Privacy Policy

1. Introduction

We take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are, how and why we collect, store, use, and share your personal information. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint.

We collect, use and are responsible for certain personal information about you. When we do so we are subject to various laws in the United States and, if applicable, the General Data Protection Regulation which applies across the European Union (including in the United Kingdom), and we are responsible as "controller" of that personal information for the purposes of those laws if and when they apply.

We have prepared this Privacy Policy to help you understand our practices with respect to the collection, use, and disclosure of information we collect from you through (i) the emberlegacy.ai website, its subdomains, and any other website where our Terms of Service are posted; (ii) our online hosted services; and (iii) our "Software", meaning, collectively, our browser extensions, our Ember Legacy mobile applications, other downloadable apps, application programming interfaces ("APIs"), and tools and documentation (collectively, the "Services").

Key Terms:

• "We," "us," "our," "Ember Legacy, Inc." or "the Company": Ember Legacy, Inc. and its affiliates.
• "Personal information": any information relating to an identified or identifiable individual.
• "Services": Ember Legacy, Inc.'s website (including emberlegacy.ai), mobile applications, and related services, information, and communications.
• "User Content": stories, photos, videos, audio recordings, written messages, and other media or materials you upload, record, create, or otherwise submit through the Services.

2. Personal Information We Collect About You

We may collect and use the following personal information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:

• Identifiers (e.g., real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers): name, postal address, IP address, email address, account name.
• Information that identifies, relates to, describes, or is capable of being associated with a particular individual (including, but not limited to, name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state ID, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial, medical, or health insurance information): name, address, telephone number, credit card number, debit card number, other financial information, personal interests, household income range, number of children, gender, demographic information, and product and service preferences.
• Audio and visual information: pictures you provide or upload in connection with our Services, and the content and audio or video recordings and other media you upload or create (including stories, messages, and legacy content) in connection with the Services, as well as audio or video calls between you and us that we record where permitted by law.
• Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies): records of products purchased.
• Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement): we use cookies and similar technologies to collect certain information about your interactions with the Services to operate, secure, and improve the Services, to understand usage patterns, and to provide features such as search, personalization, and prompt suggestions. We do not use this information for third-party advertising or cross-context behavioral advertising.
• Geolocation data: IP address, location of access and purchase.
• Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes: we use cookies and similar technologies to collect certain information about your interactions with the Services to operate, secure, and improve the Services. We do not use this information for third-party advertising or cross-context behavioral advertising.

In addition, when you use the Services we may collect User Content, including photos, videos, audio recordings, written stories, and messages you choose to upload or create. We collect this information solely to provide and improve the Ember media-sharing and legacy-preservation Services that you request. We do not collect sensitive personal information (as defined by applicable law) unless you choose to include it in your User Content.

This personal information is required to provide products to you. If you do not provide the personal information we ask for, it may delay or prevent us from providing products to you.

3. Third-Party Integrations

Certain aspects of the Services allow you to link or integrate third-party products and services to enable certain features and functionalities with the Services. If you choose to use these features or functionalities, you may be asked to create an account with a third party that provides such features or functionalities or link your existing third-party service account with the Services (and, by doing so, agree to the privacy policy and/or terms and conditions of that third party).

You may also be asked to authorize the Services to collect information from the third party on your behalf. We will then collect information (such as your username or user ID associated with that third-party service) from you and/or that third party as necessary to enable the Services to access your data and content stored with that third-party service. Once the authentication is complete, we have the ability to access information you provided to us or was otherwise collected by the third-party service in accordance with the privacy practices of that third party. We will store the information and data we collect and associate it with your Ember account, and we will use that information and data to enable the integration of the Services with the third-party service and to perform actions requested or initiated by you, or that are reasonably necessary to carry out instructions provided by you.

Certain integrations may provide AI-enabled functionality (for example, transcription or media analysis) for your User Content. These integrations process your User Content only as necessary to provide the requested functionality to you and, under our agreements, may not use your User Content to train their own general-purpose AI models.

4. Information Collection and Tracking Technologies

When you download, access, or use the Services, it may use technology to automatically collect or utilize:

Cookies (or mobile cookies). A cookie is a small file placed on your computer or smartphone. Cookies are small text strings that the websites visited by a user install on the user's terminal. These strings are then re-transmitted to the site that installed them upon further requests by the user. When the user also receives cookies sent by other sites or web servers during site navigation, those cookies are considered third-party cookies. It may be possible to refuse to accept mobile cookies by activating the appropriate setting on your computer or smartphone. However, if you select this setting, you may be unable to access certain parts of our Services.

