Back

Privacy Policy

Last updated: July 15, 2026

1. Who we are

Cerno AI ("Cerno", "we", "us") is an AI-assisted email triage product. This Privacy Policy explains what information we collect, how we use it, and the choices you have. This page is maintained by Cerno AI and is not an independent certification of our practices.

For the purposes of the UK GDPR, the EU GDPR and comparable data protection laws, Cerno AI acts as the data controller for personal data processed through the service, except that our payment reseller Paddle acts as an independent controller for the billing data it collects (see Section 5).

2. What we collect and why

We collect and process the following categories of personal data:

  • Account data — name, email address, hashed password or OAuth identifier. Used to create and authenticate your account.
  • Email content and metadata — the messages you route to Cerno, including sender, subject, body and attachments. Used to categorize, summarize and draft replies.
  • Usage and device data — log entries, IP address, browser type and pages viewed. Used for security, debugging and product improvement.
  • Support communications — messages you send us. Used to respond to and resolve your requests.

3. Legal basis for processing

We rely on the following legal bases under GDPR:

  • Performance of a contract — to provide the Service you subscribed to.
  • Legitimate interests — to secure the Service, prevent fraud and improve the product.
  • Legal obligation — to comply with tax, accounting and other laws applicable to us and our reseller Paddle.
  • Consent — where required by law, e.g. for non-essential cookies or marketing communications.

4. Email data security

Email content you connect to Cerno is transmitted over encrypted channels (TLS) and stored in encrypted databases operated by our infrastructure providers. Access to production data is limited to authorized personnel under least-privilege controls. We do not sell your email content and we do not use it to train foundation models.

5. AI processing and subprocessors

To categorize, summarize and draft replies, Cerno sends the minimum necessary email context to large language model (LLM) providers acting as our subprocessors. These providers process your data on our behalf under data-processing terms that prohibit training on your content. Automated outputs (summaries, priorities, draft replies) are AI-generated and should be reviewed before you rely on them.

Categories of recipients of your personal data include:

  • Payment processor / Merchant of Record — Paddle.com Market Limited ("Paddle"). Paddle acts as the reseller of our subscriptions and is the Merchant of Record for all our orders. When you purchase a plan, Paddle receives your name, email address, billing address, IP address and payment method details, and processes them to complete the sale, calculate and remit sales taxes, prevent fraud, and issue invoices, refunds and receipts under Paddle's own Privacy Notice. Paddle also handles customer service inquiries and returns relating to your order.
  • Hosting and infrastructure — cloud providers who host our application, database and email processing systems.
  • AI model providers — large language model vendors that process email context on our behalf under contract.
  • Support and analytics tools — providers that help us operate and improve the Service.
  • Professional advisers — legal, tax and accounting advisers where necessary.
  • Authorities — where required by applicable law.

Some of these recipients may be located outside your country. When personal data is transferred out of the UK or EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or adequacy decisions.

6. Data retention

We retain triaged email metadata and AI outputs for as long as your account is active or as needed to provide the Service. You can request deletion of your account and associated data at any time by contacting us; we will delete or anonymize your data within a reasonable period, subject to legal retention obligations (e.g. Paddle retains transaction records to comply with tax law).

7. Your rights

Depending on your jurisdiction, you may have rights to access, rectify, export, restrict, object to or delete personal data we hold about you, and to withdraw consent where processing is based on consent. UK/EEA users also have the right to lodge a complaint with their local supervisory authority. To exercise these rights, contact us using the details below and we will respond within one month.

8. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, access controls, and regular review of our security posture. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

9. Cookies

We use strictly necessary cookies to keep you signed in and secure the Service. If we add analytics or marketing cookies, we will ask for your consent where required.

10. Contact

Questions about this policy, or to exercise your rights? Reach us at privacy@cerno.email.