Cerebrum, LLC – Privacy Notice

Last updated January 16, 2026

This Privacy Notice explains how Cerebrum, LLC (“Cerebrum,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data when you use our products and services, including our vID mobile application and any other website, application, or service that links to this Privacy Notice (together, the “Services”).

By using the Services, you acknowledge that you have read this Privacy Notice.

1. Scope and relationships covered

Cerebrum, LLC (“Cerebrum”) provides digital identity verification and screening infrastructure, including our vID mobile application and related websites, APIs, and services.

When we determine what personal data to collect and how to use it for our own purposes—for example, to operate vID accounts, run and secure our Services, communicate with you, and comply with our legal obligations—we act as an independent “controller” (or “business” under the CCPA and similar U.S. state laws). When we handle personal data only on behalf of a customer or Consumer Reporting Agency and strictly in line with their written instructions—for example, by hosting verification workflows, capturing documents and images, and routing results and evidence back to them—we act as their “processor,” “service provider,” or “contractor.” This Privacy Notice explains how we handle personal data in each of those roles.

We process two broad categories of personal data under this Notice:

1. Non‑HR data. Personal data about individuals who use vID or our other Services (for example, to verify identity for a club, league, or landlord), website visitors, and other people who interact with us directly.

2. Employment‑related / HR data. Personal data about job applicants, employees, contractors, or similar staff of our customers (or of customers of our background‑screening partners) that we process to support employment‑related background checks and identity verification. We do not run a full HR program with this data and we do not make hiring, promotion, or termination decisions ourselves; those decisions are made by the employer or organization that engaged the background‑screening company.

For purposes of certain international data‑transfer frameworks, some of this employment‑related data is treated as “HR data” because it was originally collected in the context of an employment relationship and transferred to us as an HR service provider. Our specific commitments and transfer mechanisms for that HR data are described in Section 9.

2. Personal data we collect

The personal data we collect depends on who you are and how you interact with us.

2.1 Data you provide directly

You may provide personal data when you:

• create or use a vID account;
• complete an identity verification or background‑screening process;
• use our Services at the request of a club, league, employer, landlord, or other organization;
• complete forms hosted by us on behalf of a background screening company;
• contact us or otherwise communicate with us.

This can include:

Identification and contact data. Name, aliases, date of birth, email address, postal address, phone number, contact preferences, and similar identifiers.

Account and authentication data. Usernames, passwords, security credentials, account configuration, and settings.

Identity verification data. Identity document images (driver’s license, passport, national ID or similar); government identifiers (such as Social Security or other taxpayer or national IDs where legally permitted); photos or video you submit; and other information needed to verify your identity or generate a background‑screening report.

Biometric data. Facial images, measurements, templates, and vectors derived from those images, and related data used to verify liveness and match your face to an identity document. Details of how we handle biometric data are in Section 6 and our separate “Notice of Collection of Biometric Data and Consent.”

Employment‑screening / HR‑context data. For individuals undergoing background checks or employment‑related verification, we may process data such as:

• prior addresses, employment history, education, and other background details;
• information requested by a background‑screening company (Consumer Reporting Agency, or “CRA”) to generate a report;
• information that an employer, club, league, or other organization asks to have verified as part of an application or ongoing employment/engagement.

We handle this data as a service provider to CRAs and/or to the organization that requested the check. For DPF purposes this is treated as “HR data” because it relates to employees/applicants in the context of an employment relationship, even though Cerebrum is not the employer.

Financial and transaction data. Limited billing or payment information (usually handled by payment processors), references to orders or screening requests, and internal transaction IDs associated with your verification or background check.

Communications and support data. Information contained in emails, support tickets, in‑app messages, and other communications, including attachments or any additional personal data you choose to provide.

All personal data you provide must be accurate and kept up to date. You are responsible for notifying us of changes.

2.2 Data collected automatically

When you use the Services, we automatically collect certain device and usage information, for example:

• IP address and device identifiers;
• browser type, operating system, and language settings;
• device and network information (hardware model, mobile carrier or ISP, system configuration);
• log data (timestamps, pages or screens viewed, features used, referrer URLs, crash reports, performance metrics);
• approximate location inferred from IP address or device settings (we do not collect precise GPS location unless you explicitly enable it).

We use this data primarily to provide, secure, and improve the Services and to detect and prevent abuse or fraud.

2.3 App permissions and device features

If you use our mobile applications, we may request access to device features such as your camera, microphone, or certain sensors. We use these to:

• capture images and video as part of identity verification and liveness checks;
• perform fraud detection and anti‑spoofing measures.

