ErgoEdge® | Privacy Policy
Version 2.0 · April 2026 ISO/IEC 27001:2022 dpo@cerebrumedge.com
CerebrumEdge Tech Pvt Ltd

ErgoEdge® Privacy Policy

Version 2.0 · April 2026 ISO/IEC 27001:2022 Certified DPO: dpo@cerebrumedge.com
Section 1

Introduction & About This Policy

This Privacy Policy describes how CerebrumEdge Tech Pvt Ltd ("CerebrumEdge", "we", "us", or "our") collects, uses, discloses, and protects personal data in connection with the ErgoEdge® AI-powered Workplace Ergonomic Risk Assessment SaaS platform.

This Policy has been updated to comply with privacy and data protection laws across six jurisdictions: the EU/EEA (GDPR), the United Kingdom (UK GDPR), the United States (CCPA/CPRA and applicable state laws), South Africa (POPIA), Australia (Privacy Act 1988 / APPs), and India (DPDPA 2023). Where your local law provides rights or protections beyond the general provisions of this Policy, those jurisdiction-specific rights are described in Section 11.

Section 2

Who We Are: Controller and Processor Roles

Understanding the roles of the parties involved is essential, particularly for users of the ErgoEdge® platform.

2.1 CerebrumEdge as Data Processor (ErgoEdge Platform Users)

When ErgoEdge® is deployed by an employer or organisation (the "Customer"), CerebrumEdge acts as a Data Processor. The Customer (your employer) is the Data Controller and determines the purposes and means of processing your personal data through the platform. CerebrumEdge processes data solely on the Customer's documented instructions.

If you are a worker or employee whose data is processed via ErgoEdge®, your primary point of contact for data rights requests is your employer (the Data Controller). CerebrumEdge will assist your employer in responding to those requests.

2.2 CerebrumEdge as Data Controller (Business Contacts)

CerebrumEdge acts as Data Controller for personal data collected directly from business contacts, website visitors, and prospective customers — such as enquiry forms, demo requests, and sales or support communications.

Your RelationshipApplicable Role
Worker / employee using ErgoEdge® via your employerCerebrumEdge = Data Processor; Your Employer = Data Controller
Business contact, prospect, or website visitorCerebrumEdge = Data Controller
ErgoEdge® platform administrator at a Customer organisationCerebrumEdge = Data Processor; Customer = Data Controller
2.3 Data Protection Officer (DPO)

CerebrumEdge has appointed a Data Protection Officer as required under GDPR Article 37 and as best practice across all jurisdictions. The DPO may be contacted at:

  • Email: dpo@cerebrumedge.com
  • Post: Data Protection Officer, CerebrumEdge Tech Pvt Ltd, 3rd Floor, Evolve Work Studio, Doddanekundi Industrial Area, Bengaluru, Karnataka 560048, India
India: Our Grievance Officer (DPDPA 2023 §15) is the same contact: dpo@cerebrumedge.com. Grievances will be acknowledged and resolved within 30 days.
South Africa: Our Information Officer is registered with the Information Regulator. Contact: dpo@cerebrumedge.com.
Section 3

Information We Collect

3.1 ErgoEdge® Platform Data
Data CategoryDescriptionPrivacy Safeguard
Workplace video footageVideo recordings of workers performing tasks at workstations, uploaded by the CustomerEncrypted at upload (AES-256). Original video deletion available on Customer request.
Facial imagery (transient)Detected during AI frame analysis onlyFaces are blurred (pseudonymised) before display. No facial recognition or identity matching.
Posture & movement metadataJoint angles, movement patterns, ergonomic risk scores generated from video framesPseudonymised output. Not linked to individual identity in outputs.
User account dataBusiness email address only, used to create platform accounts for authorised usersMinimum data principle. No personal phone or address required.
Application & security logsSystem access logs, authentication events, audit trailRetained in EEA only (Germany West Central) regardless of Customer region selection.
3.2 ErgoEdge® Application Login Data

When you log in to or interact with the ErgoEdge® application, we may collect the following limited data:

  • Session log data: IP address, browser type/version, pages visited within the application, time and date, duration of session
  • Device data: device type, operating system — collected only to the extent necessary for application security and compatibility
  • Account data: business email address only, used to authenticate your platform account. No personal phone number or home address is required or collected by the ErgoEdge® application.
3.3 Special Category & Sensitive Data

ErgoEdge® processes video footage of workers that may contain biometric-adjacent data (posture, movement). We do not conduct facial recognition or create biometric profiles.

