Privacy Policy

Effective date: 1 April 2026 · Last updated: 1 April 2026

Cerno Inc. ("Cerno", "we", "us", or "our") operates a compliance intelligence platform for financial institutions. This policy explains what data we collect, why we collect it, how we use it, and your rights over it. We process data subject to PIPEDA (Canada), GDPR (EU/UK), and applicable US state privacy laws.

Contents
1. Who we are
2. Data we collect
3. How we use your data
4. Legal bases for processing
5. Sharing and disclosure
6. Data retention
7. Security
8. International transfers
9. Your rights
10. Cookies and tracking
11. Children's data
12. Changes to this policy
13. Contact us

1. Who we are

Cerno Inc. is incorporated in Toronto, Canada. We provide KYC, pKYC, AML transaction monitoring, and agentic SAR drafting services to fintech companies ("Clients"). In providing these services, Cerno acts as a data processor on behalf of our Clients (who are data controllers) in respect of the personal data of their end customers. For data relating to our own website visitors and prospective customers, Cerno acts as a data controller.

2. Data we collect

Data we collect as a controller (about you, our website visitor or prospective customer):

  • Contact information you provide when requesting access — name, email address, company name, job title.
  • Usage data — pages visited, time on site, browser type, IP address, referring URL.
  • Communications — content of emails or messages you send us.

Data we process as a processor (on behalf of our Clients, about their end customers):

  • Identity documents — government-issued IDs, passports, driver's licences (images and extracted data).
  • Biometric data — liveness video and facial comparison data used for identity verification.
  • Personal identifiers — full name, date of birth, address, nationality, tax identification numbers.
  • Business information — company registration details, UBO structures, beneficial ownership graphs.
  • Transaction data — payment amounts, counterparties, timestamps, and geographic data submitted for AML screening.
  • Watchlist screening results — OFAC, FINTRAC, UN, EU, and other regulatory list matches.

When processing end-customer data on behalf of a Client, Cerno's use is governed by our Data Processing Agreement with that Client. End customers should refer to their financial institution's privacy notice for information on how their data is handled.

3. How we use your data

We use controller data to:

  • Respond to enquiries and manage your access request or account.
  • Send product updates and compliance insights you've opted into.
  • Analyse how our website is used and improve our services.
  • Comply with our legal and regulatory obligations.
  • Detect and prevent fraud or misuse of our services.

We process Client end-customer data strictly to deliver the contracted compliance services — identity verification, risk scoring, transaction monitoring, and SAR drafting — and for no other purpose without explicit Client consent.

4. Legal bases for processing

Where GDPR or UK GDPR applies, our legal bases are:

  • Contract performance — processing necessary to provide our services to you.
  • Legitimate interests — improving our platform, fraud prevention, direct marketing to business contacts (where not overridden by your rights).
  • Legal obligation — compliance with applicable laws, including AML/CFT regulations.
  • Consent — for optional communications and non-essential cookies.

For biometric data (liveness captures), we rely on explicit consent obtained by our Client at the point of collection, as required under GDPR Article 9 and applicable provincial laws.

5. Sharing and disclosure

We do not sell personal data. We share data only in the following circumstances:

  • Sub-processors — cloud infrastructure providers, document verification vendors, and watchlist data providers, each bound by data processing agreements meeting GDPR adequacy standards. A current list of sub-processors is available on request.
  • Legal requirements — where disclosure is required by law, court order, or regulatory authority (including FINTRAC, FinCEN, or FCA requests).
  • Business transfers — in the event of a merger or acquisition, with appropriate confidentiality protections.
  • With your consent — for any other purpose you explicitly authorise.

6. Data retention

We retain controller data (website and enquiry data) for as long as necessary to fulfil the purposes above, typically no longer than 3 years after our last interaction.

End-customer data processed on behalf of Clients is retained according to the Client's instructions and applicable regulatory requirements. FINTRAC and FinCEN regulations require certain KYC and transaction records to be retained for a minimum of 5 years. We will delete or return data upon Client instruction after the retention period expires.

7. Security

We implement technical and organisational measures proportionate to the risk, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls and least-privilege principles.
  • SOC 2 Type II audit programme (in progress — available to Clients under NDA).
  • Penetration testing at least annually by an independent third party.
  • Incident response plan with 72-hour breach notification to affected Clients.

No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@cerno.ai.

8. International transfers

Cerno is headquartered in Canada, which the European Commission has recognised as providing adequate protection for personal data. Where we transfer data to sub-processors outside Canada or the EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms. A list of the countries in which our sub-processors operate is available on request.

9. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your data where no legal obligation requires retention.
  • Restriction — ask us to restrict processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any right, contact privacy@cerno.ai. We will respond within 30 days. If you are an end customer of a Cerno Client, please contact your financial institution directly — we will assist them in fulfilling your request.

You have the right to lodge a complaint with your supervisory authority — in Canada, the Office of the Privacy Commissioner; in the EU/UK, your local data protection authority.

10. Cookies and tracking

Our website uses essential cookies required for basic functionality (e.g. theme preference). We do not use third-party advertising trackers. We use privacy-respecting analytics (no cross-site tracking, IP anonymisation enabled) to understand aggregate traffic patterns. You can disable cookies in your browser settings; this will not affect core functionality.

11. Children's data

Our platform is not directed at children under 18. We do not knowingly collect data from minors. If you believe we have inadvertently collected data about a minor, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this policy to reflect changes in our practices or applicable law. Material changes will be notified to Clients by email at least 30 days before taking effect. The effective date at the top of this page reflects the most recent version.

13. Contact us

If you have any questions about this Privacy Policy, please contact us:

  • Email: privacy@trycerno.app

© 2025 Cerno Inc. All rights reserved. This policy applies to cerno.ai and all Cerno-operated subdomains.