Privacy Policy 1 — Cevera - Visual CV Portfolio

Updated 03/26

1. INTRODUCTION

Cevera is a visual CV and digital portfolio platform committed to protecting your

privacy. This Privacy Policy explains how we collect, use, share, and protect your

personal data when you use the Cevera mobile app or website, in compliance with all

applicable data protection laws. These laws include the EU General Data Protection

Regulation (GDPR), the UAE Personal Data Protection Law (Federal Decree-Law No. 45

of 2021, “PDPL”), and the Philippines Data Privacy Act of 2012 (Republic Act No.

10173). We adhere to the principles of transparency, legitimate purpose, and

proportionality in processing personal information as required by these regulations. By

using Cevera, you acknowledge that you have read and understood this Privacy Policy. If

you do not agree with our practices, please do not use the platform.

2. DATA CONTROLLER

The Cevera platform is operated by Cevera (referred to as "we", "us", or "our"). For the

purposes of GDPR and other laws, Cevera acts as the “data controller” of your personal

data provided to or collected by us. This means we determine how and why personal data

is processed. We have appointed a Data Protection Officer where required and you can

3. SCOPE

This policy applies to all users of the Cevera service worldwide, including users in the

European Union, United Arab Emirates, and the Philippines. It covers data collected

through our mobile application, website, and any related services or communications. It

also describes users’ privacy rights and how to exercise them under GDPR, UAE PDPL,

and the Philippines DPA.

4. PERSONAL DATA WE COLLECT

4.1. We only collect personal data that is relevant for providing and improving the Cevera

service. This includes:

Account Information: When you register for Cevera (via email or Facebook Login), we

collect your full name, email address, city-level location (e.g. city and country), date of

birth, and a password (if signing up via email). Date of birth is used to confirm you meet

our minimum age requirement and to personalize your experience. If you choose to

profile picture (if you allow) to create your Cevera profile. This happens only with your

permission during the Facebook sign-in process, and Facebook’s privacy policy will

apply to the data it provides. We do not receive your Facebook password or any data

beyond the basics you consent to share.

4.2. 4.3. 4.4. 4.5. Profile and Portfolio Content: You may optionally add information to your profile such

as a profile photo, biography, professional skills, and other details. You can also upload

content to your portfolio – for example, text descriptions, images, videos, links,

documents, or other media showcasing your work and skills. All such content is provided

voluntarily by you. Please note: Any personal information or sensitive details you include

in your profile or portfolio content are provided at your discretion. We advise you not to

post sensitive personal data (such as government ID numbers, financial information,

health or biometric data, or information about your race, religion, or political beliefs) on

your profile. Cevera does not require or intentionally collect any sensitive personal data

like biometric identifiers, health information, or information about your ethnicity or

beliefs. The platform is focused on professional portfolio content, and such sensitive

information is neither requested nor needed.

Usage Data: When you use Cevera, we collect certain technical data automatically to

ensure the service works correctly and securely. This includes information like your

device type, operating system, browser type, IP address, and timestamps of actions (e.g.

website (such as pages viewed or buttons clicked) for the purpose of understanding usage

and improving our user experience. This usage data is generally collected via cookies or

similar technologies (explained below) and through our server logs. While this data may

be linked to your account, we typically use it in aggregate form or pseudonymized form

to analyze trends and performance.

Cookies and Preferences: If you use our web platform, we will set necessary cookies to

run the site (for example, to keep you logged in, load pages faster, or remember your

language preference). We may also use preference cookies to remember your settings and

personalize your experience (such as your chosen theme or other customizations). These

cookies collect information like your preferences or login status. We do not use any

advertising or third-party tracking cookies that profile you for marketing. See Cookies

and Similar Technologies below for more details.

Communications: If you contact us for support or feedback, we will collect the

information you choose to give in your message (such as your contact information and

the content of your request). We keep these communications to address your inquiries and

improve our services.

We collect personal data either directly from you (when you sign up, fill in your profile,

or communicate with us) or automatically through your interaction with our app/website

(via cookies, logs, etc.). If we ever obtain information about you from a third party, it will

only be in accordance with applicable law and with your knowledge. For example, if

someone shares a Cevera portfolio link with you and you view it as a guest, we might

5. 5.1. 5.2. 5.3. process limited technical data (like your IP address and browser info) to deliver the

content, but we do not collect identifying information from unregistered viewers.

HOW WE USE YOUR PERSONAL DATA

We use your personal data only for legitimate and specified purposes in connection with

the Cevera platform. Under data protection laws, we must have a valid “legal basis”

(justification) for each use of your data – see Legal Basis for Processing below for more

detail. The purposes for which Cevera processes personal data include:

Providing and Improving the Service: We process your registration and profile data to

create and maintain your account, allow you to log in, and enable you to build your visual

CV/portfolio. For example, we use your name and profile info to populate your online

portfolio, and your email to verify your account and communicate with you. We display

your portfolio content (name, photo, work samples, etc.) on the platform as instructed by

you (either publicly or privately, according to the settings you choose). We may also

internally analyze how users use Cevera in order to improve features, fix bugs, and

enhance the user experience. This is done using aggregated or pseudonymized data

whenever possible.

Facilitating Professional Networking and Sharing: A core feature of Cevera is to allow

you to share your portfolio with others. If you choose to make certain content public, we

will make it accessible to other users and even to unregistered viewers via a shareable

link or QR code that you generate. If your content is marked “public”, other Cevera users

may find it via search or see it on your profile, and anyone with whom you share your

portfolio link/QR can view the content. We use your data to enable these sharing features

at your direction. (If you prefer to keep content private, we will restrict access according

to your settings.) Important: When you share content publicly, you are consenting to

make that information available to others. While you can change a portfolio item back to

private at any time, we cannot control (and are not responsible for) how third parties who

accessed your public content may have used or retained it. Please consider what you

share publicly.

