1. Who We Are

Emberlitt Inc. ("Emberlitt," "we," "us," or "our") is a social reading service for iOS and related web services, headquartered in Miami, Florida, United States. This Privacy Policy explains how Emberlitt collects, uses, discloses, retains, and deletes personal data when you use Emberlitt. Data Controller: Emberlitt Inc., Miami, FL, United States Contact: legal@emberlitt.com Privacy requests: privacy@emberlitt.com Website: https://www.emberlitt.com

2. Scope

This Privacy Policy applies to Emberlitt accounts, profiles, posts, comments, annotations, messages, Reading Circles, uploaded media, recommendations, notifications, analytics, and related support and safety operations.

3. Data We Collect

• Account and identity data, including username, email address, sign-in provider, profile photo, settings, and account status.
• Profile and social data, including bio, reading preferences, follows, followers, blocks, mutes, invitations, and privacy settings.
• Content you create or upload, including posts, comments, annotations, highlights, messages, Reading Circle content, Club content, book uploads, media files, voice recordings, and reports.
• Library and activity data, including books you add or upload, reading progress, saves, likes, reposts, bookmarks, reading statistics, and recommendation signals.
• Device and usage data, including IP address, app version, device identifiers, diagnostics, logs, push tokens, and app interaction events.
• Location data only if you enable location-based features or location sharing.
• Support and safety data, including appeals, support messages, moderation records, enforcement history, fraud-prevention data, and security logs.

4. How We Use Data

• To operate Emberlitt, create and manage accounts, deliver messaging and social features, and sync your content.
• To host and display user content, library data, uploads, notifications, and recommendations.
• To personalize feeds and suggestions using ranking systems and AI-assisted recommendations.
• To maintain safety, investigate abuse, enforce the Terms of Service and Community Guidelines, and comply with platform requirements.
• To detect fraud, spam, security incidents, and policy evasion.
• To respond to support requests and legal requests.
• To improve performance, reliability, and product quality.
• To create aggregated or de-identified analytics.
• To comply with law and protect readers, Emberlitt, and rights holders.

5. Legal Bases for Processing

Where required by law, including in the European Economic Area (EEA), the United Kingdom, Switzerland, and similar jurisdictions, Emberlitt relies on the following legal bases: • Contract: to create and administer your account and provide the service. • Legitimate interests: to secure, moderate, improve, and defend the service. • Consent: for optional permissions such as push notifications, microphone access (voice messages), photo library access (profile photos, post media), camera access, and location services. • Legal obligation: to comply with lawful requests and required records. You may withdraw your consent at any time by adjusting your device permissions in iOS Settings or by contacting privacy@emberlitt.com. Withdrawing consent does not affect the lawfulness of processing that occurred before the withdrawal.

6. Recommendations and AI

Emberlitt uses ranking systems and recommendation tools, including signal-based and AI-assisted recommendations, to personalize books, content, and people you may want to see. These systems are not used to make decisions with legal or similarly significant effects about you. You are not subject to decisions based solely on automated processing that produce legal or similarly significant effects, as described in Article 22 of the GDPR.

7. When We Share Data

• With service providers and processors that operate Emberlitt, including Firebase Authentication, Firestore, Cloud Functions, Cloud Storage, Firebase Analytics, Google Cloud, and BigQuery. • With Apple, Google, and other platform providers where required for login, notifications, or platform compliance. • With other readers according to your content, activity, and privacy settings. • With moderators, advisors, auditors, insurers, and professional service providers. • With law enforcement, regulators, courts, or rights holders where legally required or reasonably necessary. • With a buyer or successor in a merger, acquisition, financing, or asset sale. Emberlitt does not sell personal information and does not share personal information for cross-context behavioral advertising.

8. What Other Readers Can See

Because Emberlitt is a social reading service, other readers may see content and profile information you choose to share, subject to your settings. • Depending on your settings, other readers may see your username, display name, profile image, bio, public or follower-visible posts, comments, annotations, Reading Circle activity, shared books or media, and content you send to them. • Messages and group chats are visible to conversation participants.

9. User-Generated Content and Safety

Emberlitt uses filtering, reporting, blocking, moderation review, and enforcement tools to reduce abuse and meet platform safety obligations. Reports, enforcement decisions, and related evidence may be reviewed by humans and used to investigate repeat violations, copyright complaints, scams, harassment, threats, and other misuse.

