Privacy Policy

Last updated: March 1, 2026

Privacy Policy — CronusAI

1. Introduction

This Privacy Policy describes how SOFTBLITZ PESQUISA DESENVOLVIMENTO E CONSULTORIA DE SOFTWARE DO BRASIL LTDA - ME ("SoftBlitz," "we," "us," or "our"), operating the CronusAI platform, collects, uses, and protects personal information in compliance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other applicable U.S. state privacy laws.

CronusAI is an HR SaaS solution within the OrbittAI ecosystem, offered in the United States and Brazil, covering time tracking, payroll, employment contracts, employee management, and AI-powered analytics.

We process personal information in accordance with applicable law, including the CCPA/CPRA's requirements for transparency, purpose limitation, and consumer rights.

2. Data Controller Information

The data controller responsible for personal information processed through the CronusAI platform is:

SoftBlitz Pesquisa Desenvolvimento e Consultoria de Software do Brasil Ltda - ME
CNPJ: 56.145.925/0001-85
Address: Av. Paulista 1471, Conj. 1110, Bela Vista, São Paulo – SP, CEP 01311-927, Brazil

For privacy-related inquiries and consumer rights requests:

Data Protection Officer (DPO)
Email: dpo@orbittai.com

3. Types of Data Collected

In operating the CronusAI platform, we collect and process the following categories of information:

Identification data: Full name, preferred name, SSN/CPF, date of birth, government-issued ID number, full address (street, number, complement, city, state, ZIP, country), phone numbers, email address, and profile photo (avatar).

Professional data: Job title, function, department, employment type (W-2, 1099, contractor, etc.), work schedule, hire and termination dates, salary and compensation, overtime settings, internal evaluations, and work history.

Financial data: Banking information for payments (bank name, routing number, account number, account type), payment history, payment proofs, and signed receipts.

Technical data: IP address, device identifier, browser and operating system type, access and activity logs, cookies, and similar technologies.

Geolocation data: Coordinates collected at the time of digital signature of contracts or receipts, for purposes of proof and compliance with electronic signature requirements.

Analytics data: Productivity metrics, hours worked, overtime, and AI-generated insights regarding performance and contracts.

4. Categories of Personal Information (CCPA)

Under the CCPA (Cal. Civ. Code § 1798.140), we collect the following categories of personal information:

CCPA Category | Examples
Identifiers | Name, SSN, email, phone, IP address, unique identifiers
Commercial information | Payment history, transaction records
Biometric information | Biometric data used for KYC/identity verification when applicable
Internet or network activity | Browsing history, search history, interactions with our platform
Geolocation data | Physical location, coordinates at time of signature
Professional or employment-related information | Job title, salary, evaluations, work history
Inferences | Productivity insights, AI-generated summaries

The CCPA defines "personal information" broadly to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household (Cal. Civ. Code § 1798.140(v)).

5. Sensitive Personal Information (CPRA)

The CPRA (Cal. Civ. Code § 1798.140(ae)) defines "sensitive personal information" to include, among other things:

  • Government identifiers (e.g., SSN, driver's license)
  • Account log-in and financial account credentials
  • Precise geolocation
  • Racial or ethnic origin, religious beliefs, union membership
  • Contents of mail, email, or text messages (other than our business communications)
  • Genetic data
  • Biometric information for identification
  • Health and sexual orientation information

We may process biometric information (e.g., for identity verification/KYC) and health-related information (e.g., blood type, allergies) only where necessary for the services, with appropriate legal bases and safeguards. We do not sell or share sensitive personal information for cross-context behavioral advertising. California residents have the right to limit our use of sensitive personal information to that which is necessary to perform the services (Cal. Civ. Code § 1798.121).

6. Sources of Data

We obtain personal information from the following sources:

  • Directly from the consumer: Registration, forms, document uploads, time entries, contract and receipt signatures.
  • Employer or account administrator: Professional, salary, and contractual data entered by company administrators.
  • Authorized third parties: KYC providers (e.g., Didit) for identity and document verification.
  • Automatically generated: Logs, IP addresses, technical identifiers, and analytics produced by platform use.

7. Purpose of Data Processing

We process personal information for the following business and commercial purposes (Cal. Civ. Code § 1798.140(e)):

  • Providing and maintaining the CronusAI platform (time tracking, payroll, contracts, employee management, AI features).
  • Fulfilling contractual and pre-contractual obligations.
  • Complying with legal and regulatory obligations (labor, tax, employment law).
  • Verifying identity and preventing fraud.
  • Processing payments and managing payroll.
  • Sending transactional communications and service notifications.
  • Improving our services, security, and user experience.
  • Conducting analytics and generating AI-powered insights.
  • Responding to lawful requests from authorities.

Each category of data is processed only to the extent necessary for these purposes.

