Privacy Policy

We collect information you provide directly to us, including when you create an account, use the Service, or communicate with us. This includes: your name, email address, billing information, and any content you submit to the Service.

We also collect information automatically when you use the Service. This includes: log data (IP address, browser type, pages viewed), device information, usage data (features used, actions taken), and cookies and similar tracking technologies.

We may also receive information about you from third parties, such as authentication providers (Google, GitHub), analytics providers, and payment processors. We combine this information with data we collect directly from you.

We use the information we collect to: provide, maintain, and improve the Service; process transactions and send related information; send transactional and promotional communications (with your consent where required); respond to comments and questions; monitor and analyze trends and usage; and detect and prevent fraudulent transactions and other illegal activities.

We process your personal data on the following legal bases: performance of a contract (to provide the Service you requested); legitimate interests (to improve the Service and prevent fraud); compliance with legal obligations; and your consent (for marketing communications).

We do not sell your personal information to third parties. We never use your data to train AI models without your explicit consent.

We may share your personal information in the following circumstances: with service providers who perform services on our behalf (payment processors, cloud hosting, analytics); in response to legal process or government requests; to protect the rights, property, and safety of Ember, our users, and the public; in connection with a merger, acquisition, or sale of assets (with advance notice to affected users); and with your consent.

All service providers are contractually required to protect your information and may only use it for the purposes we specify. We conduct regular audits of our sub-processors and maintain an up-to-date list of all third parties with access to your data, available at https://ember.app/subprocessors.

We retain your personal information for as long as your account is active or as needed to provide the Service. If you cancel your account, we will retain your data for 30 days to allow you to export it. After this period, your data will be permanently deleted from our systems.

We may retain certain information longer if required by law, for the resolution of disputes, or for the enforcement of our agreements. Aggregated and anonymized data may be retained indefinitely for analytical purposes.

We implement data minimization principles, collecting only the personal data necessary for specified purposes and deleting data that is no longer needed.

We implement industry-standard security measures to protect your personal information, including: AES-256 encryption at rest and TLS 1.3 in transit; continuous monitoring and evidence collection across our infrastructure; regular penetration testing by independent security firms; multi-factor authentication support; and role-based access controls.

Despite our efforts, no security measure is perfect or impenetrable. In the event of a data breach affecting your personal information, we will notify you within 72 hours in accordance with GDPR Article 33, and provide details of the breach and steps we are taking to address it.

We encourage you to use a strong, unique password for your Ember account and to enable two-factor authentication.

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR:

Right of Access: You have the right to request a copy of the personal data we hold about you.

Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure: You have the right to request deletion of your personal data ("right to be forgotten"), subject to certain legal obligations.

Right to Restriction: You have the right to restrict certain processing while a request or objection is reviewed.

Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object: You have the right to object to processing of your personal data for direct marketing or where we rely on legitimate interests.

Right Related to Automated Decision-Making (GDPR Art. 22): You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning you or similarly significantly affects you. Where automated processing is used in this way, you may request human review, contest the decision, and express your point of view by contacting us.

To exercise any of these rights, please contact our Data Protection Officer at privacy@ember.app. We will respond to all requests within 30 days. You also have the right to lodge a complaint with your local data protection authority.

If you are a resident of California (CCPA/CPRA), Colorado, Connecticut, Texas, Virginia, Oregon, or another US state with a comprehensive consumer-privacy law, you have the following rights, subject to certain exceptions:

Right to Know / Access: You may request the categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You may request deletion of the personal information we have collected from you, subject to our legal retention obligations.

Right to Correct: You may request correction of inaccurate personal information we maintain about you.

Right to Opt Out of Sale or Sharing: We do not sell your personal information for money. If we share personal information for cross-context behavioural advertising, you may opt out at any time via our "Do Not Sell or Share My Personal Information" page (linked in the footer where applicable). We also recognise the Global Privacy Control (GPC) signal as an opt-out, as described in our Do Not Track and Global Privacy Control section.

Right to Limit Use of Sensitive Personal Information: Where we process sensitive personal information, you may direct us to limit its use to that which is necessary to provide the Service.

Right to Non-Discrimination: We will not discriminate or retaliate against you for exercising any of these rights.

To exercise these rights, contact us at privacy@ember.app or use the "Do Not Sell or Share My Personal Information" page. We may need to verify your identity before responding, and you may use an authorised agent. We respond to verifiable requests to know, delete, or correct within 45 days (extendable by a further 45 days where reasonably necessary). Requests to opt out of sale or sharing, or to limit the use of sensitive personal information, are honoured as soon as feasible and no later than 15 business days, consistent with our Do Not Sell or Share My Personal Information page.

We honour Global Privacy Control (GPC) where legally required. We do not currently respond to Do Not Track (DNT) browser signals because no common technical standard defines how websites should interpret them.

We use cookies and similar tracking technologies to collect and use information about you and your use of the Service. Cookies are small data files stored on your device.

We use the following types of cookies: Strictly necessary cookies (required for the Service to function); Functional cookies (to remember your preferences); Analytics cookies (to understand how you use the Service, using privacy-preserving analytics); and Marketing cookies (with your consent, to deliver relevant advertising).

You can control cookies through your browser settings or our Cookie Preference Center. Note that disabling certain cookies may affect the functionality of the Service. We do not use third-party advertising cookies unless you have explicitly consented.

If you have questions about this Privacy Policy or how we handle your personal data, please contact us:

Email: privacy@ember.app Data Protection Officer: privacy@ember.app Postal address: REPLACE WITH YOUR LEGAL COMPANY NAME, REPLACE WITH YOUR REGISTERED ADDRESS

For GDPR-related inquiries, our EU representative can be reached at privacy@ember.app.

We take privacy seriously and will respond to all inquiries within 5 business days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.