Communications: We use your contact information (email address) to send you essential

service-related communications. These include verification emails, password reset

emails, notifications about important updates to our terms or privacy policy, security

alerts, or support responses. These are not marketing messages, but necessary information

for using the service. If you opt-in to any newsletter or optional updates (if offered in the

future), we would use your email to send those as well – but only with your consent, and

you can opt out at any time. We may also send in-app notifications for things like new

features or tips to help you use Cevera, which you can control via your settings.

5.4. Customer Support: If you reach out to us with a question or issue, we will use your

provided information to respond and resolve your issue. For example, if you email

support, we will use your email and issue details to look into your account and

troubleshoot. We may ask for additional information if needed to assist you, and will only

use it for that purpose.

5.5. 5.6. Security and Abuse Prevention: We process certain data to keep Cevera and our users

safe. This includes using login and device information to detect suspicious activity (for

example, multiple failed logins might prompt us to verify if it’s really you). We may use

IP addresses and other identifiers to block malicious actors, prevent spam or fraud, and to

enforce our Community Guidelines and Terms. If necessary, we will use personal data to

investigate violations of our terms or applicable laws, and to take action (such as

notifying you, or removing content, or, in serious cases, suspending accounts) to protect

our community and legal rights.

Legal Compliance: We may need to process and retain your information to comply with

legal obligations. For instance, if we receive a lawful subpoena or request from law

enforcement, or if we need to retain certain records for tax or accounting purposes, we

will process the necessary data. We will also use your data to satisfy obligations under

privacy laws for example, responding to your requests to exercise your data rights (like

deleting or providing a copy of your data) requires us to use your information to identify

records that relate to you.

We do not use your personal data for any kind of behavioral advertising or sale to third

parties. We do not engage in automated decision-making that produces legal or similarly

significant effects on you (such as profiling for creditworthiness or insurance). Any

automated processes we have (like sorting search results or suggesting profiles) have no

legal impact on users and are purely aimed at improving user experience. If this changes

in the future, and we intend to use automated decision-making that affects you, we will

update this policy and, if required by law, obtain your consent or provide opt-out

mechanisms.

6. LEGAL BASIS FOR PROCESSING

6.1. We process your personal data only when we have a valid legal basis to do so under

applicable laws. Depending on your jurisdiction, the terminology may differ (for

example, GDPR outlines specific lawful bases, while UAE’s PDPL emphasizes consent

with certain exceptions, and the Philippines DPA requires consent unless an exception

applies). In practical terms, these are the legal justifications we rely on:

Contractual Necessity: When you register and use Cevera, you enter into a user

agreement (our Terms of Service) with us. We process your personal data to fulfill that

contract – i.e. to provide the services you have requested. This includes maintaining your

6.2. 6.3. 6.4. account, displaying your portfolio, enabling sharing features, and providing customer

support. We cannot provide the core Cevera services without this data, so this processing

is necessary for the performance of our contract with you. (GDPR Art. 6(1)(b); UAE

PDPL Art. 4(1) via contractual obligation exception; Philippines DPA Sec. 12(a) and Sec.

12(b) for contract fulfillment or steps requested by the data subject).

Consent: In certain cases, we rely on your consent. For example, if you choose to sign up

via Facebook, we ask your consent to retrieve your profile information from Facebook.

By linking your Facebook account, you consent to that data sharing. Similarly, if we ever

wish to use your data for a new purpose not covered by this Privacy Policy, we will ask

for your consent. You have the right to withdraw your consent at any time, and we will

stop the processing in question. Withdrawal will not affect the lawfulness of processing

already carried out. We obtain consent in a clear and unambiguous manner and ensure

you are informed of what you’re consenting to. (GDPR Art. 6(1)(a) and GDPR Art. 7

conditions for consent; UAE PDPL defaults to consent as primary basis unless exceptions

apply; Philippines DPA requires consent for data collection, with similar standards of

being freely given, specific, and informed.)

Legitimate Interests: We may process your data as necessary for our legitimate interests

but only if those interests are not outweighed by your rights and freedoms. For instance,

it is in our legitimate interests to maintain the security of our platform, to prevent fraud/

spam, to improve our services, and to market new features to our users. When we rely on

legitimate interests, we carefully consider and balance any impact on you (both positive

and negative) and your rights under privacy laws. We do not use this basis for any

processing which is particularly intrusive or unexpected. Examples: using cookies for

analytics to improve site performance, or processing your data to send optional surveys to

gather feedback (with the option to opt out) could fall under our legitimate interests. In all

cases, we ensure compliance with applicable law’s requirements for legitimate interest

balancing. (GDPR Art. 6(1)(f); Philippines DPA allows legitimate interests of the

controller as an exception to consent, provided fundamental rights are not overridden.

Note: UAE PDPL does not explicitly enumerate “legitimate interests” as a basis, and

tends to require consent or other specific grounds, so we primarily rely on contract or

consent in UAE contexts, unless another PDPL exception applies such as public interest

or legal claims.)

Legal Obligation: If we need to process or disclose your personal data to comply with a

law, regulation, court order, or other legal mandate, we will do so. For example, data

needed to satisfy financial reporting laws, or information we must retain or provide to

authorities by law. (GDPR Art. 6(1)(c); UAE PDPL Art. 4(1) – compliance with legal

obligations exception; Philippines DPA Sec. 12(c) – necessary for compliance with a

legal obligation.)