We use cookies and similar technologies only to support core functionality, security, analytics, and personalization of the Ember media-sharing platform, and not for third-party advertising or cross-site tracking. The Ember mobile application does not use cookies. We do not use tracking pixels, third-party advertising cookies, or cross-site tracking of any kind. We honor Do Not Track (DNT) browser signals. We recognize and honor Global Privacy Control (GPC) signals as a valid opt-out of any sharing of personal information, as required by applicable law.

Web Beacons. Pages of the Services and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related Services statistics (for example, recording the popularity of certain app content and verifying system and server integrity).

5. How Your Information is Collected

We collect most of this personal information directly from you: by phone, text, email, your orders, or via our website. However, we may also collect information:

• From publicly accessible sources (e.g., property records).
• Directly from you when you provide it to us, such as when you make a purchase, visit or use our website, place an order with us, contact us by email, by phone, or by online chat, register for an online account, participate in a contest or sweepstakes, respond to a survey, comment on blog posts, engage in a promotional activity, or sign up for emails, newsletters, or marketing.
• Certain information from third parties, such as social media platforms and networks that you use in connection with our Services, or that share or allow you to share information with us; service providers that we use that provide us with information about you and the devices you use online; and other third parties that we choose to collaborate with in order to make the Services and its services available for your use.
• From a third party with your consent (e.g., your bank or credit card company).
• Automatically when you use the Services, including automatically collected information, but which generally does not include personal information unless you provide it through our website or you choose to share it with us.
• When you use the Services' media features (for example, by recording or uploading photos, audio, videos, or written stories), we collect the User Content you submit, along with limited technical information needed to store, process, and deliver that content to you and to the recipients you choose.
• From cookies on our website.
• Via our IT systems, including automated monitoring of our websites and other technical systems, such as our computer networks and connections, communications systems, email and instant messaging systems.

6. Third Party Information Collection

When you use the Services or its content, certain third parties may use automatic information collection technologies to collect information about you or your device. These third parties may include:

• Advertisers, ad networks, and ad servers
• Analytics companies
• Your mobile device manufacturer
• Your mobile or internet service provider

These third parties may use tracking technologies to collect information about you when you use the Services. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites, apps, and other online services. We do not authorize our service providers to use information collected via the Services to provide you with interest-based (behavioral) advertising or other targeted advertising unrelated to Ember.

Any data provided within the United States will not be transferred by us to third countries or international organizations outside the United States. The hosting of the site is also within the United States. Any data provided outside the United States will be transferred by us to the United States. Where personal data transfers occur internationally, they are governed by safeguards which include International Group Data Transfer Agreements which contain the appropriate Model Contract Clauses for data protection where required. We may transfer any information we collect mentioned above to the United States.

We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.

Our core business is providing a secure media-sharing and legacy-preservation platform. We do not sell your personal information and do not share your personal information with third parties for cross-context behavioral advertising.

7. How and Why We Use Your Personal Information

Under data protection law, we can only use your personal information if we have a proper reason for doing so, e.g.:

• To comply with our legal and regulatory obligations
• For the performance of our contract with you or to take steps at your request before entering into a contract
• For our legitimate interests or those of a third party
• Where you have given consent

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

What we use your personal information for, and our reasons:

