Privacy Policy

Last updated: 27 April 2026

The short version

  • We collect what we need to run embr — your account, your projects, your conversations with the advisor.
  • We never sell your data to anyone, ever.
  • We don't use advertising trackers or third-party analytics that profile you.
  • Your advisor chats are sent to Anthropic to generate responses — they aren't used to train AI models.
  • You can export, edit, or delete everything from Settings.
  • Email embrlaunch@gmail.com with any questions.

1. Who we are

embr is operated by the founder of embrlaunch.com (“embr,” “we,” “us”). We are based in the United Kingdom and are the data controller for your personal information when you use our service.

If you have any questions about this policy, your data, or your rights — email embrlaunch@gmail.com. We aim to respond to all privacy enquiries within 30 days, and faster for time-sensitive ones.

2. What we collect, and why

We collect personal data in the categories below. We only collect what we genuinely need to run embr — there is no “data collection for the sake of it” here.

Account information

Email address, name, and a hashed password (or, if you sign in with Google, your Google account identifier and profile information). Used to create your account, sign you in, and address you in the product.

Project context you give us

What you're building: business type, stage, team size, experience level, current goal, revenue model, marketing channels, and any additional context you choose to share during onboarding or in project settings. Used to personalise your weekly brief, advisor responses, and build guide.

Content you create in the product

Tasks, milestones, metric entries, build guide progress, project notes, and the content of your conversations with the advisor. Used to operate the product features you're using.

Billing information

Subscription status, plan, and trial end date. Payment card details are held entirely by Stripe — we never see them. Used to manage your subscription and prevent abuse.

Technical information

IP address (truncated by our analytics provider before storage), browser type, operating system, page URLs, and timestamps. Used for security, debugging, and understanding how the product is used at an aggregate level.

Preferences

Light/dark mode, active project, cookie consent choice, and similar settings. Used to remember how you like the product set up.

3. Why we are legally allowed to process your data (UK / EU)

Under UK GDPR and EU GDPR, we rely on the following legal bases:

  • Performance of a contract — most processing happens because you've signed up to use embr, and we need to handle your data to actually deliver the service (account, billing, features, support).
  • Legitimate interests — for things like preventing abuse, securing the service, and limited product analytics that don't profile you. We've weighed these against your rights and consider the impact minimal.
  • Consent — for non-essential cookies (privacy-friendly analytics) and any marketing emails. You can withdraw consent at any time.
  • Legal obligation — for things like keeping financial records for tax purposes.

4. The AI advisor and weekly briefs

embr's advisor chat and weekly brief features are powered by Anthropic's Claude API. When you message the advisor or when your weekly brief is generated, we send Anthropic the context needed to generate a useful response — typically your project context (business type, stage, goal, etc.) and the relevant message history.

Anthropic processes that data to generate the response and then returns it to embr. Per Anthropic's commercial terms, your data is not used to train Anthropic's models, and is retained for a limited period for abuse-monitoring before being deleted from their systems. You can read Anthropic's policy here.

Two important notes:

  • The advisor produces general guidance, not regulated professional advice. Don't share confidential client information, sensitive personal data, or anything regulated (medical records, others' personal data, etc.) in advisor chats — for accuracy reasons as much as privacy.
  • If you'd prefer not to use the advisor, you can simply not use it — none of the rest of the product depends on it.

5. Who else processes your data (sub-processors)

We use a small set of trusted infrastructure providers to deliver embr. Each one only sees the minimum data needed to do their job. We don't share your data with anyone outside this list.

Provider | Purpose
Supabase | Database hosting and authentication
Stripe | Payment processing and subscription billing
Anthropic | AI advisor responses and weekly brief generation (Claude API)
Resend | Transactional email delivery (signup, trial reminders, weekly digest, account notifications)
Vercel | Web hosting and privacy-friendly analytics (page views, no cookies, no personal data)
Google | Google OAuth — only if you choose to sign in with Google


Where data is transferred outside the UK or EU (mainly to the US), we rely on the relevant EU Standard Contractual Clauses (or the UK equivalent), and on each provider's certification under the EU-US Data Privacy Framework where applicable.

We don't share your data with anyone else — no advertising networks, no data brokers, no “partners.” The only exceptions are if we're legally required to (e.g. a valid court order), or if we ever sell or transfer the business (in which case we'll tell you well before it happens).

6. Cookies and analytics

We use two kinds of cookies and storage:

  • Essential cookies — used to keep you signed in (Supabase Auth) and to remember your theme/active project. These are required for the product to work and don't need consent under UK/EU law.
  • Privacy-friendly analytics — Vercel Analytics, which uses no cookies and collects no personal data. We still ask for consent before loading it because EU regulators have made clear that consent is needed even for cookieless analytics.

