Legal
Privacy Policy
The most private thing you own should stay that way. This policy explains, in plain words, what Ember does and doesn't do with data.
Privacy at a glance
- Your conversations stay on your phone. Ember's companion runs on-device by default. Your words are stored on your device, encrypted under a key only you hold.
- We cannot read your conversations. If you turn on sync/backup, what leaves your device is end-to-end encrypted content we cannot decrypt.
- Nothing is sold. Ever. No ads, no data brokers, no "partners", no exceptions.
- Almost nothing is collected. The little we do hold (for example, an email address you give us) is listed below, with why.
- Ember is non-clinical and 18+. It is not a medical device, does not diagnose or treat, and is not directed at children.
1. Who we are
Wellnetix Ltd is the data controller for the Ember app and this website under the UK GDPR and, where it applies, the EU GDPR.
- Controller: Wellnetix Ltd, United Kingdom.
- Contact for privacy matters: nimind@wellnetixltd.com
- We have not designated a statutory Data Protection Officer; privacy matters are handled directly by the team at the contact address above.
2. What this policy covers
It covers the Ember mobile app for iOS and Android (currently in private early access) and the ember.wellnetixltd.com website, including the early-access sign-up and contact forms. It does not cover third-party services you reach through signposting (for example, your GP's booking system or a crisis line) — those have their own policies.
3. What we collect — and what we deliberately don't
3.1 In the app: your conversations, journal and reflections
- Stored: on your device only, by default. Content is encrypted at rest using client-side encryption under a key derived on your device and held by you (with a recovery kit you control).
- Collected by us: no. We do not receive, read, mine, or train on your conversations. There is no server-side copy we can decrypt.
- Crisis and HRT-related moments are recognised and handled on-device. We do not build risk profiles, and no "flag" about you is sent to us or anyone else.
3.2 In the app: the on-device model
When you first set up Ember, the app downloads the language-model files it needs to run locally. That download is a plain file transfer: our cloud infrastructure sees standard technical request data (IP address, app version) needed to deliver the files, and no conversation content — the model comes to your words; your words don't go to the model.
3.3 In the app: optional cloud assistance
If a reply needs more capability than your device can provide, Ember can — only if you have turned cloud assistance on — send that exchange to a cloud model to generate the response. When it is used:
- the exchange is encrypted in transit (TLS);
- it is processed transiently to answer the request and is not retained afterwards, aside from minimal security and abuse-prevention logs kept for up to 90 days — and it is not used for training;
- the processing is carried out by an AI inference provider engaged only for this purpose (see section 6);
- cloud assistance is off by default, clearly labelled in the app, and can be switched off at any time.
3.4 In the app: optional sync & backup
If you enable sync or backup, your content leaves your device only as end-to-end encrypted data encrypted under your key. We store the encrypted blobs and the minimal metadata needed to run the service (account identifier, timestamps, data sizes, device registrations). We cannot decrypt the content. Encrypted backups are kept until you delete them or close your account.
3.5 In the app: optional account
Ember works without an account. If you claim an account (for sync, backup or restore), we collect your email address and the credentials needed to sign you in, to operate those features.
3.6 On the website
- Early-access sign-up: your email address, used only to contact you about Ember early access. Unsubscribe anytime.
- Contact form / email: your email address and the message you send, used to reply to you.
- Cookies and analytics: none. See section 10.
- Server logs: our cloud hosting provider keeps minimal web-server logs (IP address, user agent, pages requested) for security and reliability, retained for up to 90 days.
3.7 What we deliberately do not do
- No sale or sharing of personal data for advertising. No ad SDKs, no data brokers.
- No wearables, no sensor tracking, no location tracking. Region-aware crisis signposting uses your device's locale/region setting on-device; it is not reported to us.
- No third-party advertising or cross-app tracking identifiers.
- No scores, stages or forecasts about your body — Ember doesn't generate them at all.
4. Purposes and legal bases (UK GDPR / GDPR)
-
Early-access email Website
To invite you to Ember early access and send occasional updates about it.
Consent · Art. 6(1)(a) — withdraw anytime via unsubscribe.
-
Contact messages Website
To respond to your enquiry.
Legitimate interests · Art. 6(1)(f) — responding to people who write to us.
-
Account email + authentication data App · optional
To provide sign-in, sync, backup and restore.
Contract · Art. 6(1)(b)
-
Encrypted sync/backup blobs + minimal metadata App · optional
To provide the sync and backup you switch on. Content is end-to-end encrypted; we cannot read it.
Contract · Art. 6(1)(b)
-
Cloud-assistance exchange content App · optional · transient
To generate a reply when on-device capability isn't enough and you've turned cloud assistance on.
Consent · Art. 6(1)(a) — and, as conversation content may include health information, the app asks for your explicit consent (Art. 9(2)(a)) when you enable it.
-
Model download + server logs App + website
Delivering files, keeping services secure and working.
Legitimate interests · Art. 6(1)(f)
Special-category data: what you write in Ember may include health information. By design it stays on your device under your key; where any of it transits our systems (cloud assistance, sync) it does so encrypted and/or transiently as described above, on the basis of your explicit consent.
5. Storage, encryption and retention
- On your device: your conversations and journal stay on the device under your key until you delete them or uninstall the app; they are not retained by Wellnetix. You can export or erase everything in the app at any time (uninstalling is subject to your OS backups).