For users in jurisdictions where ergonomic/health-related data qualifies as sensitive (including CPRA "sensitive personal information" and POPIA "special personal information"), we process only the minimum data necessary and apply enhanced technical safeguards as described in Section 10.

3.4 Data We Do Not Collect
  • We do not collect or process sensitive personal data (health records, financial data, national ID numbers, passwords) beyond what is strictly necessary for service delivery.
  • We do not sell or share personal data for cross-context behavioural advertising.
  • ErgoEdge® is a workplace B2B tool and is not directed at individuals under the age of 18. We do not knowingly collect data from minors.
Section 4

Legal Basis for Processing

We process personal data only where we have a valid legal basis. The applicable basis depends on your jurisdiction and the nature of the processing activity.

Processing ActivityLegal Basis (GDPR / UK GDPR)Equivalent Basis (Other Jurisdictions)
Delivering the ErgoEdge® platform serviceArt. 6(1)(b) — Contract performancePOPIA §11(1)(b); DPDPA Deemed Consent §7; APPs
Ergonomic risk video analysisArt. 6(1)(b) — Contract; Art. 9(2)(b) — Employment context for workplace health & safetyPOPIA §11(1)(b) & §26(1)(a); CCPA service provider; DPDPA §7(a)
User account managementArt. 6(1)(b) — Contract performancePOPIA §11(1)(b); DPDPA Consent §6
Platform analytics & improvementArt. 6(1)(f) — Legitimate interestsPOPIA §11(1)(f); APP 3; CCPA business purpose
Security monitoring & audit logsArt. 6(1)(c) — Legal obligation; Art. 6(1)(f) — Legitimate interests (ISO 27001)POPIA §11(1)(c); DPDPA §7(e)
Marketing & business development communicationsArt. 6(1)(a) — Consent; or Art. 6(1)(f) — Legitimate interests (existing B2B customers)POPIA §69 — opt-in consent required; CCPA opt-out right applies; DPDPA §6 consent
Compliance with legal obligationsArt. 6(1)(c) — Legal obligationAll jurisdictions: applicable local law

Where we rely on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. To withdraw consent, contact dpo@cerebrumedge.com or use the opt-out mechanism in the relevant communication.

Section 5

How We Use Your Information

We collect and use personal data strictly for the purposes listed below. We will not process your data in a manner incompatible with these purposes.

  • To deliver, operate, and improve the ErgoEdge® platform and its ergonomic risk assessment features
  • To generate ergonomic risk scores and safety reports for your employer (Data Controller)
  • To manage user accounts and provide platform access for authorised personnel
  • To communicate with you regarding your account, service updates, and support requests
  • To conduct platform performance analytics and security monitoring (ISO 27001:2022 requirement)
  • To comply with legal and regulatory obligations in applicable jurisdictions
  • For legitimate B2B marketing communications to business contacts, subject to applicable opt-out rights
  • To protect the legal rights and interests of CerebrumEdge and our customers
5.1 Automated Processing & AI Decision-Making

ErgoEdge® uses AI and Computer Vision to automatically analyse video footage and generate ergonomic risk scores. This constitutes automated processing under GDPR Article 22, POPIA Section 71, and India DPDPA Section 8.