You can manage these permissions through your device settings. If you disable certain permissions, some features of the Services may not function properly.

2.4 Data from other sources

We may receive personal data about you from:

• Customers and organizations that ask you to complete verification or background screening.
• Background screening companies / CRAs that collect data and generate reports, where Cerebrum provides the technical rails or user interface.
• Public and commercial sources, such as public records, watchlists, and other data sources relevant to identity verification or screening.
• Service providers and partners, including fraud‑detection, identity‑verification, and other risk‑management vendors.

When we receive data from third parties, we treat it in accordance with this Privacy Notice and any additional contractual or legal restrictions.

3. Purposes for using personal data

3.1 Core purposes

We use personal data to:

• Provide and operate the Services – including creating and managing accounts, authenticating users, performing identity verification and liveness checks, facilitating background screening by CRAs, and delivering results and evidence back to the organization that requested them.
• Support employment‑related screening – by capturing and routing applicant/employee information to the relevant background‑screening company and organization, generating and returning verification evidence, and maintaining logs and audit trails. We do not make hiring or employment decisions ourselves.
• Communicate with you – by sending confirmations, receipts, security alerts, support responses, and information about changes to our terms or policies.
• Protect security and prevent fraud – detecting and investigating suspicious or malicious activity; preventing identity theft, account takeover, and abuse; and enforcing our terms and agreements.
• Improve and develop the Services – troubleshooting, analytics, product development, and research to enhance performance, accuracy, usability, and security.
• Support business operations – including accounting, auditing, compliance, and corporate governance.

Where required by law, we rely on your consent for specific processing. You may withdraw consent at any time, but it will not affect processing that has already occurred.

3.2 Legal bases for processing (EU/EEA, UK, Switzerland)

When EU/EEA, UK, or Swiss data protection law applies, we process personal data based on one or more of the following legal bases:

• Performance of a contract – for example, operating your vID account, performing a verification or screening requested by you or on your behalf, or fulfilling obligations in our contracts with customers/CRAs.
• Compliance with legal obligations – including identity‑verification, fair credit reporting, financial, tax, and recordkeeping obligations.
• Legitimate interests – such as securing the Services, preventing fraud and abuse, improving our products, and supporting customers, where these interests are not overridden by your rights and interests.

You can contact us if you would like more detail on how a particular processing activity is justified in your situation.

4. Data retention & handling

This Section 4 of this Privacy Notice is the “Section 4” referenced in our separate Notice of Collection of Biometric Data and Consent.

4.1 General retention principles

We keep personal data only for as long as reasonably necessary to:

• provide the Services and complete the verification or screening workflows;
• support the organizations and background‑screening companies that use our Services;
• comply with legal, regulatory, accounting, and reporting obligations; and
• resolve disputes, enforce agreements, and protect our rights and those of our customers and users.

When personal data is no longer needed, we delete it or de‑identify it so it can no longer reasonably be linked to an individual, unless we are required by law or have a strong legitimate interest (such as a legal hold) to keep it longer.

4.2 Identity verification and screening data

For identity verification and background‑screening data, we generally retain:

• identity and verification records for as long as the relevant account or customer relationship remains active, and
• any additional period required by law, industry rules, or our contractual obligations to the organization or CRA that requested the verification or screening.

After those periods, we delete or de‑identify the data, subject to backup and archival constraints and legal holds.

4.3 Biometric templates and facial images

For biometric data, we apply more specific retention rules, consistent with our separate Notice of Collection of Biometric Data and Consent. Further details of how we handle biometric data may be found in Section 6.

4.4 Employment‑related / HR‑context data

For HR‑context data about applicants, employees, and other staff of our customers or of customers of our background screening partners:

• Retention periods are driven by the background screening company and/or the customer organization (for example, an employer) and by applicable law.
• We keep HR‑context data only as long as needed to perform the services, comply with legal and contractual obligations, and maintain appropriate audit logs and records.
• When our obligations end, we delete or de‑identify the data, subject to backup and legal‑hold constraints.

We do not use HR‑context data to operate our own HR program or to make employment decisions about those individuals.

4.5 Backups and deletion

When we delete data from active systems, copies may persist in encrypted backups for a limited period. Those backups are tightly access‑controlled and used only for business continuity, security, and compliance. They are deleted in accordance with our backup retention schedule.

5. How we share personal data

We do not sell your personal data.

We share personal data only in the ways described below, and only to the extent reasonably necessary.

