Privacy Policy

Effective date: February 8, 2026

1. Introduction

This Privacy Policy explains how Emika ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use our AI employee platform at emika.ai and app.emika.ai (the "Service").

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using the Service, you acknowledge that you have read and understood this policy.

2. Data We Collect

2.1 Account Information

  • Email address — for account creation, authentication, and communication
  • Name — for personalization and account identification
  • Password — stored as a secure hash, never in plain text

2.2 Usage Data

  • Chat history — conversations between you and your AI employee
  • Files — documents, code, and other files stored in your AI employee's workspace
  • Activity logs — actions performed by your AI employee (commands, API calls, tasks)
  • Usage patterns — features used, session duration, interaction frequency

2.3 API Keys & Credentials

When you connect third-party services, you may provide API keys, tokens, and other credentials. These are:

  • Stored encrypted on our servers
  • Used solely to perform actions on your behalf through your AI employee
  • Never shared with other users or third parties
  • Accessible only to your AI employee's isolated container

You can revoke or delete your credentials at any time.

2.4 Technical Data

  • IP address, browser type, operating system
  • Device information and screen resolution
  • Referring URLs and page views
  • Error logs and performance data

3. How We Use Your Data

Purpose | Legal Basis (GDPR)
Providing and operating the Service | Contract performance
Account creation and authentication | Contract performance
Executing AI employee tasks on your behalf | Contract performance
Sending service-related communications | Contract performance
Improving and developing the Service | Legitimate interest
Analytics and usage statistics | Legitimate interest
Error tracking and debugging | Legitimate interest
Security monitoring and fraud prevention | Legitimate interest
Legal compliance | Legal obligation

We do not sell your personal data. We do not use your chat history or files to train AI models.

4. Data Storage & Location

All data is stored on dedicated servers hosted by Hetzner in Germany, within the European Union. Each user's AI employee runs in an isolated Docker container with its own:

  • File system and workspace
  • MongoDB database
  • Persistent memory storage

Data does not leave the EU for storage purposes. However, some data may be processed by third-party services outside the EU as described in Section 5.

5. Third-Party Services

We use the following third-party services to operate and improve Emika:

Service | Purpose | Data Shared
Cloudflare | CDN, DDoS protection, DNS | IP address, request metadata
Amplitude | Product analytics | Anonymized usage events, feature interactions
Sentry | Error tracking & monitoring | Error logs, stack traces, device info
OpenAI | AI language model provider | Chat messages, prompts (for AI processing)
Anthropic | AI language model provider | Chat messages, prompts (for AI processing)

AI providers (OpenAI, Anthropic) process conversation data to generate AI responses. We use their API services, which have their own data handling policies. We do not opt into any training data programs offered by these providers.

When you connect your own third-party services through API keys, your AI employee communicates directly with those services on your behalf. We do not control how those third-party services handle your data.

6. Cookies & Tracking

We use cookies and similar technologies for:

  • Essential cookies — authentication, session management, security (required for the Service to function)
  • Analytics cookies — understanding how you use the Service (Amplitude)

We do not use advertising or marketing cookies. You can manage cookie preferences through your browser settings, though disabling essential cookies may prevent the Service from working properly.

7. Data Retention

  • Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
  • Closed accounts: After account deletion, we delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records).
  • Chat history & files: Stored for the duration of your account. You can delete individual conversations or files at any time.
  • Analytics data: Aggregated and anonymized analytics may be retained indefinitely.
  • Backups: Data may persist in encrypted backups for up to 90 days after deletion.

8. Your Rights

Under the GDPR and applicable data protection laws, you have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Request correction of inaccurate or incomplete data
  • Erasure — Request deletion of your personal data ("right to be forgotten")
  • Data portability — Request an export of your data in a machine-readable format
  • Restriction — Request that we limit how we process your data
  • Objection — Object to data processing based on legitimate interest
  • Withdraw consent — Where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by the GDPR. You also have the right to lodge a complaint with a supervisory authority in your country of residence.

9. GDPR Compliance

We process personal data in accordance with the GDPR. Our lawful bases for processing include:

  • Contract performance — processing necessary to provide the Service you signed up for
  • Legitimate interest — processing necessary for our legitimate business interests (analytics, security, product improvement), balanced against your rights
  • Legal obligation — processing required to comply with applicable laws
  • Consent — where applicable, for optional data processing activities

For data transfers outside the EU (e.g., to US-based AI providers), we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by the GDPR.

10. Children's Privacy

Emika is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child under 18 has provided us with personal data, please contact us at [email protected] and we will promptly delete it.

11. Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

  • Encrypted data storage and transmission (TLS/SSL)
  • Isolated Docker containers per user
  • Encrypted credential storage
  • Regular security reviews and updates
  • Access controls and authentication requirements
  • Dedicated servers (not shared cloud hosting)

While we take security seriously, no method of storage or transmission is 100% secure. We cannot guarantee absolute security but will notify you and relevant authorities of any data breach as required by law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the effective date at the top of this page
  • Notify you by email or in-app notification for significant changes

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. We encourage you to review this page periodically.

13. Contact

If you have questions about this Privacy Policy, your data, or wish to exercise your rights, contact us at:

Email: [email protected]
Website: emika.ai

For GDPR-related inquiries, we aim to respond within 30 days.

© 2026 Emika