Privacy Policy
Effective 2026-05-21 · Version 1.0.0
This Privacy Policy describes how the Emu team (“Emu”, “we”, “us”) collects, uses, stores, and shares your personal data when you use the Emu mobile application (the “App”) and the website at getemu.app (together, the “Service”).
We are based in Australia. We process personal data in line with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Brazil’s LGPD, and other applicable laws depending on where you are based.
Where we operate. The Service is not offered to, and is not intended for, residents of the European Economic Area (EEA), the United Kingdom, or Switzerland. The App is not made available on those App Store storefronts. If you are in one of those regions, please do not use the Service.
1. What we collect
We collect only what we need to run the Service.
Account data
- A user identifier issued by our authentication provider (Supabase Auth)
- Your email address (if you sign in with email)
- Your name (if you provide it during email sign-up)
- Whether your account is anonymous
- Account creation and update timestamps
- The timestamp of your most recent authenticated request, used to detect dormancy and decide whether to send re-engagement reminders
If you sign in with Apple or Google, we receive an identity token from that provider. We do not receive your Apple or Google password. We do not request access to your contacts, calendar, photos, or any other data beyond the minimum needed to identify your account.
Usage data
Inputs you provide when asking for a suggestion (such as your mood, who you’re with, time available, transport, and any notes), the suggestions we return to you, and how you respond to them (saved, visited, or dismissed). We also keep counters needed to enforce free-tier limits.
Location data
To find places or spots for you, we need to know where to search. You provide this in one of two ways:
- GPS from your device (with your operating-system permission), or
- A place or address you type in, which we look up via Google Places.
What we do with it: your location is used only to (a) search for nearby venues via Google Places, (b) give our AI enough context to pick a relevant spot, and (c) display travel time to the suggestion. That’s it. We don’t use it to build advertising profiles, infer anything about you, or track your movements over time.
We do not store your location. This applies to both GPS coordinates from your device and any place or address you type in. Your location stays on your device, is sent to our servers only as part of a suggestion request, and is held in memory only while that request is running before being discarded. We do not persist it server-side, and we do not continuously track you in the background.
You can revoke location permission at any time in your device settings. The App keeps working. You can type a place manually instead.
We also do not store the coordinates of the places we suggest to you. We only save a stable Google “place ID” so we can fetch fresh details (including coordinates) from Google Places when you revisit the place from your history. See Section 5 for details.
Device data
- A device identifier issued by your operating system (or a unique identifier we generate locally if none is available), used to prevent abuse such as creating many anonymous accounts from the same device.
- Your IP address, used in memory to enforce rate limits. We do not store raw IP addresses.
Notification data
If you enable push notifications, we store the push token issued by your device’s operating system so we can deliver notifications to it. We also keep an internal log of what we sent and when, so we can measure delivery reliability and avoid sending you the same nudge twice. The log does not contain personal information beyond the link to your account and is deleted with your account.
Subscription data
If you purchase a subscription or one-off credit, our subscription provider (RevenueCat) receives your account identifier and the product you bought. We receive the resulting subscription status. Apple or Google processes your payment directly; we never see your card details.
Consent records
When you accept our Terms and confirm you are 18 or older, we keep a record of your consent so we can demonstrate it was given.
A note on free-text fields
Emu has several free-text fields. Please do not type information about your health, race, religion, political views, sexual orientation, or other sensitive personal information in them. We do not solicit, infer, or store sensitive characteristics. We do not share what you type with advertisers, and we do not use your inputs to identify you or infer sensitive attributes.
Your free-text inputs are stored alongside the action they relate to and are deleted with your account.
Information about the people you’re with
We ask who you’re with so the AI can tailor the suggestion to your context. We collect only a broad category. We do not ask for, and do not collect, any personal information about other people from you. No names, no contact details, no identifying information.
Sources of personal information
We collect personal information from:
- You directly, when you sign up, accept our Terms, or use the App (for example, your email address, your sign-up choices, your suggestion inputs, and any free-text notes).
- Your device, including identifiers issued by your operating system, your IP address (held in memory only), your approximate or precise location (with your permission), and your push notification token.
- Authentication providers (Apple, Google, and Supabase Auth) when you sign in, in the form of an identity token and a user identifier.
- Our subscription provider (RevenueCat) for your subscription status.
- Our places provider (Google Places) for venue data tied to a specific suggestion request.
2. Sensitive personal information
Several privacy laws apply heightened protection to “sensitive personal information.” This includes:
- Under the California Privacy Rights Act (CPRA) and similar US state laws: precise geolocation (a location identifying you within a radius of 1,850 feet).
- Under Australian Privacy Principle 3.3: information about your racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, sexual orientation, sex life, criminal record, and health or genetic information.
Precise location. We use your precise location only to find places near you and to give our AI context to pick a relevant spot. We do not use it to infer characteristics about you, build advertising profiles, or share with third parties beyond the subprocessors listed in Section 5. As noted in Section 1, we do not store your location; it is held in memory during the request and then discarded.
