Privacy Policy.

This Privacy Policy (the "Policy") describes how Cæros ("Cæros", "we", "us", or "our") collects, uses, discloses, and safeguards personal information processed in connection with the website located at caeros.ai and any related services we make available (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read and understood this Policy.

01Introduction

Cæros is committed to protecting personal information in a manner consistent with applicable data-protection laws, including the European Union General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the United Kingdom GDPR, and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the "CCPA/CPRA").

This Policy applies exclusively to personal information processed through the Service. It does not apply to information collected by any third party, including any third-party website or service that may be linked from the Service.

02Definitions

Personal information

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on personal information, whether or not by automated means.

Controller

The entity that determines the purposes and means of the processing of personal information.

Processor

A natural or legal person that processes personal information on behalf of the Controller.

Data subject

The identified or identifiable natural person to whom personal information relates.

03Data controller

For the purposes of the GDPR and equivalent legislation, the data controller in respect of personal information processed through the Service is Cæros. You may contact the controller at support@caeros.ai.

04Information we collect

We process the following categories of personal information:

Information you provide

• Email address submitted through the waitlist registration form.

Information collected automatically

• Technical information generated in connection with requests to the Service, including the Internet Protocol (IP) address, user-agent string, request timestamp, and the HTTP referrer.
• Operational logs produced by our hosting infrastructure for the purposes of service delivery, security monitoring, and abuse prevention.

We do not knowingly collect special categories of personal information (including data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, or data concerning sexual orientation).

05Purposes and legal bases of processing

We process personal information for the following purposes and on the following legal bases:

1. Waitlist administration. To register you on the waitlist, send a confirmation message, and, where applicable, notify you of product availability. Legal basis: performance of a pre-contractual measure taken at your request (GDPR Art. 6(1)(b)) and your consent (Art. 6(1)(a)).
2. Service operation, security, and fraud prevention. To operate and secure the Service, detect and prevent abuse, and investigate suspected violations of our Terms of Service. Legal basis: our legitimate interests (Art. 6(1)(f)) in maintaining a secure, reliable Service.
3. Compliance with legal obligations. To comply with applicable law and respond to lawful requests from public authorities. Legal basis: compliance with a legal obligation (Art. 6(1)(c)).

We do not use personal information for automated decision-making producing legal or similarly significant effects, and we do not sell or share personal information for cross-context behavioral advertising within the meaning of the CCPA/CPRA.

06Disclosure to third parties

We disclose personal information only to the categories of recipients set out below, and only to the extent necessary for the purposes described in this Policy:

• Hosting and serverless infrastructure. Google LLC, operating Firebase Hosting and Cloud Functions for Firebase, which host the Service and process operational logs.
• Transactional email. Resend, Inc., which delivers waitlist confirmation and product announcements on our behalf.
• Competent authorities. Public authorities where required by applicable law, including in response to a valid legal process.
• Professional advisers. Legal, accounting, and similar advisers, subject to applicable confidentiality obligations.

Each processor is bound by a written data-processing agreement imposing confidentiality, security, and use-limitation obligations substantially equivalent to those set out in this Policy.

07International data transfers

Personal information may be transferred to, and processed in, countries other than your country of residence, including the United States. Where personal information originating in the European Economic Area or the United Kingdom is transferred to a jurisdiction not recognized as providing an adequate level of protection, we implement appropriate safeguards, including the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum.

08Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements.

• Waitlist records: retained until the earlier of (i) your request to be removed and (ii) twenty-four (24) months after the Service exits its waitlist phase.
• Operational logs: retained for a period of up to ninety (90) days, after which they are deleted or aggregated into non-identifying statistics.

09Your rights

Subject to applicable law, you have the following rights in relation to personal information we hold about you:

• Right of access to obtain confirmation as to whether personal information concerning you is processed and, where that is the case, access to that information.
• Right to rectification of inaccurate or incomplete personal information.
• Right to erasure ("right to be forgotten") in the circumstances set out in Article 17 GDPR.
• Right to restriction of processing in the circumstances set out in Article 18 GDPR.
• Right to data portability in the circumstances set out in Article 20 GDPR.
• Right to object to processing based on legitimate interests.
• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to lodge a complaint with a competent supervisory authority.

Residents of California have additional rights under the CCPA/CPRA, including the right to know, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising such rights.

To exercise any of these rights, please submit a request to support@caeros.ai. We will respond within the statutory period, ordinarily within thirty (30) days of receipt.

10Security

We implement appropriate technical and organizational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures include:

• Encryption of personal information in transit using industry-standard Transport Layer Security (TLS).
• Encryption at rest provided by our infrastructure processors.
• Principle of least privilege for access to production systems.
• Secret management through a dedicated key-management service.
• Regular review of access controls and supplier security posture.

No method of transmission over the Internet or method of electronic storage is entirely secure. While we strive to use commercially reasonable means to protect personal information, we cannot guarantee absolute security.

11Cookies and tracking technologies

The Service does not set first-party cookies and does not use advertising, analytics, or behavioral-tracking technologies. Your browser may transmit session-level information to our infrastructure providers for security and operational purposes; such information is processed as described in Section 4.

12Children

The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of sixteen (16). If you become aware that a child has provided personal information through the Service, please contact us and we will take steps to delete such information.

13Changes to this Policy

We may update this Policy from time to time. The "Effective" date at the top of this Policy indicates the date of the most recent revision. In the event of a material change, we will provide reasonable advance notice, including by email to subscribers where appropriate, before the change takes effect.

14Contact

Questions, requests, or concerns regarding this Policy or our processing of personal information should be addressed to the data controller using the contact details below.