Introduction & About This Policy
This Privacy Policy describes how CerebrumEdge Tech Pvt Ltd ("CerebrumEdge", "we", "us", or "our") collects, uses, discloses, and protects personal data in connection with the ErgoEdge® AI-powered Workplace Ergonomic Risk Assessment SaaS platform.
This Policy has been updated to comply with privacy and data protection laws across six jurisdictions: the EU/EEA (GDPR), the United Kingdom (UK GDPR), the United States (CCPA/CPRA and applicable state laws), South Africa (POPIA), Australia (Privacy Act 1988 / APPs), and India (DPDPA 2023). Where your local law provides rights or protections beyond the general provisions of this Policy, those jurisdiction-specific rights are described in Section 11.
Who We Are: Controller and Processor Roles
Understanding the roles of the parties involved is essential, particularly for users of the ErgoEdge® platform.
When ErgoEdge® is deployed by an employer or organisation (the "Customer"), CerebrumEdge acts as a Data Processor. The Customer (your employer) is the Data Controller and determines the purposes and means of processing your personal data through the platform. CerebrumEdge processes data solely on the Customer's documented instructions.
If you are a worker or employee whose data is processed via ErgoEdge®, your primary point of contact for data rights requests is your employer (the Data Controller). CerebrumEdge will assist your employer in responding to those requests.
CerebrumEdge acts as Data Controller for personal data collected directly from business contacts, website visitors, and prospective customers — such as enquiry forms, demo requests, and sales or support communications.
| Your Relationship | Applicable Role |
|---|---|
| Worker / employee using ErgoEdge® via your employer | CerebrumEdge = Data Processor; Your Employer = Data Controller |
| Business contact, prospect, or website visitor | CerebrumEdge = Data Controller |
| ErgoEdge® platform administrator at a Customer organisation | CerebrumEdge = Data Processor; Customer = Data Controller |
CerebrumEdge has appointed a Data Protection Officer as required under GDPR Article 37 and as best practice across all jurisdictions. The DPO may be contacted at:
- Email: dpo@cerebrumedge.com
- Post: Data Protection Officer, CerebrumEdge Tech Pvt Ltd, 3rd Floor, Evolve Work Studio, Doddanekundi Industrial Area, Bengaluru, Karnataka 560048, India
Information We Collect
| Data Category | Description | Privacy Safeguard |
|---|---|---|
| Workplace video footage | Video recordings of workers performing tasks at workstations, uploaded by the Customer | Encrypted at upload (AES-256). Original video deletion available on Customer request. |
| Facial imagery (transient) | Detected during AI frame analysis only | Faces are blurred (pseudonymised) before display. No facial recognition or identity matching. |
| Posture & movement metadata | Joint angles, movement patterns, ergonomic risk scores generated from video frames | Pseudonymised output. Not linked to individual identity in outputs. |
| User account data | Business email address only, used to create platform accounts for authorised users | Minimum data principle. No personal phone or address required. |
| Application & security logs | System access logs, authentication events, audit trail | Retained in EEA only (Germany West Central) regardless of Customer region selection. |
When you log in to or interact with the ErgoEdge® application, we may collect the following limited data:
- Session log data: IP address, browser type/version, pages visited within the application, time and date, duration of session
- Device data: device type, operating system — collected only to the extent necessary for application security and compatibility
- Account data: business email address only, used to authenticate your platform account. No personal phone number or home address is required or collected by the ErgoEdge® application.
ErgoEdge® processes video footage of workers that may contain biometric-adjacent data (posture, movement). We do not conduct facial recognition or create biometric profiles.
For users in jurisdictions where ergonomic/health-related data qualifies as sensitive (including CPRA "sensitive personal information" and POPIA "special personal information"), we process only the minimum data necessary and apply enhanced technical safeguards as described in Section 10.
- We do not collect or process sensitive personal data (health records, financial data, national ID numbers, passwords) beyond what is strictly necessary for service delivery.
