Privacy Policy — Embr
Effective date: 20 April 2026
Last updated: 20 April 2026
Version: 1.0
1. Who We Are (Data Controller)
This Privacy Policy describes how Piotr Zajac, conducting business as a sole proprietorship (jednoosobowa działalność gospodarcza / JDG) under the name Embr, registered in Poland, NIP: 6782888740, REGON: 361907192, with registered address at Bachledzki Wierch 7a/1, 34-500 Zakopane, Poland, processes personal data in connection with the Embr platform at getembr.io ("Service").
We are the data controller for personal data collected directly from users of the Service.
Data Protection contact: privacy@getembr.io
Note: Embr is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR: we are a small enterprise whose core activities do not involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data. Questions about data processing can be directed to the contact above.
2. What Personal Data We Collect
2.1 Account and Registration Data
When you register, we collect:
- Full name
- Email address
- Company name and size
- Country / billing address
- Job title (optional)
- Password (stored as a one-way hash — we never store the plaintext)
2.2 Usage Data
- Pages visited and features used within the Service
- Login timestamps and session duration
- Browser type and version, operating system, device type
- IP address (used to determine approximate country for VAT purposes; retained only in server logs for the period stated in Section 7)
- Referral source (if available)
2.3 Content You Submit
Data you enter into the Service, including employer branding inputs, survey responses, company information, and generated content. This data is used solely to deliver the Service to you.
2.4 Billing and Transaction Data
Billing and payment data is processed by Paddle.com Market Limited (our Merchant of Record). We receive from Paddle: subscription status, plan tier, billing country, and Paddle customer/subscription IDs. We do not receive or store payment card details.
2.5 Communications
Emails you send to us (e.g., support@getembr.io) and any in-product messages.
2.6 Cookies and Tracking Technologies
See our separate Cookie Policy at [getembr.io/cookies] for details.
3. Legal Basis for Processing (GDPR Article 6)
| Purpose | Legal Basis |
|---|---|
| Providing and maintaining the Service | Contract performance (Art. 6(1)(b)) |
| Billing, invoicing, and tax compliance | Legal obligation (Art. 6(1)(c)) |
| Sending transactional emails (receipts, alerts) | Contract performance (Art. 6(1)(b)) |
| Sending product newsletters and marketing | Consent (Art. 6(1)(a)) or legitimate interests (Art. 6(1)(f)), as applicable; you may unsubscribe at any time |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Analytics and product improvement | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
- Service delivery: Process your inputs, generate employer branding content and recommendations, store your results.
- Account management: Authentication, password reset, account settings.
- Billing: Subscription management, invoicing (via Paddle as MoR), tax compliance.
- Communications: Transactional emails (receipts, plan changes, security alerts), product update emails, marketing emails (opt-out available).
- Security: Monitor for suspicious activity, prevent fraud and abuse.
- Analytics: Understand how features are used to improve the product. We use aggregated, anonymised data where possible.
- Legal compliance: Comply with applicable Polish, EU, and international law.
5. Data Sharing and Third-Party Processors
We use the following sub-processors to deliver the Service. All sub-processors are bound by Data Processing Agreements:
| Sub-processor | Purpose | Location | Privacy Reference |
|---|---|---|---|
| Paddle.com Market Limited | Payment processing, Merchant of Record, subscription management | Ireland / UK | paddle.com/legal/privacy |
| Supabase Inc. | Database and authentication (hosted on AWS EU region) | USA (EU data in EU) | supabase.com/privacy |
| Vercel Inc. | Application hosting and CDN | USA (Edge in EU) | vercel.com/legal/privacy-policy |
| Anthropic PBC (if AI features used) | AI-powered content generation | USA | anthropic.com/privacy |
| Resend Inc. (or alternative) | Transactional email delivery | USA | resend.com/legal/privacy-policy |
| PostHog Inc. (if used) | Product analytics | EU-hosted instance | posthog.com/privacy |
We do not sell your personal data to third parties.
