GDPR Compliance
General Data Protection Regulation (EU) 2016/679
Last updated: January 2025
Data Controller:
Cereb Intelligence Limited
Unit 2406B, 24/F, Grand Millennium Plaza
Sheung Wan, Hong Kong
Email: info@cereb.ai
1. Our Commitment to GDPR
Although Cereb Intelligence Limited is based in Hong Kong, we are committed to protecting the personal data of individuals in the European Economic Area (EEA) and United Kingdom in accordance with the General Data Protection Regulation (GDPR). This policy supplements our general Privacy Policy with specific information for EEA and UK data subjects.
2. Legal Basis for Processing
We process personal data of EEA/UK residents under the following legal bases:
- Contract Performance: Processing necessary to provide our AI + IoT platform services and fulfill our contractual obligations.
- Legitimate Interests: Processing for our legitimate business interests, such as improving our services, fraud prevention, and network security.
- Consent: Where required, such as for marketing communications.
- Legal Obligation: Processing necessary to comply with applicable laws.
3. Your Rights Under GDPR
As an EEA or UK data subject, you have the following rights:
- Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to access that data.
- Right to Rectification (Article 16): You have the right to correct inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances ("right to be forgotten").
- Right to Restriction (Article 18): You have the right to restrict processing of your personal data in certain circumstances.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing with significant effects.
4. International Data Transfers
As we are located in Hong Kong and may use cloud services globally, personal data from the EEA/UK may be transferred outside the EEA. We ensure such transfers are lawful through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to countries with adequacy decisions
- Other appropriate safeguards as required by GDPR Article 46
5. Data Processing Activities
We process personal data for the following purposes:
| Purpose | Legal Basis | Retention |
|---|---|---|
| Account management | Contract | Duration of service + 3 years |
| Platform services | Contract | Duration of subscription |
| Customer support | Contract / Legitimate interest | 2 years after resolution |
| Marketing communications | Consent | Until withdrawal |
| Analytics and improvement | Legitimate interest | 2 years (anonymized thereafter) |
6. IoT Data and GDPR
Our platform processes IoT sensor data. Where such data may be linked to identifiable individuals (e.g., occupancy sensors, access logs), we:
- Apply data minimization principles
- Implement privacy by design and default
- Provide anonymization and pseudonymization options
- Enable granular data retention controls
- Support data subject requests through our platform
7. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that may pose high risks to individuals' rights and freedoms, including new AI features and large-scale IoT deployments.
8. Data Breach Notification
In the event of a personal data breach affecting EEA/UK data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. We will also notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
9. Supervisory Authority
EEA data subjects have the right to lodge a complaint with their local supervisory authority. A list of supervisory authorities is available on the European Data Protection Board's Members page.
10. Exercising Your Rights
To exercise any of your GDPR rights, please contact us using the details below. We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
Data Protection Contact
Cereb Intelligence Limited
Unit 2406B, 24/F, Grand Millennium Plaza
Sheung Wan, Hong Kong
Email: info@cereb.ai