EmberMotion Privacy Policy

The short version

EmberMotion is built for Australian athletes by a small Australian company. This policy explains what we do with your information when you use the EmberMotion app or visit ember-systems.com.

Three things you should know:

• Your video stays on your phone. EmberMotion uses your phone's camera to assess movement. The video and the body landmarks we detect from it never leave your device. We never see them, never store them, never send them anywhere.
• We don't sell your data, show you ads, or share with insurers, employers, sponsors, or sports organisations. No advertising IDs, no ad networks, no affiliate partners. Our business model is subscriptions — yours is the only money in our pockets.
• You're in control. You can see what's stored about you, export it as a download, change it, or delete your whole account from inside the app. We keep what we have to keep for as long as we have to keep it, and not a day longer.

If you want the detail, the rest of this policy walks through it section by section. If you only have time for the short version, that's most of it.

1. About this policy

This policy is published by Ember Systems Pty Ltd (ACN 695 871 142), a company registered in Buderim, Queensland, Australia. We're the controller of any personal information you give us, in the sense the Australian Privacy Principles use that word.

Throughout this policy, "we," "us," and "Ember Systems" mean the company. "You" means the person using our Services.

"Services" means:

• ember-systems.com (our website), and
• EmberMotion (our app for iOS and Android).

We've written one privacy policy that covers both. Where something only applies to the website or only to the app, we'll say so.

This policy was last updated on the date shown at the top. We keep an archive of older versions and we'll tell you when we change it materially.

2. Who can use the Services

For now, EmberMotion is available only to people in Australia. The website serves general information to anyone, but signing up for the waitlist or creating an account in the app requires you to be in Australia.

You also need to be 18 or older. We'll ask your date of birth and you'll need to confirm you're at least 18 when you create your account. We don't knowingly collect information about anyone under 18.

We'll open the app to other countries in the future. When we do, we'll update this policy with the additional rights and protections that apply to people outside Australia, and we'll tell you about the changes before they take effect.

3. The information we collect

Here's what we collect, broken down by where it comes from.

Information you give us when you sign up

• Email address — we use it to identify your account, send you assessment results, and (with your permission) send marketing updates.
• Display name — we ask "what should we call you?" so you can choose any name. Most people use their first name or a nickname. We don't ask for or verify your legal name.
• Password — your password is hashed by our authentication system before it touches our database. We never see the password itself.
• Sign-in provider — if you sign in with Apple or Google, we receive an identifier from that provider and (if you let them share it) your email address. We ask for the minimum information needed to set up your account.

Information you give us during your assessment

When you do a movement assessment in the app, we ask you a series of questions about your training, your body, and your history. This includes:

• Demographics — age, sex, height (exact), weight, primary sport, handedness.
• Health information — injuries, pain levels, surgeries, and relevant health history. We ask this so the assessment can give you a meaningful findings report and a useful corrective program. Health information is sensitive under Australian law, and we treat it that way (see Section 6).

We collect this through a voice-driven intake. We process and keep the transcript of what you tell us. We don't keep the audio.

Information we generate from your assessment

Based on what you tell us and the movement assessment, the app produces:

• Your Resilience Score
• Your body risk map
• Compensation patterns and asymmetries we detect
• A personalised findings report and corrective program

We keep these so you can see your progress over time and access your results across devices.

Information about your device and how you use the app

• Device information — your phone model, operating system version, app version, IP address, and crash logs.
• Usage data — which screens you visit, which exercises you complete, how often you use the app, and similar patterns.
• Coarse location — we infer your general region from your IP address. We don't collect your precise location and we don't ask for GPS.

We don't collect advertising identifiers (IDFA on iOS, GAID on Android). We've made this choice deliberately.

Information about your subscription

If you subscribe to a paid plan, the payment itself goes through Apple's App Store or Google Play. We don't see your card number, your billing address, or any payment details. Apple and Google do.

What we do see, through our subscription provider RevenueCat, is which plan you're on, when it started, when it renews, and whether it's active. That's it.

4. The information we don't collect

It's worth being explicit about what doesn't leave your phone, doesn't get stored, or doesn't ever get associated with you. These aren't promises we intend to keep — they're how the system is built.

• Your video. When you record an assessment, the camera feed is processed entirely on your device. The video itself is never uploaded, never copied, never sent anywhere outside your phone.
• The body landmarks our pose detection generates. When the app detects the position of your joints, those coordinates exist only in memory on your device for the length of the assessment. They aren't saved to disk and they aren't sent to us. We never see them.
• Your real name. We ask for a display name so we know what to call you. Some people use their real first name, some use a nickname, some use a pseudonym. We don't ask for, verify, or store your legal name.
• Your card details. Apple and Google handle payment. We don't see your card number, CVV, billing address, or anything else attached to your payment method.
• Health data from Apple Health or Google Fit. We don't read from or write to either platform.
• Your contacts, photo library, microphone outside an assessment, or anything else. The app asks for camera permission to do its job. It doesn't ask for anything else and it doesn't read anything else.