We may disclose your data to public authorities if required by law (e.g., tax authorities, courts).
6. International Transfers
Some sub-processors (e.g., Supabase, Vercel, Anthropic, Resend) are based in the USA. When transferring personal data outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of subscription + 2 years after account deletion |
| Content / employer branding data | Duration of subscription + 30 days (then deleted unless exported) |
| Billing records and invoices | 5 years (required by the Polish Accounting Act, ustawa o rachunkowości) |
| Server logs (including IP addresses) | 90 days |
| Email correspondence | 3 years |
| Marketing preferences | Until unsubscription + 1 year |
8. Your Rights Under GDPR/RODO
As a data subject in the EU/EEA (in Poland the GDPR, Regulation (EU) 2016/679, is known as RODO), you have the following rights:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure / Right to be forgotten (Art. 17) | Request deletion of your data (subject to legal retention requirements) |
| Restriction of processing (Art. 18) | Request that we limit how we use your data |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interests (including marketing) |
| Withdraw consent | Where processing is based on consent, withdraw it at any time without affecting prior processing |
| Automated decision-making (Art. 22) | Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you |
To exercise any of these rights, contact privacy@getembr.io. We will respond without undue delay and in any event within one month (extendable by two further months for complex or numerous requests, in which case we will notify you of the extension within the first month).
We may need to verify your identity before fulfilling the request.
Right to lodge a complaint: You have the right to lodge a complaint with a data protection authority. In Poland, this is the Urząd Ochrony Danych Osobowych (UODO) at uodo.gov.pl. If you reside in another EU/EEA country, you may contact your local DPA.
9. Data Processing Agreement (DPA) for Business Customers
Where you use the Service to process personal data of your employees or other data subjects (e.g., submitting employee survey responses or HR data into Embr), you act as the data controller and Embr acts as a data processor on your behalf under Article 28 GDPR.
The following terms apply to such processing:
Instructions: Embr processes that data solely on your documented instructions (i.e., to provide the Service as you configure it).
Confidentiality: Embr personnel with access to your data are bound by confidentiality obligations.
Security: Embr implements appropriate technical and organisational measures (see Section 10).
Sub-processors: Embr uses the sub-processors listed in Section 5. By accepting the Terms of Service, you authorise Embr to engage those sub-processors, subject to notice of any new sub-processors.
Assistance: Embr will reasonably assist you in responding to data subject requests and in meeting your GDPR obligations (security, breach notification, DPIAs).
Deletion: Upon termination, Embr will delete your data within 30 days unless retention is required by law.
Audits: Embr will provide reasonable documentation to demonstrate compliance.
If you require a separate, signed DPA document for regulatory purposes, contact privacy@getembr.io.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- All data in transit is encrypted with TLS 1.2 or later
- Passwords are stored only as bcrypt hashes; the plaintext is never stored
- Row-level security (RLS) enforced in the database
- Access controls and least-privilege principles for internal systems
- Regular security reviews
We will notify you of any personal data breach affecting your personal data within 72 hours of becoming aware of it. Where required, we will also notify the supervisory authority within 72 hours (Article 33 GDPR) and communicate breaches likely to result in a high risk to affected individuals without undue delay (Article 34 GDPR). Where we act as your data processor (Section 9), we will notify you as controller without undue delay after becoming aware of a breach affecting your data (Article 33(2) GDPR).
11. Children's Data
The Service is not directed at persons under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification at least 30 days before they take effect. The updated policy will be published at [getembr.io/privacy] with a new "Last updated" date.
13. Contact
Embr / Piotr Zajac
Bachledzki Wierch 7a/1, 34-500 Zakopane, Poland
Email: privacy@getembr.io
NIP: 6782888740
Supervisory authority (Poland): Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw
uodo.gov.pl
© 2026 Embr. All rights reserved.