• To provide Ember's media-sharing and legacy-preservation Services to you, including storing, organizing, transcribing, and delivering your User Content to recipients you select. Reason: performance of our contract with you, or to take steps at your request before entering into a contract.
• To prevent and detect fraud against you or Ember Legacy, Inc. Reason: legitimate interests, to minimize fraud that could be damaging for us and for you.
• Conducting checks to identify our customers and verify their identity; screening for financial and other sanctions or embargoes; other processing necessary to comply with professional, legal and regulatory obligations that apply to our business; gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies. Reason: to comply with our legal and regulatory obligations.
• Ensuring business policies are adhered to, e.g. policies covering security and internet use. Reason: legitimate interests, to make sure we are following our own internal procedures so we can deliver the best service to you.
• Operational reasons, such as improving efficiency, training and quality control. Reason: legitimate interests, to be as efficient as we can so we can deliver the best products for you at the best price.
• Ensuring the confidentiality of commercially sensitive information. Reason: legitimate interests, to protect trade secrets and other commercially valuable information; and to comply with our legal and regulatory obligations.
• Statistical analysis to help us manage our business, e.g. in relation to our financial performance, customer base, product range or other efficiency measures. Reason: legitimate interests, to be as efficient as we can so we can deliver the best service for you at the best price.
• Preventing unauthorized access and modifications to systems. Reason: legitimate interests (to prevent and detect criminal activity), and to comply with our legal and regulatory obligations.
• Updating and enhancing customer records. Reason: performance of our contract with you; to comply with our legal and regulatory obligations; and legitimate interests, e.g. making sure that we can keep in touch with our customers about existing orders and new products.
• Statutory returns. Reason: to comply with our legal and regulatory obligations.
• Ensuring safe working practices, staff administration and assessments. Reason: to comply with our legal and regulatory obligations, and legitimate interests in following our own internal procedures.
• Communicating with you about Ember Services, including updates, new features, and offerings related to the media-sharing and legacy-preservation Services you use (but not third-party advertising). Reason: legitimate interests, to promote our business to existing, prospective and former customers.
• External audits and quality checks, e.g. licensure verification and related audits. Reason: legitimate interests in maintaining licensure, and to comply with our legal and regulatory obligations.
• Training and improving Ember's own AIML features (such as transcription of audio and video that you record or upload, semantic search across your media, and content suggestions) for use within the Ember Services only. We do not use your User Content to train general-purpose AIML models for use outside of the Ember Services. Reason: legitimate interests, where we determine that processing is necessary and where such legitimate interests do not override the interests or fundamental rights and freedoms of the data subject.

When you share a story or message with another user, the received copy belongs to that recipient permanently, even if your account is later deleted. Revoking access removes future visibility but does not delete copies already received.

8. Use of Personal Data for Artificial Intelligence and Machine Learning (AIML)

We use Artificial Intelligence and Machine Learning ("AIML") technologies to provide certain features of the Services (such as transcription, search, and content suggestions), but we do not use your User Content to train general-purpose AIML models for use outside of the Ember Services.

Scope of Data Collection and Processing. We may collect and process various categories of personal data that could be utilized in AIML model training, including but not limited to:

• Personal Identifiers
• Demographic Information
• Transactional data
• Behavioral Data
• User Content
• Device and technical information

Personal data may be collected through various touchpoints, as described in this Privacy Policy. For AIML features that operate on User Content (for example, audio, video, images, and text you upload), we process that User Content only as necessary to provide the feature to you and to maintain and improve the Ember Services.

Purposes and Legal Basis for Processing. The personal data collected may, at our discretion, be used for AIML-related purposes, which could include:

• Enabling features such as automatic transcription of audio or video you upload, semantic search across your User Content, media organization, and optional message or story suggestions
• Improving the accuracy, performance, and safety of these Ember AIML features
• Optimizing user experience
• Enhancing security measures
• Improving personalization of prompts and in-product recommendations within the Ember Services (not for third-party advertising)
• Legitimate interests, pursuant to Article 6(1)(f) of GDPR, where we determine that processing is necessary for the purposes of our legitimate interests, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject
• In specific cases where explicit consent is required and obtained pursuant to Article 6(1)(a) of GDPR

Where we rely on legitimate interests for AIML processing, our interests include providing and improving Ember's media-sharing and legacy-preservation features while respecting your privacy expectations. We do not use your User Content to train general-purpose AIML models offered to other customers or third parties.

Data Protection Safeguards. We implement appropriate technical and organizational measures to protect personal data used in AIML processes, in line with GDPR requirements and industry standards. Our AIML service providers are contractually prohibited from using your User Content to train or improve their general-purpose models for use by others, except as necessary to provide AIML services to Ember under our instructions. The specific AI service providers we use to process your User Content are disclosed to you in the in-app signup flow before any User Content is sent for AI processing, and may be updated by us from time to time.

Data Subject Rights. Data subjects retain their rights under GDPR, including the right to access, rectification, erasure, and objection to processing. While we strive to accommodate data subject rights, the nature of AIML processing may impact our ability to fully execute certain requests, particularly where data has been aggregated or transformed for model training.

