Privacy Policy - Cerbotrace.com

Version 1.3 – Last Revised December 2024

1. Introduction

At Cerbotrace ("we," "us," or "our"), operated by Fluffy Pants Studio LLC, doing business as Cerbotrace, we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital content tracing and notification services.

Please read this Privacy Policy carefully. By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.

This Privacy Policy applies to information we collect:

On our website (cerbotrace.com)
Through our digital watermarking and tracing services
In email, text, and other electronic messages between you and our service
When you interact with our advertising and applications on third-party websites and services

Data Controller: Fluffy Pants Studio LLC (d/b/a Cerbotrace) is the data controller responsible for your personal information under this Privacy Policy.

EU Representative (Article 27 GDPR):
[EU Representative Service Name]
[Address]
Email: eu-rep@cerbotrace.com

UK Representative (Article 27 UK GDPR):
[UK Representative Service Name]
[Address]
Email: uk-rep@cerbotrace.com

Data Protection Officer (DPO): As our core activities include systematic monitoring of the internet for copyright infringement detection, we have appointed a Data Protection Officer as required by GDPR Article 37(1)(b). You may contact our DPO at dpo@cerbotrace.com for all data protection matters.

2. Information We Collect

We collect several types of information from and about users of our services, including:

2.1 Personal Information

Personal information is data that can be used to identify you individually. We may collect the following personal information:

Account Information: When you register for our services, we collect your name, email address, and contact information.
Billing Information: If you subscribe to our paid services, we collect payment information, which may include credit card details, billing address, and other financial information necessary for processing payments. Note: Payment card data is processed and stored securely by Stripe in their PCI-DSS compliant environment; we never see or store your raw card numbers.
Identity Verification Information: To validate ownership of digital content, we may request additional information such as business registration documents, platform seller accounts, copyright registration numbers, or government-issued identification in some cases. Important: Government-issued identification constitutes sensitive personal information under CPRA and high-risk personal data requiring heightened protection. We process identity documents based on our legitimate interests in preventing fraud and ensuring copyright ownership (Art. 6(1)(f)) and where required by law (Art. 6(1)(c)). We have conducted a balancing test confirming this processing is necessary and proportionate. Identity documents are deleted within 7 days after verification is complete.
Communication Data: We collect information you provide when you contact our support team, respond to surveys, or communicate with us in any way.

2.2 Digital Content Information

When you use our watermarking and tracing services, we process information related to your digital content:

Watermark Identifiers: Unique identifiers embedded in your digital files.
File Metadata: Basic information about your files such as file type, size, and creation date.
Content Characteristics: Technical data points used for content matching and identification.
Visual Fingerprints: Digital signatures generated by our AI vision system for content recognition. These are never shared with third parties except as required by law.
Similarity Scores: Results from automated content comparison algorithms. These scores are used solely for our services and are not shared with third parties.
Content Keywords: Text and metadata extracted from files for matching purposes.

As stated in our About page, we do not store your original files. Our process generates digital fingerprints, then immediately deletes all source data after processing is completed.

2.3 Usage Information

We automatically collect certain information about your equipment, browsing actions, and patterns when you interact with our website or services, including:

Log Data: Information that your browser sends whenever you visit our website, such as your IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform. This data is processed via CloudFlare for security and performance purposes under the lawful basis of legitimate interests. We do not use any AWS CloudWatch or Stripe telemetry data for analytical purposes.
Usage Data: Information about how you use our website and services, including the pages you visit, the time and date of your visit, the time spent on those pages, and other diagnostic data.
Device Information: Information about your computer or mobile device, including its type, model, unique device identifiers, operating system, and mobile network information.