6.5. Vital Interests and Public Interest: It is highly unlikely, but if processing is necessary

to protect someone’s life or vital health interests, we may do so (e.g. if we become aware

of a user in imminent danger and need to provide data to emergency services – a very rare

scenario). Likewise, if processing is needed for the public interest (for instance, for public

health or safety reasons as authorized by law), we may rely on that basis. (GDPR Art.

6(1)(d) and (e); UAE PDPL allows exceptions for protection of the data subject’s

interests and for public interest matters; Philippines DPA Sec. 12(d) and (e) cover vital

interests and national emergency/public order scenarios.)

In summary, the primary bases for our day-to-day processing are contract and consent,

with legitimate interests for certain additional activities (like security and improvement),

and legal obligations as required. We will explicitly ask for your consent when required

by law (for example, if in the future we introduce certain cookies or new features that

require consent). Where we rely on legitimate interests, we will inform you what those

interests are. If you have any questions about the legal basis for a specific processing

activity, feel free to contact us.

7. COOKIES AND SIMILAR TECHNOLOGIES

7.1. What are cookies? Cookies are small text files that websites save on your browser or

device. They are widely used to make websites work, or work more efficiently, as well as

to provide information to the owners of the site. We also use similar technologies like

local storage in the app or web (for example, to remember your in-app preferences).

7.2. How we use cookies: Cevera’s website uses cookies in a limited manner, fully in line

with applicable privacy and electronic communications laws. We categorize the cookies

we use as follows:

7.2.1. Necessary Cookies: These are essential for the operation of our service. For

example, when you sign in on the website, a session cookie keeps you logged in

as you navigate between pages without it, you would have to log in again on each

page. Necessary cookies might also be used for load balancing (distributing traffic

across servers) or security (e.g. to help prevent fraudulent use of the site). Because

these cookies are strictly necessary for our site to function, they do not require

user consent. You can disable them by changing browser settings, but then some

parts of the site may not work.

7.2.2. Preference Cookies: These cookies remember your choices and settings to

enhance your experience. For instance, if our site offers a dark mode or language

selection and you choose those, a cookie may store that preference so that the next

time you visit, your preferences are automatically applied. Similarly, if you

dismiss a one-time notification or pop-up, a cookie might remember that so it

doesn’t show again. Preference cookies are not critical for basic functioning, but

they improve usability. We currently use such cookies to store things like your

language and other interface preferences. In jurisdictions where consent is

required for non-essential cookies, we will obtain your consent (e.g. via a cookie

7.2.3. 7.3. 7.4. banner) before setting preference cookies. By using our site with cookies enabled

in your browser, you are giving us implicit consent to use these preference

cookies. You can always adjust your cookie settings (see Your Choices below).

No Advertising or Analytics Cookies: We do not use any third-party advertising

cookies or trackers on Cevera. This means we are not collecting data about your

browsing for advertising targeting, and we are not sharing your browsing behavior

with third-party ad networks. At present, we also do not use Google Analytics or

similar analytics cookies that track user behavior across sites. We may in the

future implement basic analytics to understand usage of our platform, but if we do

so, we will do it in compliance with privacy laws (e.g. use analytics that do not

identify users, or obtain consent if identification is involved). If this happens, we

will update this policy and our cookie notification to inform you.

Cookies in the Mobile App: While cookies are primarily a web technology, our mobile

application may store similar small data files (for example, using the device’s local

storage or secure storage) to keep you logged in and remember settings. This functions

similarly to the cookies described above and is solely for providing the service to you in a

convenient way. The app does not track you outside of the app or engage in third-party

data collection.

Cookie Management: Most web browsers automatically accept cookies, but provide

controls that allow you to block or delete them. You can modify your browser settings to

notify you when cookies are being set or to automatically reject cookies. Additionally,

our site’s cookie banner (if shown) allows you to refuse non-essential cookies. However,

please note that if you disable cookies entirely, the Cevera website may not function

properly (for example, you might not be able to log in or use certain features).

For more information on how to manage cookies, you can visit the help section of your

browser or websites like aboutcookies.org that provide guidance. Keep in mind that any

preferences are device- and browser-specific, so you may need to set them for each

device and each browser you use.

8. SHARING OF PERSONAL DATA

We do not sell or rent your personal information to third parties. However, we do share

your data in certain limited scenarios, as described below, in order to operate our service

or as required by law. Whenever we share data, we ensure we have an appropriate legal

basis and that the sharing is done securely. Key instances of data sharing include:

8.1. Service Providers (Processors): We use trusted third-party companies to help us run

Cevera – for example, to host our servers, send emails, or provide customer support tools.

These third parties act under our instructions and are “data processors” under GDPR/

PDPL terminology. The main service providers we use are: DigitalOcean (cloud

infrastructure provider) – which hosts our application and database. Your personal data

8.2. 8.3. 8.4. (including profile info and content) is stored on DigitalOcean’s servers. DigitalOcean

may process this data for storage and backup, but they cannot use it for their own

purposes. We have a contract with DigitalOcean that includes standard data protection

clauses to safeguard your information in compliance with GDPR and other laws. We also

ensure that DigitalOcean maintains appropriate security measures. Besides hosting, we

may use an email delivery service (for sending verification emails and notifications) – if

so, that service would receive your email address and the content of the email to send. All

our service providers are bound by confidentiality and data protection agreements,

meaning they must protect your data and only use it to provide services to us. We conduct

due diligence on our processors and choose reputable companies with strong privacy and

security standards. (Article 28 GDPR requires this, and UAE PDPL similarly requires

controllers to use processors with sufficient guarantees of protection, while Philippines

DPA Sec. 20(e) mandates that third parties processing data implement adequate

safeguards – we comply with all these provisions.)

Within Cevera (Personnel): Our team members and staff may access personal data on a

need-to-know basis, strictly for performing their job duties (for example, a support agent

may view your account details when helping with an issue). All staff are trained on data

privacy and are bound by confidentiality obligations. Access to production databases is

limited and controlled.

