Privacy Policy
Version: v2026-06-02 · Effective date: 2026-06-02
This Privacy Policy explains how EmberHound Ltd (“EmberHound”, “we”, “our”) collects, uses, discloses, and protects personal data in connection with our marketing website (emberhound.com), the EmberHound hosted platform, and the EmberHound endpoint agent (together, the “Service”). It also describes the rights available to individuals under applicable privacy laws and how to exercise them.
This Policy should be read alongside our Terms of Service and, where applicable, the Data Processing Addendum (“DPA”) we enter into with business customers.
1. Our Role — Controller and Processor
EmberHound’s role under the EU and UK General Data Protection Regulations (and equivalent laws) depends on the data:
- Controller — for personal data we collect directly: marketing visitors, prospects, account administrators and named users of customer organisations, support correspondents, and applicants.
- Processor — for personal data that a business customer (“Customer”) submits to or generates through the Service in the course of using it, including Findings Metadata describing data discovered on Customer-Authorised Devices and DSAR portal submissions made by a Customer’s end users. For that data, the Customer is the controller and we act solely on the Customer’s documented instructions under the DPA.
If you are an individual whose data appears in the Service because your employer, service provider, or another organisation deployed the EmberHound Agent or filed a DSAR, please direct privacy requests to that organisation in the first instance. We will support that organisation in responding.
2. What the Agent Does Not Transmit
The EmberHound Agent is engineered around a strict data-minimisation principle. When the Agent discovers sensitive content on a device (for example, a payment card number, an email address, or a national identifier), it does not transmit the raw content to our platform. Instead, the Agent transmits structured Findings Metadata: the file path, a masked preview that obscures the underlying value, a one-way fingerprint hash, the matching rule identifier, a confidence score, and the timing of the detection. The Agent processes the raw content locally on the Customer-Authorised Device and discards it.
This is not a configuration option — it is a hard architectural constraint. It means our servers do not become an aggregated repository of regulated content and the blast radius of any security incident affecting us is materially lower than for a product that exfiltrates raw data.
3. Personal Data We Collect
3.1 Marketing website visitors
When you visit our marketing site, we (or our service providers) may collect IP address, approximate location derived from IP, browser and device characteristics, referring URL, pages viewed, and information you provide via contact forms (name, work email, company, message content). We use strictly-necessary cookies for site functionality and may use a small number of analytics or product-analytics cookies on the marketing site only, as described in Section 10.
3.2 Account and named users
When a Customer creates an account or invites a named user, we collect identity and contact information (name, work email, role), authentication data (hashed password or federated identity provider token, multi-factor enrolment), session and audit records, in-product activity logs, and preferences. We collect billing contact details and payment provider tokens for paid subscriptions; payment card details are processed directly by our payment provider and never stored on our systems.
3.3 Device telemetry
The Agent transmits operational telemetry from Customer-Authorised Devices: hostname, operating-system family and version, agent version, configuration hash, enrolment status, scan timing, error diagnostics, and heartbeat events. This data may incidentally reveal information about device users in single-user device environments; the Customer is the controller for such telemetry.
3.4 Findings metadata
As described in Section 2, the Agent submits Findings Metadata that may contain pseudonymised representations of personal data (for example, peppered hashes of an email address detected in a file). For the purpose of GDPR Article 4(5), these hashes are pseudonymised using a per-organisation pepper stored in a hardware-isolated vault and not co-located with the hashes themselves.
3.5 DSAR portal submissions
When an end user of a Customer files a Data Subject Access Request through a DSAR portal we host on the Customer’s behalf, we receive the identifiers submitted (for example, email address, phone number, account ID) and any free-text context provided. We act as the Customer’s processor with respect to such submissions; the Customer is the controller.
3.6 Support and correspondence
When you contact our support or sales teams, we receive your name, contact details, the content of your message, and any attachments. We retain these records to provide support, resolve disputes, and improve the Service.
