Privacy Policy
Last updated: May 2026
1. Who We Are
Embersent is operated by 21OQ B.V., KvK 88996174, based in the Netherlands. We are the data controller for personal data processed through the Service. Contact us via our contact form.
2. What Data We Collect
Account data: name, email address, and password (hashed) when you sign up.
Document analytics: page-level engagement data for documents you share — time spent per page, open timestamps, and derived geolocation from IP addresses (city-level only). No cookies are set on recipients.
Billing data: payment is processed by Mollie B.V. We store only subscription status and plan tier — no full card details.
Usage data: server logs including IP addresses and request paths for security and abuse prevention purposes.
3. Legal Basis for Processing (GDPR)
We process your data on the following legal bases:
Contract: processing account and billing data is necessary to deliver the Service you signed up for.
Legitimate interest: security logging and fraud prevention.
Consent: marketing emails, where applicable (you may withdraw at any time).
4. How We Use Your Data
We use your data to provide and improve the Service, send transactional emails (e.g. document open notifications), process payments, and maintain security. We do not sell your data or use it for third-party advertising.
5. Data Sharing
We share data only with trusted sub-processors necessary to operate the Service:
| Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting | Germany / EU |
| Mollie B.V. | Payment processing | Netherlands / EU |
| Brevo (Sendinblue) | Transactional email | France / EU |
| OVHcloud | Object storage | France / EU |
| Meta Platforms, Inc. | Advertising attribution (Meta Pixel + Conversions API) | USA (SCCs apply) |
Data shared with Meta Platforms, Inc. is transferred to the USA under Standard Contractual Clauses (SCCs). All other data remains within the European Economic Area.
6. Data Retention
Account data is retained for as long as your account is active. Analytics data retention depends on your plan (14 days on Free, 90 days on Solo, 1 year on Pro and Teams). Upon account deletion, we remove your data within 30 days.
7. Your Rights (GDPR)
You have the right to access, rectify, erase, or restrict processing of your personal data. You may also request data portability or object to processing based on legitimate interest. To exercise any right, contact us via our contact form. We will respond within 30 days.
8. Cookies
We use a single session cookie for authentication on the dashboard. Our marketing pages (embersent.com and its subpages) use the Meta Pixel, which sets _fbp and _fbc cookies to support advertising attribution on Facebook and Instagram. Document recipient pages (our /v/* viewer) set no tracking cookies.
We use the Meta Pixel to measure the performance of our Facebook and Instagram advertising campaigns. The Pixel records page visits and conversion events (account creation, subscription purchase) on our marketing pages and app. We send hashed email addresses (SHA-256) to Meta's Conversions API for server-side attribution. The Meta Data Processing Addendum applies to this processing. Legal basis: legitimate interest in measuring marketing effectiveness.
9. Security
All data is transmitted over TLS. Documents are stored encrypted at rest in EU object storage. Access to production systems is strictly limited and logged.
Uploaded documents are scanned for malware as a protective security measure. Scanning is best-effort and does not guarantee detection of all threats.
10. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated via email. Continued use after changes constitutes acceptance.
11. Contact and Complaints
For privacy questions, contact us via our contact form. If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
12. Automated Decision-Making
Embersent does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.
13. Data Breach Notification
In the event of a personal data breach affecting your data, we will notify you and the Autoriteit Persoonsgegevens within 72 hours of becoming aware, where required by GDPR.
Related: Contact us · Terms of Service · Home