Emblox — Privacy Policy (v1.3)
Last updated: November 20, 2025
Introduction
Emblox AB ("Emblox," "we," "us," or "our") provides AI-powered tools that help users build websites, apps, and other digital services through natural-language prompts. We respect your privacy and are committed to protecting it. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit emblox.dev (the "Site") or use our products, applications, and services (collectively, the "Services"). It should be read together with our Terms of Service.
Scope & Controller
This Policy applies to personal information we process as a controller for visitors and users of our Services. Emblox AB is the data controller for the processing described herein.
Company: Emblox AB, Bollklubbsvägen 2 e, 352 23 Växjö, Sweden
Contact: privacy@emblox.com
We have not appointed a Data Protection Officer. If required by law in the future (for example, if the scale or nature of processing changes), we will update this Policy. If UK law requires the appointment of a UK representative, we will update this Policy and our website accordingly.
Children's Privacy
The Services are not intended for individuals under the age of eighteen (18). We do not knowingly collect or solicit personal information from anyone under this age. If we learn that we have collected personal information from a minor without verifiable parental consent, we will delete it promptly. If you believe a minor has provided personal data to us, please contact privacy@emblox.com.
Information We Collect
1) Information You Provide
- Account information (e.g., name, email address, password).
- Workspace and project content you submit (e.g., prompts, generated code, files, settings, configurations, deployment metadata).
- Support and communications (e.g., messages to our support channels, Discord community interactions, bug reports).
- Billing information processed by our payment provider (e.g., Stripe). We do not store full payment card numbers.
2) Information Collected Automatically
- Technical data such as IP address, approximate location, device identifiers, browser type and version, operating system, pages visited, feature interactions, timestamps, referrers, and error logs.
- Operational telemetry ("Log Data") used to secure, monitor, and improve the Services (e.g., authentication events, build/deploy events, rate limits).
3) Information from Integrations & Third Parties
- Authentication and project storage services (e.g., OAuth; temporary project screenshots or artifacts).
- Optional integrations you connect (e.g., GitHub, when enabled in the future).
- Service providers and communication tools (e.g., email service, customer support platform).
We access only the minimum data necessary to provide the requested integration and handle it according to this Policy.
Cookies & Similar Technologies
We use cookies and similar technologies to operate and improve the Services. Our cookie banner/manager (e.g., Cookiebot) allows you to control preferences. Non‑essential cookies will only be used with your consent in the EEA/UK/CH. In the United States, we honor applicable opt‑out signals, including Global Privacy Control (GPC), where required.
- Strictly Necessary: authentication, session routing, security, consent storage.
- Analytics & Performance: service usage and diagnostics (e.g., Plausible).
- Functional: preferences like language or theme.
- Marketing/Advertising: if we deploy advertising tags (e.g., Meta) in the future, they will be subject to prior consent in the EEA/UK/CH and opt‑out rights elsewhere.
You can change preferences at any time via the cookie banner/manager or your browser settings. Analytics identifiers are not kept longer than necessary for the stated purposes and, for cookies, not longer than 13 months.
How We Use Personal Information
We process personal information for the following purposes:
- Provide, operate, and maintain the Services (including hosting projects, builds, and deployments).
- Power AI‑assisted features and personalize your experience (without using your Customer Data to train general‑purpose foundation models).
- Analyze usage and improve performance, reliability, and functionality.
- Detect, prevent, and investigate fraud, abuse, and security incidents.
- Provide support, send transactional notices, and communicate about updates you've opted to receive.
- Process payments and manage subscriptions.
- Comply with legal obligations and enforce our agreements.
- Maintain business continuity, auditing, accounting, and corporate governance.
Legal Bases (EEA/UK/CH)
Where GDPR/UK GDPR/rev‑FADP applies, our legal bases include:
- Contract: to provide and support the Services you request.
- Legitimate Interests: securing the platform, preventing abuse, service analytics and improvement (balanced against your rights).
- Consent: for non‑essential cookies/marketing communications and any processing that requires consent under applicable law; you may withdraw consent at any time.
- Legal Obligations: to meet bookkeeping, regulatory, export‑control, and other legal duties.
- Vital Interests: in rare cases, to prevent serious harm.
Data Sharing & Processing
We do not sell or "share" personal information as those terms are defined under certain U.S. privacy laws (e.g., CPRA). We disclose personal information only in these situations:
- Service Providers/Processors: companies we engage under contract to host, store, analyze, or support the Services. They may access personal information solely to perform services for us and are bound by confidentiality and data protection obligations.
- Integrations You Enable: if you connect third‑party integrations (e.g., GitHub), we exchange the minimum required data with the provider to deliver that integration, under their terms.
- Analytics/Monitoring: privacy‑focused analytics (e.g., Plausible) and error/telemetry tools (e.g., Sentry).