Important: No automated decision with a legal or similarly significant effect on a worker is made solely by the AI system. All ergonomic risk outputs are presented to qualified Health, Safety & Environment (HSE/EHS) professionals, who conduct human review before any workplace action is taken. You have the right to request human review of any automated assessment output. Contact your employer (Data Controller) to exercise this right.
Section 6

Disclosure of Personal Information to Third Parties

6.1 Sub-Processors

CerebrumEdge engages the following sub-processors to deliver the ErgoEdge® service. All sub-processors are bound by Data Processing Agreements incorporating appropriate contractual safeguards:

Sub-ProcessorRole & Data ProcessedData Location & Transfer Basis
Microsoft AzureCloud infrastructure, storage (Blob, SQL, Cosmos DB), AKS, Key Vault, Redis Cache, WAF. Processes workplace video, ergonomic analytics, user account data, application logs.EEA-always tier: Germany West Central / West Europe. Customer-selectable tier: per DPA Schedule 5. Transfer basis: Microsoft Products & Services DPA incorporating 2021 SCCs Module 3; EU-UK Adequacy; EU-US DPF.

We will notify Customers of any intended changes to our sub-processor list (additions or replacements) and provide Customers the opportunity to object to such changes as per our Data Processing Agreement v1.2.

6.2 Other Disclosures

We may also disclose personal information to:

  • Our employees and contractors, strictly on a need-to-know basis and bound by confidentiality obligations
  • Courts, tribunals, regulatory authorities, and law enforcement agencies, as required by applicable law or to defend our legal rights
  • Professional advisors (legal, accounting, insurance), subject to binding confidentiality obligations
  • A successor entity in the event of a merger, acquisition, or business transfer (see Section 14)

We do NOT disclose personal data to advertising networks, data brokers, or third parties for direct marketing without your consent. We do NOT sell personal data.

Section 7

International Data Transfers

7.1 Split-Residency Architecture

CerebrumEdge operates a split-residency data architecture. The following data categories remain in the EEA (Germany West Central) at all times, regardless of your Customer's selected region:

  • Application and security logs
  • User account data and credentials
  • Platform analytics and ISMS monitoring data

Workplace video footage (primary processing data) is hosted in the Customer's selected region, chosen at onboarding and fixed for the contract term. Available regions: EEA (default), UK, US/Canada, Australia, India.

7.2 Transfer Mechanisms by Region
RegionTransfer MechanismApplicable Law
🇪🇺 EEA (default)No transfer — all primary data within EEAGDPR (EU) 2016/679
🇬🇧 United KingdomEU–UK Adequacy Decision (primary); Microsoft DPA / SCCs Module 3 (contractual backstop)UK GDPR; Data Protection Act 2018
🇺🇸 United States / CanadaEU–US Data Privacy Framework (DPF-certified Microsoft entities); Canada Adequacy Decision (PIPEDA); Microsoft DPA / SCCs Module 3 backstopApplicable US state laws; PIPEDA (Canada)
🇦🇺 AustraliaMicrosoft Products & Services DPA incorporating 2021 SCCs Module 3 (no EU adequacy decision)Privacy Act 1988 (APPs); NDB Scheme
🇮🇳 IndiaMicrosoft Products & Services DPA incorporating 2021 SCCs Module 3 (no EU adequacy decision)DPDPA 2023
🇿🇦 South AfricaBinding agreement enforceable by data subjects (per POPIA §72); Microsoft DPA / SCCs Module 3POPIA

For the Customer-to-CerebrumEdge (Controller-to-Processor) leg, non-EEA Customers must ensure Module 2 SCCs (Controller-to-Processor) are in place where required under GDPR Chapter V. This is addressed in Data Processing Agreement v1.2, Section 7.

Section 8

Data Retention and Deletion

8.1 Retention Schedule
Data CategoryRetention PeriodDeletion Trigger
POC / Demo dataMaximum 30 days from completion of POC/demo activityCompletion of POC. DPO confirms deletion.
Processed video & ergonomic assessment results90 days from contract end, or upon Controller erasure request (whichever is earlier)Contract termination or erasure request
Post-contract personal data (all categories)30 days from contract expiry/terminationContract end date
Backup copies30-day rolling backup retention window (automatic)Auto-expired by Azure Backup services
Audit & access logs12 months from creation (ISO 27001:2022 A.8.15)Rolling deletion
Authentication logs90 days from creationRolling deletion
Financial / accounting records7 years (applicable tax and company law)Statutory period expiry
8.2 Deletion Process
  • Primary storage: data is permanently and irreversibly deleted using Azure storage secure deletion, which overwrites data and prevents recovery.
  • Backup copies: backup snapshots are automatically expired and deleted within the 30-day backup window. On a Controller-directed erasure request under GDPR Art. 17, backup copies are deleted from both primary and backup storage.
  • Deletion certificate: a written deletion confirmation is issued to the Controller upon request.
8.3 Your Right to Request Deletion

Platform Users (Workers/Employees): Submit deletion requests to your employer (Data Controller), who will coordinate with CerebrumEdge as Processor.