Other sensitive categories. We do not solicit, collect, infer, or process information about your race, religion, political opinions, sexual orientation, or health. If something like that ends up in a free-text field (see Section 1), we do not use it to infer sensitive attributes, build a profile of sensitive characteristics, or share it with advertisers.
If you are a California resident, you have the right to limit our use of sensitive personal information; see Section 13 for how to exercise that right.
3. Why we use your data
We use your personal information for the following purposes:
- To provide and improve the Service: creating your account, generating suggestions and refining them based on your past interactions, processing your location, enforcing free-tier limits, delivering your subscription.
- With your consent: accepting our Terms and age confirmation. You can withdraw consent at any time by deleting your account.
- To meet legal obligations: retaining consent records, responding to lawful requests from authorities.
- To protect our legitimate interests: preventing fraud and abuse (rate limiting, device-level checks), maintaining security, supporting customers.
We do not use your data for targeted advertising. We do not sell your personal data. We do not share it with data brokers.
4. AI and automated decision-making
Emu uses Anthropic’s Claude large language model to pick one venue suggestion from a set of possibilities. This is a form of automated decision-making (ADM). In line with Australian privacy law (APP 1.3, transparency obligations taking effect by 10 December 2026), we disclose the following.
Categories of personal information the AI uses
- The location used for the request
- Your suggestion inputs (such as your mood, who you’re with, time available, transport, and any notes)
- The local day of week and time
- A list of nearby places retrieved in real time from Google Places
- Your prior interactions with the app (to avoid repeating venues and to refine future suggestions).
Logic involved
The AI is instructed to pick one venue matching the context you provided. It uses real-time Google Places results for factual venue details (not its own training data) and accounts for opening hours and weather where relevant.
Envisaged consequences
The consequence is a single venue suggestion. Following it may influence your time, movement, or spending for the next few hours, which are the normal consequences of any leisure-planning tool. The ADM does not produce a legal or similarly significant effect on you (it is not used for credit, employment, insurance, law enforcement, or any other legally consequential decision). You are always free to ignore, dismiss, or shuffle for another suggestion.
Your safeguards
- Explainability: every suggestion includes a “why this pick” rationale.
- Human override: you can shuffle, skip, or start over at any time.
- No sensitive inference: we do not use the AI to identify you or infer sensitive characteristics (such as race, religion, health, or sexual orientation).
- Real-time source verification: venue details come from Google Places at the moment of each request, not from the AI’s training data.
- Limited use of history: we may use your past interactions to refine future suggestions, but we do not profile you for advertising, infer sensitive characteristics, or share this data outside the subprocessors listed in Section 5.
Training and retention by Anthropic
Anthropic processes our API traffic under its Commercial Terms of Service, which state that Anthropic does not train its models on our Customer Content. Retention of API traffic is governed by Anthropic’s Data Processing Addendum. See Anthropic’s Commercial Terms.
Limits of the AI
The AI is a probabilistic system. Suggestions may be inaccurate or outdated. The suggestion is assistance, not professional advice. Verify critical details such as opening hours, accessibility, or area safety before you go.
5. Who we share data with
We share personal data only with the service providers (“subprocessors”) that keep the Service running. Each is bound by a written contract (a Data Processing Agreement or equivalent) that restricts their use of your data to delivering the specific service we engage them for. In particular, our AI provider is contractually prohibited from using your data to train its models.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database | United States / EU |
| Anthropic (Claude) | AI suggestion generation | United States |
| Google Places | Place data and location-based context | United States / global |
| RevenueCat | Subscription billing management | United States |
| Expo | Push notification delivery (relay to Apple Push Notification service) | United States |
| Apple / Google Play | App distribution and payment processing | Global |
Google Places caching: we comply with the Google Maps Platform Terms of Service. We only retain the Google “place ID” (a stable identifier) for places we have suggested to you. Other Google place data (name, address, coordinates, photos, ratings) is fetched in real time on each request and not cached beyond what Google’s API policies permit.
We may also share data when required by law, to protect our rights or the safety of users, or if our business is sold or reorganised (you will be notified before any change of controller takes effect).
6. International transfers
We are based in Australia. Some of our subprocessors operate overseas (see Section 5 for the list of countries). Where we transfer personal data outside Australia, we take reasonable steps to ensure each subprocessor handles it in a manner consistent with the Australian Privacy Principles, in accordance with Australian Privacy Principle 8.
7. How long we keep your data
- Account data and adventure history: for as long as your account is active.
- When you delete your account: we deactivate it immediately and permanently erase all of your personal data after a 7-day grace period (the grace period lets you recover the account if you change your mind). The grace period is automated.
- Consent records: retained while your account exists; deleted together with your account.
- Your location: not stored. Held in memory only while a suggestion request is running, then discarded.