We do not use Google Analytics, Facebook Pixel, advertising trackers, third-party marketing pixels, session replay, or anything in that family.

You can change your cookie choice at any time from Settings → Cookie preferences.

7. How long we keep your data

We keep your data for as long as your account is active. When you delete your account, we delete:

  • Your projects, tasks, milestones, metrics, build guide progress, and advisor chat history — immediately
  • Your account record and authentication credentials — immediately
  • Your Stripe subscription — cancelled immediately

Some limited data is kept for longer where we're legally required to keep it:

  • Stripe holds payment and invoice records for 7 years to meet UK / EU tax law requirements. Stripe is the data controller for those records — see their privacy policy.
  • Server logs (IP, user agent, timestamps) are kept for up to 30 days for security and debugging, then deleted.
  • Backups may contain your data for up to 30 days after deletion before they're cycled out, but are not used for any other purpose.

Anthropic retains the content of advisor chats for a limited period for abuse-monitoring (typically 30 days), then deletes them. They do not use this data to train models.

8. Your rights

You have a number of rights over your data. Most of them you can exercise yourself directly in embr — without needing to email us.

Right to access

Most of your data is visible in the product itself (your projects, tasks, advisor history, etc.). For a full data export, email embrlaunch@gmail.com and we'll send you a JSON dump within 30 days.

Right to correction

Update your name, project details, and most other fields directly in Settings. Email us if a field isn't editable for some reason and you need it changed.

Right to deletion (right to be forgotten)

Delete your account and all associated data immediately from Settings → Danger zone → Delete account. This cancels your Stripe subscription and removes your projects, tasks, advisor history, and account record.

Right to data portability

Email us for a structured export (JSON) of your data, which you can take to another service.

Right to object / restrict processing

You can object to specific processing activities (e.g. ask us to stop using your data for analytics). Email us with the specific request.

Right to withdraw consent

Where we rely on consent (cookies, marketing emails), you can withdraw it at any time without affecting any prior lawful processing.

We aim to respond to all rights requests within 30 days. If we can't (because the request is complex or we need more information), we'll tell you and explain why.

If you're unhappy with how we've handled your data, you also have the right to complain to a data protection regulator. In the UK that's the Information Commissioner's Office (ICO). In the EU it's your local data protection authority. We'd genuinely prefer you contact us first so we can try to fix things, but you don't have to.

9. If you're in California

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give California residents specific rights over their personal information. Most of these mirror the GDPR rights above, with a few additions:

  • Right to know what personal information we've collected, used, disclosed, or sold about you in the past 12 months.
  • Right to delete personal information we hold about you.
  • Right to correct inaccurate personal information.
  • Right to opt out of “sale” or “sharing” of personal information for cross-context behavioural advertising. We don't sell or share your personal information for advertising under any definition — but the right exists regardless.
  • Right to limit use of sensitive personal information. We don't collect sensitive PI in the CCPA sense — no government IDs, financial accounts (Stripe holds those), precise geolocation, racial / ethnic / religious data, biometrics, or similar.
  • Right to non-discrimination — exercising your privacy rights won't affect your access to embr or pricing.

To exercise any of these rights, email embrlaunch@gmail.com with “CCPA Request” in the subject line. We'll verify your identity using your account email and respond within 45 days (with a possible 45-day extension if needed, which we'll tell you about).

10. Children

embr is intended for adults running businesses. We don't knowingly collect personal information from anyone under 16. If you're a parent or guardian and you believe your child has signed up, email us and we'll delete the account and any associated data straight away.

11. How we protect your data

We take security seriously and implement reasonable technical and organisational measures, including:

  • HTTPS everywhere — all data in transit is encrypted
  • Encryption at rest for our databases (handled by Supabase)
  • Row-level security policies so users can only access their own data
  • No third-party access to production databases beyond named operational tooling
  • Passwords are hashed using industry-standard algorithms — we never see your password in plain text
  • Card details are held only by Stripe, who are PCI DSS Level 1 certified — we never receive them

No system is perfectly secure. If we ever discover a breach affecting your personal data, we'll notify you and the relevant supervisory authority within 72 hours, as required by UK GDPR.

12. Changes to this policy

We may update this policy as the product evolves or as the law changes. When we make a meaningful change, we'll update the “Last updated” date at the top, and for significant changes (new sub-processor, new data category, change in how we use data), we'll notify you by email at least 14 days before the change takes effect.

Minor wording or formatting changes won't trigger a notification. The current version is always the one published here.

13. Contact

For privacy questions, data requests, or anything else covered by this policy:

embr