GDPR & EU/UK/Swiss data protection

If you operate in the EEA, the UK, or Switzerland - or your customers do - this page covers our roles, our transfers, your data-subject rights, and how to exercise them.

Last updated · 2026-05-02

Template notice. This page is a working template intended to be replaced by counsel-reviewed copy before any commercial launch. Section headings, scope, and definitions are reasonable defaults - the substantive language must be adapted to the operating jurisdiction(s), customer profile, and applicable processor relationships.

1. Roles

Under the GDPR, the UK GDPR, and the Swiss FADP, CentralbrAIn typically acts as a processor on behalf of the Customer, who is the controller of the personal data they bring into the Service. For our own account-holder data (administrators, billing contacts, support correspondents), we act as a controller.

2. Lawful bases

We process personal data on the lawful bases of (a) performance of a contract, (b) compliance with a legal obligation, or (c) legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your rights. We do not rely on consent for the operation of the Service itself; consent is used only for non-essential cookies and marketing communications, where applicable.

3. International transfers

Where personal data is transferred outside the EEA, the UK, or Switzerland, we rely on one of the following safeguards: (a) an adequacy decision; (b) Standard Contractual Clauses (the EU 2021 SCCs and, where applicable, the UK International Data Transfer Addendum); or (c) other lawful transfer mechanisms.

Enterprise-tier customers can elect Iceland-only hosting, eliminating most cross-border transfer questions for the bulk of operational data.

4. Sub-processors

A current list of sub-processors and the function each performs is published at /data-processing. Material additions are announced at least 30 days in advance, and you may object during that window.

5. Data-subject rights

Where applicable law grants you rights as a data subject, you may exercise them at any time. Common rights include:

  • Access - receive a copy of personal data we hold about you.
  • Rectification - correct inaccurate or incomplete data.
  • Erasure - request deletion, subject to lawful retention requirements.
  • Restriction - limit our processing of your data while a dispute is resolved.
  • Portability - receive a structured, machine-readable export.
  • Objection - object to processing based on legitimate interests.
  • Automated decisions - request human review of any solely-automated decision producing legal or similarly significant effects.

6. How to exercise rights

If you are a CentralbrAIn end-user, contact us at privacy@centralbrain.io from the email address on the account. If you are an end-user of one of our customers, please contact that customer first - they are the controller for their data. We will assist them in responding within the regulatory deadline.

We aim to respond to data-subject requests within 30 days, and at the latest within the time limits required by applicable law. We may extend that period by two further months for complex or numerous requests, in which case we will tell you why.

7. Data Protection Officer

The Company has appointed a Data Protection Officer who can be reached at dpo@centralbrain.io.

8. Supervisory authority

You have the right to lodge a complaint with the data-protection authority in your country of residence, place of work, or place of the alleged infringement. Without prejudice to that right, we ask that you contact us first so we can try to resolve the matter directly.

9. Security incidents

Where a personal-data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected data subjects without undue delay where the risk is high.

10. Records of processing

We maintain Article-30 records of our processing activities and make them available to supervisory authorities on request. Customers acting as controllers are responsible for their own Article-30 records and may rely on the disclosures on this page and in the DPA as a building block.