3. Automated Processing and Artificial Intelligence

We use automated processing, including artificial intelligence and machine learning technologies, as core components of our services:

3.1 AI Vision System

Our proprietary AI vision system automatically:

Recognizes and analyzes visual content submitted to our platform
Generates digital fingerprints for content identification
Performs similarity matching against existing content in our database
Extracts keywords and metadata from uploaded files
Detects potential copyright infringement patterns
Scans third-party platforms for your protected content and sends automated alerts when positive matches are detected

3.2 Automated Decision Making

We make certain automated decisions that may affect you:

Content Rejection: Our system may automatically reject content if it shows high similarity (typically >95%) to existing protected content. The logic involves comparing visual fingerprints, metadata patterns, and similarity algorithms. Consequences include inability to proceed with watermarking until human review is completed.
Account Flagging: Repeated submission of similar or infringing content (3+ incidents within 30 days) may trigger automated account warnings. This could result in temporary upload restrictions or required manual review of future submissions.
Processing Priority: Subscription tier determines automated processing speed and features through rule-based assignment (Free: 7-day processing, Premium: 24-hour processing).
Third-Party Platform Monitoring: Our automated system continuously scans third-party platforms for matches to your protected content and categorizes findings into three levels: HIGH similarity (>85%), MEDIUM similarity (70-85%), and LOW similarity (50-70%). Only HIGH similarity matches automatically trigger email notifications to alert you of potential unauthorized use. By using our service, you consent to receive these automated notification emails as part of our content tracing and notification functionality.

Legal Effects: These consequences have no legal effect outside our platform and do not affect your legal rights or obligations with third parties.

3.3 Your Rights Regarding Automated Processing

Under GDPR Article 22, you have the right to:

Not be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you
Object to automated decision-making that significantly affects you
Contact Support if you think this is wrong
Receive an explanation of the logic, significance, and envisaged consequences of automated processing
Contest automated decisions and provide additional information
Express your point of view regarding the automated decision

Appeal Process: If your content is automatically rejected, you may appeal by contacting support@cerbotrace.com within 30 days. Appeals are reviewed by human staff within 5 business days (usually sooner) as required by GDPR Article 22(3) "without undue delay." During appeal review, you may submit additional evidence or context that was not available to the automated system.

Human Override: You can request human review of any automated decision by checking the "Request Human Review" option when submitting content or by contacting our support team directly.

4. How We Use Your Information

We use the information we collect about you or that you provide to us for the following purposes:

4.1 Providing and Improving Our Services

To provide you with the digital content tracing and notification services you have requested
To process and complete transactions, and send you related information, including purchase confirmations and invoices
To fingerprint your digital content and trace it across various platforms
To notify you when your protected content has been detected in unauthorized locations
To respond to your comments, questions, and requests, and provide customer service
To improve our website and services, and develop new products and services

4.2 Communication

To communicate with you about your account, services, and updates
To send you technical notices, security alerts, and support and administrative messages
To notify you about changes to our services, terms, or policies
For business users, we may contact you regarding service updates, security notifications, and account-related matters based on our legitimate interests in maintaining customer relationships

4.3 Security and Legal Compliance

To verify your identity and prevent fraud or other unauthorized or illegal activity
To enforce our terms, conditions, and policies
To protect our rights, property, or safety, and that of our users or others
To comply with applicable laws, regulations, legal processes, or governmental requests

4.4 Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Contract Performance (Art. 6(1)(b)): Processing necessary to provide our services to you
Legitimate Interests (Art. 6(1)(f)): Service improvement, security, fraud prevention, and copyright protection (balanced against your rights and freedoms)
Legal Compliance (Art. 6(1)(c)): Compliance with applicable laws and regulations, including identity verification for fraud prevention
Consent (Art. 6(1)(a)): For optional features (where explicitly provided)

5. Data Retention and Storage

5.1 Data Retention Periods

We retain different types of data for specific periods:

Personal Information: Retained for one (1) month after account termination, then pseudonymized or deleted
File Fingerprints: Retained for service functionality and similarity matching. These are automatically deleted 1 month after account termination
Identity Documents: Removed from active systems within 7 days after verification completion. Backup copies expire automatically on their normal 90-day retention cycle
Billing Records: Retained for 7 years as required by applicable law (note: Stripe retains tokenized payment data separately)
Legal Hold Data: Retained longer if required for ongoing legal proceedings
Evidence Packs: Pseudonymized and retained for up to six years for potential legal defense and user protection
Communication Records: Support communications retained for 2 years
System Backups: Retained for 90 days, then automatically deleted (encrypted and logically segregated)
Server Logs: Retained for 6 months for security and performance analysis

Data Processing Terminology: "Pseudonymized" means we retain a separate key and the data can still be re-linked under strict controls; it remains personal data under GDPR. "Anonymized" means the data cannot be re-linked to individuals and is no longer considered personal data.

5.2 Data Storage Locations

Your data may be stored and processed in:

United States (primary data centers via AWS)
Other locations where our service providers operate
CloudFlare edge servers worldwide for performance optimization

As mentioned earlier, we do not store your original digital files on our servers. Once the watermarking process is complete, the watermarked version is returned to you, and no copies of your original files remain on our systems.

5.3 Security Measures

We have implemented comprehensive security measures to protect your information:

Encryption: All data is encrypted in transit using industry-standard encryption (currently TLS 1.2 or higher) and at rest (AES-256 or equivalent)
Access Controls: Role-based access with multi-factor authentication for all staff
Infrastructure Security: AWS enterprise-grade security with CloudFlare DDoS protection
Regular Audits: Security assessments conducted at least annually (with quarterly reviews as resources permit)
Data Minimization: We collect and process only data necessary for service provision
Secure Development: Security-by-design principles in all software development

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our website and hold certain information to improve and analyze our services.

6.1 What Are Cookies

Cookies are small data files that are placed on your device when you visit a website. Cookies serve various functions, including enabling certain features, remembering your preferences, and understanding how you interact with our website.

6.2 Types of Cookies We Use

Strictly Necessary Cookies: These cookies are essential for the website to function properly and cannot be switched off in our systems. They are usually set in response to actions made by you, such as setting your privacy preferences, logging in, or filling in forms. These meet the strict necessity test under ePrivacy regulations.
Security and Performance Cookies: CloudFlare cookies (_cf_bm, _cf_clearance) are necessary to mitigate bot traffic and ensure service availability. We rely on legitimate interests and do not use them for any promotional purposes. These cookies protect against malicious attacks and ensure service availability.

Note: We do not use analytical cookies, advertising cookies, or third-party promotional pixels. However, we do collect server-side usage data (IP addresses, pages visited, access times) for security and performance purposes based on our legitimate interests in maintaining service security and preventing fraud. This server-side logging does not require consent under ePrivacy as it is necessary for security purposes.

6.3 Your Cookie Choices

Most web browsers allow you to control cookies through their settings preferences. However, if you limit the ability of websites to set cookies, you may worsen your overall user experience and/or lose access to certain features of our website.

For more detailed information about cookies and how to manage them, please visit www.allaboutcookies.org.

6.4 Do-Not-Track and Global Privacy Control Signals

We honor Global Privacy Control (GPC) signals as required by California Privacy Rights Act (CPRA) regulations and similar state laws. When we detect a GPC signal from your browser:

We treat it as a valid request to opt-out of the sale or sharing of personal information
We apply the opt-out to the specific browser/device where the signal is detected
No additional action is required from you to exercise this right

Note: We do not sell personal information or share it for cross-context behavioral advertising, so the GPC signal serves as confirmation of our existing practices. For legacy Do-Not-Track (DNT) signals, we do not currently respond as no industry standard exists for interpreting these signals.