Where applicable under U.S. law, we rely on the following bases for processing:

  • Performance of a contract: Provision of services, registration, payroll, contracts.
  • Legitimate interests: Security, fraud prevention, service improvement, analytics.
  • Legal obligation: Compliance with employment, tax, and regulatory requirements.
  • Consent: Where required for specific processing, including certain sensitive data or optional features.

9. Data Sharing and "Sale" of Personal Information (CCPA)

Under the CCPA, a "sale" is defined as the disclosure of personal information to a third party for monetary or other valuable consideration (Cal. Civ. Code § 1798.140(ad)). "Sharing" means disclosure for cross-context behavioral advertising (Cal. Civ. Code § 1798.140(ah)).

We do NOT sell personal information. We do not disclose personal information to third parties in exchange for monetary or other valuable consideration.

We do NOT share personal information for cross-context behavioral advertising.

We may disclose personal information to service providers and contractors who process data on our behalf under contract and subject to CCPA obligations. Such disclosures are not considered "sales" or "sharing" under the CCPA (Cal. Civ. Code §§ 1798.140(ad)(5), 1798.140(ah)(2)).

10. Service Providers and Contractors (CCPA)

Under the CCPA/CPRA, "service providers" and "contractors" process personal information on our behalf under written contracts that restrict use to specified business purposes and prohibit retention, use, or disclosure outside the contract (Cal. Civ. Code §§ 1798.140(ag), 1798.140(af)).

We engage the following categories of service providers and contractors:

Provider/Contractor | Purpose
Cloudflare | CDN, security, tunneling
AWS / Cloudflare R2 | File storage
Resend | Transactional email
OpenAI | AI processing (contract generation, analysis)
Didit | Identity verification (KYC)

These entities are contractually bound to use personal information only for the purposes we specify and in compliance with applicable privacy law.

11. International Transfers

We operate from Brazil and use infrastructure and service providers located in the United States and other countries. When we transfer personal information outside the U.S., we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): Where required, we use SCCs approved by relevant authorities to govern international transfers.
  • Privacy Shield and successors: Where applicable, we rely on adequacy decisions or certification mechanisms recognized by regulators.
  • Contractual and technical measures: Encryption, access controls, and contractual commitments to protect data in transit and at rest.

By using CronusAI, you acknowledge that your information may be transferred to, stored, and processed in countries outside your country of residence.

12. Data Retention

We retain personal information only as long as necessary to fulfill the purposes described in this policy and to comply with legal obligations:

Category | Retention Period
Account and contract data | Duration of contract + 5 years (legal obligations)
Time records and payroll cycles | 5 years (employment and tax requirements)
Documents and proofs | 5 years or as required by law
Financial and payment data | 5 years (tax and regulatory)
Logs and technical data | Up to 2 years for security and audit
Signature and geolocation data | Duration of contract + 5 years

After retention periods expire, we anonymize or securely delete data, except where law requires longer retention.

13. Security Measures

We implement reasonable technical and organizational measures to protect personal information, including:

  • Encryption: Data in transit (TLS) and at rest where applicable.
  • Access controls: Role-based access, least privilege, and multi-factor authentication where appropriate.
  • Audit logging: Logging of access and significant changes for accountability.
  • Monitoring: Security monitoring and incident response.

We periodically review and update our security practices to address evolving risks.

14. AI Processing and Analytics

CronusAI uses artificial intelligence for:

  • Productivity analysis: Time worked, overtime, and usage patterns.
  • Contract generation and analysis: Clause suggestions, risk analysis, and insights on employment contracts.
  • Automated insights: Recommendations and reports based on aggregated data.

We strive to mitigate bias in AI processing and to provide transparency where AI has a significant impact on individuals. Where automated decisions produce legal or similarly significant effects, consumers may request human review as described below.

15. Automated Decision-Making

Where we make decisions based solely on automated processing that significantly affect you, you may request human review of the decision. To do so, contact dpo@orbittai.com with the subject "Automated Decision Review." We will provide information about the logic involved and facilitate human review where required by law.

16. Rights of California Residents (CCPA/CPRA)

California residents have the following rights under the CCPA and CPRA (Cal. Civ. Code §§ 1798.100–1798.125):

Right | Description
Right to Know | Know what personal information we collect, use, disclose, and sell or share
Right to Delete | Request deletion of personal information, subject to exceptions
Right to Correct | Request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing | Opt out of the sale or sharing of personal information (we do not sell or share)
Right to Non-Discrimination | Not receive discriminatory treatment for exercising privacy rights
Right to Limit Use of Sensitive PI | Limit our use of sensitive personal information to that necessary to perform the services

We do not sell or share personal information; therefore, the opt-out right does not apply to sales or sharing, but we honor requests to the extent required by law.

For the Right to Limit Use of Sensitive Personal Information, you may submit a request to dpo@orbittai.com. We will use sensitive personal information only as necessary to provide the services and as permitted by law.

