CBRX

Privacy

Last updated: 2026-05-12

Controller
Cyberalert, UAB (trading as CBRX) — private limited liability company (uždaroji akcinė bendrovė) governed by the Lithuanian Civil Code and Law on Companies, Director: Kazimieras Sadauskas (per Articles of Association signed 14 November 2025)
Registered office
Smolensko 10B, Vilnius, Lithuania
Company code (juridinio asmens kodas)
306426102
VAT code (PVM mokėtojo kodas)
LT100017416214
Founded
2023-09-18
Data protection contact
privacy@cbrx.ai

This notice explains what personal data CBRX collects, how we use it, what our lawful basis is, and what rights you have. We aim to keep this concise and direct, in the same register we use in our outbound communications. If anything is unclear, write to privacy@cbrx.ai.

1. Who we are

CBRX is the trading name of Cyberalert, UAB — an AI adoption agency for mid-market service businesses across the Baltics, Nordics, and EU. We provide three productised services (Scan / Sprint / Managed AI) that help mid-market firms reduce senior-time-tax via AI-driven workflow automation.

When we process your personal data, Cyberalert, UAB is the data controller under the EU General Data Protection Regulation 2016/679 (the "GDPR").

2. What personal data we process

We process personal data in three contexts.

2.1 Marketing and outbound outreach

When we identify your firm as a potential CBRX customer (within our ICP — mid-market professional services in LT/DK/SE/NO/FI/DE), we may contact you on LinkedIn. The personal data we hold for outreach purposes is:

  • Identity: name, professional title, employer
  • Contact: professional email, professional phone (where publicly available), LinkedIn profile URL
  • Firm context: company name, sector, size band (FTE), country of registration
  • Engagement signals: whether you've clicked a link we sent, whether you've replied, profile-visit frequency on LinkedIn

We do not process your private email, your home address, your bank details, your government identifiers, your health data, or any special-category data under Article 9 of the GDPR.

2.2 Reply triage calibration (the LI reply rules dataset)

When you reply to a CBRX LinkedIn message, we record a pseudonymised summary of the exchange to calibrate our internal reply triage rules. The pseudonymised dataset holds:

  • A SHA-1 hash (first 8 characters) of `firstname.lastname@company` — pseudonymous identifier
  • A sector + size descriptor (e.g., "DK audit, 40 FTE")
  • The sentiment of your reply (positive / neutral / not interested / asking-about-AI)
  • The response option we chose (warm-acknowledge / brand-seed / discovery question / book a call)
  • An anonymised one-line rationale for the choice

This dataset is pseudonymous, not anonymous, under Article 4(5) and recital 26 of the GDPR — re-identification is technically possible via our CRM index. We treat it as personal data subject to GDPR.

We hold this dataset for 24 months from collection, after which it is deleted. If you become a CBRX customer (sign a Sprint), your row is deleted at conversion.

2.3 Customer engagement (when you become a CBRX customer)

If you sign a Scan, Sprint, or Managed AI engagement, separate processing applies under Article 28 GDPR (data processor capacity). The contractual data processing addendum (DPA) we sign with you governs that processing. This privacy notice is not the operative document for customer-engagement processing — your engagement letter / DPA is.

3. Lawful basis

| Processing context | Lawful basis (GDPR Article 6) |
| --- | --- |
| Marketing and outbound outreach (§2.1) | Article 6(1)(f) — legitimate interest. Our legitimate interest is to identify and engage potential CBRX customers within our ICP. We balance this against your privacy interests using the safeguards in §5 below. You have the right to object to this processing at any time (§6). |
| Reply triage calibration (§2.2) | Article 6(1)(f) — legitimate interest. Our legitimate interest is to calibrate our outbound communications process to make them more relevant to recipients. The Article 6(1)(f) balancing test for this dataset is documented internally; we will share a redacted version on request to privacy@cbrx.ai. |
| Customer engagement (§2.3) | Article 6(1)(b) — performance of a contract (your CBRX engagement letter), or your DPA-governed processing terms. |

4. Recipients of your personal data

For §2.1 and §2.2, your personal data is processed by:

  • Cyberalert, UAB (controller) — only KS and AM have access to the reply triage calibration dataset. Other CBRX team members (currently zero) and contractors (currently zero) do not have access.
  • HubSpot, Inc. (CRM processor) — under Article 28 DPA. EU-residency configured where the option is available.
  • Google LLC (Google Workspace processor — email, docs, drive) — under Article 28 DPA. Cyberalert, UAB is on Google Workspace's EU-residency setting where applicable.
  • LinkedIn Corporation (Microsoft) — when we contact you on LinkedIn, LinkedIn processes the message metadata. We use LinkedIn's standard professional features; we do not transfer your data to LinkedIn beyond the use of their platform for the message.
  • Lusha Systems, Inc. (data provider) — for ICP enrichment. Lusha holds professional contact data on a separate lawful basis declared in their own privacy notice.

