Legal

Privacy Policy

We collect only what we need to run the service and protect it like we'd want ours protected. This page explains exactly what that means, in plain language first and with the formal terms right after.

Last updated: 2026-04-20

1. Overview

This Privacy Policy explains how Ceres ("we", "us") collects, uses, and shares information when you visit our website, sign up for an account, or use the Ceres service.

We are the data controller for the information we collect about you directly (for example, when you create an account or contact us). When you use the service to process data on your behalf, we act as the data processor and you are the controller — that arrangement is governed separately by our Data Processing Addendum.

2. What we collect

We collect three buckets of data:

Account data. When you sign up, we collect your name, work email, company name, and a password. If you pay, Stripe collects your payment details — we never see card numbers.

Usage data. When you use the Portal, we collect IP address, browser type, pages visited, and timestamps, so we can run the service, detect abuse, and improve the product. We use first-party analytics; we do not load ad-tracking scripts.

Customer data. Anything the service collects on your behalf — competitor research, briefings, approvals, evidence chains, IM channel IDs, connector tokens, and the content of outbound messages. This data belongs to you. We process it only to operate the service.

3. How we use it

We use the data we collect to:

  • Provide, operate, and secure the service.
  • Authenticate you and detect fraudulent or abusive activity.
  • Bill you, and give you receipts.
  • Send you product updates, security notices, and service-related messages (you cannot opt out of security notices while you have an account).
  • Respond to your support requests.
  • Improve the service — for example, by measuring which features get used.
  • Comply with legal obligations and enforce our Terms.

We do not sell your personal information. We do not use Customer Data to train shared AI models. We do not use Customer Data to target ads — we do not run ads at all.

4. Sharing & subprocessors

We share data only with vendors who help us run the service, and only to the extent they need it. Every vendor is under a written data-protection agreement and is listed on our Security page.

We may disclose data if required by a valid legal process. When we can, we will notify you first — unless the law prohibits notice — so you can seek protective action.

5. Retention

  • Account data: kept while you have an account, then deleted 30 days after cancellation.
  • Customer data: kept while you have an account, then deleted 30 days after cancellation, unless a longer period is required by law.
  • Usage logs: 90 days (access and audit logs), 365 days (aggregated).
  • Billing records: 7 years from the relevant transaction, for tax and accounting.

6. Your rights

You can:

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export your data in a portable format (JSON).
  • Object to or restrict certain processing, where the law allows.

Most of these you can do yourself from the Portal. For anything you can't, email [email protected] and we will respond within thirty days.

7. GDPR (EU/UK residents)

If you are in the EU, UK, or European Economic Area, we process your personal data under the following lawful bases:

  • Contract: to provide the service to you after you sign up.
  • Legitimate interest: to keep the service secure and to improve it.
  • Legal obligation: to meet tax and regulatory requirements.
  • Consent: for optional marketing emails (never for operational messages).

You have the right to lodge a complaint with your local supervisory authority. Our EU representative can be reached at [email protected].

8. CCPA (California residents)

If you are a California resident, you have the right to know what personal information we collect, to request deletion, to opt out of sale (we do not sell), and to non-discrimination for exercising those rights.

To exercise any of these rights, email [email protected] with the subject line CCPA Request. We verify identity through the email address on file.

9. International data transfers

Our infrastructure runs in Singapore, the United States, and the European Union. When we transfer personal data out of your region, we rely on the EU Standard Contractual Clauses (SCCs), the UK's International Data Transfer Agreement, or other mechanisms recognized by applicable law.

Customers can select data residency (SG, US, or EU) at onboarding on any plan, including the free trial. Customer Data for that tenant stays in the chosen region.

10. Cookies

We use cookies for authentication (a signed session cookie after you sign in) and for a small amount of first-party analytics. We do not use third-party ad trackers. You can disable cookies in your browser, but you will not be able to sign in to the Portal without them.

11. Children

Ceres is a business product. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, email [email protected] and we will delete it.

12. Security

We describe our security program in detail on our Security page. Short version: encryption in transit and at rest, per-tenant isolation, scrypt password hashing, device-paired auth for operator actions, and continuous monitoring.

13. Changes to this policy

We may update this policy as the service evolves. Material changes are announced by email at least thirty days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

14. Contact

For privacy questions, email [email protected]. For data subject requests (GDPR, CCPA, or otherwise), use the same address with a clear subject line describing the request.

Privacy Policy · Ceres