EMA AI

Privacy Policy

1. Controller

The data controller in the sense of GDPR is Escapers GmbH, Schönbrunner Straße 222–228 / Stiege 3 / Top A2, 1120 Wien, Austria. Contact: privacy@useema.com. Full corporate details: Imprint.

2. What we process

We process two categories of personal data:

  • Customer data (business users of EMA AI): name, email, language, payment data (processed by Stripe), hashed passwords, optional TOTP secret for 2FA.
  • Visitor data (end-visitors of our customers' websites chatting with the EMA widget): chat message content, auto-generated session IDs, optional UTM parameters, IP address (truncated for rate-limiting), browser language.

3. Purposes & legal bases

  • Performance of contract — providing the SaaS platform (Art. 6 (1)(b) GDPR).
  • Operation and grounding of AI assistants — chat messages are forwarded in real time to LLM providers to produce a reply that stays inside the domain provided by the customer (Art. 6 (1)(b)). Messages are NOT used to train the external LLM providers' models.
  • Security & abuse prevention (rate limiting, origin enforcement) — legitimate interest (Art. 6 (1)(f)).
  • Payment processing & accounting — legal obligation (Art. 6 (1)(c)).

4. Automatic anonymisation (PII masking)

Before any LLM call and before any persistent log write, EMA scans incoming visitor messages for personal data (email addresses, phone numbers, credit card numbers) using regular expressions and replaces each match with [EMAIL], [PHONE], or [CARD] respectively. Neither our logs nor external LLM providers see the original values.

5. Sub-processors

  • OpenAI, Anthropic, Google (via Emergent Universal LLM Proxy) — AI reply inference. EU Standard Contractual Clauses; messages are not used for model training.
  • Stripe Payments Europe Ltd. (Ireland) — payment processing under their own privacy policy.
  • Resend Inc. — transactional email delivery (2FA codes, crawl-complete notifications). DPA in place.
  • MongoDB Atlas (EU region) — data storage.
  • Emergent Inc. — hosting platform.

6. Retention

Visitor conversation data is retained for 180 days, then auto-deleted via MongoDB TTL. Customer data is retained for the duration of the active subscription plus statutory retention periods.

7. Your rights (Art. 15–22 GDPR)

Right of access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with the competent supervisory authority (Austrian Data Protection Authority, dsb.gv.at). Direct requests to privacy@useema.com.

8. Cookies & tracking

We only use strictly necessary cookies (session, CSRF). Any optional analytics cookies are set only after your explicit consent via the cookie banner.

Last updated: February 2026.
