July 4, 2025

PRIVACY POLICY

  1. Background

1.1 Cerebro 9 (hereinafter “we,” “us,” “our”) processes personal data about you in various situations. This occurs, for example, when you consider becoming a customer with us or actually become one, or if you interact with us in other ways, such as agreeing to receive marketing materials, applying for a job, or visiting our website. We also process your personal data when you create an account on http://app.Cerebro9 .com (hereinafter “the Application”) to receive one or more automated documents (hereinafter “Services”).

1.2 To fulfill our duty to inform, we provide the following details about how we collect, process, and share your personal data.

  1. Data Controller

2.1 Cerebro 9 by Web-X ApS, CVR no. 27566898, Ørnebjergvej 18, 2600 Glostrup, is the data controller for the processing of your personal data.

2.2 For inquiries about how we handle your personal data, please contact us at contact@Cerebro9 .dk.

  1. Purpose

3.1 The purposes of processing your personal data include i) managing and processing information related to marketing and recruitment, ii) fulfilling our agreement with you for the delivery of Services, and

    1. Administering your account and payments in the Application (hereinafter “the Purpose”).
  1. Personal data we collect and process

4.1 We collect and process personal data that you provide to us, which is necessary to fulfill the Purpose.

2/11

Customer administration

Purpose The purpose is to manage the customer relationship, including
customer registration, invoicing, quality management and
control, as well as to administer, manage, and develop our
business and services, and to handle the operation and
maintenance of systems.
Data subjects Customers, including employees of customers.

Category: General personal data, including information on name, title, address, phone number, and email address, consumption, subscription details, and billing information.

Source: Customers, including employees of customers.

Retention Period: Data will be deleted after 10 years from the end of the calendar year in which the customer relationship ends, unless specific circumstances require a shorter or longer retention period.

Legal Basis for Processing

The processing is necessary to fulfill agreements with our customers or to take measures at the customers’ request prior to entering into agreements, according to Article 6(1)(b) of the General Data Protection Regulation (GDPR).

The processing is also necessary for us to comply with legal obligations to which Cerebro 9 is subject, according to Article 6(1)(c) of the GDPR.

Furthermore, the processing is necessary for us to pursue our legitimate interest in managing customer relationships, fulfilling agreements with our customers, administering and developing our business, and handling the operation and maintenance of systems used in managing customer relationships, according to Article 6(1)(f) of the GDPR.

3/11

Marketing

Purpose The purpose is to carry out marketing activities, including
sending newsletters, emails, SMS, MMS, phone calls, and other
direct communications.
Data subjects Contacts.

Category: General personal data, including name, title, email, phone number, and organization.

Source: The contact itself or from publicly available sources, such as LinkedIn, Facebook, or the contact’s organization’s website.

Retention Period: Data is deleted when the contact requests not to be contacted. For our newsletters, data is deleted after 2 years from the time the contact withdraws their consent.

Legal Basis for Processing

If we have previously been in contact with you in one way or another, we consider that we have a legitimate interest in processing your personal data to maintain our relationship, market our services, and ensure that our communications with you are as relevant as possible, according to Article 6(1)(f) of the General Data Protection Regulation (GDPR).

Processing of personal data in connection with subscription to our newsletter or other electronic communications is based on your consent, according to Article 6(1)(a) of the GDPR.

Furthermore, the processing is necessary for us to comply with legal obligations to which Cerebro 9 is subject, according to Article 6(1)(c) of the GDPR.

4/11

Visitors to Our Website

Purpose The purpose is to manage visitors to our website Cerebro9 .com.
Data subjects Visitors to Cerebro9 .com.

Category: General personal data, including IP address.

Source: The visitor.

Retention Period: You can read more about the duration of individual cookies in our
cookie policy.
Legal Basis for We process personal data with the visitor’s consent, according to
Processing Article 6(1)(a) of the General Data Protection Regulation
(GDPR).
You can read more about Cerebro 9 ‘s use of cookies in our
cookie policy.

5/11

Recruitment

Purpose The purpose is recruitment, including processing and evaluating
applicants for a current or future position at Cerebro 9 .
Data subjects Applicants.

Category: General personal data, including name, address, phone number, and email, educational background, work experience, and other personal data provided by the applicant, as well as references. In some cases, information about criminal records, including criminal records checks. We also process sensitive personal data, including information about illnesses that could significantly affect the applicant’s ability to perform the job in question.

Source: The applicant and, where applicable, references (if the applicant has given consent) as well as publicly available information.

Retention Period: Information about applicants who are not offered a position is deleted after 3 months from the date the applicants are notified of the rejection of their applications, unless the applicant has consented to a longer retention period or specific circumstances require a longer retention period.

Legal Basis for Processing

Processing of general personal data is necessary for Cerebro 9 to pursue legitimate interests in recruiting applicants for positions at Cerebro 9 , according to Article 6(1)(f) of the General Data Protection Regulation (GDPR).

