GDPR & EEA/UK/CH Privacy Rights
Last Update: February 3rd, 2026
Introduction
Serus is committed to protecting personal data and respecting privacy rights. This page explains how Serus supports compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR and the UK Data Protection Act 2018, and—where applicable—similar laws in Switzerland and other jurisdictions. In this page, ‘Services’ has the meaning given in our Terms of Service.
Serus is operated by ANON AI Labs, Inc., a Delaware corporation (United States) (“Serus,” “ANON,” “we,” “us,” or “our”). This page should be read together with our:
• Terms of Service (https://www.serus.ai/terms)
• Data Processing Addendum (DPA) (https://www.serus.ai/dpa)
• Subprocessors list (https://www.serus.ai/subprocessors)
• Privacy Policy (https://www.serus.ai/privacy)
• Cookie Policy (https://www.serus.ai/cookies)
• Acceptable Use Policy (https://www.serus.ai/acceptable-use)
1. Roles and Responsibilities (Controller vs. Processor)
Serus as controller (typical for individual users):
Serus acts as a controller for account creation and administration, billing, customer support, product analytics, fraud prevention, and security operations. Details are in our Privacy Policy.
Serus as processor (typical for business/organization customers):
If you use Serus on behalf of an organization (including via platform, API, or white-label), Serus generally acts as a processor for Customer Data you submit into the Services. In those cases, our DPA governs the processing and your responsibilities as controller.
Your responsibilities:
If you submit personal data into the Services (including data about third parties), you are responsible for ensuring you have a valid legal basis and any required notices/permissions under applicable law.
2. What Personal Data We Process
Depending on your use of the Services, Serus may process:
Account data (e.g., name, email, account identifiers, billing/admin details)
Customer Data you submit (e.g., search inputs, monitoring targets, and removal request details)
Outputs generated for you (e.g., results and alerts derived from publicly available sources and third-party datasets)
Security and usage data (e.g., logs, timestamps, device/browser info, IP address where appropriate for security and abuse prevention)
Some features may allow users to view unredacted high-risk data (such as exposed passwords, authentication tokens, financial identifiers, or similar data) (“Sensitive Information”). Access to Sensitive Information may be gated by confirmations, role-based or account-level controls, and other safeguards. You may use Sensitive Information only for lawful and authorized purposes, and you must comply with our Acceptable Use Policy.
3. Lawful Bases for Processing (GDPR Article 6)
Where the GDPR/UK GDPR applies, Serus processes personal data under one or more of the following lawful bases:
Contract necessity – to provide the Services you request (for example, account access, searches, monitoring, alerts, and feature delivery).
Legitimate interests – to secure and improve the Services, prevent abuse and fraud, maintain reliability, and protect Serus and users (balanced against your rights).
Consent – where required (for example, for non-essential cookies/marketing technologies, or where a feature requires an affirmative confirmation).
Legal obligation – to comply with applicable laws, lawful requests, and regulatory requirements.
Where applicable, we apply additional safeguards for special categories of data (GDPR Article 9) and criminal-offence data (Article 10), including limiting access and restricting use, consistent with our policies and the Services design.
4. Removal Requests and Authority
If you use Serus removal request features, you instruct Serus to process and transmit relevant information to third-party websites, platforms, or services in order to submit removal requests on your behalf (including where you configure automated submission).
You represent and warrant that you have the legal right and authority to submit the information and request removal (including where you act as an authorized agent). Serus may request reasonable verification and may refuse or suspend requests we reasonably believe are unauthorized, inaccurate, abusive, fraudulent, or unlawful.
Important:
Removal outcomes depend on third parties and may be temporary, partial, reversible, or denied.
5. Security Measures
Serus implements reasonable technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures may include:
encryption in transit (e.g., TLS) and, where appropriate, encryption at rest
access controls and least-privilege permissions
monitoring and logging for security and abuse prevention
vulnerability management and secure development practices
incident response and recovery procedures
Serus does not claim SOC 2 or ISO 27001 certification unless expressly stated in writing.
6. International Data Transfers
Serus may process personal data globally, including in the United States and other jurisdictions where Serus and our subprocessors operate. Where GDPR/UK GDPR applies and personal data is transferred to jurisdictions without an adequacy decision, Serus uses recognized transfer safeguards such as the EU Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum or other valid transfer mechanisms under applicable law. More information is available in our DPA and Subprocessors list.
7. Your Rights Under GDPR (and Similar Laws)
If GDPR (or similar law) applies to you, you may have the right to:
Access – request a copy of your personal data
Rectification – correct inaccurate or incomplete data
Erasure – request deletion in certain circumstances
Restriction – limit processing in certain circumstances
Portability – receive data in a structured, machine-readable format (where applicable)
Objection – object to processing based on legitimate interests
Withdraw consent – where processing is based on consent (withdrawal does not affect prior processing)
Some rights may be limited or subject to exceptions (for example, where we must retain certain data for legal compliance, security, or dispute resolution).
8. How to Exercise Your Rights
To submit a privacy request, contact:
Privacy / DPO: dpo@serus.ai
Support: support@serus.ai
We may request information to verify your identity and/or authority before completing a request. We generally respond within one month, and may extend that period where permitted by GDPR (for example, for complex requests), in which case we will inform you.
We encourage you to contact us first so we can try to resolve your request or concern quickly.
9. Data Retention
We keep personal data only as long as necessary for the purposes described in our Privacy Policy and to meet legal, accounting, security, and operational requirements. Retention may vary depending on the category of data, your plan, and your configuration (for example, monitoring features or removal request workflows).
10. Complaints to a Supervisory Authority
If you are in the EEA/UK/Switzerland, you have the right to lodge a complaint with your local data protection authority. You may also contact the authority in the country where you live, work, or where you believe a violation occurred.
11. Changes to This Page
We may update this page to reflect changes in our Services, legal requirements, or our privacy practices. We will post updates here, and material changes may be communicated through the Services.