International Data Transfers. We may transfer personal data outside the European Economic Area (EEA) for AIML purposes, ensuring appropriate safeguards are in place as required by GDPR.

Transparency and Information. We will provide general information about our AIML data processing activities through this Privacy Policy and other appropriate channels, reserving the right to withhold specific details that may compromise our proprietary technologies or competitive position.

Data Retention and Deletion. Personal data used for AIML purposes will be retained as long as necessary for the purposes described herein, subject to our data retention policies and legal obligations.

Automated Decision-Making and Profiling. We may engage in automated decision-making and profiling as part of our AIML activities. Where such processing produces legal effects or similarly significantly affects data subjects, we will provide appropriate safeguards and information as required by GDPR.

Children's Data. We do not knowingly use personal data of children under the age of 18 for AIML purposes without appropriate parental consent.

Updates and Revisions. We reserve the right to update this AI/ML provision at any time. Material changes will be communicated through appropriate channels.

9. Promotional Communications

We may use your personal information to send you updates (by email, text message, telephone or mail) about our products, including exclusive offers, promotions or new products.

We have a legitimate interest in processing your personal information for promotional purposes (see "How and why we use your personal information"). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly. We will always treat your personal information with the utmost respect.

You have the right to opt out of receiving promotional communications at any time by:

• Contacting us at support@emberlegacy.ai; or
• Using the "unsubscribe" link in emails or "STOP" number in texts.

We may ask you to confirm or update your marketing preferences if you instruct us to provide further products in the future, or if there are changes in the law, regulation, or the structure of our business.

10. Who We Share Your Personal Information With

We may disclose aggregated information about our users, and information that does not identify any individual or device, without restriction. We do not sell, trade or otherwise transfer personal information to outside parties (except to the third parties with whom we have contracted to provide services to us, as detailed below). We do not share your personal information with third parties for cross-context behavioral advertising.

In addition, we may disclose personal information that we collect or you provide:

• To our affiliates, including companies within the Ember Legacy, Inc. group of brands and companies.
• To service providers we use to operate the Services, including hosting and infrastructure, communications, AI services, and analytics providers. A current list of our sub-processors is available upon request by contacting support@emberlegacy.ai.
• Third-party AI service providers that perform transcription, media analysis, search, and suggestion services under our instructions and subject to contractual restrictions that prohibit using your User Content to train their general-purpose models.
• To third parties approved by you, including social media sites you choose to link your account to or third-party payment providers.
• To our insurers and brokers.
• To our banks.
• To parties in business transactions, such as a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our Services users is among the assets transferred. In these types of transactions, personal information may be shared, sold, or transferred, and it may be used subsequently by a third party.
• To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
• To enforce our rights arising from any contracts entered into between you and us.
• If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of us, our customers or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

We do not control third parties' collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative ("NAI") on the NAI's website.

11. Personal Information We Disclosed for a Business Purpose

In the preceding 12 months, we have disclosed for a business purpose to one or more third parties the following categories of personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:

• Identifiers (e.g., real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers)
• Information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state ID, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial, medical, or health insurance information
• Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
• Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement)
• Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

12. Where Your Personal Information is Held

Information may be held at our offices and those of our group companies, third party agencies, service providers, representatives and agents as described above (see "Who We Share Your Personal Information With"). User Content and account information are primarily stored on cloud infrastructure operated by our third-party hosting providers on Ember's behalf. We design the Services for long-term storage of your User Content, subject to your deletion and export choices and our data retention practices described below.

13. How Long Your Personal Information Will Be Kept

Because the Ember Services are designed for long-term preservation of your User Content, we generally retain your User Content for as long as your account remains active, unless you choose to delete specific content or your account, or applicable law requires earlier deletion. Thereafter, we will keep your personal information for as long as is necessary:

• To respond to any questions, complaints or claims made by you or on your behalf
• To show that we treated you fairly
• To keep records required by law

We will not retain your personal information for longer than necessary for the purposes set out in this policy. Retention by data type:

• User Content (stories, recordings, photos, messages): retained for the life of your account
• Account information (name, email, profile): retained for the life of your account, then deleted per the schedule below
• Payment records: transaction history retained for 7 years after the transaction date as required by tax and financial regulations
• Error and crash logs: automatically purged after 90 days
• Usage analytics: anonymized and aggregated within 30 days of collection; raw analytics data is not retained

Account deletion: You can request full account deletion at any time through Settings or by contacting support@emberlegacy.ai. After you request deletion:

• Your account enters a 60-day grace period during which it is deactivated but recoverable
• After 60 days, all personal data and content is permanently deleted from active systems
• Backup copies are purged within 90 days of final deletion (up to 150 days total from your initial request)
• Content you previously shared with family members that they received remains with the recipient: it belongs to them

Data export: You can export all of your data at any time, at no cost, in standard formats.

