Privacy Policy

Last updated: March 12, 2026

This translation is provided for your convenience. In case of any discrepancy, the English version prevails.

Cerebro Technologies, Inc. ("Cerebro," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

1. Who We Are

Cerebro is operated by Cerebro Technologies, Inc., a Delaware corporation.

We provide AI-powered infrastructure that enables businesses, creators, freelancers, and individuals to manage their operations through conversational AI on WhatsApp. Customers interact with businesses through WhatsApp and the web (cerebro.one) to discover, book, and purchase services and products through natural conversation.

For the purposes of the EU General Data Protection Regulation (GDPR) and UK data protection laws, Cerebro Technologies, Inc. is the data controller for personal data collected through the Service. You can contact us at privacy@cerebro.one.

2. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data based on the following legal grounds:

• Contract performance: Processing necessary to provide the Service, process transactions, and manage your account (Article 6(1)(b) GDPR).
• Legitimate interests: Improving our services, fraud prevention, and security (Article 6(1)(f) GDPR). You may object to processing based on legitimate interests at any time.
• Legal obligation: Retaining transaction records for tax and regulatory compliance (Article 6(1)(c) GDPR).
• Consent: For optional communications and where required for AI-based voice transcription (Article 6(1)(a) GDPR). You may withdraw consent at any time without affecting the lawfulness of prior processing.

3. Information We Collect

We collect different information depending on how you interact with Cerebro:

a. Owners (via WhatsApp):

• Account information: WhatsApp phone number, business name, business category, city, and country.
• Business data: services, products, prices, availability, schedules, and descriptions you create through conversation.
• Transaction data: sales, bookings, customer interactions, and revenue information.
• Payment information: Stripe account details for owners who use Stripe Connect for digital product fulfillment.
• Conversation data: WhatsApp messages (text and voice) exchanged with Cerebro to manage your business.
• Voice messages: audio messages sent via WhatsApp are transcribed using AI speech recognition to process your requests. Audio files are processed in real time and are not permanently stored after transcription.
• Memories: preferences, goals, and facts you share that Cerebro remembers across conversations to provide personalized service. You can ask Cerebro to forget any memory at any time.

b. Customers (via WhatsApp and cerebro.one):

• Account information: name, email address, and WhatsApp phone number when you interact with a business.
• Transaction data: purchases, bookings, order history, and preferences.
• Payment information: payment method details for booking deposits (processed via Stripe — we do not store full card numbers, CVVs, or other sensitive payment credentials).
• Conversation data: WhatsApp messages exchanged with a business's Cerebro to discover and purchase services and products.
• Profile data: preferences, dietary requirements, relationships, and other details you share during conversations that help personalize your experience.
• Voice messages: audio messages sent via WhatsApp are transcribed using AI speech recognition. Audio files are processed in real time and are not permanently stored after transcription.

c. Website Visitors (cerebro.one):

• Contact information if you reach out for support or inquiries.
• Standard analytics data (pages visited, referral source) via cookies. See Section 11 (Cookies) for details.
• Booking and purchase information when you use the web booking flow.

d. Information We Do Not Collect:

• We do not collect biometric data, government-issued ID numbers, or financial account numbers (other than through Stripe for payment processing).
• We do not track your location beyond the city and country you voluntarily provide.

4. How We Use Your Information

We use the information we collect to:

• Create and manage your Cerebro account (owner or customer);
• Process transactions, bookings, and payments;
• Enable AI-powered conversations for business management and customer purchases;
• Send transaction confirmations, receipts, reminders, and important service notifications via email;
• Provide customer support and respond to inquiries;
• Remember your preferences and personalize your experience across conversations;
• Improve and optimize our services, including AI response quality, using aggregated and anonymized data;
• Detect and prevent fraud, abuse, and security threats;
• Comply with legal obligations and enforce our Terms of Service.

We never sell or rent your personal data to third parties for marketing purposes.

5. How We Share Information

We share your information only when necessary to provide our services:

• Stripe: Processes all online payments securely. Owners using Stripe Connect for digital fulfillment connect their accounts directly. See Stripe's Privacy Policy.
• Anthropic: Powers AI conversations through Claude. Conversation data is processed according to Anthropic's usage policies and data processing agreements. See Anthropic's Privacy Policy.
• OpenAI: Provides voice transcription (Whisper) for voice messages sent via WhatsApp. Audio is processed in real time and is not retained by OpenAI for training. See OpenAI's Privacy Policy.
• Twilio: Provides WhatsApp Business API infrastructure for messaging. See Twilio's Privacy Policy.
• Meta / WhatsApp: Enables customer and owner conversations via WhatsApp Business API. See Meta's Privacy Policy.
• Supabase: Provides secure database storage for user data, transactions, and business information.
• Google Cloud: Provides hosting infrastructure (europe-west1, Belgium), file storage, and web application deployment.
• Email providers: We use transactional email services to send booking confirmations, receipts, and notifications.
• Between owners and customers: When a customer makes a purchase, relevant transaction details (name, email, booking details) are shared with the business to fulfill the order. The business is independently responsible for their handling of your data.

