Privacy Policy
TABLE OF CONTENTS
- Definitions and Key Terms
- Introduction and Scope
- Personal Data Collection
- Data Processing and Usage
- Data Storage and Security
- Analytics, Advertising, and Third-Party Services
- Your Rights and Choices
- Data Retention and Deletion
- International Data Transfers and Legal Jurisdiction
- Children's Privacy
- Changes to This Policy
- Legal Information and Contact Details
1. DEFINITIONS AND KEY TERMS
1.1 Company and Service Terms
- Cerebrum: WinTech Digital LLC, operating as Cerebrum ("we," "us," or "our")
- Service: All features, functionalities, programs, and content available through Cerebrum
- Platform: Our website and related services accessible via any device
- User: Any individual accessing or using our services ("you" or "your")
1.2 Data and Privacy Terms
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data
- Data Controller: Cerebrum, determining the purposes and means of processing personal data
- Data Processor: Third parties that process personal data on our behalf
- Cookie: Small text file stored on your device containing data about your platform usage
1.3 Security Terms
- Authentication: Process of verifying user identity
- Encryption: Process of encoding information to prevent unauthorized access
- Token: Unique identifier used for secure authentication
- SSL/TLS: Security protocols for encrypted data transmission
2. INTRODUCTION AND SCOPE
2.1 Policy Overview This privacy policy explains how Cerebrum collects, uses, and protects your personal data. It provides detailed information about your privacy rights and how you can exercise them.
2.2 Policy Application This policy applies to:
- All users of Cerebrum globally
- All data collection methods
- All service features and functionalities
- All platform versions and updates
2.3 Policy Updates
- We reserve the right to update this policy
- Material changes will be notified via email
- Continued use after changes constitutes acceptance
3. PERSONAL DATA COLLECTION
3.1 Account Information A. Essential Data
- Email address (required for authentication)
- Name (collected during payment processing)
- Last sign-in timestamp
- Unique account identifiers
- IP addresses
B. Optional Data
- Phone number (if provided through payment processors)
- User preferences and settings
- Communication preferences
3.2 Service Usage Data A. Test Results
- Final IQ scores
- Completion timestamps
- Performance metrics Note: Individual test answers are processed in real-time and are not stored
B. Interaction Data
- Features accessed
- Time spent on platform
- Navigation patterns
- Device information
3.3 Payment Information and Processing
3.3.1 Payment Data We Receive We only receive and store limited payment information:
- Tokenized payment method identifiers
- Last four digits of payment cards
- First six digits of payment cards
- Card expiration dates
3.4 Technical and Device Data A. Device Information
- Operating system and version
- Browser type and version
- Screen resolution
- Device type and model
- Language preferences
B. Connection Data
- IP address
- Network information
- Connection type
- Geographic location (derived from IP)
- Time zone settings
C. Performance Data
- Load times
- Error messages
- System performance metrics
- Network latency
- Application response times
4. DATA PROCESSING AND USAGE
4.1 Primary Processing Purposes A. Service Provision
- Account creation and management
- Authentication and security
- Feature access and customization
- Customer support
- Service optimization
B. Payment Processing
- Subscription management
- Payment authorization
- Fraud prevention
- Transaction records
- Billing support
C. Communication
- Service updates and notifications
- Security alerts
- Product information
- Support responses
- Legal notices
4.2 Secondary Processing Purposes A. Service Improvement
- Usage pattern analysis
- Feature optimization
- Performance monitoring
- User experience enhancement
- Bug identification and resolution
B. Analytics and Research
- Aggregate usage statistics
- Trend analysis
- Platform optimization
- Feature development
- Performance benchmarking
4.3 Legal Bases for Processing A. Contractual Necessity
- Account management
- Service provision
- Payment processing
- Feature access
- Support services
B. Legal Obligations
- Tax compliance
- Financial records
- Legal requirements
- Regulatory compliance
- Safety and security
C. Legitimate Interests
- Service improvement
- Fraud prevention
- Security maintenance
- Technical optimization
- Business development
D. Consent-Based Processing
- Marketing communications
- Optional features
- Third-party integrations
- Analytics participation
- Feature testing
5. DATA STORAGE AND SECURITY
5.1 Storage Location and Data Transfers
- All personal data is stored in secure European data centers
- Data is transmitted globally using encrypted channels
- We employ appropriate safeguards for international data transfers
- Continuous compliance monitoring and security measures are in place
5.2 Security Measures
5.2.1 Infrastructure Security A. Authentication and Access
- Multi-factor Authentication capability
- Passwordless authentication via email
- Single-use verification codes
- Session management with automatic termination
- Role-based access control
- Principle of least privilege
- Access logging and monitoring
- Regular access reviews
- Automated access termination
B. Data Protection
- SOC2 Type 2 compliance
- AES-256 encryption for data at rest
- TLS encryption for data in transit
- Security protocols for all data transmission
- Regular security audits
C. System Security
- DDoS Protection via Cloudflare
- Intrusion detection systems
- Regular security patching
- Infrastructure monitoring
5.2.2 Payment Security
- PCI DSS compliant payment processing
- Tokenized payment information storage