- We do not sell or share personal data for cross-context behavioural advertising.
- ErgoEdge® is a workplace B2B tool and is not directed at individuals under the age of 18. We do not knowingly collect data from minors.
Legal Basis for Processing
We process personal data only where we have a valid legal basis. The applicable basis depends on your jurisdiction and the nature of the processing activity.
| Processing Activity | Legal Basis (GDPR / UK GDPR) | Equivalent Basis (Other Jurisdictions) |
|---|---|---|
| Delivering the ErgoEdge® platform service | Art. 6(1)(b) — Contract performance | POPIA §11(1)(b); DPDPA Deemed Consent §7; APPs |
| Ergonomic risk video analysis | Art. 6(1)(b) — Contract; Art. 9(2)(b) — Employment context for workplace health & safety | POPIA §11(1)(b) & §26(1)(a); CCPA service provider; DPDPA §7(a) |
| User account management | Art. 6(1)(b) — Contract performance | POPIA §11(1)(b); DPDPA Consent §6 |
| Platform analytics & improvement | Art. 6(1)(f) — Legitimate interests | POPIA §11(1)(f); APP 3; CCPA business purpose |
| Security monitoring & audit logs | Art. 6(1)(c) — Legal obligation; Art. 6(1)(f) — Legitimate interests (ISO 27001) | POPIA §11(1)(c); DPDPA §7(e) |
| Marketing & business development communications | Art. 6(1)(a) — Consent; or Art. 6(1)(f) — Legitimate interests (existing B2B customers) | POPIA §69 — opt-in consent required; CCPA opt-out right applies; DPDPA §6 consent |
| Compliance with legal obligations | Art. 6(1)(c) — Legal obligation | All jurisdictions: applicable local law |
Where we rely on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. To withdraw consent, contact dpo@cerebrumedge.com or use the opt-out mechanism in the relevant communication.
How We Use Your Information
We collect and use personal data strictly for the purposes listed below. We will not process your data in a manner incompatible with these purposes.
- To deliver, operate, and improve the ErgoEdge® platform and its ergonomic risk assessment features
- To generate ergonomic risk scores and safety reports for your employer (Data Controller)
- To manage user accounts and provide platform access for authorised personnel
- To communicate with you regarding your account, service updates, and support requests
- To conduct platform performance analytics and security monitoring (ISO 27001:2022 requirement)
- To comply with legal and regulatory obligations in applicable jurisdictions
- For legitimate B2B marketing communications to business contacts, subject to applicable opt-out rights
- To protect the legal rights and interests of CerebrumEdge and our customers
ErgoEdge® uses AI and Computer Vision to automatically analyse video footage and generate ergonomic risk scores. This constitutes automated processing under GDPR Article 22, POPIA Section 71, and India DPDPA Section 8.
Disclosure of Personal Information to Third Parties
CerebrumEdge engages the following sub-processors to deliver the ErgoEdge® service. All sub-processors are bound by Data Processing Agreements incorporating appropriate contractual safeguards:
| Sub-Processor | Role & Data Processed | Data Location & Transfer Basis |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, storage (Blob, SQL, Cosmos DB), AKS, Key Vault, Redis Cache, WAF. Processes workplace video, ergonomic analytics, user account data, application logs. | EEA-always tier: Germany West Central / West Europe. Customer-selectable tier: per DPA Schedule 5. Transfer basis: Microsoft Products & Services DPA incorporating 2021 SCCs Module 3; EU-UK Adequacy; EU-US DPF. |
We will notify Customers of any intended changes to our sub-processor list (additions or replacements) and provide Customers the opportunity to object to such changes as per our Data Processing Agreement v1.2.
We may also disclose personal information to:
- Our employees and contractors, strictly on a need-to-know basis and bound by confidentiality obligations
- Courts, tribunals, regulatory authorities, and law enforcement agencies, as required by applicable law or to defend our legal rights
- Professional advisors (legal, accounting, insurance), subject to binding confidentiality obligations
- A successor entity in the event of a merger, acquisition, or business transfer (see Section 14)
We do NOT disclose personal data to advertising networks, data brokers, or third parties for direct marketing without your consent. We do NOT sell personal data.