Facebook (for Login): If you choose to use Facebook Login, some data sharing with

Facebook occurs in that authentication process. Specifically, you will be redirected to

Facebook to enter your Facebook credentials; Facebook then asks if you permit Cevera to

access certain information (like your name and email). Only if you approve, Facebook

will send us that info to create your account. We do not send any data from Cevera to

Facebook aside from a token verifying your request. However, Facebook may record that

your Facebook account was used to sign up for Cevera. This is governed by Facebook’s

Facebook Login. Using Facebook Login is optional – you can always choose to sign up

with an email and password instead.

Public or Other Users: As noted earlier, any information you choose to make public on

Cevera (such as a public portfolio item, your name, profile photo, or any content marked

public) will be visible to others by design. Registered Cevera users may see your public

profile and portfolio within the platform. Additionally, non-users to whom you provide

your portfolio link or QR code can view the content without logging in. This is a form of

sharing you control. If another user on Cevera wants to view your public profile, they

may search by your name or find your profile link on the platform. Public content could

also potentially be indexed by search engines (if we allow indexing – we will inform you

if this becomes the case). Please only share and make public content that you are

comfortable being visible to others. Cevera is not responsible for what other viewers do

8.5. with information you make public. For example, someone could screenshot your public

portfolio or share your link further – that is outside our control. If you have concerns, use

the privacy settings to restrict content to private.

Legal Requirements and Protection: We may disclose personal data to third parties

(such as government authorities, law enforcement, or courts) if we believe in good faith

that such disclosure is required to (a) comply with a legal obligation or request (e.g. a

court order, subpoena, or law enforcement inquiry), (b) enforce our Terms of Service or

other agreements, (c) protect the rights, property, or safety of Cevera, our users, or the

public. For instance, if required by law to report illegal content, we will provide

necessary information to the proper authorities. We will carefully review each request to

ensure it has a valid legal basis and only disclose the minimum data necessary. We will

also notify you of such requests when permitted (i.e. unless we are legally restricted from

doing so).

8.6. Business Transfers: If Cevera is involved in a merger, acquisition, investment,

financing, or sale of all or part of its assets, your data may be transferred to the new

owner or merging entity as part of the business transaction. We would ensure the new

owners have to respect your personal data in a manner consistent with this Privacy

Policy. We will notify you (for example, via email or notice on our site) of any such

change in ownership or control of your personal information, as required by law.

Other than the situations above, we will not share your personal information with third

parties without your consent. If we ever want or need to share your data in a new way not

covered here, we will update this policy and obtain any necessary consents.

9. INTERNATIONAL DATA TRANSFERS

9.1. Cevera is available to users in multiple countries, including the UAE, the Philippines, and

countries in the European Economic Area (EEA). This means your personal data may be

transferred across national borders in order for us to provide the service. Specifically, our

servers (managed by DigitalOcean) may be located in data centers outside of your home

country. For example, we might host data in the United States or European Union. Also,

our support or development team may access data from locations outside your country

(e.g. if our engineers are based in a different region).

Laws and Adequacy: When we transfer personal data internationally, we comply with

the transfer requirements of applicable law. The GDPR, for instance, requires that

personal data of EU/EEA users be transferred only to countries that have “adequate” data

protection laws or under appropriate safeguards like Standard Contractual Clauses

(SCCs). The UAE PDPL similarly mandates that data can only be sent outside the UAE if

the destination country is approved as having an adequate level of protection, or if certain

safeguards or exemptions apply. The Philippines DPA requires that, in the absence of an

9.2. adequacy finding, contractual or other safeguards be in place and that data sharing

agreements are reviewed by the National Privacy Commission. We take all these

requirements seriously.

Our Safeguards: In practice, here are the measures we have implemented for

international transfers:

9.2.1. If your data originates from the EU/EEA: We ensure that it is either stored in the

EEA or transferred under EU-approved safeguards. DigitalOcean’s servers for EU

users are typically in the EU region; however, some backups or technical

processing might involve servers in the US. For any EU->US transfers, we have

incorporated the latest StandardContractual Clauses (SCCs) – these are legal

contracts approved by the European Commission to ensure your data gets the

same level of protection as under EU law. We also assess if additional technical

measures (like encryption) are needed, in line with the GDPR and guidance from

EU regulators.

9.2.2. If your data originates from the UAE: At the time of writing, the UAE Data

Office (which enforces PDPL) is establishing lists of jurisdictions deemed to

provide adequate protection. We will only transfer data out of UAE in compliance

with PDPL Article 22. That means either the destination is approved by the UAE

Data Office as adequate, or we obtain your explicit consent for the transfer, or we

put in place a contract that meets PDPL standards (analogous to SCCs), or another

allowed exception applies (such as necessity for performing our contract with

you, or to carry out your request). For example, since we use cloud servers that

might be outside UAE, we rely on the contractual and security safeguards

mentioned, and by using our service you understand your data may be processed

in countries with robust data protection regimes which have strong protections,

and we ensure PDPL compliance via contract and encryption).

9.2.3. If your data originates from the Philippines: The National Privacy Commission

(NPC) allows transfers abroad as long as the requirements of the DPA are met. We

ensure that any overseas service providers (like our hosting) sign a Data

Processing Agreement with us that includes clauses to protect Philippine data

subjects’ rights. These agreements contain provisions very similar to the

aforementioned SCCs, committing the recipient to safeguard your data and use it

only for the purposes we specify. Additionally, if the NPC has any specific rules

or requires notification of certain transfers, we will comply with those. The

Philippines also recognizes government-to-government data transfer

arrangements, but as a private entity we mainly rely on contractual safeguards and

your consent where needed.