4. How We Use Personal Data — Purposes and Legal Bases
Where we act as controller, we rely on the following legal bases under the GDPR (or equivalents in other jurisdictions):
- Contract performance (Art. 6(1)(b)) — to create and operate accounts, authenticate users, provision the Service, calculate fees, and provide support.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service against fraud and abuse, monitor performance, prevent and investigate security incidents, conduct anonymised product analytics, recover unpaid invoices, and pursue or defend legal claims. We weigh these against your rights and provide a means to object (Section 8).
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, audit, and lawful-disclosure obligations.
- Consent (Art. 6(1)(a)) — for non-essential marketing communications and non-essential cookies, where required. You can withdraw consent at any time without affecting the lawfulness of prior processing.
Where we act as processor, our processing purposes are limited to those documented in the DPA and the Customer’s written instructions.
5. Disclosures and Sub-Processors
We disclose personal data only as needed to operate the Service and only to recipients bound by appropriate contractual confidentiality and data-protection obligations.
- Hosting and infrastructure. Our managed database and edge-compute platform provider hosts the application and persists Customer Data. Our static-site and edge-network provider serves the marketing site and the application frontend.
- Payment processing. Our payment provider processes card details, subscriptions, and invoices. We never see or store raw card numbers.
- Transactional email. Our email provider delivers account, security, billing, and DSAR-portal notifications.
- Error monitoring and observability. Our error-monitoring providers receive minimal diagnostic data needed to investigate issues; we configure them to redact sensitive fields where supported.
- Professional advisers. Auditors, accountants, and lawyers under duty of confidence.
- Corporate transactions. In connection with a merger, acquisition, financing, or sale of substantially all assets, with appropriate protections.
- Compelled disclosure. Where required by law and, where permitted, after notifying the affected party so they can seek a protective order.
A current list of sub-processors used for processing Customer Data is maintained in the DPA and on our Trust Center. We will provide reasonable notice of changes so Customers can exercise any objection rights under the DPA.
We do not sell personal data and we do not share personal data with third parties for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act and similar US state laws.
6. International Data Transfers
Personal data we process may be transferred to, and processed in, countries other than your country of residence, including the United States and other jurisdictions where our service providers operate. Where we transfer personal data of individuals in the European Economic Area, United Kingdom, or Switzerland outside those territories, we rely on a recognised transfer mechanism: an adequacy decision where one exists, otherwise the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum or the Swiss FDPIC equivalent, as applicable), together with supplementary technical and organisational measures we consider appropriate following a transfer-impact assessment. A copy of the relevant clauses is available on request.
7. Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, including any legal, tax, accounting, or reporting requirements. Indicative retention periods:
- Account data: for the life of the account and up to thirty (30) days after closure, except where longer retention is required by law.
- Findings Metadata and Customer Data (as processor): for the subscription term plus the period specified in the DPA (typically up to ninety (90) days after termination, to permit export and recovery), after which data is deleted or anonymised on the timelines documented in the DPA.
- Marketing-site analytics: at most twenty-six (26) months from collection.
- Support correspondence: up to three (3) years from the last interaction.
- Audit logs and security records: typically up to one (1) year, or longer where required for incident investigation or legal claims.
- Billing and tax records: for the period required by applicable tax law (commonly six (6) to seven (7) years).
When personal data is no longer required, we delete it, or where deletion is technically infeasible (for example, in immutable backups), we isolate it from further use until secure deletion is possible.
8. Your Rights
Subject to applicable law, you may have the right to:
- Access — obtain confirmation that we process your personal data and a copy of that data;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion in defined circumstances (also referred to as the “right to be forgotten”);
- Restriction — ask us to limit processing pending verification or resolution of an objection;
- Portability — receive your data in a structured, commonly-used, machine-readable format and have it transmitted to another controller where technically feasible;
- Objection — object to processing based on legitimate interests, including profiling, and to direct-marketing processing at any time;
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing;
- Opt out of sale or sharing — for US residents in jurisdictions that provide this right (EmberHound does not sell or share personal data, but the right is available to invoke);
- Limit use of sensitive personal information — where applicable under US state law;
- Non-discrimination — we will not deny you the Service or charge a different price for exercising any of these rights;
- Complain — lodge a complaint with your local supervisory authority. UK residents may complain to the Information Commissioner’s Office (ico.org.uk); EU residents may complain to the supervisory authority in their member state of habitual residence, place of work, or alleged infringement.