Business Contacts: Submit requests directly to dpo@cerebrumedge.com with subject line "Data Deletion Request". We will respond within the timeframe applicable to your jurisdiction (see Section 11).

Retention Exceptions: We may retain data where required by applicable law (e.g., financial records), for legitimate security purposes (audit logs under ISO 27001), or to establish, exercise, or defend legal claims.

Section 9

Your Rights and How to Exercise Them

You have rights in relation to your personal data. The specific rights available to you depend on your jurisdiction and are set out in detail in Section 11. The following general rights apply across all jurisdictions we operate in:

Right of Access
Request confirmation of whether we process your data and obtain a copy.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your data (subject to retention exceptions). See Section 8.
Right to Restriction
Request that we limit processing of your data in certain circumstances.
Right to Portability
Receive your data in a structured, machine-readable format (GDPR / UK GDPR).
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Withdraw Consent
Withdraw consent at any time where processing is consent-based.
Automated Decisions
Request human review of automated ergonomic assessments.
9.1 How to Exercise Your Rights

Submit a Data Subject Request (DSR) by emailing dpo@cerebrumedge.com with:

  • Your full name and, for platform users, your employer organisation name
  • The specific right(s) you wish to exercise
  • Sufficient information to identify the data in question

We may request additional verification of your identity to process the request. We will not charge a fee for reasonable requests. Response timelines vary by jurisdiction — see Section 11.

Section 10

Security Measures

🛡️ ISO/IEC 27001:2022 Certified

CerebrumEdge is certified to ISO/IEC 27001:2022 and implements the following technical and organisational measures (TOMs) to protect your personal data:

🔐
Encryption at Rest
AES-256 (FIPS 140-2 compliant) for all stored data, including video footage, databases, and backup copies
🔒
Encryption in Transit
TLS 1.2 or higher for all data transmitted between components and end users
👤
Pseudonymisation
Facial images blurred before display; ergonomic outputs not linked to individual identities in reports
🎛️
Access Controls
RBAC; Multi-Factor Authentication (MFA) enforced for all platform accounts; principle of least privilege
📋
Audit Logging
All access to personal data logged and monitored; logs retained per ISO 27001:2022 A.8.15
🔍
Penetration Testing
Regular vulnerability assessments and penetration tests conducted by independent third parties
💾
Backup & Recovery
Daily automated backups; RTO 12 hours; RPO 24 hours; geo-redundant storage
🧑‍💼
Personnel Security
All staff handling personal data bound by NDA; annual information security training mandatory
🏗️
Privacy by Design
Privacy impact assessed at design stage for every new feature; DPO consulted on new processing activities (GDPR Art. 25)

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute data security. In the event of a personal data breach, we will notify affected parties and supervisory authorities as required by applicable law (see Section 13).

Section 11

Jurisdiction-Specific Privacy Rights

This section sets out the specific rights and obligations that apply based on your location. Select the section applicable to you.

🇪🇺
11.1 European Union / EEA
GDPR (EU) 2016/679

If you are located in the EU/EEA, you benefit from the full suite of rights under the General Data Protection Regulation (GDPR):

  • Art. 15 — Right of access to your personal data
  • Art. 16 — Right to rectification
  • Art. 17 — Right to erasure ("right to be forgotten")
  • Art. 18 — Right to restriction of processing
  • Art. 20 — Right to data portability
  • Art. 21 — Right to object (including to direct marketing)
  • Art. 22 — Rights related to automated decision-making

Response timeline: 30 days (extendable by a further 60 days for complex requests, with notice).