All third-party providers are contractually required to protect your data and process it only for the purposes described above, in compliance with applicable privacy laws.

We may also disclose your information if required by law, court order, or governmental regulation, or if necessary to protect the rights, property, or safety of Cerebro, our users, or the public.

6. AI and Conversation Data

Cerebro uses artificial intelligence (powered by Anthropic Claude) to enable conversations:

• Owner conversations via WhatsApp are processed to understand commands and manage services, bookings, and business operations.
• Customer conversations via WhatsApp or the web are processed to understand requests and facilitate purchases.
• Voice messages are transcribed using AI speech recognition (OpenAI Whisper) to enable voice-based interactions. Audio files are not permanently stored after transcription.
• We may use aggregated, anonymized conversation data to improve our AI systems. Individual conversations are not used for this purpose without anonymization.
• We do not use your personal conversations to train third-party AI models.
• Owner memories (preferences, goals, facts shared during conversations) are stored persistently to provide continuity across conversations. You can ask Cerebro to forget any memory at any time by saying so in conversation.

7. Data Retention

We retain your data according to the following schedule:

Data Type	Retention Period
Account information	Duration of account + 30 days after deletion request
Transaction records	7 years (as required by law)
Conversation data	Duration of account + 30 days after deletion request
Voice message audio	Not stored — processed in real time and discarded after transcription
Owner memories	Until you ask Cerebro to forget, or until account deletion
Analytics data	26 months

You may request deletion of your account and personal data at any time by contacting privacy@cerebro.one. Upon receiving a verified deletion request, we will delete or anonymize your data within 30 days, except where retention is required by law.

8. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption in transit (TLS 1.2+) and at rest;
• Secure authentication and access controls;
• Rate limiting and abuse prevention;
• Regular security assessments;
• Database query timeouts and input sanitization;
• Structured logging with no sensitive data in logs.

Payment data is handled entirely by Stripe (a PCI DSS Level 1 certified provider) and never touches our servers. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities within 72 hours as required by GDPR.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of your personal data in a structured, commonly used format.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your data ("right to be forgotten").
• Portability: Request your data be transferred to another service provider in a machine-readable format.
• Restriction: Request restriction of processing in certain circumstances.
• Objection: Object to processing based on legitimate interests, including profiling.
• Withdraw consent: Withdraw consent for optional processing at any time.
• Lodge a complaint: File a complaint with your local data protection authority (e.g., the CNIL in France, the ICO in the UK, or the AEPD in Spain).

To exercise these rights, contact us at privacy@cerebro.one. We will verify your identity and respond within 30 days (or as required by applicable law). We will not charge a fee for reasonable requests.

For California residents: Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact privacy@cerebro.one.

10. International Data Transfers

Your data is primarily stored and processed in the European Union (Google Cloud Belgium, europe-west1). Some of our service providers operate in the United States, which means your data may be transferred internationally.

For transfers from the EEA or UK to countries without an adequacy decision, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Data processing agreements with all sub-processors;
• Technical and organizational measures to protect transferred data.

11. Cookies

The cerebro.one website uses the following types of cookies:

• Essential cookies: Required for the booking flow to function (session management, payment processing). These cannot be disabled.
• Analytics cookies: Help us understand how visitors use our website. We use privacy-respecting analytics with no cross-site tracking.

We do not use advertising cookies or third-party tracking pixels. You can manage cookie preferences through your browser settings. The WhatsApp-based service does not use cookies.

12. Children's Privacy

Cerebro is not intended for children under 16 years of age (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@cerebro.one.

13. Third-Party Links

Our services may contain links to third-party websites or services (including Stripe checkout pages). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.

14. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new "last updated" date and, where practicable, by notifying you through the Service. Continued use of our services after changes constitutes acceptance.

For material changes that affect how we process your data, we will provide at least 30 days' notice before the changes take effect.

15. Contact Us

For privacy questions, concerns, data access requests, or to exercise any of your rights:

• Email: privacy@cerebro.one
• Mail: Cerebro Technologies, Inc., Avenida José Manuel Vallés 39, 29603 Marbella, Spain

We aim to respond to all inquiries within 30 days.