- Rate-limiting data (IP, device counts): held in memory only and cleaned up every few minutes; not persisted.
- Subscription records: the records we hold are linked to your account and are deleted with it. Apple and our subscription provider (RevenueCat) retain transaction records under their own policies, which are independent of ours.
8. Your rights (all users)
Wherever you live, you can ask us to:
- Access a copy of the personal data we hold about you
- Correct inaccurate data
- Delete your account and personal data
- Restrict or object to certain processing
- Port your data (receive it in a machine-readable format)
- Withdraw consent at any time (without affecting the lawfulness of prior processing)
- Lodge a complaint with your data protection authority
You can delete your account directly from the App’s profile screen. For all other requests, including data access and portability (export), email us at support@getemu.app from the address associated with your account. We will respond within 30 days (or the shorter period required by your local law).
9. Push notifications and other communications
If you enable push notifications in the App, we use them to let you know about things like new suggestions relevant to you, subscription renewal reminders, important service updates, and reminders if you haven’t opened the App in a while. You can turn them off at any time in your device settings.
We do not send marketing SMS. We may send transactional email (account, billing, security) to the address you provided. You can opt out of non-transactional email by using the unsubscribe link in any message or by emailing support@getemu.app.
10. Cookies and tracking
The mobile App does not use cookies. The website at getemu.app uses only strictly necessary cookies needed to serve the site. If we add analytics or advertising cookies in the future, we will update this policy and show you a consent banner first.
11. Children
You must be 18 or older to use Emu. This is a contracting-age requirement (so you can validly accept our Terms and authorise subscription purchases), not a content restriction. During sign-up we ask you to confirm your age. We do not knowingly collect personal data from anyone under 18, and we do not knowingly collect personal data from children under 13 in the United States (as defined by COPPA). If you believe a child has provided us with personal data, email support@getemu.app and we will delete it.
12. Security
We use encryption in transit (TLS), managed databases with access controls, role-based access for our team, and vendor reviews for our subprocessors. No system is completely secure, but we work hard to keep yours safe.
13. United States: state-specific rights
California (CCPA/CPRA)
If you are a California resident you have the right to:
- Know the categories of personal information we collect, the sources, the business/commercial purpose, and the categories of third parties we share it with
- Access the specific pieces of personal information we hold about you
- Delete your personal information, subject to legal exceptions
- Correct inaccurate personal information
- Opt out of the sale or sharing of your personal information
- Limit the use and disclosure of sensitive personal information
- Not receive discriminatory treatment for exercising these rights
We do not sell or share your personal information (as “sale” and “sharing” are defined under the CCPA/CPRA), and we do not use sensitive personal information for purposes that would trigger your right to limit. In the last 12 months we have not disclosed personal information for monetary or other valuable consideration.
To exercise any California right, email support@getemu.app with the subject line “California rights request”. You may also authorise an agent to act for you; we may require reasonable proof of authorisation.
California Shine the Light (Civ. Code §1798.83): we do not share personal information with third parties for their own direct-marketing purposes.
Nevada (SB 220)
Nevada residents have the right to opt out of the sale of certain covered information. We do not sell covered information, but if you would like us to record this preference, email support@getemu.app with the subject line “Nevada opt-out”.
Virginia, Colorado, Connecticut, Utah, Texas, Oregon (and other comprehensive state laws)
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other US states with comprehensive privacy laws have the right to access, delete, correct (where the law provides), and port personal data, and to opt out of sale, targeted advertising, and profiling for decisions that produce legal or similarly significant effects. We do not sell personal data, engage in targeted advertising, or use profiling to make legal or significant decisions about you. To exercise any right, email support@getemu.app with your state and the right you want to exercise.
If we deny your request, you may appeal by replying to our response. We will review the appeal within the period required by your state law.
14. Brazil (LGPD)
If you are in Brazil, the Lei Geral de Proteção de Dados (LGPD) gives you the right to confirmation of processing, access, correction, anonymisation, portability, deletion, information about sharing, information about the consequences of refusing to consent, and withdrawal of consent. Email support@getemu.app to exercise any of these rights. You can also complain to the Brazilian National Data Protection Authority (ANPD).
15. Australia
If you are in Australia, your rights are set out in the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This policy has been written to meet the transparency obligations under APP 1.3 relating to automated decision-making that take effect by 10 December 2026, as introduced by the Privacy and Other Legislation Amendment Act 2024.
You can complain about how we handle your personal information to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. We will try to resolve your complaint internally first. Email support@getemu.app with the subject line “Privacy complaint”.
16. Changes to this policy
We may update this policy from time to time. If the changes are material, we will notify you in the App at least 30 days before they take effect and ask for fresh consent where required. The effective date and version number at the top of this page always reflect the current version. Previous versions are archived and available on request.
17. Contact
For anything privacy-related, email support@getemu.app. See also our Terms of Service.