← emberry

Privacy Policy

Version legal@2026-06-19 · Effective 19 June 2026

This Privacy Policy explains how emberry collects, uses, stores, and discloses personal information when you use the emberry platform.

We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

1. Who we are

This service is operated by EMBERRY PTY LTD (ACN 700 020 202) (“emberry”, “we”, “us”, “our”).

2. What information we collect

2.1 Information from customers (account holders)

We may collect:

  • name and email address
  • organisation name and role
  • authentication and login records
  • usage and audit logs within the platform

Payment information is processed by Stripe. emberry does not store full card details.

2.2 Information from respondents (survey participants)

Respondents may submit:

  • feedback, ratings, and free-text responses
  • optionally provided name, email address, or phone number (if the customer enables identification)

Where respondents choose to remain anonymous, we collect only:

  • survey responses
  • a non-identifying session or submission identifier (used for system integrity and abuse prevention)

2.3 Sensitive information

Some feedback may include sensitive information (as defined under the Privacy Act 1988 (Cth)), including health, care, or other sensitive personal details.

We do not actively seek sensitive information and only collect it where it is reasonably necessary for the operation of the Services and where permitted by law.

Customers are responsible for ensuring they obtain any required consent, authority, or lawful basis for the collection, use, and disclosure of sensitive information through the platform.

2.4 Automatically collected information

We may collect:

  • device and browser information
  • IP address (hashed using a per-purpose salt)
  • timestamps and activity logs within the platform
  • basic usage analytics

This information is used for security, system integrity, and operational purposes.

3. Why we collect and use information

We collect and use personal information to:

  • provide and operate the emberry platform
  • enable feedback collection, reporting, and analytics
  • authenticate users and secure accounts
  • process billing and subscription management
  • prevent fraud, abuse, and system misuse
  • comply with legal obligations
  • improve the platform using aggregated and de-identified insights

We do not use respondent content for advertising or marketing profiling.

We send customers transactional and service-related communications only (such as billing, security, and account notices). We do not send marketing emails.

We may use and disclose personal information only for the purposes set out in this Privacy Policy or as otherwise permitted by law.

4. How we disclose information

We may disclose personal information only as necessary to provide the Service, including:

  • to the relevant customer organisation (the tenant who operates the survey)
  • to service providers who assist us in operating the platform under contractual confidentiality and data protection obligations, including:
    • Amazon Web Services (AWS) — infrastructure hosting and AI processing via Amazon Bedrock (Sydney region)
    • Stripe — payment processing
    • Cloudflare — security, content delivery, and edge protection
  • where required by law or a valid legal request
  • to enforce our legal rights or prevent harm

We do not sell personal information.

5. Cross-tenant access

Data is logically separated by customer account. We do not intentionally access or use Customer Content or respondent data belonging to one customer for the benefit of another customer, except where it has been de-identified and aggregated in accordance with this Policy.

6. Storage and security

We store and primarily process data in Amazon Web Services (AWS) in the Sydney (ap-southeast-2) region, including AI processing via Amazon Bedrock.

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access using industry-standard safeguards, including:

  • encryption in transit and at rest
  • access controls and role-based permissions
  • audit logging
  • network security controls (including web application firewalls)

No system is completely secure, and we cannot guarantee absolute security.

7. Data retention

We retain information as follows:

  • Active Customer Content: for the duration of the customer account
  • Identified respondent contact details: for the duration of the customer account or until deleted by the customer, whichever occurs first
  • Audit logs and account records: up to 7 years for legal, security, and dispute resolution purposes
  • De-identified and aggregated data: may be retained indefinitely and will not reasonably be capable of identifying individuals

On termination of an account, Customer Content (including respondent data) may be exported for 30 days, after which it may be deleted or de-identified, subject to backup retention cycles and legal obligations.

8. Access, correction, and deletion

If you are a customer (account holder), you may request access to, correction of, or deletion of your personal information by contacting us.

We may refuse deletion where retention is required or authorised by law, including for legal, regulatory, or record-keeping obligations.

9. Respondent requests

emberry processes respondent feedback on behalf of, and under the instructions of, the customer organisation that collected it. That customer determines how the data is used.

Accordingly, respondent requests to access, correct, or withdraw responses (including identifiable details) should be directed to the relevant customer organisation.

We will take reasonable steps to assist customers in responding to such requests where required under applicable law.

10. Overseas disclosure

We store and primarily process platform data in Australia, including AI processing via Amazon Bedrock in the Sydney region.

A limited number of service providers may process some information outside Australia in the course of providing their services, including Stripe (payment processing) and Cloudflare (global security and content delivery).

Where we disclose personal information overseas, we take reasonable steps to ensure those providers handle personal information in accordance with applicable privacy standards.

11. Data breaches

We maintain processes to detect, assess, and respond to data security incidents.

Where a data breach is likely to result in serious harm to affected individuals, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

Where a breach affects Customer Content, we will notify the relevant customer within a reasonable time after becoming aware of the incident.

12. Children’s information

The platform is intended for use by organisations and is not directed at children.

Some feedback collected through the platform may relate to, or be provided by or on behalf of, children in certain contexts (such as childcare or family services).

Customers must ensure that appropriate parental or guardian consent is obtained where required under applicable law before collecting or processing such information through the platform.

13. Complaints

If you have a complaint about how we handle personal information, please contact us first:

support@emberry.com.au

We will investigate and respond within 30 days.

If you are not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au

14. Changes to this policy

We may update this Privacy Policy from time to time.

Where changes are material, we will provide at least 30 days’ notice via email or in-product notification.

15. Contact

Privacy enquiries: support@emberry.com.au