Your privacy matters to us. This policy explains what data EmberGrow collects, how we use it, who we share it with, and the rights you have over your personal information. We are committed to transparency and to handling your data responsibly.
Information We Collect
Account Information
When you create an EmberGrow account, we collect your email address and a hashed version of your password. If you choose to sign in with Google, we receive your name and email address from Google's OAuth service. We never store your Google password.
Reddit Account Data
When you connect a Reddit account to EmberGrow, we store your Reddit username and the session cookies necessary to operate the engagement service on your behalf. We do not store your Reddit password. Reddit session data is encrypted at rest using AES-256 encryption and is only decrypted in memory during active engagement sessions.
Usage and Analytics Data
We collect aggregated analytics data including pages visited, features used, engagement metrics, and general usage patterns. This data helps us improve the product and diagnose technical issues. We use PostHog for product analytics, and you may opt out of non-essential analytics tracking at any time via our cookie consent controls.
Payment Information
All payment processing is handled securely by Stripe, a PCI DSS-compliant payment processor. We never store your credit card number, CVV, or full card details on our servers. We receive and store your subscription status, billing email, and a Stripe customer identifier to manage your account.
Device and Technical Data
When you use the EmberGrow desktop application, we may collect device type, operating system version, application version, and crash reports. This information is used solely for debugging and improving application stability.
How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, and maintain the EmberGrow service, including executing AI-powered Reddit engagement on your behalf
- To process payments, manage subscriptions, and send transactional communications such as receipts and account confirmations
- To analyze usage patterns and product performance, allowing us to improve features and user experience
- To detect, investigate, and prevent fraudulent transactions, abuse, and other harmful activities
- To communicate with you about product updates, security alerts, and support inquiries
- To comply with legal obligations and enforce our Terms of Service
We do not sell your personal data to third parties. We do not use your Reddit engagement data to train general-purpose AI models outside of your individual account context.
Third-Party Services
We share data with the following third-party service providers, each of which maintains its own privacy policy:
- Supabase -- Authentication, database hosting, and real-time data synchronization
- Stripe -- Secure payment processing and subscription management
- Vercel -- Website and application hosting, serverless functions, and web analytics
- PostHog -- Product analytics and feature flagging (opt-out available)
- OpenAI / Anthropic -- AI language model providers used to generate engagement content. Prompts may include subreddit context but never include your personal information or credentials.
We require all third-party providers to maintain appropriate security measures and to process your data only as necessary to provide their services to us.
Data Retention
We retain your personal data for as long as your account remains active and as needed to provide you with our services. Specific retention periods are as follows:
- Account data -- retained for the lifetime of your account, deleted within 30 days of account deletion
- Reddit session data -- retained while your Reddit account is connected; removed immediately upon disconnection
- Engagement history -- retained for 12 months for analytics purposes, then automatically anonymized
- Payment records -- retained for 7 years as required by tax and financial regulations
- Anonymized analytics -- may be retained indefinitely as this data cannot be used to identify individuals
When you delete your account, we initiate a data purge process that removes all personally identifiable information within 30 days. Backups containing your data are purged within 90 days.
Data Security
We implement industry-standard security measures to protect your data, including:
- TLS/HTTPS encryption for all data in transit
- AES-256 encryption for sensitive data at rest, including Reddit session credentials
- Bcrypt password hashing with appropriate salt rounds
- Secure, HTTP-only cookies with SameSite attributes
- Regular security audits and dependency vulnerability scanning
- Role-based access controls for internal systems
While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents and notifying affected users as required by applicable law.
Your Rights
GDPR Rights (European Economic Area)
If you reside in the European Economic Area, you have the following rights under the General Data Protection Regulation:
- Right of access -- request a copy of the personal data we hold about you
- Right to rectification -- request correction of inaccurate or incomplete data
- Right to erasure -- request deletion of your personal data (“right to be forgotten”)
- Right to restrict processing -- request that we limit how we use your data
- Right to data portability -- receive your data in a structured, machine-readable format
- Right to object -- object to processing based on legitimate interests or for direct marketing
CCPA Rights (California Residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete your data, and the right to opt out of the sale of personal information. We do not sell personal information.
To exercise any of these rights, please contact us at privacy@embergrow.co. We will respond to your request within 30 days.
International Data Transfers
EmberGrow is based in the United States. If you access our services from outside the United States, your data may be transferred to and processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses where required by GDPR.
Children's Privacy
EmberGrow is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child has provided us with their data, please contact us at privacy@embergrow.co.
Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (using the address associated with your account) and/or by posting a prominent notice on our website at least 14 days before the changes take effect. Your continued use of EmberGrow after the effective date of the revised policy constitutes your acceptance of the changes.
Contact Us
If you have questions, concerns, or requests regarding this privacy policy or how we handle your personal data, you can reach us at:
- Email -- privacy@embergrow.co
- General inquiries -- support@embergrow.co
We aim to respond to all privacy-related inquiries within 5 business days.