7. Third-Party Sharing and Services

We may share your information with third parties in certain circumstances:

7.1 Data Processors

We work with the following third-party data processors (not controllers):

Stripe: Payment processing for subscriptions and transactions (Data Processing Agreement in place)
CloudFlare: Content delivery network, DDoS protection, and web security. CloudFlare acts solely as our data processor under strict contractual controls and does not use data for its own purposes or cross-context behavioral advertising (Data Processing Agreement in place)
Amazon Web Services (AWS): Cloud hosting infrastructure and data storage (Data Processing Agreement in place)

These processors are contractually bound to protect your information, use it only for the specific services they provide to us, and comply with applicable data protection laws. We maintain an up-to-date list of sub-processors and provide 30 days' notice before onboarding new vendors.

Sub-Processor Management: For current list of sub-processors and change notifications, contact privacy@cerbotrace.com.

7.2 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of such a transaction. We will notify you of any such change in ownership or control of your personal information.

7.3 Legal Requirements

We may disclose your information where we believe it is necessary to:

Comply with applicable laws, regulations, legal processes, or governmental requests
Enforce our Terms of Service and other agreements, including for billing and collection purposes
Protect our rights, privacy, safety, or property, and/or that of you or others
Prevent or investigate possible wrongdoing in connection with the services

7.4 With Your Consent

We may disclose personal information only to our contracted processors listed below. We do not share or sell your personal information to any other third parties.

Stripe – payment processing and billing
Amazon Web Services (AWS) – cloud hosting and storage
Cloudflare – content-delivery network and web-application firewall

For the most up-to-date list visit cerbotrace.com/subprocessors or email privacy@cerbotrace.com.

7.5 Aggregated or De-identified Data

We may share aggregated or de-identified information, which cannot reasonably be used to identify you, with third parties for research, security improvement, and service enhancement purposes.

8. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

8.1 Access and Update

You can access and update certain information about your account by logging into your account settings. If you cannot access certain information or need assistance, please contact us using the details provided at the end of this policy.

8.2 GDPR Rights (European Users)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:

Right of Access (Art. 15): Request copies of your personal information
Right to Rectification (Art. 16): Correct inaccurate or incomplete personal information
Right to Erasure (Art. 17): Request deletion of your personal information
Right to Restrict Processing (Art. 18): Limit how we process your information
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON, CSV, or ZIP file delivered via secure encrypted email)
Right to Object (Art. 21): Object to processing based on legitimate interests
Right to Withdraw Consent (Art. 7): Withdraw consent for consent-based processing
Right to Complain (Art. 77): Lodge a complaint with your local data protection authority (EU users), Information Commissioner's Office/ICO (UK users), or Federal Data Protection and Information Commissioner/FDPIC (Swiss users)

Response Time: We will respond to GDPR requests within one (1) month of receipt (extendable by two months for complex requests with notification).

8.3 CPRA Rights (California Users)

If you are a California resident, you have the following rights under the California Privacy Rights Act (CPRA), effective January 1, 2023:

Right to Know: Request information about what personal information we collect, use, and share
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate personal information
Right to Limit Use of Sensitive Personal Information: Request limitation of use and disclosure of sensitive personal information
Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights
Right to Opt-Out of Sale: We do not sell personal information
Right to Opt-Out of Sharing: We do not share personal information for cross-context behavioral advertising

Response Time: We will respond to CPRA requests within forty-five (45) days of receipt (extendable by additional 45 days with notification).

Sensitive Personal Information: We collect government-issued identification documents as sensitive personal information under CPRA. We use this information solely for identity verification purposes and delete it within 7 days of verification. You have the right to limit our use of sensitive personal information. However, as we already limit use to the minimum necessary for verification purposes only, exercising this right will not change our practices. To submit a "Limit Use of My Sensitive Personal Information" request, contact privacy@cerbotrace.com.

Definitions: For California residents:

"Share" has the meaning set forth in Cal. Civ. Code §1798.140(ah).
"Sell" has the meaning set forth in Cal. Civ. Code §1798.140(ad).