Supervisory Authority: You have the right to lodge a complaint with your national Data Protection Authority. Relevant authorities include: BfDI (Germany) · CNIL (France) · DPC (Ireland). A full list of EU DPAs is available at edpb.europa.eu.

🇬🇧
11.2 United Kingdom
UK GDPR & Data Protection Act 2018

UK residents are protected by UK GDPR (retained EU law) and the Data Protection Act 2018, which mirror GDPR rights with UK-specific modifications. The same rights listed in Section 11.1 apply.

Transfer mechanism: Data flows between the UK and EEA are covered by the EU–UK Adequacy Decision. Transfers to other countries use the UK International Data Transfer Addendum (IDTA) to the EU SCCs.

Response timeline: 30 days.

Supervisory Authority: Information Commissioner's Office (ICO) — ico.org.uk | 0303 123 1113.

🇺🇸
11.3 United States
Federal & State Privacy Laws (CCPA / CPRA)

The United States does not have a single federal privacy law. CerebrumEdge complies with applicable federal obligations (including FTC Act §5 unfair/deceptive practices standards) and the following state laws:

California — CCPA / CPRA: California residents have the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected, sources, business purposes, and third parties with whom data is shared.
  • Right to Delete: Request deletion of personal information (subject to exceptions). See Section 8.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information. We do not share personal information for cross-context behavioural advertising. You may submit a "Do Not Sell or Share" request to dpo@cerebrumedge.com.
  • Right to Limit Use of Sensitive Personal Information: You may direct us to limit the use of sensitive personal information (including biometric-adjacent data) to only what is necessary to provide the service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Categories of personal information collected (CCPA): Identifiers (email, IP address); Commercial information (service usage); Internet/electronic activity (log data); Geolocation data (approximate, from IP); Professional/employment information (organisation name, job role); Visual information (workplace video footage processed on behalf of your employer as Data Controller). Note: California residents' CCPA rights in relation to this data should be directed to their employer. CerebrumEdge processes this data solely as a Data Processor acting on the employer's instructions.

Response timeline: 45 days (extendable by a further 45 days with notice). Enforcement: California Attorney General; California Privacy Protection Agency (CPPA).

Other State Laws (Virginia VCDPA, Colorado CPA, Texas TDPSA): Residents of Virginia, Colorado, and Texas have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt-out of profiling. Response timeline: 30 days (Virginia, Colorado); 45 days (Texas).

To exercise any US state privacy right, contact: dpo@cerebrumedge.com with subject line "US Privacy Rights Request — [Your State]".

Note for US Customers: Customers deploying ErgoEdge® in Illinois should independently assess their obligations under the Illinois Biometric Information Privacy Act (BIPA) as Data Controllers. Customers deploying ErgoEdge® in Washington State should independently assess their obligations under the My Health MY Data Act as Data Controllers.
🇿🇦
11.4 South Africa
POPIA (Protection of Personal Information Act 4 of 2013)
  • Section 23 — Right to be notified that personal information is being collected
  • Section 24 — Right to access your personal information
  • Section 24 — Right to request correction or deletion of inaccurate, irrelevant, or unlawfully processed personal information
  • Section 11(3) — Right to object to processing based on legitimate grounds
  • Section 69 — Right to opt-out of direct marketing communications

Lawful grounds for processing (POPIA §11): We process your personal data on the following grounds: performance of a contract, compliance with a legal obligation, legitimate interest (where not overridden by your interests), or consent where specifically required.

Special personal information (POPIA §26): Processing of special personal information (including health-related or biometric data) is conducted only where an applicable exception applies (employment context, workplace health & safety) or with explicit consent.

Cross-border transfers: Transfers outside South Africa are conducted under binding agreements enforceable by data subjects (POPIA §72), implemented through Microsoft's Data Protection Addendum incorporating 2021 SCCs.

Response timeline: 30 days. Information Officer: dpo@cerebrumedge.com. Registered with the Information Regulator of South Africa.

Supervisory Authority: Information Regulator of South Africa — inforegulator.org.za | inforeg@justice.gov.za.

Data breach notification: In the event of a data breach, we will notify both the Information Regulator and affected data subjects as soon as reasonably possible (POPIA §22).