5.1 Service providers and vendors

We share personal data with carefully selected service providers that perform services for us or on our behalf, under written contracts that limit their use of the data to the services they provide. These include:

• Hosting and infrastructure providers.
• Identity verification, liveness detection, and anti‑fraud vendors.
• Background screening and Consumer Reporting Agencies.
• HR, payroll, and benefits administration providers for HR data.
• Analytics, logging, communications, and customer support tools.
• Professional advisers such as auditors, lawyers, and consultants.

You can find a list of our Subprocessors here: https://trust.cerebrum.com/subprocessors.

The list of Consumer Reporting Agencies we work with may change over time. Rather than listing them exhaustively here, we maintain an up‑to‑date list of CRAs that use Cerebrum as a technology provider on our trust center at: https://trust.cerebrum.com/faq?s=78xv6qluhb7ne1k9oro4vh. The fact that a given CRA appears on that list does not necessarily mean it has collected information about you; it means that we may process data on its behalf when it engages us for a particular workflow.

5.2 Customers and organizations that requested verification or screening

If you use vID or another Service because an organization asked you to, we may share the relevant results with that organization. The organization’s own privacy notice describes how it uses the data we provide.

5.3 Facial images shared with organizations

After verification is complete, we may provide your facial portrait image (but not the underlying biometric vectors or templates) to the organization that requested your verification. That organization is responsible for obtaining any separate consent required to use your image for its own purposes, such as displaying it on a profile, account, employee badge, or similar context. Cerebrum does not control that organization’s subsequent use of the image; their use is governed by their own policies and agreements with you.

5.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of some or all of our assets, personal data may be transferred as part of that transaction, subject to confidentiality obligations and applicable law.

5.5 Legal and regulatory disclosures

We may disclose personal data when we reasonably believe it is necessary to:

• comply with laws, regulations, legal processes, or government requests;
• respond to lawful requests from law enforcement or regulatory authorities;
• protect the rights, property, or safety of Cerebrum, our customers, our users, or others;
• detect, prevent, or address suspected fraud, security, or technical issues.

Where not prohibited by law or the requesting authority, we may notify you of such disclosures.

6. How we collect and use biometric information

This section summarizes how we handle biometric data and works together with our separate Notice of Collection of Biometric Data and Consent, which is presented at the point of collection. It should also be read together with Section 4 (How we retain and handle personal data), which describes our general retention practices, and Section 5.3 (Facial images shared with organizations), which describes when we provide facial portrait images to organizations that requested your verification.

6.1 What we collect

For some identity verification workflows we collect and process biometric identifiers and biometric information—specifically facial images and scans of facial geometry—solely to:

• verify your identity;
• verify that a live person is present; and
• match your face to the identity document you provide.

For purposes of this Privacy Notice and, where applicable, certain biometric privacy laws, when we refer to “biometric data” we mean the measurements, templates, and vectors derived from your facial geometry that our systems use to perform automated matching and liveness checks.

The static facial portrait images we retain as part of your verification or screening record, and that we may share with organizations under Section 5.3, are treated as photographic images and not as biometric identifiers or biometric information, even though they depict your face. We still protect those images as personal data and apply the security and retention practices described in this Notice.

6.2 How we use biometric data

We use biometric data only for the limited purposes of:

• generating a biometric vector or template from your facial image;
• comparing that vector to your identity document image or other reference image to verify your identity;
• verifying that a live person is present during the verification process; and
• detecting fraud, spoofing, and misuse of the Services.

We do not use your biometric data for generalized surveillance, emotion detection, or unrelated profiling. Biometric data is encrypted in transit and at rest, as described in Section 8 (Security).

6.3 Retention and deletion

We apply specific retention rules for biometric data, consistent with our separate Notice of Collection of Biometric Data and Consent and the general principles in Section 4:

• Your biometric vector (or similar derived representation of your facial geometry) is used only to perform the comparison and liveness checks for a specific verification transaction and is permanently deleted immediately after your order or verification request is processed.
• Your facial portrait image and your identity document image may be retained longer as part of your verification, screening, or HR record, in line with Section 4—for example, while your account or the relevant customer relationship remains active and for any legally required retention periods afterward.

We do not retain biometric vectors or templates beyond the completion of the specific verification transaction, and we do not sell, lease, or trade your biometric data or use it for any purpose inconsistent with this Privacy Notice and our Notice of Collection of Biometric Data and Consent.

