to anyone who uses the Service. "Personal data" means information that identifies you or could be used to identify you. "Processing" is any action we take with that data. For purposes of the EU and UK General Data Protection Regulation we act as the data controller for the data described here.
When you create an account. We receive the email address you sign in with, the name supplied by your payment processor, an internal account identifier, the timestamp of your last sign-in, and the IP address your device uses to connect. If a payment processor passes us your phone number we keep it with the rest of your account record. We also remember the preferences and communication settings you choose.
When you take a test. We store your final IQ score, the timestamp when you completed the assessment, and basic performance metrics. Individual answers are processed in real time and are not stored.
When you use the platform. We log which features you use, how long you spend in the product, the paths you take through it, and the device you connect from (operating system and version, browser and version, screen size, time zone, language).
When you pay. Our payment processors handle the card itself. We receive only a tokenized reference, the first six and the last four digits of the card, and its expiration. We never see, store, or have access to the full card number.
Automatically from your device. From ordinary web technologies we collect your IP address, an approximate geographic location derived from it, technical performance data (latency, error rates, load times), and cookies or similar identifiers.
We use this data to run the Service: to create and manage your account, to authenticate you, to give you access to the features you subscribed to, to take payment and prevent fraud, to respond when you contact support, and to keep the product working. We use it to communicate with you about the Service - confirmations, security alerts, product updates, legal notices. Where you opt in, we may send you optional product marketing. Separately, we use aggregated and anonymized data to understand how the product is used, to spot bugs and regressions, to benchmark performance, and to decide what to build next.
We process personal data on the basis of contractual necessity (to deliver the subscription you bought), legal obligations (to keep tax and financial records), legitimate interests (to secure the Service and improve it), and your consent (for non-essential marketing and analytics). You can withdraw consent at any time without affecting the lawfulness of prior processing.
We use third-party tools to run the Service - cloud hosting, payment processing, customer-support ticketing, error monitoring, product analytics, and session recording for bug investigation (with user inputs masked and interactions anonymized). These providers process data on our behalf under written agreements that restrict what they can do with it.
We work with advertising partners - including Facebook, Google, SnapChat, TikTok, Taboola, Outbrain, AppLovin, and Pinterest - to reach prospective customers and measure whether our ads work. These partners may receive anonymous identifiers, email addresses (for advertising purposes), usage data, device information, and interaction metrics.
You can limit tracking through browser cookie settings, ad-blocker extensions, device settings, and platform-specific controls. Opt-out options include the Digital Advertising Alliance (DAA), the Network Advertising Initiative (NAI), platform-specific advertising settings, and individual advertising partner opt-outs.
Cerebrum uses administrative, technical, and physical safeguards appropriate to the sensitivity of the data. Transport is encrypted; stored data is encrypted at rest; access is limited to staff who need it and logged when used. Our payment stack is PCI-DSS compliant, and we hold only tokenized payment references. Backups are encrypted, geographically redundant, and tested for recovery. We run security reviews on our infrastructure on a regular cadence.
If we ever discover a breach, we will contain it, assess its scope and the risk it poses, notify affected users by email as soon as we reasonably can, and notify the relevant supervisory authorities as required by law.
We keep account data while your account is active and for a reasonable period afterward. Payment records are retained for as long as applicable tax and financial-reporting rules require. Analytics data is retained in anonymized or aggregated form. Communication, security, and audit records are kept for as long as reasonably necessary to run support, ensure security, and investigate incidents.
When you ask us to delete your account, we remove it from our active systems, purge it from routine backups within a commercially reasonable timeframe, and confirm completion.
Our primary data centers are in Europe, but the Service is global, and data can travel. For transfers outside the European Economic Area we rely on the safeguards the GDPR recognizes - typically the Standard Contractual Clauses - together with technical and organizational measures designed to keep the data protected.
Everyone who uses Cerebrum has the same baseline rights: to access the personal data we hold about you, to correct it, to ask us to delete it, to object to or restrict processing, to receive it in a portable format, and to withdraw any consent you previously gave.
Depending on where you live, additional rights apply. If you are in the European Union or the United Kingdom, the GDPR gives you the rights to be informed, to access, to rectify, to erase, to restrict processing, to data portability, to object, and rights regarding automated decision-making. If you are a California resident, the CCPA/CPRA gives you the right to know what personal information is collected and shared, the right to opt out of the sale of personal information, and the right to non-discrimination. If you are in Canada, PIPEDA gives you the right to challenge our compliance and to expect adequate data protection. If you are in Australia, the Privacy Act gives you rights around collection notification, purpose specification, and use limitation.
To exercise any of these rights, contact us through our official channels. We verify your identity before processing requests. We respond within the timeframes required by applicable law, and provide your data in a commonly used, machine-readable format where portability applies. Appeals may be submitted within thirty days of our response.
Cerebrum is intended for adults. The minimum age requirement is 18 years. We do not intentionally collect data from minors; if we discover that an account has been created by someone under that age, we close it and remove the data.
We may update this policy from time to time. Material changes are notified by email; continued use of the Service after notification constitutes acceptance. Routine changes - fixing typos, adding a new service provider to the list, reformatting - can take effect immediately, and we note the effective date at the top of this page.
This privacy policy is governed by the laws of the State of Delaware, United States. Any legal proceedings shall be exclusively resolved through binding arbitration conducted by the American Arbitration Association. All claims must be brought within six months of the incident date.
© 2026 Cerebrum. All rights reserved. "Cerebrum" is a registered trademark. The test is an educational-entertainment product and is not a clinical or diagnostic tool.