1. Introduction
Emberist (“we”, “our”, or “us”) is committed to protecting the privacy of our users (“you” or “your”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our web application. By using Emberist, you consent to the data practices described in this policy.
2. Data Controller
For the purposes of the General Data Protection Regulation (GDPR), Emberist is the data controller of your personal data. If you have any questions about this Privacy Policy, please contact us at privacy@emberist.com.
3. Personal Data We Collect
We collect and process the following personal data:
- Name
- Email address
- Date of birth
- City location
- Current income
- Financial goals (including target expenses, savings rate, financial independence age, expected return, investment rate)
- User-entered financial account data including history
- Subscription status and payment information
4. How We Collect Your Data
We collect data in the following ways:
- Directly from you when you create an account or use our service
- Automatically through your use of the application
5. Purpose and Legal Basis for Processing
We process your personal data for the following purposes and legal bases:
| Purpose | Legal Basis |
|---|---|
| To provide and maintain our service | Performance of a contract |
| To process payments for subscriptions | Performance of a contract |
| To notify you about changes to our service | Legitimate interests |
| To allow you to participate in interactive features of our service | Performance of a contract |
| To provide customer support | Performance of a contract |
| To gather analysis or valuable information to improve our service | Legitimate interests |
| To monitor the usage of our service | Legitimate interests |
| To detect, prevent and address technical issues | Legitimate interests |
| To manage free trials and transitions to paid subscriptions | Performance of a contract |
| To send functional emails necessary for service operation (e.g., account update reminders) | Performance of a contract |
Where we rely on legitimate interests, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms.
6. Data Retention
We will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.
Specific retention periods:
- Account information: Retained for the duration of your account and for 12 months after account closure
- Financial data: Retained for the duration of your account and for 7 months after account closure to comply with regulation
- Usage data: Retained for the duration of your account and for 6 months after account closure for analysis purposes
- Subscription and payment data: Retained for the duration of your account and for 7 years after account closure to comply with tax regulations
7. Data Security
We use appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage. These measures include:
- Encryption of financial data at rest in our SQL database
- Regular security assessments and updates
- Access controls and authentication mechanisms
- Regular backups and disaster recovery plans
8. Use and Sharing of Aggregated Data
We collect and analyze aggregated, anonymized data about our users to improve our services and for business purposes. This aggregated data may be shared with or sold to third parties under the following conditions:
8.1. Nature of Shared Data: The data shared or sold is always in an aggregated and anonymized form. This means that it does not contain any personally identifiable information and cannot be traced back to individual users.
8.2. Purpose: This data may be used for market research, trend analysis, or other business purposes by third parties.
8.3. User Consent: We only include data from users who have explicitly consented to this use. You can opt-in or opt-out of having your data included in these aggregated reports at any time through your account settings.
8.4. Anonymization Process: We use robust anonymization techniques to ensure that individual users cannot be identified from the aggregated data. These techniques may include methods such as k-anonymity, l-diversity, or differential privacy.
8.5. Data Minimization: We only include data in these reports that is necessary for the intended analytical purposes.
8.6. Third-Party Agreements: All third parties receiving this aggregated data are bound by strict confidentiality and data protection agreements.
9. Your Data Protection Rights
Under GDPR, you have the following rights:
- The right to access your personal data
- The right to rectification of inaccurate personal data
- The right to erasure (‘right to be forgotten’)
- The right to restrict processing
- The right to data portability
- The right to object to processing
- The right not to be subject to automated decision-making, including profiling
To exercise these rights, please contact us at privacy@emberist.com. We will respond to your request within one month.
You also have the right to lodge a complaint with a supervisory authority if you believe we have not complied with the requirements of the GDPR with regard to your personal data.
10. Third-Party Service Providers
We may employ third-party companies and individuals to facilitate our service (“Service Providers”), to provide the service on our behalf, to perform service-related services or to assist us in analyzing how our service is used. These third parties have access to your personal data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
We use Stripe as our payment processor. When you make a payment, your payment information is collected and processed directly by Stripe. We do not store your full payment information on our servers. For more information on how Stripe processes your data, please refer to Stripe’s privacy policy.
We may also share aggregated, anonymized data with third parties for business purposes, as detailed in Section 8 of this policy.
11. Analytics
We may use third-party Service Providers to monitor and analyze the use of our service. We only share aggregated, anonymized data for this purpose.
12. International Data Transfers
12.1. Data Storage: We store all user data on servers located within the European Union. This ensures that your data is stored within the EU and subject to EU data protection laws.
12.2. International Data Transfers: While we store and process your data within the EU, please note that in some cases, your information may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.
12.3. If you are located outside the European Union and choose to provide information to us, please be aware that we transfer the data, including personal data, to the EU and process it there.
12.4. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
12.5. Emberist will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your personal data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.
12.6. For any transfers of data outside the EU/EEA (for example, to service providers), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or other legally acceptable mechanisms that ensure an adequate level of protection.
13. Children’s Privacy
Our service does not address anyone under the age of 18 (“Children”). We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we take steps to remove that information from our servers.
14. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last Updated” date. For significant changes, we will provide a more prominent notice, which may include email notification to the email address specified in your account.
15. Your Choices
You have the choice to opt-in or opt-out of having your data included in the aggregated reports that may be shared with or sold to third parties. You can manage this preference in your account settings at any time. Opting out will not affect your ability to use our service.
16. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
By email: privacy@emberist.com
Emberist takes data protection responsibilities seriously. We have designated a point of contact for all data protection matters, who can be reached at the email address above.
We regularly review our data processing activities to ensure compliance with GDPR and other applicable data protection regulations. If our operations grow to a scale where it becomes necessary under GDPR, we will appoint a Data Protection Officer and update this policy accordingly.
17. Email Communications
17.1. Functional Emails: We may send you emails that are necessary for the operation of our service, such as reminders to update your accounts, notifications about important changes to your data, or security alerts. These emails are considered part of our core service and are based on our legitimate interest in providing a functional and secure service.
17.2. Opting Out: While you cannot opt out of critical service emails (such as those related to your account security or legal obligations), you can manage your preferences for other types of communications in your account settings.