8.4 Other U.S. State Privacy Rights

We extend comprehensive privacy rights to residents of all U.S. states with enacted privacy laws, including but not limited to:

Virginia (VCDPA) - effective January 1, 2023
Colorado (CPA) - effective July 1, 2023
Connecticut (CTDPA) - effective July 1, 2023
Utah (UCPA) - effective December 31, 2023
Florida (FDBR) - effective July 1, 2024
Montana (MCDPA) - effective October 1, 2024
Texas (TDPSA) - effective July 1, 2024
Oregon (OCPA) - effective July 1, 2024
Delaware (DPDPA) - effective January 1, 2025
Iowa (ICDPA) - effective January 1, 2025
New Jersey (NJDPA) - effective January 15, 2025
New Hampshire (NHDPA) - effective January 1, 2025
Tennessee (TIPA) - effective July 1, 2025
Maryland (MODPA) - effective October 1, 2025
Minnesota (MCDPA) - effective July 31, 2025
Nebraska (NCDPA) - effective January 1, 2025

Residents of these states generally have rights to access, correct, delete, and opt-out of certain processing of their personal information. Specific rights vary by state law. Contact privacy@cerbotrace.com to exercise your rights under your applicable state law.

8.5 Canadian Users (PIPEDA)

Canadian users may contact the Office of the Privacy Commissioner of Canada regarding privacy concerns under the Personal Information Protection and Electronic Documents Act (PIPEDA).

8.6 How to Exercise Your Rights

To exercise any of these rights:

Email us at privacy@cerbotrace.com
Include your account email and specific request details
We may request additional information to verify your identity (typically account verification questions or government-issued ID)
You may designate an authorized agent to make requests on your behalf
Data portability requests will be fulfilled in JSON format via secure encrypted email unless you specify CSV or ZIP

Response Priorities: Regulatory deadlines (GDPR 1 month, CPRA 45 days) take priority over courtesy targets. General inquiries are typically handled within 5 business days when not subject to regulatory timelines.

If you believe we have not resolved your request satisfactorily, you may escalate by emailing legal@cerbotrace.com with "Privacy Escalation" in the subject line.

9. Data Breach Notification

We take data security seriously and have implemented comprehensive incident response procedures:

9.1 Our Breach Response Protocol

Detection: Automated monitoring systems alert us to potential security incidents
Assessment: Within 24 hours, we assess the scope and impact of any incident
Containment: Immediate steps to contain and mitigate the incident
Investigation: Thorough investigation to determine cause and affected data
Notification: Timely notification to authorities and affected individuals
Remediation: Implementation of measures to prevent future incidents

9.2 User Notification

In the event of a data breach that may affect your personal information:

We notify affected individuals as required by applicable law, and in any event without unreasonable delay
If the breach is likely to result in a high risk to individuals, we will notify affected users without undue delay, typically within 72 hours of confirmation
We will post a notice on our website if the breach affects a large number of users
We will provide clear information about what happened, what data was involved, and what steps we're taking
We will offer guidance on steps you can take to protect yourself
We will comply with applicable state-specific notice requirements, including alternative notice methods (postal mail, press release) as required by Connecticut, Florida, and other state laws

9.3 Regulatory Notification

We will notify relevant data protection authorities without undue delay and, where feasible, within 72 hours of becoming aware of a breach, as required by GDPR and other applicable laws.

10. Children's Privacy

Our services are intended for users who are at least 16 years of age. We do not knowingly collect personal information from children under 16. If you are under 16, please do not use our services or provide any personal information to us.

During account creation, users must confirm they are 16 years of age or older. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. If you believe we have collected information from a child under 16, please contact us at privacy@cerbotrace.com.

California Residents Under 18: If you are a California resident under 18 years of age and a registered user, you may request removal of content or information you have publicly posted. Please email privacy@cerbotrace.com with your request.

11. International Data Transfers

We are based in the United States and process information on servers located in the United States and potentially other countries. If you are located outside the United States, please be aware that information we collect may be transferred to and processed in the United States or other jurisdictions.