- No access to complete card numbers
- Encrypted payment data transmission
- Immediate security incident response
- Regular compliance monitoring
5.2.3 Backup and Recovery
- Regular automated backups
- Encrypted backup storage
- Disaster recovery planning
- Business continuity measures
- Data restoration procedures
- Geographic redundancy measures
5.2.4 Organizational Security
- Incident response procedures and protocols
- Access control policies and enforcement
- Security incident reporting framework
- Change management procedures
5.2.5 Monitoring and Maintenance
- Real-time system monitoring and security event logging
- Performance tracking and analysis
- Regular security reviews and assessments
- Continuous compliance monitoring
- Regular system updates
- Vulnerability assessments
- Security patch management
5.3 Data Breach Notification Procedures
5.3.1 Definition and Scope A data breach is defined as:
- Unauthorized access to personal data
- Accidental loss or destruction of personal data
- Unauthorized disclosure of personal data
- Any incident compromising data confidentiality, integrity, or availability
5.3.2 Internal Response Upon discovering a potential breach, we will:
- Immediately initiate our incident response plan
- Assess the nature and scope of the breach
- Take immediate steps to contain the breach
- Document all aspects of the incident
- Evaluate the risks to affected individuals
5.3.3 User Notification We will notify affected users:
- Within 72 hours of breach confirmation
- Through email notification
5.3.4 Notification Content Our breach notifications will include:
- Description of the incident
- Types of data affected
- Potential impact on users
- Steps we've taken to address the breach
- Recommended user actions
- Contact information for questions
- Resources for additional support
5.3.5 Regulatory Compliance Where required by law, we will:
- Notify relevant supervisory authorities
- Comply with jurisdiction-specific requirements
- Provide mandatory documentation
- Cooperate with investigations
- Implement required remedial measures
5.3.6 Post-Breach Measures Following any breach, we will:
- Conduct a thorough investigation
- Implement additional security measures
- Update procedures as necessary
- Provide ongoing updates to affected users
- Review and enhance security protocols
6. ANALYTICS, ADVERTISING, AND THIRD-PARTY SERVICES
6.1 Analytics and Infrastructure Partners
6.1.1 Analytics Services We utilize the following services to monitor and improve our platform:
- Google Tag Manager: For managing analytics and marketing tags
- Google Analytics: For user behavior analysis and service optimization
- MixPanel: For user interaction tracking and feature usage analysis
- Google BigQuery: For large-scale data analysis and reporting
- Sentry: For error monitoring, performance tracking, and session recording
- Cloudflare: For performance analytics and security monitoring
6.1.2 Session Recording Details Through Sentry, we implement session recording with the following safeguards:
- Automatic masking of all user inputs
- No collection of personally identifiable information
- Exclusion of all data entry fields
- Anonymization of all user interactions
- Usage limited to bug investigation and performance optimization
6.1.3 Data Collection Scope These services may collect:
- Usage patterns
- Feature interaction data
- Performance metrics
- Error information
- Anonymized user flows
- Aggregate statistics
6.2 Advertising Partners and Data Sharing
6.2.1 Advertising Partners We work with various advertising partners, including:
- SnapChat
- TikTok
- Taboola
- Outbrain
- AppLovin
6.2.2 Data Sharing Practices These partners may receive:
- Anonymous identifiers
- Email addresses (for advertising purposes)
- Usage data
- Device information
- Interaction metrics
6.2.3 Partner Data Usage Our advertising partners may:
- Track user interactions
- Measure ad performance
- Optimize ad targeting
- Create audience segments
- Analyze campaign effectiveness
6.3 User Control Over Tracking
6.3.1 Tracking Limitations Users can limit tracking through:
- Browser cookie settings
- Ad-blocker extensions
- Device settings
- Platform-specific controls
6.3.2 Opt-Out Options
- Digital Advertising Alliance (DAA) opt-out tools
- Network Advertising Initiative (NAI) opt-out platform
- Platform-specific advertising settings
- Individual advertising partner opt-outs
6.3.3 Impact of Tracking Limitations Limiting tracking may affect:
- Platform functionality
- Service personalization
- Feature availability
- User experience Note: Core service features will remain functional
7. YOUR RIGHTS AND CHOICES
7.1 Universal Rights All users have the following basic rights:
- Access their personal data
- Correct inaccurate data
- Request data deletion (see Section 8.2 for procedures)
- Object to processing
- Data portability
- Withdraw consent
7.2 Regional Privacy Rights
7.2.1 European Union and UK Residents (GDPR)
A. Core Rights
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights regarding automated decision-making 7.2.2 California Residents (CCPA/CPRA)
A. Additional Rights
- Knowledge of personal information collection
- Knowledge of information sharing
- Deletion rights
- Correction rights
- Opt-out rights
- Non-discrimination rights
- Portability rights
7.2.3 Australian Residents
A. Privacy Act Rights
- Collection notification
- Access rights
- Correction rights
- Purpose specification
- Use limitation
- Disclosure transparency
7.2.4 Canadian Residents
A. PIPEDA Rights
- Access rights
- Accuracy rights
- Consent withdrawal
- Use transparency
- Protection expectations
7.3 How to Exercise Your Rights
7.3.1 Submission Methods All privacy rights requests can be submitted through any of our official contact channels listed in Section 12.2.