International Data Transfers
CerebrumEdge operates a split-residency data architecture. The following data categories remain in the EEA (Germany West Central) at all times, regardless of your Customer's selected region:
- Application and security logs
- User account data and credentials
- Platform analytics and ISMS monitoring data
Workplace video footage (primary processing data) is hosted in the Customer's selected region, chosen at onboarding and fixed for the contract term. Available regions: EEA (default), UK, US/Canada, Australia, India.
| Region | Transfer Mechanism | Applicable Law |
|---|---|---|
| 🇪🇺 EEA (default) | No transfer — all primary data within EEA | GDPR (EU) 2016/679 |
| 🇬🇧 United Kingdom | EU–UK Adequacy Decision (primary); Microsoft DPA / SCCs Module 3 (contractual backstop) | UK GDPR; Data Protection Act 2018 |
| 🇺🇸 United States / Canada | EU–US Data Privacy Framework (DPF-certified Microsoft entities); Canada Adequacy Decision (PIPEDA); Microsoft DPA / SCCs Module 3 backstop | Applicable US state laws; PIPEDA (Canada) |
| 🇦🇺 Australia | Microsoft Products & Services DPA incorporating 2021 SCCs Module 3 (no EU adequacy decision) | Privacy Act 1988 (APPs); NDB Scheme |
| 🇮🇳 India | Microsoft Products & Services DPA incorporating 2021 SCCs Module 3 (no EU adequacy decision) | DPDPA 2023 |
| 🇿🇦 South Africa | Binding agreement enforceable by data subjects (per POPIA §72); Microsoft DPA / SCCs Module 3 | POPIA |
For the Customer-to-CerebrumEdge (Controller-to-Processor) leg, non-EEA Customers must ensure Module 2 SCCs (Controller-to-Processor) are in place where required under GDPR Chapter V. This is addressed in Data Processing Agreement v1.2, Section 7.
Data Retention and Deletion
| Data Category | Retention Period | Deletion Trigger |
|---|---|---|
| POC / Demo data | Maximum 30 days from completion of POC/demo activity | Completion of POC. DPO confirms deletion. |
| Processed video & ergonomic assessment results | 90 days from contract end, or upon Controller erasure request (whichever is earlier) | Contract termination or erasure request |
| Post-contract personal data (all categories) | 30 days from contract expiry/termination | Contract end date |
| Backup copies | 30-day rolling backup retention window (automatic) | Auto-expired by Azure Backup services |
| Audit & access logs | 12 months from creation (ISO 27001:2022 A.8.15) | Rolling deletion |
| Authentication logs | 90 days from creation | Rolling deletion |
| Financial / accounting records | 7 years (applicable tax and company law) | Statutory period expiry |
- Primary storage: data is permanently and irreversibly deleted using Azure storage secure deletion, which overwrites data and prevents recovery.
- Backup copies: backup snapshots are automatically expired and deleted within the 30-day backup window. On a Controller-directed erasure request under GDPR Art. 17, backup copies are deleted from both primary and backup storage.
- Deletion certificate: a written deletion confirmation is issued to the Controller upon request.
Platform Users (Workers/Employees): Submit deletion requests to your employer (Data Controller), who will coordinate with CerebrumEdge as Processor.
Business Contacts: Submit requests directly to dpo@cerebrumedge.com with subject line "Data Deletion Request". We will respond within the timeframe applicable to your jurisdiction (see Section 11).
Retention Exceptions: We may retain data where required by applicable law (e.g., financial records), for legitimate security purposes (audit logs under ISO 27001), or to establish, exercise, or defend legal claims.