- Encrypted backup/sync (if you enable it): kept until you delete it or close your account. We cannot decrypt it at any point.
- Cloud-assistance content: processed transiently to answer the request and not retained afterwards, aside from minimal security and abuse-prevention logs kept for up to 90 days.
- Operational/server logs: minimal, kept for up to 90 days for security and reliability.
- Early-access email address: kept until you unsubscribe or ask us to remove it, or the early-access programme ends.
- Support correspondence: kept as long as needed to handle your query and for a short period after.
6. Sharing and sub-processors
We never sell personal data. We share it only with service providers who process it for us under contract, and only what each needs:
-
Cloud hosting & infrastructure
Runs this website and stores end-to-end encrypted sync/backup data we cannot decrypt. Sees server logs and encrypted blobs plus minimal service metadata.
-
Email delivery
Carries early-access and support correspondence to and from nimind@wellnetixltd.com.
-
AI inference provider
Engaged only if you turn on cloud assistance; processes exchange content transiently. Otherwise, all processing is on-device.
-
Apple & Google
App distribution via the App Store and Google Play. Their standard install/crash ecosystems apply per your device settings — see section 11.
We keep a current list of sub-processors and will provide it on request at nimind@wellnetixltd.com. We use no advertising networks and no data brokers, and we do not sell personal data.
We may also disclose data if the law genuinely requires it. Because conversation content is encrypted under your key, we could not hand over readable conversations even if asked.
7. International transfers
We aim to keep personal data in the UK/EEA. Where a provider processes data outside the UK/EEA, we rely on UK adequacy regulations or the appropriate safeguards, such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses.
8. Your rights
Under the UK GDPR / GDPR you can: access the personal data we hold about you; rectify it; erase it; restrict or object to processing; receive a portable copy; and withdraw consent at any time (without affecting earlier processing). Write to nimind@wellnetixltd.com and we'll respond within one month.
For your conversations, the strongest rights are in your hands directly: the app's export and erase controls work immediately, on-device, without asking us — by design we couldn't do it for you, because we can't read the data.
You can complain to the UK Information Commissioner's Office at ico.org.uk (or your local EU supervisory authority). We'd appreciate the chance to put things right first.
9. Children
Ember is for adults. The app and early access are 18+ only, the app asks you to confirm this during onboarding, and neither the app nor this website is directed at children. If you believe a minor has provided us personal data, contact us and we will delete it.
10. Cookies, analytics and crash reporting
- This website uses no cookies and no analytics. The only thing it stores in your browser is a single localStorage entry remembering your light/dark theme choice; it never leaves your browser. See the Cookie notice.
- The app ships with no third-party advertising or analytics SDKs.
- Crash reporting: the app includes no third-party crash-reporting SDK. Your operating system (Apple or Google) may collect crash reports subject to your own device settings; any such reports are content-free.
11a. Apple App Store — "App Privacy" disclosures
This is the declaration Ember makes on the App Store; it is checked against every build we ship:
-
Health & Fitness Not collected
Conversations stay on-device / end-to-end encrypted; we cannot access them, so they are not "collected" under Apple's definition.
-
Contact Info → Email Address Conditional
Collected only if you claim an account; linked to you; used for App Functionality only. No tracking, no marketing use without separate consent.
-
User Content Not collected
End-to-end encrypted sync blobs are inaccessible to us.
-
Identifiers, Usage Data, Diagnostics Not collected
No analytics or crash-reporting SDK ships in the app.
-
Location, Contacts, Browsing, Purchases, Financial, Sensitive Info Not collected
Ember has no use for any of these, and never asks.
-
Data used to track you None
No tracking across apps or websites; no App Tracking Transparency prompt needed.
11b. Google Play — Data Safety alignment
This is how Ember answers Google Play's Data Safety form; it is checked against every build we ship:
-
Does the app collect or share user data?
Collects: optional email (account). Shares with third parties: none for advertising or marketing. Optional cloud assistance processes conversation text transiently via a contracted provider, only when the user turns it on.
-
Health & personal-info categories Not collected
On-device / end-to-end encrypted — not collected by Wellnetix.
-
Data encrypted in transit? Yes
TLS everywhere.
-
Can users request deletion? Yes
In-app erase (immediate, on-device) and account deletion including server-side encrypted blobs.
-
Ads / tracking SDKs None
The app ships with no advertising or tracking SDKs.
-
Independent security review Not claimed
We do not claim an independent security review, and won't until one has actually happened.
12. Security
Security is architecture here, not a promise: client-side encryption with user-held keys and a recovery kit; end-to-end encryption for anything that syncs; TLS for everything in transit; no plaintext server-side copies of your words; least-access controls on the small amount of operational data we do hold. No system is perfect — if we ever discover a breach affecting your personal data, we will notify you and the ICO as the law requires.
13. Changes to this policy
If we change this policy, we'll update it here with a new effective date, and for material changes we'll tell you in the app or by email before they take effect. We will never quietly weaken the commitments above — in particular, "on your device", "under your key" and "never sold" are load-bearing.
14. Contact
Wellnetix Ltd, United Kingdom · nimind@wellnetixltd.com · wellnetixltd.com