14. Accessing and Correcting Your Personal Information

You can review and change your personal information by logging into the Services and visiting your account profile page.

You may also contact customer support to request access to, correct, or delete any personal information that you have provided to us. We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

15. Links to Other Sites

Please be aware that Ember's website may contain links to other sites that are not governed by this Privacy Policy but other privacy policies that will often differ. We encourage users to review the privacy policy of each Website visited before disclosing any personal information.

16. Children's Privacy and Parents' Rights

Our Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent. If we learn that a child under 13 has provided us with personal information without such consent, we will delete it or take other appropriate action as required by law.

If you are a parent or legal guardian and believe your child under 13 has provided us with personal information, you may contact us at support@emberlegacy.ai to request that we delete their information, review the information we have, or withdraw your consent. If you are a parent or guardian of a user between 13 and 17, you may also contact us to exercise your rights with respect to that minor's account and information.

17. Your Rights Under the GDPR

We are committed to complying with the General Data Protection Regulation (GDPR) for all users residing in the European Union (EU) and European Economic Area (EEA). This provision applies to the processing of personal data of EU/EEA residents, including:

• Users of the Services
• Children under 18, with specific protections as outlined below

We process personal data based on the following legal grounds:

• Consent: for non-essential data collection and processing
• Legitimate interests: for core platform functionality
• Contract performance: for providing our services

As a US-based company, we may transfer your personal data outside the EU to provide our services. Such transfers are conducted in compliance with GDPR requirements by ensuring:

• The use of Standard Contractual Clauses (SCCs) approved by the European Commission; or
• Other legally recognized safeguards

We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy or as required by law.

As an EU resident, you have the following rights regarding your personal data:

• Right to Access: the right to be provided with a copy of your personal information.
• Right to Rectification: the right to require us to correct any mistakes in your personal information.
• Right to be Forgotten: the right to require us to delete your personal information in certain situations.
• Right to Restriction of Processing: the right to require us to restrict processing of your personal information in certain circumstances, e.g. if you contest the accuracy of the data.
• Right to Data Portability: the right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party in certain situations.
• Right to Object: the right to object at any time to your personal information being processed for direct marketing (including profiling); and in certain other situations to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests.
• Right Not to be Subject to Automated Individual Decision-Making: the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

For further information on each of those rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individual rights under the General Data Protection Regulation.

18. How to File a GDPR Complaint

We hope that we can resolve any query or concern you raise about our use of your information. The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in the European Union (or European Economic Area) state where you work, normally live, or where any alleged infringement of data protection laws occurred.

19. Your Rights Under the CCPA

You have the right under the California Consumer Privacy Act of 2018 (CCPA) and certain other privacy and data protection laws, as applicable, to exercise free of charge:

Disclosure of Personal Information We Collect About You. You have the right to know:

• The categories of personal information we have collected about you
• The categories of sources from which the personal information is collected
• Our business or commercial purpose for collecting or selling personal information
• The categories of third parties with whom we share personal information, if any
• The specific pieces of personal information we have collected about you

Please note that we are not required to:

• Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained
• Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information
• Provide the personal information to you more than twice in a 12-month period

Personal Information Sold or Used for a Business Purpose. In connection with any personal information we may sell or disclose to a third party for a business purpose, you have the right to know:

• The categories of personal information about you that we sold and the categories of third parties to whom the personal information was sold
• The categories of personal information that we disclosed about you for a business purpose

Right to Deletion. Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:

• Make a good-faith effort to delete your personal information from our records
• Direct any service providers to delete your personal information from their records

Please note that we may not delete your personal information if it is necessary to:

• Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity
• Debug to identify and repair errors that impair existing intended functionality
• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law
• Comply with the California Electronic Communications Privacy Act
• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent
• Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us
• Comply with an existing legal obligation
• Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information

Protection Against Discrimination. You have the right to not be discriminated against by us because you exercised any of your rights under the CCPA. This means we cannot, among other things:

• Deny goods or services to you
• Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties
• Provide a different level or quality of goods or services to you
• Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services

Please note that we may charge a different price or rate or provide a different level or quality of goods to you, if that difference is reasonably related to the value provided to our business by your personal information.

