Ember stores transcripts, summaries, and your account data — not the original audio or video you link to. This Policy explains what personal data we collect, why we collect it, how we share it, and the rights you have over it. If anything below is unclear, email privacy@yourdomain.com.
Ember is a personal knowledge management product operated by {{COMPANY_NAME}}, a Hong Kong company with its registered office at {{REGISTERED_ADDRESS}} ("we", "us", "our"). "Ember" is a product name and brand owned by us; it is not a separate legal entity. This Policy applies to everyone who uses our website and service ("you"), regardless of location.
We act as a data controller for the personal data described below. Our service is designed to minimise the personal data we handle — we are not an ad-funded product and do not build user profiles for marketing.
Email address, display name, hashed password, and — if you sign in through a third-party identity provider — the opaque user identifier that provider returns to us.
The URLs you choose to submit, the transcripts and AI-generated summaries we produce from those URLs, and any notes, tags, or organisation you add. This is the data you actively create inside the service.
Timestamps of requests, which features were used, and error diagnostics. We use this to operate and improve the service, not to build a behavioural profile of you.
If you subscribe to a paid plan, payment is processed by Stripe and Airwallex. We do not receive or store your full card number. We receive and retain only the card's last-four digits, card brand, billing country, and a processor-issued transaction reference.
IP address, user-agent string, and coarse device characteristics. We use this for abuse prevention, rate-limiting, and troubleshooting. We retain this data only for the limited periods described in Section 7.
We use the data above to:
If the GDPR, UK GDPR, or Swiss FADP applies to you, we rely on the following legal bases:
We share personal data only with the categories of recipients listed below, and only to the extent needed for each purpose:
We do not sell your personal data. We do not share your personal data for cross-context behavioural advertising. We do not allow any third party to use your content to train their general-purpose models.
Our primary storage region is Hong Kong. The service is delivered globally through Cloudflare's edge network, and some sub-processors listed in Section 5 may process data in the United States, the European Union, or elsewhere. All transfers use TLS encryption in transit and encryption at rest where supported.
Hong Kong is a separate jurisdiction from mainland China for data protection purposes. By creating an account or otherwise using the service, you acknowledge and consent that your personal information will be transferred to and processed in Hong Kong, and may be further processed by our sub-processors in other jurisdictions for the purposes described in this Policy. If you do not consent, please do not use the service.
Where personal data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or an equivalent mechanism, together with supplementary technical and organisational measures.
Where we are legally required to retain data longer, we will do so only for as long as required and will not use it for other purposes.
We use TLS for data in transit, encryption at rest for supported storage, least-privilege access controls, and periodic internal review. No system is perfectly secure: we cannot guarantee that unauthorised access, disclosure, or loss will never occur. If we become aware of a security incident affecting your personal data, we will notify you and the competent authorities where required by applicable law.
Depending on where you live, you may have the right to:
Jurisdiction-specific notes:
To exercise any of these rights, email privacy@yourdomain.com. We will respond within 30 days (or such shorter period as applicable law requires). We may ask you to verify your identity before acting on certain requests.
Our website and product use a small set of technologies that read from or write to your device:
We currently do not use analytics, advertising, or other tracking cookies. If we add analytics or similar technologies in the future, we will update this Policy and, for users in the EU, UK, and Switzerland, request your consent through a cookie banner before setting any non-essential cookie.
You can clear cookies and local storage at any time from your browser settings; doing so will sign you out and may reset your preferences.
The service is not directed to children under 16, consistent with Section 3 of our Terms of Service. If we learn that we have collected personal data from a child under that age without appropriate consent, we will delete it. If you believe a child has provided us with personal data, please contact privacy@yourdomain.com.
We do not use your personal data to make decisions based solely on automated processing that have legal or similarly significant effects on you. The AI processing described in Section 5 is applied to the content you choose to submit in order to generate transcripts and summaries; it is not used to evaluate, profile, or make decisions about you as a person.
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA, together the "CCPA") gives you additional rights. This section supplements the rest of this Policy.
Categories of personal information we collect: identifiers (such as email address, IP address, account identifier); commercial information (subscription status, transaction history); internet or other electronic network activity (timestamps, feature usage); and other information you voluntarily provide (your notes, submitted URLs, generated transcripts).
Sources and purposes: as described in Sections 2 and 3.
Sale and sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. In the 12 months preceding the date above, we have not sold or shared personal information within the meaning of the CCPA.
Your CCPA rights: Right to Know, Right to Delete, Right to Correct, Right to Limit Use of Sensitive Personal Information, and Right to Non-Discrimination for exercising any of the above. To exercise these rights, email privacy@yourdomain.com. We will verify your request and respond within the timeframes required by the CCPA.
We may update this Policy from time to time. For material changes, we will notify registered users by email and update the "Last updated" date at the top of this page at least 30 days before the changes take effect, unless applicable law requires a different notice period. Continued use of the service after the effective date constitutes acceptance of the updated Policy.
Privacy requests and questions: privacy@yourdomain.com
Postal: {{COMPANY_NAME}}, {{REGISTERED_ADDRESS}}
We do not currently designate an EU or UK representative under Article 27 of the GDPR / UK GDPR, as we do not actively market the service in those regions. If that changes, we will appoint a representative and update this Policy accordingly.