Privacy Policy
This Privacy Policy explains how emAI Manager (the "Service") collects, uses, shares, and protects information when you use the Service. We act as a processor of the data your organization submits ("Customer Data") and as a controller of the account and usage data we collect to operate the Service.
1. Information we collect
- Account information — your name, work email, organization name, and role, provided when you sign up or are invited.
- Customer Data — the documents, knowledge bases, prompts, agent configurations, and outputs you submit to the Service.
- Connected credentials — model-provider API keys and connector tokens you supply, stored encrypted and used only to perform the integrations you configure.
- Usage & metering data — agent runs, token counts, feature usage, timestamps, and audit-log events, used for billing, observability, and security.
- Billing information — handled by our payment processor (Stripe). We do not store full card numbers on our systems.
- Technical data — IP address, browser type, and similar metadata collected automatically to operate and secure the Service.
2. How we use information
- To provide, maintain, and improve the Service;
- to authenticate users, secure accounts, and prevent abuse;
- to meter usage, calculate charges, and process payments;
- to send transactional messages (for example, email verification, password resets, and service notices);
- to provide support and respond to your requests; and
- to comply with legal obligations.
We do not sell your personal information, and we do not use Customer Data to train foundation models.
3. AI processing & your model providers
The Service is bring-your-own-key: when an agent runs, the relevant inputs are sent to the model provider you have configured (for example, Anthropic, OpenAI, or Google), using your own credentials. That provider's processing of those inputs is governed by your agreement with them. We transmit only what is needed to fulfill the request you initiate.
4. Sub-processors
We use a small number of vetted vendors to operate the Service:
| Sub-processor | Purpose |
|---|---|
| Fly.io | Application hosting & data storage |
| Stripe | Payment processing |
| Email provider (e.g. Resend / Postmark / SendGrid) | Transactional email delivery |
| Model providers you connect | AI inference on requests you initiate |
5. How we share information
We share information only: with the sub-processors above to operate the Service; when required by law or to respond to lawful requests; to protect the rights, safety, and security of users and the Service; and in connection with a merger, acquisition, or sale of assets, subject to this Policy. We do not otherwise disclose your information to third parties.
6. Data security
We protect data with encryption in transit (TLS) and at rest (AES-256-GCM for sensitive fields such as credentials), logical isolation between tenants, access controls, and audit logging. While we work hard to protect your data, no system is completely secure.
7. Data retention
We retain account and Customer Data for as long as your account is active and as needed to provide the Service. After account termination, we make Customer Data available for export for a reasonable period and then delete or anonymize it, except where retention is required by law or for legitimate business purposes such as billing records and security logs.
8. Your rights
Depending on your location, you may have the right to access, correct, export, restrict, or delete your personal data, and to object to certain processing. If you are in the EEA/UK, our lawful bases include performance of a contract, legitimate interests, consent, and legal obligation. If you are a California resident, you have rights under the CCPA/CPRA, including the right to know and to delete; we do not sell or "share" personal information as those terms are defined. To exercise any right, contact us at Brian@avadabrands.com. For Customer Data, we will direct requests to the relevant organization (the controller) where appropriate.
9. Cookies
We use a single essential session cookie to keep you signed in. We do not use third-party advertising or cross-site tracking cookies on the application.
10. International transfers
Your information may be processed in countries other than your own. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.
11. Children
The Service is not directed to individuals under 18, and we do not knowingly collect their personal information.
12. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or in-product). The "Effective" date above reflects the latest version.
13. Contact
Questions or privacy requests? Contact us at Brian@avadabrands.com.