Ember

Privacy Policy

Last updated: 11 June 2026

Who we are

Ember is a financial-independence modelling service operated by [LEGAL ENTITY / TRADING NAME], [JURISDICTION]. Contact: [CONTACT EMAIL].

What we collect

  • Account data: email address, username, password (stored as a salted scrypt hash — we never see or store the plaintext), and at least one of phone number or postcode, used solely to verify account-recovery requests.
  • Two-factor secrets: your authenticator (TOTP) secret and hashed backup codes, encrypted at rest with a key derived uniquely for your account.
  • Financial data you enter: assets, debts, pensions, income, spending, scenarios, and imported statements. This data exists so the service can do its job; we do not sell it, share it with advertisers, or use it for marketing.
  • Integration credentials you choose to add: broker/bank API keys and OAuth tokens (encrypted at rest, per-account key derivation) used only to sync the accounts you connect.
  • Audit log: a record of changes made in your account, kept so you can review your own history.

What we deliberately do not do

  • No advertising, analytics trackers, or third-party cookies — the only cookies are the session and two-factor login cookies.
  • No selling or renting of personal data, ever.
  • AI features send relevant slices of your data to the model provider (Anthropic, or the provider whose key you supply) to answer your request; providers are contractually restricted from training on API data. AI features are optional.

Processors we rely on

  • Hosting: Hetzner Online GmbH (Germany/EU) — runs the application and database.
  • Email: Resend — delivers verification and account emails.
  • AI (optional): Anthropic, or the provider of a key you supply.
  • Market data: exchange-rate and price lookups are made server-side; your identity is not sent to those providers.

Retention and deletion

Your data is retained while your account exists. Deleting your account (Settings → Danger zone) permanently and immediately erases your data — financial records, credentials, integrations, audit history — with no soft-delete or recovery window. Encrypted database backups are retained for 14 days and then destroyed, after which deleted data is gone from backups too.

Security

Two-factor authentication is mandatory for every account. Stored secrets are encrypted with per-account derived keys; passwords and recovery tokens are stored only as cryptographic hashes; all traffic is TLS-encrypted. No system is perfectly secure — if we become aware of a breach affecting your data we will notify you without undue delay.

Your rights

You can export your data (Settings → export), correct it in-app, or erase it entirely via account deletion, at any time and without asking us. Depending on your jurisdiction (e.g. UK/EU GDPR) you may have further statutory rights; contact [CONTACT EMAIL] to exercise them.

Changes

We will update this policy as the service evolves and note material changes on this page with a new “last updated” date.