5. How we use your information

We use the information we collect to:

Run the Services

Setting up and running your account, taking you through assessments, generating your Resilience Score and program, showing your results across your devices, processing your subscription, and sending you transactional emails (account confirmations, password resets, receipts).

Improve EmberMotion

We analyse the de-identified information we collect — derived metrics, intake responses, usage patterns — to refine our movement screening algorithms and to make the app more accurate over time. We don't sell, license, or share this with anyone outside Ember Systems for this purpose. We don't train external AI models on it.

Talk to you

With your permission, we send marketing updates about new features, new content, and what's happening at Ember Systems. You can unsubscribe at any time using the link at the bottom of every email. Push notifications work the same way — you can turn them off in your phone's settings or in the app.

Publish aggregate insights

We may publish or talk about patterns we see across our user base — for example, "Australian CrossFit athletes show this much hip asymmetry on average." These insights are statistical and population-level. They never identify any individual.

Keep things working safely

We use device data and usage logs to investigate problems, detect abuse, and keep the app secure.

Comply with the law

If we have to disclose information to comply with an Australian legal obligation — for example, a court order or a regulator's request — we'll do that and document it.

By creating an account and using the app, you agree to the first two of these (running the Services and improving EmberMotion). The rest are either voluntary on your part (marketing, push notifications) or required by law.

6. Sensitive information

The health information you share during your intake — injuries, pain, health history, and similar — is "sensitive information" under the Australian Privacy Principles. We collect it only with your explicit consent.

Before each voice intake, the app asks you to confirm you understand you're about to share health information and that you agree to it. The session won't proceed without that consent.

We use sensitive information only for:

• Producing your assessment, findings, and program
• Improving our screening algorithms (in de-identified form)

We don't share it with insurers, employers, healthcare providers outside Ember Systems, sponsors, sports organisations, or any other third party. You can withdraw your consent at any time by deleting your account, which permanently removes the information you've shared (see Section 12).

Important: EmberMotion is not a medical device. It doesn't identify health conditions, and the findings aren't a medical opinion — they're an assessment of how you move. If you have pain, an injury, or any health concern, please see a qualified healthcare professional.

7. Who else processes your data

We rely on a small number of trusted third-party providers to run the Services. These providers process your information on our behalf, under contracts that require them to keep it secure and use it only for what we've engaged them to do.

The current list is:

• Supabase — our database and authentication provider. Stores your account, your assessment results, and your derived metrics. Supabase hosts our project in their Sydney region (ap-southeast-2). Most of your data lives in Australia.
• Vercel — hosts ember-systems.com. Vercel is a US-based company with edge servers in many countries, including Australia.
• OpenAI — runs the language and speech models that power the voice intake, the assessment, and the generated findings report and program.
• RevenueCat — manages our paywall and subscription state.
• Apple App Store / Google Play — process subscription payments.
• Google Workspace — handles our email, including replies to messages you send to privacy@ember-systems.com.
• Analytics and error-tracking providers — we use a small number of operational providers for app analytics and error monitoring. The current list is published at ember-systems.com/sub-processors.

We may add or change providers over time. The current list lives at ember-systems.com/sub-processors and we update it whenever a provider changes. If a change is material, we'll let you know by email.

We don't use ad networks, marketing affiliates, or analytics platforms that profile users across apps and websites.

8. Where your data is stored

Most of your information lives in our Supabase project in Sydney. Specifically:

• Your account and profile fields
• Your assessment results and derived metrics
• Your voice intake transcripts
• Your subscription state

This means the bulk of your personal information stays in Australia.

Some processing happens outside Australia:

• The OpenAI models we use for voice intake, assessment, and report generation run on OpenAI's infrastructure in the United States.
• Vercel's edge network may serve our website from servers outside Australia.
• RevenueCat's infrastructure is in the United States.
• Email replies you send to us are processed by Google Workspace.

Where information leaves Australia, we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles. We rely on contractual commitments and the providers' own published privacy and security practices.

9. Automated processing and AI

EmberMotion uses automated processing to generate your assessment and program. Specifically:

• Pose detection on your phone identifies the position of your body in real time.
• Our screening algorithms analyse the assessment data to detect compensation patterns and asymmetries.
• A language model translates the results into a written findings report and a corrective program.

These outputs are training tools, not medical opinions. They support your training; they don't replace a qualified professional.

If you'd like a human to look at your results — for example, if something doesn't seem right, or you'd like another perspective — email privacy@ember-systems.com and someone from our team will review the assessment with you.