Regardless of where your data is processed, we apply the same level of protection. Your

data is always handled in accordance with this Privacy Policy. We employ encryption in

transit (HTTPS) to protect data as it crosses borders. Our servers are protected by

9.3. advanced security measures (see Data Security below). We also limit remote access to

data to only authorized personnel.

Note for Users in the EU/UK/EEA: You have the right to request a copy of the

safeguards (such as SCCs) we use for transfers of your personal data outside the EEA. To

make such a request, please contact us. We may need to redact certain confidential

clauses (like commercial terms) but will provide you with as much information as

possible.

By using Cevera, you acknowledge that your personal data may be transferred to and

stored in countries other than your own. We understand this can have privacy

implications, and we take our responsibility to protect your data across borders seriously.

If you have questions about international data transfers, feel free to reach out.

10. DATA RETENTION

10.1. 10.2. We retain personal data only for as long as necessary to fulfill the purposes for which it

was collected, or to meet legal or business requirements. This is in line with the principle

of storage limitation under laws like GDPR. Here is how we approach retention:

Active Account: If you have an active Cevera account, we retain the personal data you

have provided for the duration of your use of the service. This allows us to provide the

service to you continuously. All data in your profile and portfolio remains stored until

you choose to remove it or delete your account. You can edit or delete individual

portfolio items at any time; doing so will remove that content from our live databases

(though it may persist in backups for a short period, see below). We encourage you to

keep your information up-to-date and remove anything you no longer wish to share.

Account Deletion: You have the right to delete your account at any time. This can

typically be done through the account settings in the app/website or by sending us a

request (see Your Rights below for how to exercise deletion). When you delete your

account, we will remove or anonymize personal data associated with your account.

Specifically, your profile information and portfolio content will be deleted from our

primary databases. We will also disassociate your contributions or actions from your

identity (for example, if you had left any comments or likes, those may become

anonymized).

After you initiate deletion, there might be a short period (usually a few days) during

which the data still exists in system caches or active sessions – but our goal is to purge

data promptly. Additionally, your data might remain in encrypted backups for a certain

retention period (commonly up to 30-60 days for disaster recovery purposes). During this

backup retention period, the data is not accessible for active use and is only kept so we

can restore the service in case of catastrophic events. After the retention period, backups

containing your data are deleted as well. Rest assured, even within the retention period, if

we restore from a backup for any reason, we will re-delete any accounts that had been

deleted.

10.3. Legal Retention Requirements: In some cases, we may need to retain certain

information for a longer period as required by law. For example:

o If you made a purchase or some financial transaction through Cevera (not

applicable now, since our service does not involve payments, but hypothetically),

we might retain transaction records for accounting/tax regulations.

o We may keep logs of security incidents or consent records to demonstrate

compliance with data protection laws (e.g. proof that you agreed to this Privacy

Policy or provided consent for certain processing).

o If there is a legal dispute or an investigation (for example, a user violated terms

and we need to retain evidence), we will retain the relevant data until it is

resolved, based on advice from legal counsel.

Any such retained data will be limited to what is necessary and we will cease using it for

any other purpose.

10.4. Inactive Accounts: If you stop using Cevera without deleting your account, we may

eventually classify your account as “inactive.” We might send a reminder to the email on

file asking if you wish to maintain the account. If we receive no response for an extended

period (e.g. 1-2 years), we reserve the right to delete or anonymize the account data to

reduce storage. We will warn you before doing so, giving you a chance to keep the

account active. Note that we are not obliged to retain data indefinitely if there’s no user

activity, especially in jurisdictions that encourage data minimization.

After we delete data from our systems, either through your action or as per our retention

schedule, it is permanently removed or irreversibly anonymized so that the information

can no longer be linked to an identifiable individual. Anonymized data (which cannot

identify you) may be retained for analytics or statistical purposes, since it no longer

constitutes personal data.

11. DATA SECURITY

11.1. We take the security of your personal data very seriously. Cevera implements appropriate

technical and organizational measures to protect your information against unauthorized

access, alteration, disclosure, or destruction. While no service can guarantee absolute

security, we follow industry best practices to safeguard data. Our security measures

include:

Encryption: All data transmission between your device and our servers is encrypted

using HTTPS/TLS. This means that when you use the Cevera app or website, your

information (such as login credentials or any data you upload) is encrypted in transit and

cannot be easily intercepted. We also encrypt sensitive data at rest in our databases where

applicable. For example, user passwords are stored as salted hashes (not in plain text) for

11.2. 11.3. 11.4. 11.5. 11.6. 11.7. one-way security. If we store other particularly sensitive info in the future, we will

encrypt it at rest as needed.

Access Controls: We limit access to personal data strictly to personnel and service

providers who need it to operate. Our team members use multi-factor authentication to

access administrative systems. We maintain different levels of access privileges, ensuring

that no one (even within the company) can access more data than necessary. For instance,

our developers might have access to aggregated data for debugging, but not to plain

personal data of users unless absolutely required and authorized.

Secure Infrastructure: Our servers are hosted in secure facilities (DigitalOcean data

centers) that have 24/7 monitoring, biometric access controls, fire suppression, and other

advanced protections. DigitalOcean (and any similar cloud provider we use) maintains

multiple certifications (like ISO 27001, SOC 2) demonstrating adherence to high security

standards. We apply security patches and updates to our servers and software regularly to

protect against vulnerabilities. We also use firewalls and network monitoring to detect

and block suspicious activity.

Testing and Audits: We conduct periodic security audits and testing. This may include

vulnerability scanning, penetration testing by third-party experts, and code reviews to

catch security issues early. We also have logging in place – important actions and

accesses are logged so we can monitor for any unauthorized behavior. As per Philippines

DPA and UAE PDPL requirements, we maintain records of processing and a security

policy. Our internal policies outline how to handle personal data securely, and we train

our staff on these procedures.