We process personal data obtained through references if the applicant has given consent, according to Article 6(1)(a) of the GDPR.

We also process personal data that is clearly published by the data subject, according to Article 9(2)(e) of the GDPR.

We process criminal record information if necessary to serve a legitimate interest in ensuring that the applicant can fulfill the position at Cerebro 9 , according to Article 10 of the GDPR, in conjunction with Section 8(3) of the Data Protection Act.

Processing is necessary to comply with our or the applicant’s labor law obligations and specific rights, according to Article

6/11

9(2)(b) of the GDPR, in conjunction with Section 7(2) of the Data Protection Act.

7/11

Supplier administration

Purpose The purpose is to manage supplier and collaboration
relationships.
Data subjects Suppliers and partners, as well as employees of these entities.

Category: General personal data, including name, title, address, phone number, and email address. For employees of suppliers and partners, we process name, title, email address, and phone number.

Source: Suppliers and partners, as well as their employees.

Retention Period: 6 years from the end of the calendar year in which the supplier and collaboration relationship ends, unless specific circumstances require a shorter or longer retention period.

Legal Basis for Processing is necessary to fulfill agreements with our suppliers

Processing and partners or to take measures at their request prior to entering into agreements, according to Article 6(1)(b) of the General Data Protection Regulation (GDPR).

Processing is also necessary for us to comply with a legal obligation to which Cerebro 9 is subject, according to Article 6(1)(c) of the GDPR.

Furthermore, processing is necessary for us to pursue our legitimate interest in managing supplier and collaboration relationships and fulfilling agreements with our suppliers and partners, according to Article 6(1)(f) of the GDPR

  1. Sharing your personal data

5.1 As a rule, we do not disclose your personal data to third parties.

5.2 However, in certain situations, we may share personal data with our auditors and other professional advisors, such as for audit purposes or to receive legal advice.

5.3 Additionally, we may be required to disclose personal data to public authorities if necessary for compliance with legal obligations.

8/11

  1. Security and protection

6.1 We protect the confidentiality, integrity, and availability of our customers’ and other relations’ information, including personal data. We prioritize customer confidentiality and information security highly and are strongly committed to ensuring continuous protection of information. We have implemented security measures to protect data, including customer information, personal data, and other confidential information. These measures include data encryption, access security, etc. We continuously follow up internally to ensure adequate security.

  1. Deletion

7.1 We delete your personal data when we no longer need it to fulfill the Purpose or to comply with legal requirements.

7.2 Personal data that you used to register your account will therefore be deleted no later than 2 years after our last contact.

7.3 We are required to keep information about your purchases of Services via the Application for up to 5 years after your purchase.

  1. Your rights

8.1 As a data subject, you have a number of fundamental rights. However, these rights may be limited, for example, if providing information that you are otherwise entitled to receive would infringe on the rights of others.

8.2 To the extent that our processing of your personal data is based on your consent, you may withdraw your consent at any time. The withdrawal does not affect the legality of the processing we carried out before the withdrawal. To withdraw your consent to our processing of your personal data, please contact us. If you no longer wish to receive emails with information and marketing material from us, you can easily unsubscribe by replying to one of

9/11

the received emails with “unsubscribe marketing” or as instructed on our

website or in our newsletter.

8.3

 As a general rule, you have the right to be informed if we process personal
data about you, and if so, which personal data we process about you and how
we process it, as well as to receive a copy of it.

8.4

 You have the right to have incorrect or incomplete personal data corrected. If
the data has been disclosed to others, we will ensure that the recipients are
informed of the correction, if possible and lawful.

8.5 You may have the right to have the personal data we process about you deleted. If the data has been disclosed to others, we will ensure that the recipients are informed of any deletion, if possible and lawful.

8.6

 You may have the right to have the processing of your personal data
restricted, so that the data is merely stored by us. If the data has been
disclosed to others, we will ensure that the recipients are informed of any
restriction, if possible and lawful.

8.7 In certain cases, you have the right to obtain the personal data about you that you have provided to us in a structured, commonly used, and machine-readable format, and to have the data transferred to another data controller.

8.8 In certain cases, you have the right to object to our processing of your data.

10/11

  1. Contact and complaint

9.1 If you have a complaint about our processing of your personal data, please email your complaint to contact@Cerebro9 .com. We will respond as soon as possible.

9.2 You also have the right to file a complaint with the Danish Data Protection Agency via their website www.datatilsynet.dk.

  1. Danish data protection agency

Borgergade 28, 5.,1300 København K. Phone num.: 33193200

E-mail: dt@datatilsynet.dk

  1. Sharing of your personal data

11.1 Transparency is an ongoing responsibility, and we therefore continuously update our privacy policy.

11.2 The privacy policy was last updated on 4 July, 2025.