6.4 Sharing, consent, and choices

We do not share biometric vectors or templates with the organizations that requested your verification. We may provide your facial portrait image to those organizations as evidence of verification, as described in Section 5.3. Those organizations are responsible for any additional consents required to use your portrait image for their own purposes (for example, displaying it on a profile, account, employee badge, or similar context).

We will present a separate Notice of Collection of Biometric Data and Consent at the point where biometric data is collected. That notice explains what biometric data we collect, the purposes and legal bases for processing it, how long we retain it, and your choices. By proceeding with the verification or application process after being presented with that notice, you acknowledge and consent to Cerebrum’s collection, use, storage, and limited sharing of your facial image and biometric data as described there and in this Privacy Notice.

You may decline to provide biometric data. If you do, we and the relevant organization or Consumer Reporting Agency may be unable to complete your identity verification, application, or background‑screening process.

7. How we handle data collection from minors

Cerebrum does not knowingly collect personal data directly from minors without appropriate authorization. Any minors using vID or related Services must have approval from their parent or legal guardian, and any disclosures or consents for a minor’s use of the Services must be agreed to and/or signed by that parent or legal guardian.

If we become aware that we have collected personal data from a minor without appropriate authorization or consent, we will take steps to delete that information or obtain the necessary consent.

8. Security information

We maintain a security program designed to protect personal data from unauthorized access, use, disclosure, alteration, or destruction.

8.1 Technical and organizational safeguards

Our safeguards include layered access controls, network and application security measures, logging and monitoring, security testing, and formal policies and training for employees and contractors who handle personal data.

All data we process is encrypted both in transit and at rest. All stored personal data is encrypted at rest using managed encryption services. Data in transit is protected using industry‑standard transport encryption.

8.2 Independent assessments and trust portal

Cerebrum’s security and compliance posture is evaluated by independent third parties. Cerebrum has undergone a SOC 2 Type II examination, and we maintain a dedicated security and compliance portal where you can review information about our penetration testing, SOC reporting status, and related controls: https://trust.cerebrum.com.

8.3 Residual risk

No security program is impenetrable, and no method of electronic transmission or storage is perfectly secure, but we continuously review and improve our controls to reduce risk. If we become aware of a data breach affecting your personal data in a way that requires notice under applicable law, we will notify you and/or the relevant authorities as required.

9. International transfers and the Data Privacy Framework

Cerebrum is headquartered in the United States, and we may store and process personal data in the United States and other countries where we or our service providers operate. These countries may have data protection laws that differ from those in your country.

9.1 Transfer mechanisms

For personal data originating in the EU/EEA, UK, or Switzerland, we rely on appropriate transfer mechanisms recognized under applicable law, which may include:

• Standard Contractual Clauses; and/or
• the Data Privacy Framework, where applicable.

9.2 EU‑U.S. DPF, UK Extension, and Swiss‑U.S. DPF (HR and non‑HR data)

Cerebrum, LLC complies with the EU‑U.S. Data Privacy Framework (EU‑U.S. DPF), the UK Extension to the EU‑U.S. DPF, and the Swiss‑U.S. Data Privacy Framework (Swiss‑U.S. DPF), as set forth by the U.S. Department of Commerce.

Cerebrum, LLC has certified to the U.S. Department of Commerce that it adheres to the EU‑U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU‑U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU‑U.S. DPF. Cerebrum, LLC has also certified to the U.S. Department of Commerce that it adheres to the Swiss‑U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss‑U.S. DPF.

Our participation in the Data Privacy Framework is effective as of the date the U.S. Department of Commerce places Cerebrum, LLC on the Data Privacy Framework List. If there is any conflict between the terms in this Privacy Notice and the EU‑U.S. DPF Principles (and, as applicable, the UK Extension to the EU‑U.S. DPF) and/or the Swiss‑U.S. DPF Principles, the applicable Principles shall govern.

To learn more about the Data Privacy Framework program, and to view our certification, please visit the Data Privacy Framework website at https://www.dataprivacyframework.gov/ and the Data Privacy Framework List athttps://www.dataprivacyframework.gov/list.

For purposes of the Data Privacy Framework, Cerebrum’s self‑certification covers personal data that we receive in the United States in reliance on the Data Privacy Framework, including:

• non‑HR data about users, customers, and other individuals; and
• HR data, understood in the DPF sense as personal data about employees, applicants, or other staff collected in the context of an employment relationship and transferred to us as an unaffiliated HR service provider (for example, to support employment‑related background checks and identity verification).

No other U.S. entities or U.S. subsidiaries are currently covered by Cerebrum, LLC’s DPF self‑certification.