10. International Transfers

Emberlitt may process and store personal data in the United States and other countries where our providers operate. Where required by applicable law, including the GDPR and UK GDPR, Emberlitt relies on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs), adequacy decisions, or other safeguards recognized under applicable law.

11. Data Retention

• Account and profile data: while your account remains active.
• User content: until you delete it, your account is deleted, or Emberlitt removes it under the Terms of Service.
• Messages and chat history: while your account remains active and as needed for participants, delivery, abuse review, dispute handling, and safety.
• Library, reading progress, reading statistics, and achievements: while your account remains active unless you delete them earlier.
• Analytics and recommendation signals: up to 24 months, then deleted, aggregated, or de-identified.
• Push tokens and inactive device records: while the device remains associated with your account, with stale records typically removed after 90 days of inactivity.
• Support, abuse, security, and moderation records: up to 3 years, or longer if needed for repeat-offender tracking, legal claims, audits, or safety investigations.
• Location data: only while location features are enabled and as needed to provide those features.
• Security and server logs: typically up to 90 days unless longer retention is needed for investigation or legal hold.
• Backups and disaster recovery: encrypted backups may be retained for up to 30 days after deletion of the source data for disaster recovery purposes.

12. Account Deletion and Data Export

You can request account deletion from within the app. Emberlitt requires re-authentication before deletion. Once deletion is confirmed, Emberlitt begins a backend deletion workflow that deletes profile data, social connections, uploads, notifications, location data, and other account-linked records. Certain chat records may be anonymized rather than deleted where they must remain for other readers or for safety and legal reasons. Emberlitt may also initiate the deletion workflow when an account is terminated for a Terms of Service violation, following the procedures described in the Terms of Service. In rare cases, accounts or data may be deleted due to technical errors or administrative actions; Emberlitt maintains commercially reasonable backups but cannot guarantee recovery in all circumstances. You can also request a copy of your data through Emberlitt's data export tools in Settings. Export availability may be rate limited for security reasons. Data exports are provided in a structured, machine-readable JSON format inside a ZIP archive, in compliance with GDPR Article 20 (right to data portability) and CCPA Section 1798.100.

13. Your Privacy Rights

Depending on where you live, you may have rights regarding your personal data, as described below. • European Economic Area, United Kingdom, and Switzerland: You may have the right to access, correct, delete, restrict processing, object to processing, and port your data under the GDPR and UK GDPR. You also have the right to lodge a complaint with your local data protection authority (supervisory authority). • California (CPRA/CCPA): You may request to know, access, correct, or delete personal information. You may opt out of the sale or sharing of personal information. Emberlitt does not sell or share personal information for behavioral advertising. You have the right to limit the use of sensitive personal information. Emberlitt will not discriminate against you for exercising these rights. • Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other US states: You may have rights to access, correct, delete, and port your data, and to opt out of targeted advertising, sale of personal data, and profiling. • Brazil (LGPD): You may have the right to access, correct, anonymize, block, or delete your data, and to obtain information about the entities with which your data has been shared. To exercise any of these rights, contact privacy@emberlitt.com or legal@emberlitt.com. Emberlitt may need to verify your identity before acting on a request. Emberlitt will respond within the timeframes required by applicable law (typically 30–45 days, with extensions where permitted).

14. Children’s Privacy

Emberlitt is not directed to children under 13, and children under 13 may not use Emberlitt. Some jurisdictions — including parts of the European Economic Area (EEA), the United Kingdom, and other regions — set a higher minimum age for digital consent under the GDPR (typically between 13 and 16, depending on national implementation). If you reside in such a jurisdiction and are below your local digital-consent age, you may not register for or use Emberlitt without verifiable parental or guardian consent. If Emberlitt learns that it collected personal data from a child below the applicable minimum age without legally sufficient authorization, Emberlitt will delete the account and associated data as required by law.

15. Third-Party Services

Emberlitt relies on third-party infrastructure and platform services, including Google Firebase and Google Cloud services, Apple platform services, and Google sign-in services. Those providers may process data under their own privacy terms when acting as independent controllers.