🇦🇺
11.5 Australia
Privacy Act 1988 & Good Privacy Practice

CerebrumEdge does not meet the threshold for mandatory application of the Australian Privacy Act 1988 (annual turnover below AUD 3M). The mandatory Australian Privacy Principles (APPs) therefore do not apply to CerebrumEdge directly. However, CerebrumEdge is committed to handling personal data of Australian individuals responsibly in line with good privacy practice.

Note for Australian Customers: Customers (as Data Controllers) deploying ErgoEdge® to process data of Australian workers should review their own APP obligations.

Cross-border disclosure: CerebrumEdge takes reasonable steps to ensure that overseas recipients (Microsoft Azure) handle personal information in a manner consistent with the APPs (APP 8.1). Our engagement with Microsoft is governed by the Microsoft Products & Services Data Processing Addendum.

Notifiable Data Breaches (NDB) Scheme: Eligible data breaches (those likely to result in serious harm) will be reported to the Office of the Australian Information Commissioner (OAIC) and affected individuals as required.

🇮🇳
11.6 India
Digital Personal Data Protection Act 2023 (DPDPA)

India's Digital Personal Data Protection Act 2023 (DPDPA) applies to the processing of personal data of individuals located in India. Under the DPDPA, CerebrumEdge may act as a Data Fiduciary (where acting as Data Controller) or Data Processor (when processing data on behalf of a Customer).

Terminology note: Under DPDPA, "Data Fiduciary" corresponds to Data Controller; "Data Principal" corresponds to data subject; "Data Processor" is the same as under GDPR.

Rights of Indian Data Principals (DPDPA §§11–14):

  • Section 11 — Right to obtain a summary of personal data processed and information about third parties with whom it has been shared
  • Section 12 — Right to correction, completion, updating, and erasure of personal data
  • Section 13 — Right to grievance redressal — grievances will be addressed within 30 days
  • Section 14 — Right to nominate another individual to exercise rights on your behalf in case of death or incapacity (a right unique to DPDPA)

Consent (DPDPA §5–6): Before processing personal data of Indian data principals, we provide a consent notice in English describing: what data is collected, the purpose of processing, and the rights available. Consent may be given, managed, reviewed, and withdrawn through our DPO contact or, once operationalised, through a registered Consent Manager.

Withdrawal of consent: You may withdraw consent at any time by contacting dpo@cerebrumedge.com. Upon withdrawal, CerebrumEdge will cease processing and delete your personal data unless retention is required by applicable law or for the ongoing performance of a contract.

Deemed Consent for Workplace Processing (DPDPA §7): Where ErgoEdge® is deployed by an employer for legitimate workplace ergonomic safety purposes, processing may be conducted under deemed consent provisions (§7) — specifically employment, workplace health & safety, and obligations under applicable labour law.

Grievance Officer: dpo@cerebrumedge.com. Grievances will be acknowledged and resolved within 30 days. If your grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India.

Cross-Border Transfers (DPDPA §16): Transfer of personal data of Indian data principals outside India is permissible unless the Indian government restricts transfer to a specific country. Currently, no restricted countries list has been published. Our transfers are conducted via Microsoft's Data Protection Addendum incorporating 2021 SCCs Module 3.

Children's Data (DPDPA §9): Processing personal data of individuals under 18 years requires verifiable parental consent. ErgoEdge® is a B2B workplace tool and is not intended for use by minors. Customers must ensure the platform is not used to process data of workers under 18 without applicable consent.

Supervisory Authority: Data Protection Board of India (DPBI) — dpboard.gov.in.

Section 12

Cookies and Tracking Technologies

The ErgoEdge® application uses only strictly necessary cookies essential for secure login and session management. No analytics, tracking, or marketing cookies are used. A "cookie" is a small data file stored on your device to maintain your secure session within the ErgoEdge® application.