We don't use your personal information to train external AI models. The screening algorithms inside EmberMotion are refined using only de-identified data, and our language model provider (OpenAI) has committed not to use our data for their model training.

10. How long we keep your information

We keep your information for as long as we need it to run the Services and meet our legal obligations. Specifically:

When you delete your account, we begin a 30-day soft-delete window during which you can sign back in and recover the account. After 30 days, we permanently delete your information from our primary database. Backup copies are purged on natural rotation, which finishes within 90 days of your deletion request.

11. How we keep your information secure

We've put a number of measures in place to protect your information:

• All connections between your device, our website, and our backend are encrypted in transit using TLS.
• Information stored in our database is encrypted at rest.
• Access to our backend systems is restricted to people who need it, and is protected by multi-factor authentication.
• Database access is governed by row-level security, so each user's data is only accessible to that user (and to our small team for support and operations).
• Administrative actions are logged and auditable.

No system is perfectly secure. If something goes wrong and your information is compromised, we'll let you know. Specifically, where a breach is "eligible" under the Notifiable Data Breaches scheme — meaning it's likely to result in serious harm — we'll notify both you and the Office of the Australian Information Commissioner without undue delay.

Internally, our target is to investigate, contain, and notify within 72 hours of becoming aware of a notifiable breach.

12. Your rights and choices

Australian privacy law gives you a number of rights about your information. We've built tools into the app and website to make these as easy to exercise as possible.

See what we have about you

Most of your information is visible inside the app — your profile, your assessment history, your programs. If you want a complete picture, you can request a copy by emailing privacy@ember-systems.com or by using the Export My Data feature in your in-app preferences. We'll send you a CSV or JSON file with everything we hold.

Correct anything that's wrong

You can edit your profile fields directly in the app. For anything else, email us and we'll fix it.

Delete your account

From your in-app preferences, choose Delete My Account. We'll soft-delete your account immediately and permanently delete it 30 days later. If you change your mind during the 30 days, just sign back in.

Withdraw consent

Marketing emails, optional analytics, and any other consent-based processing can be turned off from your in-app preferences screen, or by clicking the unsubscribe link at the bottom of any marketing email.

Complain

If you think we've handled your information badly and we haven't fixed it after you've raised it with us, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.

We aim to acknowledge any privacy request within 7 days and substantively respond within 30. We may need to verify your identity before disclosing or deleting information — usually this is straightforward (we'll ask you to confirm something only the account holder would know).

13. Marketing and notifications

We send two kinds of communication:

Transactional messages

Account confirmations, password resets, subscription receipts, deletion confirmations, and similar. We send these because you've signed up for the Services and they're necessary to provide them. You can't opt out of these as long as your account is active.

Marketing messages

Updates about new features, content, and what we're building. We only send these with your permission, which you give when you sign up for the waitlist or check the marketing box in your preferences. Every marketing email has a one-click unsubscribe link in the footer. Unsubscribing takes effect immediately.

Push notifications

If you enable push notifications, we may send you reminders about training sessions, new programs, or news from Ember Systems. You can turn these off at any time in your phone's settings or in the app preferences.

We don't send marketing SMS messages.

14. Cookies on our website

ember-systems.com uses a small number of cookies, all of them strictly necessary to make the website work:

• Authentication cookies that keep you signed in if you have an account
• Security cookies that help us prevent fraud and abuse
• Anti-CSRF cookies that protect form submissions

We don't use advertising cookies, social media tracking cookies, or third-party analytics cookies. For website analytics, we use Vercel Analytics, which is cookieless and doesn't set any tracking identifiers.

The app doesn't use cookies — apps don't work that way. App-side analytics is first-party only and configurable from your in-app preferences.

15. Children

EmberMotion is for adults. If you're under 18, please don't use the Services or sign up for the waitlist.

If we learn we've inadvertently collected information from someone under 18, we'll delete it. If you believe we have information from a child, email privacy@ember-systems.com and we'll investigate.

16. Changes to this policy

We update this policy from time to time. When we make a change that materially affects how we collect or use your information, we'll do all of these:

• Email everyone with an account
• Show a notice in the app the next time you open it
• Update the "Last updated" date at the top of this policy
• Keep an archive of the previous version, available on request

For minor changes — fixing a typo, adding a new sub-processor of the kind we've already disclosed, clarifying language — we'll just update the date and the text.

17. How to contact us

For anything to do with this policy or your information, write to:

• Email: privacy@ember-systems.com
• Privacy Officer: Calvin Atkinson
• Mailing address: Ember Systems Pty Ltd, Buderim, Queensland, Australia

We aim to acknowledge privacy emails within 7 days. For substantive responses, allow up to 30 days, although most things we resolve sooner.

If you've contacted us and you're not satisfied with how we've handled your concern, you can take it to: