Effective Date: 10/19/2023
Cranium AI, Inc. (“Cranium”, “we”, “our” or “us”) understands that your privacy is important to you and that you care about how your personal data is used and shared online. At Cranium we only collect and use personal data in ways that are described here, and in a manner that is consistent with Cranium’s obligations and your rights under the law.
About Cranium AI, Inc.
Cranium AI, Inc. provides technology that drives confidence and trust in the use of secure AI. The Cranium platform was developed to provide visibility and monitoring to enterprise security teams responsible for the security of internal and external AI and ML projects. Cranium AI, Inc.’s SaaS application enables enterprises to inventory and monitor the assets being developed, used, and deployed by data science teams.
Personal data means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data or under certain privacy regulations a natural person’s household.
(a) The right to be informed about Cranium’s collection and use of your personal data.
(b) The right of access to the personal data Cranium holds about you (please contact us using the details in Section 14).
(c) The right to correct any personal data we hold about you if it is inaccurate or incomplete (please contact us using the details in Section 14).
(d) The right to be forgotten (i.e., the right to ask Cranium to delete your personal data).
(e) The right to restrict (i.e., prevent) the processing of your personal data.
(f) The right to data portability (obtaining a copy of your personal data to re-use with another service or organization); and
(g) The right to object to Cranium’s using your personal data for particular purposes. In certain circumstances we may not be able to stop using your personal data, if that is the case, we’ll let you know why.
(h) If your data is provided to a third party for any reason, other than processing required by Cranium for the Service you requested, then in certain jurisdictions you may also have a legal right to know what data was shared, with what person or entity and for what purpose.
If you have any cause for complaint about Cranium’s use of your personal data, please contact us using the details provided in Section 14 and we will do our best to solve the problem for you.
Personal Data Collected By Cranium
- Your User Account Name and password
- Email address
- Job title
- Business/company name
- IP address
Information You Provide to Us
The information we collect on or through our website and SaaS application may include:
- Information that you provide by filling in forms or inputting data on our website or SaaS application.
- Records and copies of your correspondence, if you contact us.
- Your search queries on Cranium’s website.
Information We Collect Through Automatic Data Collection Technologies
As you navigate through and interact with our website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:
- Details of your visits to our website, including traffic data, location data, logs, and other communication data and the resources that you access and use of Cranium’s website.
- Information about your computer and internet connection, including your IP address, operating system, and browser type.
The information we collect automatically may include Personal Information, or we may maintain it or associate it with Personal Information we collect in other ways or receive from third parties. It helps us to improve our website and to deliver a better and more personalized service.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).
How We Use Your Personal Data
All personal data is processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights.
Our use of your personal data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your personal data (e.g., by subscribing to emails), because it is in our legitimate interests, or for the establishment, exercise, or defense of legal claims. Specifically, we may use your data for the following purposes:
- Providing and managing your access to Cranium’s Site and SaaS application.
- Personalizing and tailoring your experience on Cranium’s Site.
- Supplying our products and services to you (please note that we require your personal data in order to enter into a contract with you).
- Personalizing and tailoring our services for you.
- Replying to emails from you.
- Supplying you with emails that you have opted into (you may unsubscribe or opt-out at any time by clicking the unsubscribe link at the bottom of any of the emails).
- To fulfill any other purpose for which you provide it.
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
- To notify you about changes to any products or services we offer or provide.
- In any other way we may describe when you provide the information.
- For any other purpose with your consent.
- Market research.
- Analyzing your use of Cranium’s Site and SaaS application and gathering feedback to enable us to continually improve Cranium’s Site and SaaS application and your user experience.
With your permission and/or where permitted by law, we may also use your data for marketing purposes which may include contacting you by email with information, news and offers on our products, services, and events. We take reasonable steps to ensure that we fully protect your rights and comply with our legal obligations. By subscribing to our emails, we assume you are a business user and have an interest in the business content that we supply, even if you choose to use a personal email address.
Cranium does not share sensitive personal information with anyone within or across national boundaries without the explicit, affirmative, written consent of the person to whom it relates. You will need to “Opt-In” before any such action is undertaken.
Exceptions to this rule may exist as permitted by law or for internal administration and operations or for other reasonable and valid business purposes referred to in this Policy (e.g., Human Resources administration). Cranium personnel are required to obtain approval from legal counsel before sharing or transferring such information.
The sharing of sensitive personal information requires precautions that are more elaborate than the sharing of non-sensitive information. Sensitive personal information must be protected with security and confidentiality measures that are more stringent and more comprehensive as non-sensitive personal information.
When Cranium shares sensitive personal information with a third party, in addition to the general requirements that apply to non-sensitive personal information, Cranium will:
(i) identify in writing to the third party that the information is sensitive.
(ii) require that the third party limit access to the sensitive personal information only to those of its personnel with “need to know”; and
(iii) require that the third party protect the sensitive personal information with the same confidentiality and security measures as those that it uses for “highly confidential” information or data.
Disclosure to Third Party Service Providers.
Cranium does not and will not sell your Personal Data. Except as otherwise stated in this policy, we do not generally share the Personal Data that we collect with other entities. However, we may share your Personal Data including each category of Personal Data described above with third party service providers to: (a) provide you with the Services that we offer you through our website; (b) process payments; (c) conduct quality assurance testing; (d) facilitate creation and maintenance of accounts; (e) collect and analyze data; (f) provide technical support; or (g) provide specific business services, such as synchronization with other software applications and marketing services. These third-party service providers are required by written agreement not to retain, use, or disclose your Personal Data other than to provide the services requested by us.
- Other Disclosures.
Regardless of any choices you make regarding your Personal Data (as described below), we may disclose Personal Data if we believe in good faith that such disclosure is necessary to (a) comply with relevant laws or to respond to subpoenas or warrants served on us; (b) protect or defend our rights or property or the rights or property of users of the Products; or (c) protect against fraud and reduce credit risk.
9. No processing for automated individual decision-making including profiling
We do not knowingly collect or process personal data for automated individual decision-making including profiling.
Where and How Do We Store Your Personal Data
We only keep your personal data for as long as we need to in order to use it as described above in Section 6, and/or for as long as we have your permission to keep it.
Cranium’s Site is hosted in the United States and are governed by United States law. If you are using Cranium’s Site from outside the United States, please be aware that your personal data will be transferred to, stored, and processed in the United States where our servers are located, and our central database is operated. The data protection and other laws of the United States and other countries might not be as comprehensive as those in your country. You are deemed to accept and agree to this transfer by using Cranium’s Sites and submitting personal data to us.
Cranium’s SaaS application may have servers and databases operated from within your country or geographic locale, to which you can request your data be stored exclusively at the time of your initial engagement with the Cranium SaaS application. In the event that a specific location is available and requested by you, then your personal data provided to Cranium’s SaaS application will only be transferred to, stored, and processed within that location. The data protection and other laws of the selected location will apply to all personal data provided to Cranium’s SaaS application, and you are deemed to accept and agree to this transfer by using Cranium’s SaaS application and submitting personal data to us.
Data security is important to Cranium, and to protect your data we have taken suitable measures to safeguard and secure personal data collected through Cranium’s Site.
Personal Data Sharing and International Transfer
We make reasonable efforts to ensure that all the entities with whom we are working store your personal data in safe locations and implement appropriate security measures.
Some of the contractors are third parties who are not intended to process the personal data but may have access to it upon fulfilling their tasks or interacting with us, such as technical maintenance companies, financial or legal auditors.
We may also provide personal data to third parties in the following situations:
- to public authorities, auditors or institutions authorized to conduct inspections or audits of Cranium. Such public authorities or institutions may be relevant data protection authorities or authorities for consumer protection.
- to comply with a legal requirement or to protect the rights and assets of Cranium or other entities or people.
All the information you provide may be transferred or accessed by entities around the world. Cranium uses applicable Model Contractual Clauses and GDPR Model Contractual Terms for the international transfer of personal information collected in the European Economic Area and Switzerland.
How Can You Control Your Data
In addition to your rights set forth in Section 4, when you submit personal data via Cranium’s Site, you may be given options to restrict our use of your personal data. In particular, we aim to give you strong controls on our use of your personal data for direct marketing purposes including the ability to opt-out of receiving emails from us which you may do by unsubscribing using the links provided in our emails and at the point of providing your details).
Your California privacy rights
California Civil Code Section 1798.83 permits users that are California residents to request certain information regarding our disclosure of personal information to third parties for such third parties’ direct marketing purposes. If you are a California resident and would like to make such a request, contact us by email at firstname.lastname@example.org
With regard to the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) please be advised that Cranium will not sell your data to any third parties, California Law requires that we allows you to Opt-Out Of the sale of your personal information which can be accessed by clicking on the link below, and letting us know via website message form: Opt-Out Message Form
If you are a California Consumer you have certain rights under the CCPA:
Consumers have the right to request access to personal information. They can make this request for free, twice per year.
Right of Access
On receiving an access request, the business must provide the necessary information in a portable and easily accessible format, normally within 45 days of the request.
- The categories of personal information the business collects about the consumer.
- The categories of sources of the consumer’s personal information.
- The business or commercial purpose for collecting or selling the consumer’s personal information.
- The categories of any third parties with whom the business shares the consumer’s personal information.
- The specific pieces of personal information collected about the consumer.
Right to Deletion
Consumers have a right to request the deletion of personal information that the business holds on the consumer. However, this right does not apply where the business needs to retain the personal information in order to do any of the following:
- Provide goods or services to the consumer.
- Detect or resolve issues security or functionality-related issues.
- Comply with the law.
- Conduct research in the public interest.
- Safeguard the right to free speech.
- Carry out any actions for internal purposes that the consumer might reasonably expect.
Right to Non-Discrimination
Consumers have the right not to be discriminated against for having exercised their rights under the CCPA. In particular, the business may not:
- Deny the consumer goods or services.
- Charge the consumer different prices for goods or services, whether through denying benefits or imposing penalties.
- Provide the consumer with a different level or quality of goods or services to the consumer.
- Threaten the consumer with any of the above.
To exercise the CCPA consumer access, portability or distribution rights described above, please submit a verifiable complaint by either:
- Submitting the website message form: Privacy Message Form
- Emailing us at email@example.com
Only you or a person registered with the California Secretary of State who you authorize to act on your behalf may file a valid compliant. You may also make a verifiable complaining on behalf of your minor child.
Consumers may only request access or data portability twice within a 12-month period. The verifiable complaint must contain:
- Sufficient information to allow us to verify that you are the person under the complaint.
- Describe you request in sufficient detail to allow us to understand, verify and respond to your request.
We will only use the personal information provided with the consumer request to verify the consumer’s identity (“Data Subject Request Form).
Right or Correct Data
Consumers have the right to request that we rectify any inaccuracies in relation to the Personal Data we hold about you. Please contact us as noted immediately above and we will assist you with your request.
You have the right to withdraw your consent to us processing your Personal Data. This will not affect the processing already carried out with your consent.
Not to be subject to decisions based on automated processing.
In some circumstances, you have the right not to be subject to decisions based solely on automated processing, and to obtain the human review of any such decisions that significantly affect you (please refer to the earlier section on automated decision making); and
You have the right to lodge a complaint with the local authorized supervisory authority. However, we would appreciate the chance to deal with your concerns before you approach our supervisory authority so please contact us in the first instance.
Only you or an authorized agent (“Authorized Agent”) may make a verifiable consumer request related to your personal data. Your Authorized Agent may be any natural person or business entity registered with the Secretary of State of California that you have authorized to act on your behalf. When an Authorized Agent is submitting a request on your behalf, we require your Authorized Agent to provide evidence of their entitlement, which must include information sufficient to identify you and the purpose of the request, and at least one of the following:
- Written and signed permission designating the Authorized Agent to act on your behalf. You must verify your identity with us and directly confirm with us that you have provided the Authorized Agent permission to submit the request.
- Evidence that you have provided the Authorized Agent with power of attorney pursuant to the California Probate Code; or
- Proof that the Authorized Agent is a person or business entity registered with the California Secretary of State and that you have authorized such person or business entity to act on your behalf.
Absent such documentation, we reserve the right to refuse to comply with third-party requests for information.
You also may make a verifiable consumer request on behalf of your minor child.
For Residents of Colorado, Connecticut, Utah, and Virginia
For users residing in certain states including Colorado, Connecticut, Utah, and Virginia, you may also have rights with respect to the personal data that Cranium collects about you. In addition to the rights that are available to residents of California, if you are a resident of one of these states, you may also have the right to:
- out of the processing of your personal data for the purposes of targeted advertising and for profiling in furtherance of decisions, including, for residents of Connecticut, solely automated decisions, that produce legal or similarly significant effects; and
- Right to appeal any decision or indecision related to the exercise of any right the consumer is granted under the applicable state law.
If you would like to exercise any of your rights under applicable law (including the right to appeal), please use the same methods stated within the “Contact Information” section below.
For Residents of Nevada
Nevada law gives residents of Nevada the right to request that a company not sell their personal data for monetary consideration to certain other parties. This right applies even if their personal data is not currently being sold (i.e., Cranium does not sell your data). If you are a resident of Nevada and wish to exercise this right, please send an email with the subject line “Nevada Resident Do Not Sell Request” to firstname.lastname@example.org.
- Session Cookie: A session cookie contains information that is stored in a temporary memory location and then subsequently deleted after the session is completed or the web browser is closed. This cookie stores information that the user has inputted and tracks the movements of the user within the website.
- Persistent Cookie: A persistent cookie is a data file capable of providing websites with user preferences, settings and information for future visits. Persistent cookies provide convenient and rapid access to familiar objects, which enhances the user experience.
- Analytics Cookie: An analytics cookie is a cookie placed by analytics software provided by a third party. An analytics cookie allows a website to monitor users of the website and the frequency with which they visit the website.
- Geo-targeting Cookie: A geo-targeting cookie establishes the location from which the user accesses the website.
What Analytic Tools Does Cranium Use
In order to understand the navigational trends on Cranium’s Site we use third-party analytics tools which collect information which your browser sends when you visit Cranium’s Site. Here are tools which we use and links to their privacy policies:
- Hubspot: https://legal.hubspot.com/privacy-policy
- Google Analytics: https://policies.google.com/privacy?hl=en
- Pendo:: https://www.pendo.io/legal/privacy-policy/
- Hotjar:: https://www.hotjar.com/legal/policies/privacy/
22. Contacting Cranium