Data Minimization: We collect only what we need and keep it only as long as necessary

(as described in Data Retention). By minimizing the amount of data stored and the

duration, we reduce exposure in case of any incident. For example, if you delete your

account, we remove your data so it’s no longer in our live system to be targeted.

Backup and Recovery: We securely back up critical data to prevent data loss. Backups

are encrypted and stored separately. We regularly test our backup restore processes to

ensure we can recover data in case of a physical or technical incident. These backups are

protected so that even in the worst-case scenario (natural disaster, etc.), your data remains

safe and recoverable by us (and only us).

Third-Party Security: When we share your data with third-party processors (like our

hosting or email service), we ensure via contract that they also implement robust security

measures. We only partner with companies that have a strong security reputation. We also

limit the data we send to third parties to the minimum needed for them to perform their

function.

Despite all these measures, it's important for you as a user to also play a role in keeping

your data safe. Protect your account credentials: Use a strong, unique password for

Cevera and do not share it. If you suspect any unauthorized access to your account,

please change your password immediately and contact us. Also be cautious of phishing –

Cevera will never ask for your password via email. Always make sure you are using our

official app or website.

12. DATA BREACH RESPONSE

In the unlikely event of a data breach that affects your personal data, we will act promptly

in accordance with applicable laws. This means we will contain and investigate the

incident immediately, and notify the relevant authorities and affected users without undue

delay as required. For example, GDPR generally requires notification within 72 hours to

authorities for significant breaches; UAE PDPL requires “immediate” notification to the

Data Office and users if the breach poses a risk to privacy; Philippines DPA’s rules also

mandate notification to the NPC and users within 72 hours for certain breaches. We have

an incident response plan in place to meet these obligations. Our notification would

include information on the nature of the breach, what data is affected, what we are doing

about it, and any steps you should take to protect yourself.

By using Cevera, you acknowledge that no method of transmission or storage is 100%

secure, but we strive to use commercially acceptable means and follow legal

requirements to protect your personal data.

13. YOUR RIGHTS AND CHOICES

13.1. 13.2. You have various rights regarding your personal data, as granted by GDPR, UAE PDPL,

and the Philippines Data Privacy Act, among other laws. We are committed to honoring

these rights. Below, we outline your key data subject rights and explain how you can

exercise them. Please note that these rights are subject to certain conditions and

exemptions under the law – but we will do our best to accommodate every legitimate

request. Your principal rights include:

Right to Be Informed: You have the right to clear and transparent information about

how we process your data. This Privacy Policy is part of fulfilling that right. If you have

any questions about our data practices, we will answer them. (GDPR Art. 12–14;

Philippines DPA Sec. 16(a)&(b) – the right to be informed whether your data is being

processed and details about the processing.)

Right of Access: You can request a copy of the personal data we hold about you, as well

as information about how it’s used, who we share it with, how long we keep it, etc.. This

is commonly known as a Data Subject Access Request. We will provide you with a copy

of your data in a commonly used format (usually electronic) unless doing so adversely

affects the rights of others. For example, you can ask us to confirm whether we’re

processing your data and get a copy of your profile info, portfolio content, and activity

data that we have on file. (GDPR Art. 15; UAE PDPL Art. 14(1) gives right to access

information; Philippines DPA Sec. 16(c) – right to reasonable access to contents of

personal data, sources, recipients, etc.)

13.3. Right to Rectification (Correction): If any personal data we have about you is

inaccurate or incomplete, you have the right to have it corrected. Most of the information

(like your name, profile details, etc.) you can correct yourself by logging into your

account and editing your profile. For any other data that you cannot update, you can

done. If we shared that incorrect data with others, we will, where possible, inform them

of the correction as well. (GDPR Art. 16; UAE PDPL Art. 14(3) – right to rectification;

Philippines DPA Sec. 16(d) – right to dispute inaccuracies and have them corrected.)

13.4. 13.5. Right to Erasure (“Right to be Forgotten”): You may request that we delete your

personal data. This right is not absolute, but we will honor it if 1) the data is no longer

necessary for the purposes it was collected, or 2) you withdraw consent (and we have no

other legal basis to keep it), or 3) you object to processing and we have no overriding

legitimate grounds, or 4) we unlawfully processed the data, or 5) erasure is required to

comply with a legal obligation. In practice, this means you can delete your account (as

described in Data Retention) or ask us to remove specific information. We will also

remove content you posted upon your request (assuming it’s your personal data – if it

involves another user, we may need to consider their rights too). Once we delete data, we

generally shouldn’t process it anymore. However, we will retain a record that you

requested deletion and basic data needed to honor that request (for example, to not

inadvertently re-create an account for you). There are certain exceptions where we may

refuse deletion – for instance, if we are obligated by law to keep the data, or if the data is

relevant to a legal dispute. If so, we will inform you of the reason. (GDPR Art. 17; UAE

PDPL Art. 14(3) – right to require erasure; Philippines DPA Sec. 16(e) – right to suspend,

withdraw or order the removal or destruction of data if it’s incomplete, outdated, false,

unlawfully obtained, used for unauthorized purpose, or no longer necessary – effectively

a form of right to erasure or blocking.)

Right to Restrict Processing: You have the right to ask us to limit the processing of your

data in certain situations. For example, if you contest the accuracy of your data, you can

request we pause processing (other than storing it) until we verify and fix the issue. Or if

you object to processing (see below) and we are considering it, you can have processing

restricted in the interim. Another case: if our processing is unlawful but you don’t want

full erasure, you can request a restriction instead. While your data is restricted, we will

store it securely and not use it except to the extent necessary (e.g. to exercise legal claims

or protect others, or if you consent). We will inform you before lifting a restriction.