16. Changes and Contact

Emberlitt may update this Privacy Policy. If Emberlitt makes material changes, the effective date will be updated and additional notice will be provided where required, including through the app or by email. Questions or requests: legal@emberlitt.com or privacy@emberlitt.com Technical support: support@emberlitt.com

17. Tracking Technologies and Analytics

Emberlitt uses Firebase Analytics, device identifiers, and similar technologies to understand how readers use the service, improve performance, and personalize recommendations. These tools may collect usage patterns, session data, interaction events, and device information. Third-party SDKs and services integrated into Emberlitt include: • Firebase Authentication (sign-in and identity) • Cloud Firestore and Firebase Realtime Database (data storage and sync) • Firebase Cloud Storage (media and file uploads) • Firebase Cloud Messaging (push notifications) • Firebase Analytics (usage analytics) • Google Cloud Functions (server-side processing) • Google BigQuery (aggregated analytics) • Kingfisher (image caching, local only) Emberlitt does not use third-party advertising cookies or cross-site tracking pixels. Emberlitt does not participate in ad networks or sell data to advertisers. You can limit certain tracking through your device settings, such as disabling analytics sharing in iOS Settings or using the App Tracking Transparency prompt. Disabling analytics may reduce the quality of personalized recommendations but will not affect core functionality.

18. Data Breach Notification

In the event of a data breach that compromises the security or confidentiality of your personal information, Emberlitt will notify affected readers in accordance with applicable law, including the GDPR (within 72 hours to supervisory authorities where required) and applicable US state breach notification laws. Notification may be provided through the app, by email to the address associated with your account, or through other appropriate means. Emberlitt maintains reasonable security measures to protect personal data, including encryption of data in transit and at rest, access controls, and monitoring. However, no system is completely secure, and Emberlitt cannot guarantee absolute security.

19. Do Not Track

Emberlitt is a native iOS application and does not respond to web browser Do Not Track (DNT) signals. Emberlitt does not track users across third-party websites or applications. You can control analytics and data sharing through your iOS device settings.

20. Data Processing Agreements

Emberlitt’s primary infrastructure providers, including Google LLC (Firebase, Cloud Functions, BigQuery, Cloud Storage), are bound by data processing agreements that require them to process personal data only as directed and to maintain appropriate technical and organizational security measures.

21. Governing Law

This Privacy Policy and any disputes arising from it are governed by the laws of the State of Florida, United States, without regard to conflict of law principles, except where overridden by mandatory local privacy law (such as the GDPR for European Economic Area residents or the UK GDPR for United Kingdom residents).

22. Apple Platform Disclosures

Emberlitt is distributed through the Apple App Store and complies with Apple’s App Store Review Guidelines, including privacy and data handling requirements. The data categories disclosed in Emberlitt’s App Store privacy nutrition labels reflect the data collection and use practices described in this Privacy Policy. Emberlitt respects the App Tracking Transparency (ATT) framework. Emberlitt does not track you across apps or websites owned by other companies for advertising purposes.

23. Movie and TV Catalog Data (TMDB)

Emberlitt’s movie and TV features are powered by The Movie Database (TMDB) API. This product uses the TMDB API but is not endorsed or certified by TMDB. When you browse, search, or open a movie or TV title in Emberlitt, Emberlitt sends limited, non-identifying request data to TMDB through a server-side proxy operated by Emberlitt. The data sent typically includes catalog identifiers (such as movie or TV IDs), search terms you enter, filter selections (such as genre, language, or country), and a coarse region setting used to determine streaming availability. Emberlitt does not send your Emberlitt username, email address, profile, account identifier, or any directly identifying information to TMDB. Movie and TV metadata, posters, backdrops, cast information, and trailer references displayed in Emberlitt are provided by TMDB and remain subject to TMDB’s own terms and rights. When you mark a title as seen, rate it, comment on it, add it to a playlist, or create a shareable card from movie or TV titles, the only data stored in Emberlitt are the TMDB catalog identifiers you selected and your own content (your rating, your comment text, your playlist title). The poster images themselves are fetched live from TMDB’s image servers. TMDB’s processing of any data Emberlitt sends to it is governed by TMDB’s own privacy policy, available at https://www.themoviedb.org/privacy-policy. Emberlitt has no control over and is not responsible for TMDB’s independent data practices. If you do not wish to use any TMDB-powered feature, you may simply avoid opening the movie and TV catalog inside Emberlitt; no request is sent to TMDB unless you actively use these features.