11.1 Safeguards for International Transfers

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we implement appropriate safeguards for international data transfers:

Standard Contractual Clauses (SCCs): European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 with our processors
UK Addendum: UK Addendum to the EU SCCs under the UK GDPR
Swiss FDPIC-Adapted SCCs: Swiss Federal Data Protection and Information Commissioner adapted Standard Contractual Clauses with appropriate choice of law provisions
Transfer Impact Assessments (TIA): Regular assessments of transfer risks and additional safeguards
Adequacy Decisions: Where available for specific jurisdictions
Additional Technical Measures: Enhanced encryption and access controls for international transfers
Supplementary Safeguards: Where required, we implement supplementary technical safeguards (e.g., end-to-end encryption) to ensure essentially equivalent protection in recognition of Schrems II requirements

11.2 EU-US Data Privacy Framework (Future Reliance)

If Cerbotrace becomes certified under the EU-US Data Privacy Framework (DPF), we will rely on that certification for EU→US transfers in addition to or instead of Standard Contractual Clauses.

Our complete Standard Contractual Clauses documentation is available by request to privacy@cerbotrace.com.

By using our services, you acknowledge and consent to the transfer, processing, and storage of your information in countries where the privacy laws may not be as comprehensive as those in your country of residence.

12. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by:

Posting the new Privacy Policy on this page
Updating the "Last Updated" date at the bottom of this Privacy Policy
Sending email notification for material changes
Displaying a prominent notice on our website home page for significant changes

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page, unless otherwise specified.

For material changes that affect your rights, we will provide at least 30 days' notice before the changes take effect.

13. Additional Information

13.1 Vulnerability Disclosure

We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please contact security@cerbotrace.com with details. We will acknowledge receipt within 48 hours and provide updates on remediation progress.

Independent Dispute Resolution: For privacy-related disputes that cannot be resolved through our standard process, independent dispute resolution may be available through recognized arbitration services upon request.

13.2 Data Processing Agreements

GDPR and UK GDPR customers may request a Data Processing Agreement (DPA) automatically upon signup by contacting legal@cerbotrace.com. We provide standard DPAs for enterprise customers at no additional cost.

13.3 Compliance Certifications

We are working toward ISO 27001 and SOC 2 Type II compliance to support enterprise customers. Current compliance status and roadmap information is available upon request for business customers.

14. Contact Us

If you have any questions about this Privacy Policy, your personal information, or your rights and choices, please contact us at:

Fluffy Pants Studio LLC
Registered Agents Inc.
2389 Main St., STE 100
Glastonbury, CT 06033

Email: privacy@cerbotrace.com
Support: support@cerbotrace.com
Legal: legal@cerbotrace.com
Security: security@cerbotrace.com

Response Times:

General inquiries: Within 5 business days (unless subject to regulatory deadlines)
GDPR requests: Within 1 month (extendable to 3 months for complex requests)
CPRA requests: Within 45 days (extendable to 90 days with notification)
Data breach concerns: Within 24 hours
Security vulnerabilities: Acknowledgment within 48 hours

Data Protection Authority Contacts:

EU users: Contact your local supervisory authority
UK users: Information Commissioner's Office (ICO) - ico.org.uk
Swiss users: Federal Data Protection and Information Commissioner (FDPIC) - edoeb.admin.ch
California users: California Attorney General - oag.ca.gov
Canadian users: Office of the Privacy Commissioner of Canada - priv.gc.ca

Version 1.3 – Last Updated: December 2024

Change Log:

Version	Date	Changes
1.3	December 2024	Added comprehensive state privacy laws coverage, GPC support, EU/UK representatives, DPO appointment, clarified age requirements, fixed data retention contradictions
1.2	June 04, 2025	Enhanced CPRA compliance, automated processing transparency, international transfer safeguards
1.1	December 15, 2024	Basic GDPR/CCPA compliance framework