(GDPR Art. 18; UAE PDPL Art. 14(4) – right to restrict and stop processing; under

Philippines law, the right to block/remove (Sec.16(e)) also effectively allows you to stop

certain processing.)

13.6. Right to Data Portability: You have the right to obtain your personal data in a

structured, commonly used, and machine-readable format, and to have it transmitted to

another service provider where technically feasible. In other words, you can ask for an

export of the data you provided to us, so you can reuse it elsewhere. For example, you

might want to download your profile and portfolio data to keep a backup or to upload to a

different service in the future. We support data portability to the extent required: this

typically covers data you actively provided (like your profile info, content, etc.) and data

generated by your activity (login times, etc.), if processed by automated means. Note this

right applies when processing is based on your consent or a contract and is carried out by

automated means (under GDPR). We will provide the data in a commonly used format

(likely JSON or CSV files, or similar). If you request, and it’s technically feasible, we can

also attempt to directly transfer the data to another service at your direction. (GDPR Art.

20; UAE PDPL Art. 14(2) right to request data portability; Philippines DPA Sec. 18

explicit right to data portability for processed data in electronic or structured format.)

13.7. 13.8. Right to Object: You have the right to object to certain types of processing. If we are

processing your data based on legitimate interests or for public interest, you can object to

that processing on grounds relating to your particular situation, and we must stop unless

we have compelling legitimate grounds that override your interests or it’s needed for

legal claims. Importantly, if we were to process your data for direct marketing (which we

currently do not do), you have an absolute right to object at any time and we will stop

such marketing. In the context of Cevera, an example of objecting might be if we ever did

data analytics you disagree with – you could object and we would consider if our interest

in that analytics is overridden by your rights. Since our use of data is fairly limited,

objections are unlikely, but the right is yours nonetheless. (GDPR Art. 21; UAE PDPL

Art. 14(5) includes right to stop processing, particularly for marketing or statistical

purposes; Philippines DPA Sec. 34 allows objections in certain cases, and NPC guidance

aligns with allowing opt-out of direct marketing, etc.)

Right not to be subject to Automated Decision-Making: As noted, Cevera does not

engage in fully automated decision-making that produces legal or similarly significant

effects. However, if we ever did (for example, an AI-based profiling that affects your

opportunities), you would have the right to not be subject to such decisions without

human intervention. You would also have the right to express your point of view and

contest the decision. (GDPR Art. 22; UAE PDPL Art. 14(6) gives right to object to

automated processing decisions. The Philippines DPA doesn’t explicitly enumerate this,

but general rights and NPC advisories support fairness in automated processing as well.)

13.9. Right to Withdraw Consent: If we are processing any of your data based on your

consent, you have the right to withdraw that consent at any time. For instance, if you

consented to us using your data in a certain optional feature, you can change your mind

later. Withdrawing consent will not affect the legality of processing done before the

withdrawal, but we will cease the processing going forward. There is no penalty for

withdrawing consent it is your choice. This can usually be done by changing a setting

(e.g. toggling off a feature) or by contacting us. (This right is strongly protected in all

relevant laws: GDPR Art. 7(3), UAE PDPL Art. 6(3) explicitly allows withdrawal, and

Philippines DPA by its nature of requiring consent allows you to stop consent-based

processing, aligning with the right to object/block.)

13.10. Right to Complain to a Supervisory Authority: In addition to the rights you can

exercise with us directly, you also have the right to lodge a complaint with a data

protection regulator if you believe we have violated your privacy rights. You can do this

either in the country where you live, where you work, or where the issue took place. For

EU users, this would be your national Data Protection Authority (for example, the CNIL

in France, the ICO in the UK (for UK GDPR), etc.). For UAE users, you can contact the

UAE Data Office (once it is fully operational as the PDPL regulator) or potentially other

designated authorities once specified. For users in the Philippines, you can file a

complaint with the National Privacy Commission (NPC). We encourage you to first reach

out to us so we can address your concerns directly, but you are free to approach the

authorities at any time. We will cooperate fully with any official investigations or

inquiries. (GDPR Art. 77 – right to complain to supervisory authority; UAE PDPL

provides for complaints mechanism through the Data Office; Philippines DPA Sec. 16(b)

(8) explicitly mentions the right to lodge a complaint with the NPC.)

13.11. Right to Authorize Agents or Transmit Rights: In some jurisdictions, you may appoint

an authorized agent to exercise your rights on your behalf (for example, under California

law or others, though not directly applicable here unless we expand to those regions). The

Philippines DPA (Sec. 17) also provides that your legal heirs or assigns can invoke your

rights on your behalf after your death or incapacity. If we receive a request from an agent

or heir, we will require proof of authority before acting on the request.

HOW TO EXERCISE YOUR RIGHTS

14. 14.1. Many rights can be exercised by logging into your Cevera account and using the tools

available (editing profile, downloading data, deleting account, etc.). For any rights that

require our assistance, you can contact us at privacy@ceveraapp.com (or use the contact

details in Contact Us section). Please provide your name, the email associated with your

account, and clearly state which right you wish to exercise (e.g. “I want a copy of my

data” or “Please delete my account”). For your security, we may need to verify your

14.2. identity before fulfilling the request typically by confirming control of your email or

asking for some identifying info. This is to ensure that we do not give your data to an

unauthorized person.

