Privacy Policy

This Privacy Policy explains how Cresion AI, Inc., the company behind Ceres ("we", "us"), collects, uses, and shares information when you visit our website, sign up for an account, or use the Ceres service.

We are the data controller for the information we collect about you directly (for example, when you create an account or contact us). When you use the service to process data on your behalf, we act as the data processor and you are the controller — that arrangement is governed separately by our Data Processing Addendum.

We collect three buckets of data:

Account data. When you sign up, we collect your name, work email, company name, and a password. If you pay, Stripe collects your payment details — we never see card numbers.

Usage data. When you use the Portal, we collect IP address, browser type, pages visited, and timestamps, so we can run the service, detect abuse, and improve the product. With your consent, we use first-party product analytics (PostHog); we do not load third-party ad-tracking scripts. If you arrive from one of our ads, we also store the ad's click identifier and campaign parameters in a first-party cookie to measure ad performance (see Advertising measurement).

Customer data. Anything the service collects on your behalf — competitor research, briefings, approvals, evidence chains, IM channel IDs, connector tokens, and the content of outbound messages. This data belongs to you. We process it only to operate the service.

We use the data we collect to:

• Provide, operate, and secure the service.
• Authenticate you and detect fraudulent or abusive activity.
• Bill you, and give you receipts.
• Send you product updates, security notices, and service-related messages (you cannot opt out of security notices while you have an account).
• Respond to your support requests.
• Improve the service — for example, by measuring which features get used.
• Comply with legal obligations and enforce our Terms.

We do not sell your personal information. We do not use Customer Data to train shared AI models. We advertise Ceres to potential customers and measure which ads lead to sign-ups (see Advertising measurement below), but we never use your Customer Data to target advertising.

We share data only with vendors who help us run the service, and only to the extent they need it. Every vendor is under a written data-protection agreement and is listed on our Security page.

We may disclose data if required by a valid legal process. When we can, we will notify you first — unless the law prohibits notice — so you can seek protective action.

• Account data: kept while you have an account, then deleted 30 days after cancellation.
• Customer data: kept while you have an account, then deleted 30 days after cancellation, unless a longer period is required by law.
• Usage logs: 90 days (access and audit logs), 365 days (aggregated).
• Billing records: 7 years from the relevant transaction, for tax and accounting.

You can:

• Access a copy of the personal data we hold about you.
• Correct inaccurate data.
• Delete your account and associated data.
• Export your data in a portable format (JSON).
• Object to or restrict certain processing, where the law allows.

To exercise any of these rights, email [email protected] and we will respond within thirty days.

If you are in the EU, UK, or European Economic Area, we process your personal data under the following lawful bases:

• Contract: to provide the service to you after you sign up.
• Legitimate interest: to keep the service secure and to improve it.
• Legal obligation: to meet tax and regulatory requirements.
• Consent: for optional marketing emails (never for operational messages).

You have the right to lodge a complaint with your local supervisory authority. For any GDPR request or question, contact us at [email protected].

If you are a California resident, you have the right to know what personal information we collect, to request deletion, to opt out of sale (we do not sell), and to non-discrimination for exercising those rights.

To exercise any of these rights, email [email protected] with the subject line CCPA Request. We verify identity through the email address on file.

We host on cloud infrastructure that may process your data in the United States, the European Union, or Singapore. When we transfer personal data out of your region, we rely on the EU Standard Contractual Clauses (SCCs), the UK's International Data Transfer Agreement, or other mechanisms recognized by applicable law.

We use a signed session cookie for authentication. If you accept analytics in our cookie banner, our analytics provider (PostHog) also sets first-party cookies so we can measure product usage — you can decline, and we set no analytics cookies until you accept. We do not use third-party ad trackers. If you arrive from one of our ads, we also set a first-party ceres_attr cookie that records the ad's click identifier so we can measure ad performance (see Advertising measurement); it is not a third-party tracker and is not shared with other sites for advertising. You can disable cookies in your browser, but you will not be able to sign in to the Portal without the session cookie.

When you reach our site from one of our ads — for example a Google Ads link — we store that ad's click identifier and campaign parameters (such as Google's gclid and utm_ tags) in a first-party cookie named ceres_attr for up to 90 days.

If you then create an account, start a trial, or subscribe, our servers report that conversion to the advertising platform that referred you, so we can measure which ads actually bring in customers. We send only the click identifier and a securely hashed, irreversible form of your email address — never your name, your plaintext email, or any Customer Data.

This is done server-to-server: we do not load third-party advertising scripts or pixels on our site, and the ceres_attr cookie is first-party and is not used to profile you across other websites. For visitors in the EU, UK, and EEA we apply this consistent with the lawful bases described in the GDPR section above.

Ceres is a business product. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, email [email protected] and we will delete it.

We describe our security program in detail on our Security page. Short version: encryption in transit and at rest, per-customer isolation, scrypt password hashing, device-paired auth for operator actions, and continuous monitoring.

We may update this policy as the service evolves. Material changes are announced by email at least thirty days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

For privacy questions, email [email protected]. For data subject requests (GDPR, CCPA, or otherwise), use the same address with a clear subject line describing the request.