- Payments: Stripe processes payment information; Emblox does not store full card numbers.
- Communications & Support: email service provider (e.g., Resend).
- Infrastructure & Hosting: Vercel, Railway, and Hetzner (for hosting, compute, and storage).
- Community/Chat: Discord (community), Slack (internal). Content posted in public community spaces may be visible to others.
- Advertising: if we deploy advertising tags (e.g., Meta), we will do so with consent where required and with appropriate opt‑out mechanisms elsewhere.
- Legal/Compliance: to comply with law, court orders, or lawful requests; to enforce our terms; to protect rights, safety, and security. Where legally permitted, we will notify affected users before responding to a data disclosure request.
- Business Transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and continued protection of personal information.
AI & Model Providers
To fulfill your requests, we may route prompts and necessary context to third‑party large language models or AI platforms. We configure providers, to the extent available, so that customer prompts and outputs are not used to train their general‑purpose models. We do not use your Customer Data to train general‑purpose foundation models. We may use de‑identified or aggregated Service Data to improve our middleware and product features.
International Transfers
Emblox is established in the EU (Sweden). When we transfer personal information to countries outside the EEA/UK/CH (for example, to U.S. service providers), we rely on appropriate safeguards, such as:
- EU Standard Contractual Clauses (SCCs) and, for the UK, the UK International Data Transfer Addendum; for Switzerland, the Swiss addendum where applicable.
- Additional technical, contractual, and organizational measures as needed (including transfer risk assessments).
If a provider participates in the EU‑U.S. Data Privacy Framework (or the UK/Swiss extensions), we may rely on that certification for eligible transfers.
Security
We use reasonable and appropriate safeguards to protect personal information, including:
- Encryption in transit (TLS) and, where feasible, at rest.
- Access controls for staff (role‑based access, MFA), least‑privilege principles, background checks, and confidentiality obligations.
- System resilience with backups and standard recovery objectives designed to minimize downtime and data loss.
- Security monitoring, logging, and vulnerability management (including error monitoring via Sentry).
No system is perfectly secure. You are responsible for safeguarding your account credentials and for promptly notifying us of any suspected compromise.
Retention
We keep personal information only as long as necessary for the purposes described in this Policy or as required by law. As a guide:
- Log Data is typically retained for up to ninety (90) days unless required longer for security or legal reasons.
- Account, billing, and subscription records are retained as required by tax and accounting laws.
- Project content and artifacts are retained while your account is active or until you delete them; upon account closure, we delete or de‑identify them within a reasonable period (typically within 90 days) unless retention is required by law.
- Support tickets and communications may be retained to improve service and comply with legal obligations.
Backups may persist for a limited period after active deletion as part of routine disaster‑recovery operations.
Your Privacy Rights & Choices
Depending on where you live, you may have the right to request: access, correction, deletion, restriction or objection to certain processing, and data portability. You may also withdraw consent where we rely on consent (e.g., non‑essential cookies, marketing emails).
- EEA/UK/CH: you can exercise rights under GDPR/UK GDPR/rev‑FADP. We will respond within one month (or as allowed by law).
- United States: to the extent applicable state privacy laws grant rights (e.g., access, deletion, correction, portability, opt‑out of certain processing), we honor those rights. We do not sell or share personal information as defined by CPRA. If you believe a request was denied in error, you may appeal by replying to our decision within 60 days.
To exercise rights, contact privacy@emblox.com. We may need to verify your identity and request additional information to process your request.
Project Visibility & Access
Projects are private by default unless you choose to make them public or share them. Public projects may be visible to other users and may be discoverable, forkable, or remixable according to your settings. Emblox personnel and trusted service providers may access limited Customer Data as necessary to provide support, ensure security, and operate the Services, subject to confidentiality obligations.
Investigations & Legal Requests
We may preserve or disclose information if we believe it is reasonably necessary to comply with a law, regulation, legal process, or governmental request; to enforce our agreements; or to protect the rights, property, or safety of Emblox, our users, or the public. Unless we are legally prohibited, we will attempt to notify affected users before producing data.
Notices & Communications
We send transactional or administrative communications related to your account (e.g., security alerts, billing). You can opt out of non‑essential marketing emails via the unsubscribe link or by contacting us.
Changes to this Policy
We may update this Policy to reflect changes to our practices or applicable law. We will post the updated Policy with a new "Last updated" date and, if we make material changes that reduce your rights or expand our purposes, we will provide advance notice through the Site, in‑product messages, or email where appropriate.
Contact & Complaints
Questions or requests: privacy@emblox.com
Mail: Emblox AB, Bollklubbsvägen 2 e, 352 23 Växjö, Sweden
If you are in the EEA/UK/CH, you may lodge a complaint with your local supervisory authority. In Sweden, contact Integritetsskyddsmyndigheten (IMY). In the UK, contact the Information Commissioner's Office (ICO).