We will respond to your request as soon as possible and at least within the timeframes

required by law. Under GDPR, this is generally within one month (with a possible

extension to two months for complex requests if so, we’ll inform you of the need for

more time). Under UAE PDPL and Philippines DPA, similar prompt timelines are

expected. We will inform you of the outcome of your request or any action taken. If we

cannot fulfill your request (due to a legal exemption or conflicting rights, etc.), we will

explain the reason. For example, if you request a very broad data export that includes

other individuals’ data, we might need to redact certain parts to respect others’ privacy,

but we will give you as much as we can.

14.3. Exercising your rights is free of charge. However, if you make manifestly unfounded or

excessive/repetitive requests, we may charge a reasonable fee or refuse to act (as allowed

by GDPR Art. 12(5)). But we’ll always inform you of our reasoning in such cases. We

certainly do not intend to penalize genuine users for making legitimate requests.

14.4. Finally, we want you to know that your privacy and control over your data is important to

us. We have built the platform to give you control (like choosing what to share publicly

vs privately) and we’ll continue to enhance our tools to facilitate your rights. If you have

any suggestions or concerns regarding your data rights, please let us know.

15. CHILDREN’S PRIVACY

15.1. 15.2. Cevera is not intended for children and we do not knowingly collect personal data from

individuals under the age of 16. Our platform is designed for professional skills

development and networking, and as such, users are generally expected to be working

professionals or students above a certain age. During registration, we require users to

provide their date of birth to help ensure they meet our minimum age requirement of 16

years. If you are under 16, you are not permitted to use Cevera or provide any personal

information on our platform.

We set 16 as the minimum age in order to comply with global data protection standards.

For example, under the GDPR (applicable in the EU), children under 16 cannot legally

consent to the processing of personal data for online services without parental

authorization (note: some EU member states set this age at 13–15, but we adopt 16 by

default to be safe). Similarly, the UAE’s PDPL does not specify a strict age threshold in

the law, but upcoming child protection regulations in the UAE and general best practices

counsel that parental consent is crucial for young users. The Philippines DPA treats

information about one’s age as sensitive and emphasizes protecting minors’ information.

By restricting our platform to users 16 and older, we aim to avoid collecting data from

minors that would require special consent procedures.

16. NO COLLECTION FROM CHILDREN

17. 17.1. 17.2. We do not intentionally collect personal data from anyone under 16. We do not target our

content or services to children. If we discover that we have inadvertently collected

personal information from a child under 16 (for example, if a child misrepresents their

age during signup), we will take prompt action to delete that data from our records. The

account will be terminated in accordance with our terms. If you are a parent or guardian

and you believe your child under 16 has provided personal information to Cevera, please

CHILDREN’S PRIVACY / AGE REQUIREMENT

Cevera’s platform is intended only for individuals who are 18 years of age or older. We

do not knowingly collect, use, or store personal information from individuals under the

age of 18. If we become aware that personal data has been collected from a person under

18, we will take reasonable steps to delete such information and may suspend or

terminate the associated account. By accessing or using the platform, users represent and

warrant that they are at least 18 years old. If a parent or guardian becomes aware that a

minor has provided personal information to Cevera, they may contact us and we will

promptly take appropriate steps to remove such information in accordance with

applicable laws. Content involving minors: Given our platform is for professional

portfolios, it’s unlikely, but if you as a user upload content that includes personal data of

minors (e.g., a video of you teaching a class with children visible, etc.), you are

responsible for ensuring you have appropriate permissions or consent for that content.

Our Community Guidelines prohibit posting personal data of others without consent,

especially minors.

We encourage families to discuss responsible use of the internet and personal data. There

are many resources for educating teens about online privacy and we support those

educational efforts. We also encourage users who are just over 16 to still be mindful of

what they share publicly on Cevera as it could have future implications (like job

prospects) – this is not about privacy law per se, but general good practice.

UPDATES TO THIS PRIVACY POLICY

18. 18.1. We may update or revise this Privacy Policy from time to time to reflect changes in our

practices, technologies, legal requirements, or for other operational reasons. When we

make changes, we will let you know by appropriate means: we will post the updated

18.2. 18.3. 18.4. the changes are significant, we may provide a more prominent notice (such as a banner

on the site or an email notification).

Any changes will become effective on the date listed as “Last Updated” or as otherwise

required by law. In cases where a change would require your consent (e.g. if we plan to

start collecting a new category of personal data or using it for a new purpose that you

originally did not agree to), we will either ask for your consent explicitly or give you the

opportunity to opt in before the change affects you.

We encourage you to review this Privacy Policy periodically to stay informed about how

we are protecting your information. Your continued use of Cevera after any update to this

Policy will signify your acceptance of the changes, to the extent permitted by law. If you

do not agree with any changes, you should stop using the service and can request that

your data be deleted.

Historical versions of our Privacy Policy can be obtained by contacting us. We maintain

an archive of past privacy notices for transparency. If you have questions about any

update, feel free to reach out.

19. CONTACT US

19.1. If you have any questions, concerns, or requests regarding this Privacy Policy or your

personal data, please contact us. We are here to help and committed to resolving any

privacy issues promptly.

Contact Information: privacy@ceveraapp.com

19.2. When contacting us, please provide your name, contact information, and a clear

description of your inquiry or request. If you are making a rights request (as described in

Your Rights), please mention which right you are invoking and be prepared to verify your

identity.

19.3. We will respond as quickly as possible, and no later than the timeframes required by law.

For general questions, we aim to reply within a few business days. For rights requests,

see the timeline discussion in Your Rights section (typically within 30 days for most

cases).

19.4. Cevera is dedicated to protecting your privacy. We truly appreciate that you trust us with

your personal information, and we want to assure you that we handle it with care and

respect. If for any reason you feel that we have not lived up to our commitments in this

address any issues.

Thank you for reading our Privacy Policy. Happy networking and portfolio building on

Cevera!

Download PDF: Privacy Policy, 2026.