Your Rights and How to Exercise Them
You have rights in relation to your personal data. The specific rights available to you depend on your jurisdiction and are set out in detail in Section 11. The following general rights apply across all jurisdictions we operate in:
Submit a Data Subject Request (DSR) by emailing dpo@cerebrumedge.com with:
- Your full name and, for platform users, your employer organisation name
- The specific right(s) you wish to exercise
- Sufficient information to identify the data in question
We may request additional verification of your identity to process the request. We will not charge a fee for reasonable requests. Response timelines vary by jurisdiction — see Section 11.
Security Measures
CerebrumEdge is certified to ISO/IEC 27001:2022 and implements the following technical and organisational measures (TOMs) to protect your personal data:
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute data security. In the event of a personal data breach, we will notify affected parties and supervisory authorities as required by applicable law (see Section 13).
Jurisdiction-Specific Privacy Rights
This section sets out the specific rights and obligations that apply based on your location. Select the section applicable to you.
If you are located in the EU/EEA, you benefit from the full suite of rights under the General Data Protection Regulation (GDPR):
- Art. 15 — Right of access to your personal data
- Art. 16 — Right to rectification
- Art. 17 — Right to erasure ("right to be forgotten")
- Art. 18 — Right to restriction of processing
- Art. 20 — Right to data portability
- Art. 21 — Right to object (including to direct marketing)
- Art. 22 — Rights related to automated decision-making
Response timeline: 30 days (extendable by a further 60 days for complex requests, with notice).
Supervisory Authority: You have the right to lodge a complaint with your national Data Protection Authority. Relevant authorities include: BfDI (Germany) · CNIL (France) · DPC (Ireland). A full list of EU DPAs is available at edpb.europa.eu.
UK residents are protected by UK GDPR (retained EU law) and the Data Protection Act 2018, which mirror GDPR rights with UK-specific modifications. The same rights listed in Section 11.1 apply.
Transfer mechanism: Data flows between the UK and EEA are covered by the EU–UK Adequacy Decision. Transfers to other countries use the UK International Data Transfer Addendum (IDTA) to the EU SCCs.
Response timeline: 30 days.
Supervisory Authority: Information Commissioner's Office (ICO) — ico.org.uk | 0303 123 1113.
The United States does not have a single federal privacy law. CerebrumEdge complies with applicable federal obligations (including FTC Act §5 unfair/deceptive practices standards) and the following state laws:
California — CCPA / CPRA: California residents have the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected, sources, business purposes, and third parties with whom data is shared.
- Right to Delete: Request deletion of personal information (subject to exceptions). See Section 8.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell personal information. We do not share personal information for cross-context behavioural advertising. You may submit a "Do Not Sell or Share" request to dpo@cerebrumedge.com.
- Right to Limit Use of Sensitive Personal Information: You may direct us to limit the use of sensitive personal information (including biometric-adjacent data) to only what is necessary to provide the service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Response timeline: 45 days (extendable by a further 45 days with notice). Enforcement: California Attorney General; California Privacy Protection Agency (CPPA).
Other State Laws (Virginia VCDPA, Colorado CPA, Texas TDPSA): Residents of Virginia, Colorado, and Texas have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt-out of profiling. Response timeline: 30 days (Virginia, Colorado); 45 days (Texas).
To exercise any US state privacy right, contact: dpo@cerebrumedge.com with subject line "US Privacy Rights Request — [Your State]".
- Section 23 — Right to be notified that personal information is being collected
- Section 24 — Right to access your personal information
- Section 24 — Right to request correction or deletion of inaccurate, irrelevant, or unlawfully processed personal information
- Section 11(3) — Right to object to processing based on legitimate grounds
- Section 69 — Right to opt-out of direct marketing communications
Lawful grounds for processing (POPIA §11): We process your personal data on the following grounds: performance of a contract, compliance with a legal obligation, legitimate interest (where not overridden by your interests), or consent where specifically required.
Special personal information (POPIA §26): Processing of special personal information (including health-related or biometric data) is conducted only where an applicable exception applies (employment context, workplace health & safety) or with explicit consent.