9.3 DPF disclosures, choices, and enforcement

Where to find more details in this Privacy Notice. The types of personal data we collect are described in Section 2, the purposes for which we collect and use personal data are described in Section 3, and the types of third parties to which we disclose personal data (and the purposes for such disclosures) are described in Section 5.

How to contact us. For DPF‑related questions, complaints, or access requests, you can contact us using the details in Section 16. Cerebrum does not have an establishment in the EU/EEA, UK, or Switzerland that is responsible for responding to such inquiries; our U.S. contact points handle them.

U.S. statutory body with jurisdiction. Cerebrum, LLC is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Choice. For personal data we receive in reliance on the Data Privacy Framework, you may opt out of (i) disclosure of your personal data to a third party acting as a controller (i.e., not acting as our agent) and (ii) use of your personal data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you, unless the DPF Principles permit the disclosure or use without offering opt‑out. Where the DPF Principles require opt‑in (affirmative express consent) for disclosure of sensitive information to a third party or for use of sensitive information for a materially different purpose, we will obtain your opt‑in consent. To exercise your opt‑out or opt‑in choices, please contact us using the details in Section 16.

Access. You have the right to access personal data about you that we hold and, where appropriate, to correct, amend, or delete it, as described in Section 10.

Accountability for onward transfer. For personal data received in reliance on the DPF and transferred onward to a third party that processes personal data on our behalf, Cerebrum remains responsible under the DPF Principles if that third party processes such personal data in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Public authorities. As described in Section 5.5, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Independent dispute resolution. If a DPF‑related complaint cannot be resolved through our internal process, you may submit a complaint to VeraSafe, a U.S.‑based independent dispute resolution provider, free of charge, as described in Section 9.4. We will respond to your complaint within 45 days of receiving it.

Human resources data. For HR data transferred under the DPF in the context of an employment relationship, we will cooperate with and comply with the advice of the relevant EU/EEA data protection authorities, the UK Information Commissioner’s Office, and the Swiss Federal Data Protection and Information Commissioner, as required by the DPF’s Supplemental Principle on Human Resources Data.

Binding arbitration. Under certain conditions, you may have the right to invoke binding arbitration, as described in Section 9.5.

9.4 VeraSafe Data Privacy Framework Dispute Resolution

If a privacy complaint or dispute relating to personal data received by Cerebrum, LLC in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure.

Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/.

If a complaint or dispute cannot be resolved through our internal process, we have also agreed to cooperate with the EU and UK data protection authorities and the Swiss Federal Data Protection and Information Commissioner and to participate in the dispute resolution procedures of the panel established by such data protection authorities.

9.5 Binding arbitration

If your dispute or complaint related to your personal data that we received in reliance on the Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanisms described above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework.

10. Your rights and choices

Your rights depend on where you live and the laws that apply. In general, you may have the right to:

• Request access to personal data we hold about you.
• Request that we correct inaccurate or incomplete personal data.
• Request deletion of personal data, subject to legal and contractual limitations.
• Object to or request restriction of certain processing.
• Withdraw consent where processing is based on consent, without affecting processing that has already occurred.
• Request a portable copy of certain personal data you have provided to us.

To exercise these rights, contact us using the details in Section 16 and indicate the jurisdiction you are in. We may need to verify your identity and, if you are acting on behalf of someone else, your authority to make the request.

If we decline your request, we will explain why, unless we are legally restricted from doing so.

10.1 Your rights when we are acting on behalf of another organization

In many workflows, Cerebrum is acting on behalf of another organization—such as a Consumer Reporting Agency, employer, club, league, or landlord—that is responsible for the underlying decision or background report. The name of the organization that requested your verification or screening, and where possible its contact information or a link to its privacy notice, will be shown within the vID app or other user interface you use to complete the workflow. In some cases, that organization will be the “controller” or “business” for your data, and we may need to coordinate your request with them or direct you to exercise certain rights directly with them. If you are unsure which organization is responsible for your workflow, or if you cannot find their contact information in vID, you can contact us using the details in Section 16 and we will help route your request to the appropriate organization where possible.

10.2 Your rights as a resident of the United States

Several U.S. states have enacted privacy laws that give residents rights similar to those described in this Privacy Notice (for example, rights to access, correct, delete, or obtain a copy of certain personal data, and to opt out of certain types of processing). If you live in one of those states and that state’s law applies to our processing of your personal data, we will honor your rights under that law. Unless we specifically say otherwise in this Privacy Notice, Cerebrum does not sell personal data and does not process personal data for targeted advertising or profiling that produces legal or similarly significant effects, as those terms are defined in these state laws. Where such laws require it, we also provide a way to appeal our response to your request.