Cookie CategoryPurpose & Basis
Strictly NecessaryEssential for application operation and security. Cannot be disabled. Legal basis: legitimate interests.
Section 13

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, CerebrumEdge will:

  • As Data Processor: notify the relevant Data Controller (your employer) within 24 hours of becoming aware of a confirmed or suspected breach, to enable the Controller to meet its 72-hour GDPR Article 33 notification obligation.
  • As Data Controller (for business contacts): notify the relevant supervisory authority within 72 hours of awareness where required (GDPR Art. 33; POPIA §22; Australian NDB Scheme; DPDPA §8(6)).
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights (GDPR Art. 34; POPIA §22; Australian NDB Scheme).

All breach notifications and responses are documented in our Personal Data Breach Register per ISO/IEC 27001:2022 A.5.24–A.5.28.

Section 14

Business Transfers

If CerebrumEdge is involved in a merger, acquisition, asset sale, or similar corporate transaction, personal data may be transferred to the acquiring entity as part of that transaction. We will:

  • Notify affected data subjects of any material change in the identity of the Data Controller as a result of the transaction
  • Provide affected data subjects with the opportunity to withdraw consent or exercise applicable rights prior to data being processed under any materially different privacy policy
  • Ensure any acquiring entity is bound by data protection obligations at least equivalent to those in this Policy
Section 15

Children's Privacy

ErgoEdge® is a B2B workplace SaaS platform intended exclusively for use by adults in a professional/employment context. It is not directed at, and should not be used to process data of, individuals under the following age thresholds:

JurisdictionMinimum Age Threshold
🇪🇺 EU / EEA16 years (or lower threshold set by Member State, minimum 13)
🇬🇧 United Kingdom13 years
🇺🇸 United States (COPPA)13 years for general online services
🇺🇸 United States (state laws — sensitive/health data)18 years for sensitive/health data processing
🇿🇦 South Africa (POPIA)18 years
🇦🇺 Australia18 years (practical standard for workplace data)
🇮🇳 India (DPDPA)18 years

Customers are responsible for ensuring ErgoEdge® is not used to process data of workers below these age thresholds without applicable parental consent. CerebrumEdge does not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected without appropriate consent, we will delete it promptly.

Section 16

Third-Party Links

Our website may contain links to external websites not operated by CerebrumEdge. We have no control over the content or privacy practices of those sites and accept no responsibility for them. We encourage you to review the privacy policy of any third-party site you visit.

Section 17

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will:

  • Update the "Last Updated" date at the top of this Policy
  • Post the updated Policy on our website at ergoedge.cerebrumedge.com/privacy.html
  • For material changes (e.g., new processing activities, change in Data Controller identity, or new lawful basis), provide at least 30 days' advance notice via email to affected data subjects and request re-consent where required by applicable law

Your continued use of the ErgoEdge® platform or our website after the effective date of an updated Policy constitutes acceptance of the changes, to the extent permitted by applicable law.

Section 18

Contact Us & Supervisory Authorities

18.1 CerebrumEdge Contact

For all privacy-related enquiries, requests, or complaints:

Data Protection Officer (DPO)
Grievance Officer (India)
Information Officer (South Africa)
Postal Address
CerebrumEdge Tech Pvt Ltd, 3rd Floor, Evolve Work Studio, Doddanekundi Industrial Area, Bengaluru, Karnataka 560048, India
18.2 Supervisory Authorities

You have the right to lodge a complaint with the data protection supervisory authority in your jurisdiction:

JurisdictionSupervisory Authority & Contact
EU / EEAYour national DPA. Full list: edpb.europa.eu/about-edpb/board/members_en
GermanyFederal Commissioner for Data Protection (BfDI) — www.bfdi.bund.de
FranceCNIL — www.cnil.fr
IrelandData Protection Commission (DPC) — www.dataprotection.ie
United KingdomInformation Commissioner's Office (ICO) — ico.org.uk | 0303 123 1113
United States (CA)California Privacy Protection Agency (CPPA) — cppa.ca.gov
South AfricaInformation Regulator — inforegulator.org.za | inforeg@justice.gov.za
AustraliaOffice of the Australian Information Commissioner (OAIC) — oaic.gov.au (for information only; mandatory APPs do not apply to CerebrumEdge)
IndiaData Protection Board of India (DPBI) — dpboard.gov.in