7.3.2 Verification Process To protect your privacy, we require: A. Initial Verification
- Email verification
- Account authentication (if applicable)
- Identity documentation (if needed for sensitive requests)
B. Additional Verification For sensitive requests or authorized agents:
- Government-issued ID
- Proof of authority (for agents)
- Additional security checks as needed
7.3.3 Response Timelines We follow these standard response times for all requests:
- Initial acknowledgment: Within 72 hours
- Standard response time: 30 days
- Maximum extension period: 45 days (with notification)
- Appeal decisions: 30 days
Note: California residents receive acknowledgment within 10 days per CCPA requirements.
7.3.4 Data Delivery All personal data will be provided in:
- Machine-readable format (CSV or JSON)
- With complete data inventory
- Via encrypted transmission
7.3.5 Appeal Process If you're unsatisfied with our response:
- Submit appeal within 30 days
- Include reason for appeal
- Provide any additional information
- Receive decision within 30 days
8. DATA RETENTION AND DELETION
8.1 Retention Periods
- Account data: While account is active
- Payment records: As required by law
- Analytics data: For service improvement
- Communication records: 2 years
- Security logs: 13 months
8.2 Deletion Procedures
- Account deletion: 30-day process
- Data removal: Systematic process
- Backup removal: 90-day maximum
- Verification process: Complete removal check
9. INTERNATIONAL DATA TRANSFERS AND LEGAL JURISDICTION
9.1 International Data Transfers For users outside the European Union, we ensure appropriate data protection through:
- Standard contractual clauses for international data transfers
- Technical and organizational security measures
- Regular compliance monitoring and assessments
- Adherence to international data protection requirements
- Continuous evaluation of data protection mechanisms
9.2 Legal Jurisdiction and Dispute Resolution
9.2.1 Escalation Process Before pursuing legal action, users must follow our escalation procedure:
A. First-Level Escalation:
- Submit to [email protected]
- Include reference number and prior communication history
- Response provided within 5 business days
B. Second-Level Escalation:
- If unsatisfied, escalate to [email protected]
- Senior management review
- Final decision within 15 business days
C. Informal Dispute Resolution:
- Following escalation process, parties will attempt informal resolution
- 30-day good-faith negotiation period
- Direct communication to resolve disputes
9.2.2 Formal Legal Proceedings If escalation and informal resolution are unsuccessful:
- This privacy policy is governed by the laws of the State of Wyoming, United States
- Any legal proceedings shall be exclusively resolved through binding arbitration as detailed in Section 14 of our Terms and Conditions
- Arbitration shall be conducted by the American Arbitration Association
- Users expressly consent to the personal jurisdiction of Wyoming courts for matters exempt from arbitration
- All claims must be brought within six months of the incident date
For complete dispute resolution procedures, including arbitration rules, exceptions, and class action waiver, please refer to Section 14 of our Terms and Conditions.
10. CHILDREN'S PRIVACY
10.1 Age Restrictions
- Minimum age: 18 years
- No intentional collection from minors
- Account termination if underage discovered
11. CHANGES TO THIS POLICY
11.1 Modification Rights We reserve the right to modify this privacy policy at any time.
11.2 Types of Changes
A. Material Changes Changes that significantly affect your rights or our obligations:
- Major changes to data sharing with third parties
- Fundamental changes to data processing purposes
- Significant changes to user privacy rights
B. Non-Material Changes Changes that don't substantially affect your rights, including but not limited to:
- Updates to reflect current practices
- Adding new product features or services
- Changes to contact information
- Clarifications of existing terms
- Grammatical or formatting updates
- Security enhancements
- Technical documentation updates
- Service improvement descriptions
- Analytics and tracking updates
- Changes to advertising partners and analytics providers
- Updates to third-party integrations
- Regional compliance updates
11.3 Notice Requirements
A. Material Changes
- Email notification 5 days before implementation
- Changes effective upon notification date
- Continued use constitutes acceptance
B. Non-Material Changes
- May be implemented immediately
- No advance notice required
- Updated policy posted on website
11.4 Your Options
- Review current privacy policy on our website
- Discontinue service use if you disagree with changes
- Continued use indicates acceptance of changes
12. LEGAL INFORMATION AND CONTACT DETAILS
12.1 Company Information Entity: WinTech Digital LLC Registered Address: 30 N Gould St Ste R, Sheridan, WY 82801, United States
12.2 Contact Information For all inquiries including privacy-related matters:
- Email: [email protected]
- Help Center: https://help.cerebrumiq.com
- Postal Address: 30 N Gould St Ste R, Sheridan, WY 82801, United States
All inquiries will be handled according to the response timelines detailed in Section 7.3.3.