Plain-English summary
- We are EmberFI, an Australian small business. We run a cash-flow app called Ember.
- We collect the financial information you give us — transactions, categories, notes. We do not connect to your bank automatically, and we never see your bank password, full account number, or full card number.
- Your data lives in Australia (Supabase Sydney). Some processing happens overseas — web hosting (US), receipt parsing (US), and AI categorisation (US, with personal info redacted before it leaves Australia). You can switch the AI categorisation off in settings.
- We do not sell your data, send marketing, share with advertisers, or share with banks/insurers/employers.
- You can export, correct, or delete everything at any time — email tech@emberfi.com.au.
The detail below is what's legally meaningful. The summary above is the short version.
1. Who we are
Ember is operated by EmberFI (ABN 72 568 450 529), an Australian small business. We are the “APP entity” responsible for the personal information collected through Ember under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
You can contact us at tech@emberfi.com.au about anything in this policy — questions, access requests, corrections, complaints.
This policy explains what personal information Ember collects, why, who we share it with (including service providers outside Australia), how we keep it secure, and how you can access, correct, or delete it.
2. What information we collect
Ember is a cash-flow management app. To do that, we need to collect:
- Account information — your email address and (optionally) your name. Created when you sign in.
- Financial transaction data — descriptions, amounts, dates, and account names from transactions you import. Imports happen by you (a) uploading a CSV from your bank, (b) forwarding emails to your Ember inbound address, or (c) entering transactions manually.
- Account identifiers — only the last 4 digits of a bank account or card number, never the full number. We mask everything else on the way in.
- Categorisation and tagging choices — the categories, flags (business expense, transfer, recurring, etc.), tags, and notes you apply to transactions.
- Email metadata for forwarded receipts — sender, subject, date. Raw email bodies and attachments are stored only as long as needed to parse them, then redacted or deleted (see §9).
- Usage telemetry — basic web-performance signals (page load, navigation timings) via Vercel Speed Insights. No third-party advertising or behavioural tracking.
We do not collect: your bank password, your full account or card number, government identifiers (TFN, Medicare, driver licence), health information, biometric data, or location data.
Open Banking / Consumer Data Right (CDR). Ember is not currently an accredited data recipient under the Consumer Data Right regime. We do not receive transaction data via CDR / Open Banking. Every transaction we hold was provided directly by you (CSV upload, email forwarding, or manual entry). If we later become a CDR participant, we will update this policy and notify you before any CDR data is collected on your behalf.
3. Why we collect it
We collect the information above to:
- Provide the core service — show you your transactions, summaries, and cash-flow insights.
- Categorise transactions automatically using a mix of deterministic rules and an LLM fallback (see §8).
- Detect and prevent duplicate imports.
- Communicate with you about your account (account-related email only — see §4).
- Diagnose errors and improve performance.
- Meet our legal obligations, including responding to lawful requests.
We will not use your information for any other purpose without first telling you.
4. Direct marketing (APP 7)
We do not use your personal information for direct marketing. We will not send you promotional emails, push notifications, or third-party offers. The only emails we will send you are operational — account verification, password resets, security notifications, and material changes to this policy.
If we ever decide to send marketing communications in the future, we will tell you first and provide a clear opt-out in every message, as required by APP 7 and the Spam Act 2003 (Cth).
5. Anonymity and pseudonymity (APP 2)
Under APP 2 you have the right to deal with us anonymously or under a pseudonym where lawful and practicable. Because Ember holds your financial transaction data and supports households with shared visibility, using a real identifier (your email address) is required to keep your account secure and recoverable. You can choose any name (or no name) for display inside the app.
6. Who we share it with
Ember is a small operation. We use a short list of service providers to run it, and your data flows through them in the course of normal use. All are bound by contractual obligations and published privacy commitments.
| Provider | Role | Location of processing |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage, server-side functions | Australia (ap-southeast-2, Sydney) — your transaction and account data lives here. |
| Vercel Inc. | Web hosting and global edge network | United States (with global edge caching). Pages are rendered close to you; persisted data does not live on Vercel. |
| Anthropic, PBC | LLM categorisation and parsing (Claude API) | United States. See §8 for what is sent and when. |
| Postmark (ActiveCampaign LLC) | Inbound email parsing for receipt forwarding; transactional email delivery (account verification, password reset, security notifications) | United States. Used only when you forward emails to your Ember inbound address, or when we send you an operational email. |
We do not sell your personal information. We do not share it with advertisers. We do not share it with insurers, employers, banks, or any other third party for commercial purposes.
We may disclose information if required by Australian law (for example, a court order or a regulator request) — we will only disclose what is strictly required.
7. Cross-border disclosures (APP 8)
Some of our providers process information outside Australia (United States — Vercel, Anthropic, Postmark). When we disclose your personal information to an overseas recipient, we remain accountable for that recipient's handling of it under APP 8.1.