To exercise any of these rights with respect to data for which EmberHound is the controller, contact privacy@emberhound.com. We will respond within the timeframes required by applicable law (within one (1) month under the GDPR, extendable by two (2) months for complex requests). We may need to verify your identity before responding. You may use an authorised agent; we may require proof of authorisation.
If your data is processed by EmberHound as a processor on behalf of a Customer (for example, because your employer uses the Service), please contact that Customer first; we will assist them with their response under the DPA.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect personal data appropriate to the risks of the processing, including:
- encryption in transit (TLS 1.3) and at rest (AES-256);
- per-organisation cryptographic pseudonymisation peppers for DSAR identifiers, stored in a hardware-isolated vault separated from the hashes they protect;
- tenant isolation enforced at the database layer via row-level security policies;
- role-based access controls with least-privilege defaults for our personnel;
- multi-factor authentication on production systems;
- device-certificate and rotated-secret authentication for Agent communications;
- comprehensive audit logging of administrative and data-access events;
- regular penetration testing and vulnerability management;
- documented incident-response procedures and breach-notification commitments under the DPA.
No system is perfectly secure. If we become aware of a security incident affecting your personal data, we will notify you (and any Customer for whom we are processor) in accordance with applicable law and the DPA.
10. Cookies and Similar Technologies
We use a small number of cookies and similar browser-storage technologies. We do not use advertising cookies and we do not participate in cross-site behavioural advertising networks. The categories below describe everything we store on your device.
Strictly necessary
Required for the Service to function. These are always on and cannot be disabled, because the Service cannot operate without them.
- Authentication session — keeps you signed in and secures requests to our backend. Stored in your browser’s local storage for the duration of your session.
- Sidebar state — a first-party cookie remembering whether the app sidebar is expanded or collapsed (expires after 7 days).
- Feature configuration cache — short-lived local-storage cache of which features your organisation has enabled (refreshed every few minutes).
Functional
Remember in-product preferences and the state of dismissible notices (for example theme, notification-sound preference, and banners you have already closed). These are stored locally on your device.
Analytics & error monitoring
Where required by law, these are loaded only after you consent via our cookie banner. If you choose “Essential only”, none of the following are loaded:
- Product performance (Vercel Speed Insights) — aggregate page-performance metrics; no advertising profile is built.
- Error and session-replay monitoring (Sentry) — captures errors to help us fix problems. Replay masks all text and blocks media, and we never attach your email or name.
You can change or withdraw your choice at any time using the “Cookie preferences” link in our website footer, which re-opens the cookie banner. Withdrawing consent is as easy as giving it.
11. Children’s Data
The Service is intended for use by businesses and their authorised personnel. We do not knowingly collect personal data from children under the age of sixteen (16). If you believe a child has provided personal data to us, contact privacy@emberhound.com and we will take appropriate steps to delete it.
12. Automated Decision-Making and Profiling
We do not use personal data for solely-automated decision-making that produces legal effects on individuals or similarly significantly affects them. Risk scores, confidence scores, and similar signals generated by the Service are decision-support outputs intended for review by qualified personnel of the Customer and do not themselves take adverse action against any individual.
13. Changes to this Policy
We may update this Policy from time to time to reflect changes in the Service, our practices, or applicable law. We will post the updated Policy with a new “Last updated” date. For material changes, we will provide reasonable advance notice (by email or in-product notice) before the changes take effect.
14. Contact and Representatives
Privacy enquiries and rights requests:
privacy@emberhound.com
Security incidents:
security@emberhound.com
Privacy Lead:
privacy@emberhound.com
Postal Address:
EmberHound Ltd
[Registered Office Address]
United Kingdom