For §2.3 (customer engagement), additional processors apply per your engagement letter / DPA.

5. International transfers

CBRX operates an EU-first data architecture. Google Workspace EU-residency is configured (confirmed 2026-05-08). HubSpot CRM is configured to EU data residency where the option is available. In normal operation, your personal data does not leave the EU/EEA.

Where personal data is incidentally transferred outside the EEA (e.g., a Google support engineer accessing data from a non-EU location for incident resolution; HubSpot processing operations where EU-residency is not yet available for a specific feature), we rely on:

  • Standard Contractual Clauses (Article 46 GDPR) — the European Commission's SCCs adopted in Implementing Decision 2021/914, applied via Google's and HubSpot's standard data processing terms
  • Adequacy decisions (Article 45 GDPR) — where applicable to the destination jurisdiction

We re-evaluate transfer basis when our processors update their data location guidance.

6. Your rights

Under GDPR Articles 15-21, you have the following rights regarding your personal data:

  • Article 15 — right of access: request a copy of the personal data we hold about you
  • Article 16 — right to rectification: correct inaccurate data
  • Article 17 — right to erasure: request deletion ("right to be forgotten")
  • Article 18 — right to restriction: restrict processing in certain circumstances
  • Article 20 — right to data portability: receive your data in a machine-readable format (where Article 6(1)(b) consent applies)
  • Article 21 — right to object: object to processing under Article 6(1)(f) legitimate interest. We will cease processing within 5 working days unless we demonstrate compelling overriding grounds.
  • Article 22 — automated decision-making: we do not make automated decisions that significantly affect you. Every CBRX outbound communication is reviewed and sent by a human (KS or AM). Our internal rule engine produces *recommendations*, not decisions.

To exercise any of these rights, write to privacy@cbrx.ai. We will respond within 30 days per Article 12(3).

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in your EU/EEA member state. For Lithuania, the supervisory authority is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — VDAI), L. Sapiegos g. 17, Vilnius, vdai@ada.lt. For other countries, see the European Data Protection Board's list of national authorities at edpb.europa.eu.

7. Retention

| Data type | Retention period |
| --- | --- |
| Marketing outbound contact data (§2.1) | 24 months from last interaction. Earlier deletion on your Article 17 erasure request or Article 21 objection. |
| Reply triage dataset (§2.2) | 24 months from collection. Earlier deletion on conversion to CBRX customer (auto-deletion), Article 17 request, or Article 21 objection. |
| Customer engagement data (§2.3) | Per your engagement letter / DPA. |

8. AI use disclosure (per AI Act Article 50)

CBRX uses AI to draft outbound communications on the cold-channel outreach sequence (Lusha-sourced contacts within our ICP who have not previously interacted with CBRX). KS reviews and edits every AI-drafted message before send. Warm-channel outreach (referrals, prior conversations, ex-colleagues, second-degree connections) is hand-written by KS without AI drafting.

When we send you a LinkedIn message:

  • First-touch cold message: AI-assisted drafting + KS review before send. The disclosure language is included verbatim in the message.
  • Warm-channel message: hand-written by KS.
  • Reply to your reply: depends on the path; we are transparent on request.

If you ask whether AI was used in any specific message we sent you, we will answer directly and verbatim. We will not deflect, hedge, or claim full human authorship where AI was involved.

This notice is itself written by KS with AI assistance (drafting + structure) and reviewed by external counsel before publication.

9. Changes to this notice

We will update this notice when our processing materially changes (new data categories, new processors, new lawful bases, new retention periods). Material updates are dated in the "Last updated" line at the top. Where the change affects your rights, we will inform you via the next outbound communication or via a separate notice email.

The current version is 1.0 (2026-05-12). Previous versions, when they exist, will be archived at cbrx.ai/privacy/archive.

10. Contact

For any data protection question, write to privacy@cbrx.ai. We aim to respond within 5 working days for non-rights questions and within 30 days for Article 15-21 rights requests.