Before using any overseas provider we check that they publish a privacy policy or data-processing agreement that aligns with the APPs. Each provider above does, and we keep current copies of those documents in our internal records.
By using Ember you consent to these overseas disclosures for the purposes described in §3 and §8. If you would prefer your data not be sent to Anthropic for LLM categorisation, you can switch that off in Settings → AI categorisation (see §8).
8. Automated decision-making — LLM categorisation
Ember uses an automated process to categorise transactions you don't have an existing rule for. Most categorisation is deterministic (your rules and our built-in merchant database). For unknown merchants, we send a small request to Anthropic's Claude API to suggest a category, then save that suggestion as a rule for next time.
What we send to Anthropic:
- The transaction description, amount, an optional product hint extracted from a forwarded email subject (capped at ~200 characters), and (for receipt parsing) the email subject and body with personal-information patterns redacted server-side first.
- Patterns redacted before the request leaves Australia: emails, phone numbers, BSB-shaped digits, credit-card-shaped digits, Australian street addresses, PO Boxes.
What we do not send: your email, your name, your account balance, your historical data, or any other transactions.
Significance: the LLM's only effect is to choose a category and create a categorisation rule. It does not change your account balance, transfer money, share information with third parties, or make any consequential decision about you. Every suggestion can be overridden by a one-tap correction.
Per-user opt-out: if you prefer that no data be sent to Anthropic, switch off Settings → AI categorisation. New uncategorised transactions will remain uncategorised until you classify them yourself or set a rule.
This section is provided ahead of the December 2026 APP 1.7 amendments that require disclosure of automated decision-making related to personal information.
9. Email forwarding and receipts
If you set up email forwarding so receipts and bank CSVs land in Ember automatically, those emails are received via Postmark and stored briefly in our database so we can parse them.
We minimise the footprint:
- The parser strips the email body, HTML, and attachments before logging. Only sender, subject, date, and a small extracted snippet are kept past initial parsing.
- Any remaining raw payload is automatically nulled after 90 days.
- You can revoke a forwarder at any time in Settings → Email forwarding.
10. How long we keep your data
| Data | Retention |
|---|---|
| Account record (email, settings) | While your account is open. Deleted on close. |
| Transactions you imported | While your account is open. Deleted on close. |
| Raw email payloads (Postmark) | Auto-redacted at 90 days. |
| Categorisation rules you created | While your account is open. |
| Web performance telemetry | Aggregated by Vercel; we do not retain individual logs. |
| Security audit trail (sign-ins, security-relevant events) | Up to 12 months after account close, for incident traceability. |
When your account is closed (see §11), personal information is deleted unless we are required by law to keep it.
11. Access, correction, deletion (APP 12 / APP 13 / APP 11.2)
You can:
- See everything we hold about you — for now, ask us at tech@emberfi.com.au and we will provide a JSON export of your account data within 30 days. A self-serve export is in development.
- Correct anything inaccurate — most data is yours to edit directly inside Ember. For anything you cannot edit yourself, email us.
- Close your account and have your data deleted — email us. Deletion is completed within 30 days, subject to the retention exceptions in §10.
Access and correction are free. We will only refuse a request in the limited circumstances allowed under the Privacy Act, and we will tell you why in writing if we do.
12. How we keep it secure (APP 11)
Reasonable steps we take, in plain language:
- All data is encrypted in transit (HTTPS / TLS 1.2+) and at rest (Supabase-managed storage encryption).
- Database access is gated by row-level security — your data is only readable by you and any household members you explicitly add.
- Account numbers are stored as last-4 only, and that limit is enforced at the database layer.
- Personal-information patterns are stripped from prompts before they leave Australia for LLM processing.
- Operational accounts (Supabase, Vercel, GitHub, the password manager, our admin email and Apple ID) are protected by multi-factor authentication.
- We follow a written breach-response plan aligned with the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act).
No system can be guaranteed perfectly secure. If we believe a breach has occurred that is likely to cause serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by law.
13. Cookies
Ember sets a small number of cookies, all first-party:
- An authentication session cookie (required to keep you signed in).
- A CSRF cookie (required for safe form submissions).
- A view-mode preference (Us/Me toggle for households).
We do not set advertising or cross-site tracking cookies.
14. Children
Ember is not intended for use by anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
15. Not financial advice
Ember provides general financial information only — categorised summaries of your own spending and savings. Nothing in the app is personal financial advice for the purposes of the Corporations Act 2001. If you want personal advice tailored to your circumstances, see a licensed financial adviser.
16. Complaints
If you think we have breached the APPs, please tell us first — email tech@emberfi.com.au with “Privacy complaint” in the subject. We will acknowledge within 7 days and respond substantively within 30 days.
If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Web: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
17. Changes to this policy
We will update this policy when our practices change. The Version and Effective from at the top of the page indicate the current version; prior versions are preserved in our git history. Material changes will be notified by email to active users.