Cross-border transfers: Transfers outside South Africa are conducted under binding agreements enforceable by data subjects (POPIA §72), implemented through Microsoft's Data Protection Addendum incorporating 2021 SCCs.
Response timeline: 30 days. Information Officer: dpo@cerebrumedge.com. Registered with the Information Regulator of South Africa.
Supervisory Authority: Information Regulator of South Africa — inforegulator.org.za | inforeg@justice.gov.za.
Data breach notification: In the event of a data breach, we will notify both the Information Regulator and affected data subjects as soon as reasonably possible (POPIA §22).
CerebrumEdge does not meet the threshold for mandatory application of the Australian Privacy Act 1988 (annual turnover below AUD 3M). The mandatory Australian Privacy Principles (APPs) therefore do not apply to CerebrumEdge directly. However, CerebrumEdge is committed to handling personal data of Australian individuals responsibly in line with good privacy practice.
Cross-border disclosure: CerebrumEdge takes reasonable steps to ensure that overseas recipients (Microsoft Azure) handle personal information in a manner consistent with the APPs (APP 8.1). Our engagement with Microsoft is governed by the Microsoft Products & Services Data Processing Addendum.
Notifiable Data Breaches (NDB) Scheme: Eligible data breaches (those likely to result in serious harm) will be reported to the Office of the Australian Information Commissioner (OAIC) and affected individuals as required.
India's Digital Personal Data Protection Act 2023 (DPDPA) applies to the processing of personal data of individuals located in India. Under the DPDPA, CerebrumEdge may act as a Data Fiduciary (where acting as Data Controller) or Data Processor (when processing data on behalf of a Customer).
Rights of Indian Data Principals (DPDPA §§11–14):
- Section 11 — Right to obtain a summary of personal data processed and information about third parties with whom it has been shared
- Section 12 — Right to correction, completion, updating, and erasure of personal data
- Section 13 — Right to grievance redressal — grievances will be addressed within 30 days
- Section 14 — Right to nominate another individual to exercise rights on your behalf in case of death or incapacity (a right unique to DPDPA)
Consent (DPDPA §5–6): Before processing personal data of Indian data principals, we provide a consent notice in English describing: what data is collected, the purpose of processing, and the rights available. Consent may be given, managed, reviewed, and withdrawn through our DPO contact or, once operationalised, through a registered Consent Manager.
Withdrawal of consent: You may withdraw consent at any time by contacting dpo@cerebrumedge.com. Upon withdrawal, CerebrumEdge will cease processing and delete your personal data unless retention is required by applicable law or for the ongoing performance of a contract.
Deemed Consent for Workplace Processing (DPDPA §7): Where ErgoEdge® is deployed by an employer for legitimate workplace ergonomic safety purposes, processing may be conducted under deemed consent provisions (§7) — specifically employment, workplace health & safety, and obligations under applicable labour law.
Grievance Officer: dpo@cerebrumedge.com. Grievances will be acknowledged and resolved within 30 days. If your grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India.
Cross-Border Transfers (DPDPA §16): Transfer of personal data of Indian data principals outside India is permissible unless the Indian government restricts transfer to a specific country. Currently, no restricted countries list has been published. Our transfers are conducted via Microsoft's Data Protection Addendum incorporating 2021 SCCs Module 3.
Children's Data (DPDPA §9): Processing personal data of individuals under 18 years requires verifiable parental consent. ErgoEdge® is a B2B workplace tool and is not intended for use by minors. Customers must ensure the platform is not used to process data of workers under 18 without applicable consent.
Supervisory Authority: Data Protection Board of India (DPBI) — dpboard.gov.in.
Cookies and Tracking Technologies
The ErgoEdge® application uses only strictly necessary cookies essential for secure login and session management. No analytics, tracking, or marketing cookies are used. A "cookie" is a small data file stored on your device to maintain your secure session within the ErgoEdge® application.
| Cookie Category | Purpose & Basis |
|---|---|
| Strictly Necessary | Essential for application operation and security. Cannot be disabled. Legal basis: legitimate interests. |
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, CerebrumEdge will:
- As Data Processor: notify the relevant Data Controller (your employer) within 24 hours of becoming aware of a confirmed or suspected breach, to enable the Controller to meet its 72-hour GDPR Article 33 notification obligation.