17. Rights of Other U.S. Residents

Residents of other U.S. states may have additional rights under state privacy laws, including:

  • Virginia (VCDPA): Rights to access, correct, delete, opt out of sale and targeted advertising, and portability.
  • Colorado (CPA): Similar rights including opt-out of sale, targeted advertising, and profiling.
  • Connecticut (CTDPA): Rights to access, correct, delete, portability, and opt out of sale and targeted advertising.
  • Texas (TDPSA): Rights to access, correct, delete, portability, and opt out of sale and targeted advertising.

We will process requests from residents of these and other states in accordance with applicable law. Contact dpo@orbittai.com to exercise your rights.

18. Right to Access

You have the right to request that we disclose:

  • The categories of personal information we collected about you.
  • The categories of sources from which we collected such information.
  • The business or commercial purpose for collecting such information.
  • The categories of third parties to whom we disclose such information.
  • The specific pieces of personal information we collected about you.

We will respond to verifiable requests within the timeframes required by applicable law (e.g., 45 days under the CCPA, extendable by 45 additional days with notice).

19. Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions, including:

  • Completing a transaction or providing a requested service.
  • Detecting and protecting against security incidents or fraud.
  • Debugging or repairing functionality.
  • Complying with legal obligations.
  • Exercising or defending legal claims.
  • Internal uses reasonably aligned with your expectations.

We will honor deletion requests to the extent required by law and inform you of any applicable exceptions.

20. Right to Correct

You have the right to request correction of inaccurate personal information. We will use commercially reasonable efforts to correct the information, subject to verification and applicable legal exceptions.

21. Right to Opt-Out of Sale/Sharing

Because we do not sell or share personal information, there is no need to opt out of sales or sharing. If our practices change, we will update this policy and provide a clear opt-out mechanism. California residents may submit opt-out requests to dpo@orbittai.com at any time.

22. Right to Data Portability

You have the right to receive your personal information in a portable and, to the extent technically feasible, readily usable format. We will provide the information in a structured, commonly used format (e.g., JSON or CSV) as permitted by applicable law.

23. How to Exercise Your Rights

To exercise your rights under the CCPA, CPRA, or other applicable state laws:

  1. Email: Send a request to dpo@orbittai.com with the subject line "Privacy Rights Request" or "CCPA Request."
  2. Verification: We will verify your identity using information you provide (e.g., email, account details). We may request additional information if necessary to prevent unauthorized access.
  3. Authorized agents: You may designate an authorized agent to submit a request on your behalf. We may require proof of authorization (e.g., signed power of attorney or written permission) and verification of your identity.
  4. Response: We will respond within the timeframes required by law. Under the CCPA, we generally have 45 days, extendable by 45 additional days with notice.

We do not charge a fee for processing verifiable requests unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request, as permitted by law.

24. "Do Not Sell or Share My Personal Information"

Under the CCPA, businesses that sell or share personal information must provide a link titled "Do Not Sell or Share My Personal Information" (Cal. Civ. Code § 1798.135).

We do not sell or share personal information. No such link is required for our current practices. If our practices change, we will add the required link and honor opt-out requests.

California residents may contact dpo@orbittai.com at any time to confirm our practices or submit an opt-out request.

25. Children's Data (COPPA)

The CronusAI platform is not intended for children under 16 (or under 13 where the Children's Online Privacy Protection Act (COPPA) applies). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without parental consent, we will delete it promptly. If you believe we have collected information from a child, please contact dpo@orbittai.com.

26. Security Incident Disclosure

In the event of a security incident that is reasonably likely to result in risk to individuals, we will:

  • Assess and contain: Take steps to assess, contain, and remediate the incident.
  • Notify regulators: Provide notice to applicable state attorneys general and regulators as required by state breach notification laws.
  • Notify affected individuals: Notify affected individuals when required by law (e.g., Cal. Civ. Code § 1798.82 for California residents).

Notifications will include, to the extent required and practicable: the nature of the incident, the categories of information involved, the approximate date of the incident, steps we are taking, and steps you can take to protect yourself.

27. Changes to Policy

We may update this Privacy Policy from time to time to reflect legal, regulatory, or operational changes. Material changes will be communicated via email or a notice on the platform. The "Last updated" date at the top of this policy indicates when it was last revised.

Continued use of CronusAI after changes constitutes acceptance of the updated policy, except where the change requires new consent or explicit acceptance.

28. Contact Information

For questions, requests, or complaints regarding this Privacy Policy or our processing of personal information:

Data Protection Officer (DPO)
Email: dpo@orbittai.com

Data Controller
SoftBlitz Pesquisa Desenvolvimento e Consultoria de Software do Brasil Ltda - ME
CNPJ: 56.145.925/0001-85
Av. Paulista 1471, Conj. 1110, Bela Vista, São Paulo – SP, CEP 01311-927, Brazil

California residents may also contact the California Attorney General or the California Privacy Protection Agency (CPPA) with complaints regarding our compliance with the CCPA/CPRA.