Cerebral Code, LLC Privacy Policy
Last updated: 3.2.2025
1. Introduction
Cerebral Code, LLC (hereafter known as the "Company", "we", "us", or "our") develops and provides the Assessment Assistant, a software as a service (hereafter known as the "Product") to certain licensed school or healthcare providers (hereafter known as "Provider(s)", "User(s)", or "you") in the United States of America who serve clients (hereafter known as "Clients"). This policy explains how we collect, use, and protect user data and client data.
2. Information Collection
We collect data necessary for software operations, including:
- User data: Provider's name, address, contact information, credentials, user configurations, activity logs, payment details, and other data used to establish the user's account.
- Client data: Provider-entered client protected health information (PHI), personally identifiable information (PII), and other relevant data submitted by the User.
- Technical data: IP addresses, device identifiers, locations, cookies, and other data necessary for system functionality, safety, and security.
Information we do not collect includes:
- Health insurance or health plan information
- Client payment information
- Biometric data
3. Information Use, Sharing, Access, and Retention
Use
Our Company will use User and Technical data in the following ways:
- Providing and Improving Services – To deliver, operate, maintain, and enhance the website, app, or service.
- Communication – To send updates, service-related messages, marketing emails, or customer support responses.
- Analytics and Performance Monitoring – To analyze usage patterns, troubleshoot issues, and improve functionality.
- Security and Fraud Prevention – To detect, prevent, and respond to security threats, unauthorized access, or fraudulent activities.
- Compliance with Legal Obligations – To fulfill legal, regulatory, or contractual requirements.
- Third-Party Integrations – To enable integrations with external services, such as payment processors.
- Business Operations – For administrative purposes.
Client data is used strictly for its advertised intended purpose and in accordance with the Company's policies. Only two entities will handle Client information: our Company and Google Cloud Platform (hereafter known as the "Processor"), our cloud computing provider. The Processor provides numerous safeguards to ensure that the information submitted to its services by the Company is handled in a way that complies with the regulations discussed here; these safeguards are explained in more detail on the Processor's site. The Company has entered into a Business Associate Agreement (BAA) with the Processor.
Because the Company is a customer of the Processor, the Company specifies how the Processor may handle the collected information. The Company has specified that the Processor may only handle the collected information in the strictest, most conservative sense, which includes but is not limited to these directives:
- Data may not be retained outside the data stores necessary for operation.
- Collected information may not be used to support or develop the Processor's own products.
- Data storage and processing by the Processor is restricted geographically to the United States of America.
Sharing
We do not share User, Client, or Technical data with any third-party organization, service, or entity for any reason, except when required to do so by law.
Retention
We will retain collected information for as long as you are an active customer of our Product. We will then retain collected information for 6 years after the last activity on your account before it will be automatically deleted. You may delete any collected information at any time. You may request the extension of our data retention of collected information.
Access
In addition to the User, limited access to portions of a Client's data, as a fundamental requirement of administering the database and storage operations, is restricted to authorized employees only, based on job roles and responsibilities and enforced through role-based access controls (RBAC). These employees are reviewed regularly and access rights are updated based on their roles. If an employee no longer needs to work with this data, their access is removed.
4. Information Security, Safeguards, and Risk Management
The Company, in its development of the Product, takes information security very seriously, which is reflected in our robust commitment to protect PHI and other confidential information. These commitments include the following efforts:
Administrative Safeguards
- Security Management Process: Our Company has implemented and continues to develop its appraisal of potential risks and vulnerabilities to ePHI.
- Assigned Security Responsibility: Our security official is the Company's Chief Technology Officer.
- Workforce Security: Every employee of our company is screened for suitability for access to computer systems that have the potential of containing confidential information.
- Information Access Management: The Product is designed in a way that allows only authorized users to access confidential client information.
- Security and Awareness Training: Our employees engage in regular, ongoing professional development in the area of information security best practices.
- Security Incident Procedures and Contingency: Our company has a procedure for reporting and resolving security incidents, both internally and externally.
- Evaluation: We are currently conducting a risk analysis on our product to demonstrate its acceptable level of risk for use by healthcare professionals in the USA in accordance with regulatory agencies. Furthermore, whitepapers on our Product's development can be read on our website as they are published.
Physical and Technical Safeguards
- Company workstations and devices are secured using conventional methods such as locking cabinets, access controlled rooms, and inventory management practices. These resources are tracked, managed, and appropriately decommissioned when necessary.
- Audit controls: The Technical data we collect allows the Company to monitor and audit the Product's handling of confidential information.
- Transmission security: We use standard encryption technologies in our Product such as HTTPS, TLS, and AES 128-bit encryption for data in transit, and AES 256-bit encryption for data at rest.
Product Safeguards
In addition to the above efforts, our Company has developed a number of proprietary strategies that help further protect confidential information in our software. These strategies include:
- A decoupling strategy where user PII is redacted from data sent to some services provided by the Processor and then re-inserted when the data returns from the particular service.
- An in-app encryption strategy that encrypts data both at rest (when stored in the database) and in transit and decrypts confidential information in a way that prevents our Company's employees from seeing plain text confidential information in the Product's back end.
5. User Rights & Responsibilities
Users of the Product have the right to access, update, and manage their information in accordance with applicable privacy laws. Users are responsible for ensuring that any Client confidential information accessed through the Product is handled securely and in compliance with confidentiality agreements and legal obligations.
Unauthorized sharing, disclosure, or misuse of confidential information is strictly prohibited. Users must promptly report any suspected data breaches or security concerns to the Company.
By using the Product, users agree to uphold data protection best practices and maintain the integrity of Client confidential information, as well as the nondisclosure of sensitive, proprietary, or product-specific information that could be considered non-public or trade secret information by the Product's copyright holder.
Data entered into the Product's information system is owned by the User. The Client has the right to request data from the User as outlined in the User / Company BAA.
6. Breach Notification
In the event of a data breach involving Client confidential information, the Company will promptly investigate and assess the scope of the incident. Affected users and relevant authorities will be notified within 5 days, or sooner where required by applicable laws and regulations. Notifications will include details of the breach, the type of data affected, potential risks, and any recommended actions to mitigate harm. The Company will take immediate steps to contain the breach, prevent further unauthorized access, and implement corrective measures to strengthen security. Users are responsible for reporting any suspected breaches or security vulnerabilities without delay to security@assessmentassistant.app.
Additional breach responsibilities apply to both parties and are outlined in the User / Company Business Associate Agreement (BAA).
7. Policy Updates & Contact
The Company reserves the right to update this privacy policy periodically to reflect changes in legal requirements, industry standards, or operational practices. Users will be notified at least 30 days in advance of significant updates through appropriate communication channels, including an in-app banner and e-mail notification. Continued use of the Product after policy changes take effect constitutes acceptance of the revised terms.
For any questions, concerns, or requests regarding this policy, users may contact the Company's Product support team at contact@assessmentassistant.app.