To exercise your rights under the laws of your state, contact us using the details in Section 16 and tell us which state you reside in. We may need to verify your identity and, in some cases, may need to coordinate your request with the Consumer Reporting Agency or organization that requested your verification or screening if they are the primary controller or “business” for your data.

11. Additional information for EU/EEA, UK, and Swiss residents

If you are located in the European Union and/or European Economic Area, United Kingdom, or Switzerland, in addition to any rights described elsewhere in this Privacy Notice, you have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data violates applicable law.

You can find contact details for:

• EU/EEA authorities on the website of the European Data Protection Board.
  • Use the EDPB’s “Contact us / Supervisory authorities” page, which links out to all national data protection authorities in the EU/EEA: https://www.edpb.europa.eu/about-edpb/contact-us_en
• The UK Information Commissioner’s Office (ICO).
  • Main contact page (all channels, including phone, live chat, and forms): https://ico.org.uk/global/contact-us/
• The Swiss Federal Data Protection and Information Commissioner.
  • Dedicated contact page (hotline, postal address, etc.): https://www.edoeb.admin.ch/en/contact-2

We encourage you to contact us first at support@cerebrum.com so we can try to resolve your concerns.

For HR data transferred under the DPF in the context of an employment relationship, you may also raise issues through your local data protection authority, who may coordinate with us and the U.S. Department of Commerce.

12. Additional information for California residents

If you are a resident of the State of California, you may have additional rights under the California Consumer Privacy Act (CCPA) and related laws. For applicable personal information, you may have the right to:

• Request to know the categories and specific pieces of personal information we have collected about you, the categories of sources, our purposes for collecting or disclosing it, and the categories of third parties to whom we disclose it.
• Request deletion of personal information we hold about you, subject to legal and contractual exceptions.
• Request correction of inaccurate personal information.
• Direct us to limit the use and disclosure of certain sensitive personal information to what is necessary to provide the Services or reasonably expected by an average consumer.
• Be free from unlawful discrimination for exercising your privacy rights.

We do not "sell" personal information or "share" personal information for cross‑context behavioral advertising as those terms are defined under the CCPA.

To exercise your California rights, contact us using the details in Section 16 and specify that you are making a request under California law. If you use an authorized agent, we may require proof of authorization and may require you to verify your identity directly with us.

13. Additional information for Virginia residents

If you are a resident of the Commonwealth of Virginia and the Virginia Consumer Data Protection Act (VCDPA or CDPA) applies to our processing of your data, you may have rights similar to those described above, including rights to:

• Confirm whether we process your personal data and access such data.
• Correct inaccuracies in your personal data.
• Delete personal data you provided or that we obtained about you.
• Obtain a portable copy of personal data you previously provided to us.
• Opt out of processing of your personal data for targeted advertising, sale of personal data, or certain profiling that produces legal or similarly significant effects.

Cerebrum does not sell personal data as defined under Virginia law and does not engage in targeted advertising that would require an opt‑out under that law.

To exercise your Virginia rights, contact us using the details in Section 16 and specify that you are making a request under Virginia law. If we deny your request, you may appeal by replying to our response and stating that you wish to appeal. If your appeal is denied, you may contact the Virginia Attorney General.

14. Do‑Not‑Track and similar signals

Some browsers and devices send “Do‑Not‑Track” (DNT) signals. There is currently no widely accepted standard for how to respond to DNT, and we do not respond to these signals today.

Where required by law (for example, for certain advertising‑related cookies in specific jurisdictions), we will honor browser or device‑based consent and opt‑out signals in line with applicable regulations.

15. Changes to this Privacy Notice

We may update this Privacy Notice from time to time. When we do, we will change the “Last updated” date at the top. If we make material changes, we may also provide additional notice, such as emailing you or displaying a notice within the Services.

Your continued use of the Services after an updated Privacy Notice is posted means you acknowledge the revised Notice.

16. How to contact us

For questions, concerns, or requests relating to this Privacy Notice or our handling of personal data, you can contact us at:

Email: support@cerebrum.com

Mail: Cerebrum, LLC
1000 Main St, Unit 1057
Pittsburgh, PA 15215
United States

For issues related to personal data transferred in reliance on the Data Privacy Framework, you may also contact VeraSafe or the relevant data protection authority as described in Section 9.