- As Data Controller (for business contacts): notify the relevant supervisory authority within 72 hours of awareness where required (GDPR Art. 33; POPIA §22; Australian NDB Scheme; DPDPA §8(6)).
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights (GDPR Art. 34; POPIA §22; Australian NDB Scheme).
All breach notifications and responses are documented in our Personal Data Breach Register per ISO/IEC 27001:2022 A.5.24–A.5.28.
Business Transfers
If CerebrumEdge is involved in a merger, acquisition, asset sale, or similar corporate transaction, personal data may be transferred to the acquiring entity as part of that transaction. We will:
- Notify affected data subjects of any material change in the identity of the Data Controller as a result of the transaction
- Provide affected data subjects with the opportunity to withdraw consent or exercise applicable rights prior to data being processed under any materially different privacy policy
- Ensure any acquiring entity is bound by data protection obligations at least equivalent to those in this Policy
Children's Privacy
ErgoEdge® is a B2B workplace SaaS platform intended exclusively for use by adults in a professional/employment context. It is not directed at, and should not be used to process data of, individuals under the following age thresholds:
| Jurisdiction | Minimum Age Threshold |
|---|---|
| 🇪🇺 EU / EEA | 16 years (or lower threshold set by Member State, minimum 13) |
| 🇬🇧 United Kingdom | 13 years |
| 🇺🇸 United States (COPPA) | 13 years for general online services |
| 🇺🇸 United States (state laws — sensitive/health data) | 18 years for sensitive/health data processing |
| 🇿🇦 South Africa (POPIA) | 18 years |
| 🇦🇺 Australia | 18 years (practical standard for workplace data) |
| 🇮🇳 India (DPDPA) | 18 years |
Customers are responsible for ensuring ErgoEdge® is not used to process data of workers below these age thresholds without applicable parental consent. CerebrumEdge does not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected without appropriate consent, we will delete it promptly.
Third-Party Links
Our website may contain links to external websites not operated by CerebrumEdge. We have no control over the content or privacy practices of those sites and accept no responsibility for them. We encourage you to review the privacy policy of any third-party site you visit.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will:
- Update the "Last Updated" date at the top of this Policy
- Post the updated Policy on our website at ergoedge.cerebrumedge.com/privacy.html
- For material changes (e.g., new processing activities, change in Data Controller identity, or new lawful basis), provide at least 30 days' advance notice via email to affected data subjects and request re-consent where required by applicable law
Your continued use of the ErgoEdge® platform or our website after the effective date of an updated Policy constitutes acceptance of the changes, to the extent permitted by applicable law.
Contact Us & Supervisory Authorities
For all privacy-related enquiries, requests, or complaints:
You have the right to lodge a complaint with the data protection supervisory authority in your jurisdiction:
| Jurisdiction | Supervisory Authority & Contact |
|---|---|
| EU / EEA | Your national DPA. Full list: edpb.europa.eu/about-edpb/board/members_en |
| Germany | Federal Commissioner for Data Protection (BfDI) — www.bfdi.bund.de |
| France | CNIL — www.cnil.fr |
| Ireland | Data Protection Commission (DPC) — www.dataprotection.ie |
| United Kingdom | Information Commissioner's Office (ICO) — ico.org.uk | 0303 123 1113 |
| United States (CA) | California Privacy Protection Agency (CPPA) — cppa.ca.gov |
| South Africa | Information Regulator — inforegulator.org.za | inforeg@justice.gov.za |
| Australia | Office of the Australian Information Commissioner (OAIC) — oaic.gov.au (for information only; mandatory APPs do not apply to CerebrumEdge) |
| India | Data Protection Board of India (DPBI) — dpboard.gov.in |