Legal

Privacy Policy

Last updated: April 18, 2026

This Privacy Policy describes how Emiri sp. z o.o. collects, processes and protects your personal data in connection with your use of the emiri.io website and the panel application.

1. Data Controller

The controller of your personal data is:

Emiri sp. z o.o.
ul. Przykładowa 1, 00-001 Warsaw, Poland
NIP: 0000000000
E-mail: hello@emiri.io

2. Data We Collect

Depending on how you use the service, we collect:

  • Account data: email address, password (stored as argon2 hash), optionally company name.
  • Billing data: invoice details — processed by Stripe. Emiri does not store card numbers.
  • Technical data: IP address, browser type, session timestamps — for security and diagnostics.
  • Widget data: content of conversations from visitors to your site (visitorId, messages) — linked to your workspace, not to visitor identity.
  • Leads: contact data collected by the assistant (name, email, phone) — visible only to the workspace owner.

3. Purpose and Legal Basis

Purpose Legal basis (GDPR)
Providing the service (account, chatbot, panel) Art. 6(1)(b) — performance of a contract
Billing and invoicing Art. 6(1)(c) — legal obligation
Security and abuse detection Art. 6(1)(f) — legitimate interest
Newsletter (if you have consented) Art. 6(1)(a) — consent

4. Cookies and Tracking

Emiri uses only strictly necessary cookies:

  • emiri_client_session — httpOnly, SameSite=Lax; session authentication.
  • emiri_ev — httpOnly; email verification status.

We do not use advertising cookies, Meta pixels, Google Analytics or any other tracking tools. The marketing site contains no external tracking code whatsoever.

5. Sub-processors

We use the following sub-processors:

  • Hetzner Online GmbH (DE) — infrastructure hosting, servers in Frankfurt data centre.
  • Stripe Inc. (US → EU SCC) — payment processing, DPA with Emiri.
  • Anthropic PBC (US → EU SCC) — conversation content processing via Claude; data not used for training.
  • OpenAI Ireland Ltd. (IE) — embedding generation; data not used for training.
  • Resend Inc. (US → EU SCC) — transactional email delivery.

6. International Data Transfers

Some sub-processors (Anthropic, OpenAI, Resend, Stripe) are based in the US. Transfers are made under Standard Contractual Clauses (SCCs) approved by the European Commission. Conversation content sent to AI APIs is minimised — we only send what is necessary to generate a response.

7. Data Retention

  • Account data — for the duration of the agreement plus 30 days after account deletion (recovery window).
  • Security logs (audit_log) — 12 months.
  • Billing data — 5 years (statutory accounting obligation).
  • Conversation content — until workspace deletion or 24 months from last activity, whichever is earlier.

8. Your Rights

Under the GDPR you have the right to:

  • Access your data (Art. 15 GDPR).
  • Rectification of inaccurate data (Art. 16 GDPR).
  • Erasure ("right to be forgotten", Art. 17 GDPR).
  • Restriction of processing (Art. 18 GDPR).
  • Data portability in CSV/JSON format (Art. 20 GDPR).
  • Objection to processing based on legitimate interest (Art. 21 GDPR).
  • Withdrawal of consent at any time (where consent is the legal basis).

To exercise these rights, write to dpo@emiri.io. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection supervisory authority.

9. Data Protection Contact

Data Protection Officer: dpo@emiri.io