20. Keeping Your Personal Information Secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. In particular, we implement technical and organizational measures to protect User Content, including encryption in transit and at rest where appropriate, access controls limiting who can access content within Ember's systems, and regular security reviews of our media-storage infrastructure.

We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. We urge you to be careful about giving out information in public areas of the Services like message boards. The information you share in public areas may be viewed by any user of the Services.

Unfortunately, the transmission of information via the internet and mobile platforms is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted through our Services. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures we provide.

21. How to Exercise Your Rights

If you would like to exercise any of your rights as described in this Privacy Policy, please email us at support@emberlegacy.ai.

Please note that you may only make a CCPA-related data access or data portability disclosure request twice within a 12-month period.

If you choose to contact directly by email, you will need to provide us with:

• Enough information to identify you (e.g., your full name, address and customer or matter reference number)
• Proof of your identity and address (e.g., a copy of your driver's license or passport and a recent utility or credit card bill)
• A description of what right you want to exercise and the information to which your request relates

We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information or is someone authorized to act on such person's behalf.

Any personal information we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification.

22. Disclosures to Residents of Colorado, Connecticut, Montana, Oregon, Texas, Utah and Virginia

The disclosures in this section apply solely to individual residents of the States of Colorado, Connecticut, Montana, Oregon, Texas, Utah and Virginia. Privacy laws in Colorado, Connecticut, Utah and Virginia give residents certain rights with respect to their personal data, and privacy laws in Montana, Oregon, and Texas will give residents certain rights with respect to their personal data when they take effect over the course of 2024. Those rights include:

• Right to Access Information: you have the right to access and obtain a copy of your personal data.
• Right to Request Deletion: you have the right to request that we delete personal data provided by or obtained about you.
• Right to Correct: you have the right to correct inaccuracies in your personal data.
• Right to Opt-Out of Targeting Advertising: you may ask us not to use or disclose your information for the purposes of targeting advertising to you based on your personal data obtained from your activity across different businesses, services, websites, etc.
• Right to Opt-Out of Personal Information Sales to third parties.

To submit a request to exercise your access, deletion, or correction privacy rights, please email us at support@emberlegacy.ai with the subject line "Privacy Rights Request" and let us know in which state you live.

Residents of Colorado, Connecticut, Montana, Oregon, Texas, and Virginia may appeal a refusal to take action on a request by contacting us by email at support@emberlegacy.ai.

Residents of Oregon may request that we provide a list of third parties to which we have disclosed personal data. To make such a request, please follow the instructions above for submitting an access, deletion, or correction request.

23. Nevada-Specific Disclosures

For residents of the State of Nevada, Chapter 603A of the Nevada Revised Statutes permits a Nevada resident to opt out of future sales of certain covered information that a website operator has collected or will collect about a resident. Although we do not currently sell covered information, please contact us at support@emberlegacy.ai to submit such a request.

24. Canada-Specific Disclosures

If you live in Canada, you have the following additional rights:

• Right to Access: you can ask us to (i) confirm that we have personal information about you, and (ii) provide you a copy of that information.
• Right to Correct: you can ask us to correct any inaccurate or incomplete personal information that we have about you.

You may submit a request by contacting us at support@emberlegacy.ai with the subject line "Canadian Privacy Rights Request". Before we honor your request, we will need to verify your identity.

25. Changes to This Privacy Notice

This privacy notice was published on May 8, 2026 and last updated on the date set forth above. We may change this privacy notice from time to time. When we do, we will inform you via our website or other means of contact such as email. By accessing or using the Services after we make any such changes to this Privacy Policy, you are deemed to have accepted such changes. Please refer to this Privacy Policy on a regular basis.

26. How to Contact Us

Please contact us by email if you have any questions about this privacy policy or the information we hold about you.

Ember Legacy, Inc. 2118 Wilshire Blvd #1222 Santa Monica, CA 90403

Email: support@emberlegacy.ai

If you would like this notice in another format (for example: audio, large print, braille) please contact us at the email above.