Privacy Policy

Ambera is operated by an independent developer based in the European Union. References to "we," "us," or "Ambera" in this policy mean the operator of the Ambera mobile application and ambera.app.

You can reach us at [email protected] for any privacy-related question, including requests under the GDPR or other applicable laws.

We collect only the information needed to run the product. We separate it into three categories:

Information you provide

• Account information: your email address (either entered directly when you sign in with a magic link, or returned by Google or Apple when you sign in with one of them — with Apple you can choose to hide your real address behind a private relay) and your first name, which we ask for during onboarding so the app can address you by name. We do not store passwords — sign-in is magic link, Google, or Apple only.
• Ledger entries: the activities you log, including direction (depleting or recovering), intensity, optional title, optional note, and the time you booked them.
• Arcs and planned activities: an arc is a stretch you set up — a week or a sprint — with a descriptive shape (how you expect it to lean, from heavy depletion to heavy recovery), an optional named lens, an optional short description, and a length. Within an arc you can add planned activities (drafts) — title, expected direction, expected intensity, planned time, and an optional per-activity reminder toggle that, when on, queues a push notification at the planned time. Drafts only count toward the ledger after you confirm them.
• Daily energy check-in: a felt rating of how the previous day left you (from drained to restored) and an optional short note. From the rating, Ambera derives a single ledger entry that fills the gap between how the day felt and what you actually logged — attributed as a check-in and editable like any other entry. We store the rating, the optional note, and the derived entry.
• Daily reflections: the free-form end-of-day note you can write on the reflection screen, one per calendar day. Writing reflections is free; the Premium weekly synthesis is what reads them back as a paragraph.
• "About you" pages: the structured notes you fill in on the edit-profile screen to give the AI assists context about you (e.g. work shape, life context, energy patterns, plus any custom pages you add). Writing these is free; only the Premium AI assists consume them.
• "Describe your day" chat sessions: when you use the Premium chat to turn a free-form description of a stretch of time into ledger entries, we store the conversation transcript and the current proposed-entry list as your active session. The session is replaced on every turn and automatically cleared the moment you save the proposed entries to your ledger or tap "Start over." Until then it persists across app restarts so a chat you began on the bus is still there when you reopen the app at home.
• Preferences: settings such as your week start day, notification preferences, quiet hours, and time zone.
• Waitlist signups: if you join the waitlist on ambera.app, your email address and the timestamp of the signup.
• Support correspondence: anything you send us by email.

Information we generate

• Derived ledger metrics: rolling balances, cumulative series, and state labels computed from your entries. These are produced from data you provided; we do not infer them from outside sources.
• Activity suggestions: the activities you tend to repeat on a given weekday, detected on our own servers from your past entries and offered back so you can add them in a tap. This is computed from your own ledger — no AI model and no outside data are involved.
• Device tokens: an opaque identifier from Apple or Google issued to your device so we can deliver push notifications you have opted into.
• Diagnostic logs: minimal request and error logs needed to keep the service running.
• Product analytics: a pseudonymous identifier tied to your account, plus events recording which screens you viewed and a small set of named interactions (signing up, logging an activity, viewing the paywall, subscribing). We use this to understand which parts of the product work and which need fixing. The analytics stream never includes the title, note, intensity, or any other content of a ledger entry.

Information from third parties (only with your permission)

• Google Calendar events, if you connect a calendar — synced into your activity log to save you from re-entering things you already scheduled. For each event we capture the title, start time, duration, attendee count, and event type. We also capture the event description, truncated, only if you opt in under Profile → Integrations → AI capture (off by default, Premium). We never capture attendee email addresses, meeting locations, or conference links. Imported items are flagged so you can tell them apart from entries you logged yourself.
• Linear activity, if you connect a Linear workspace — when you open the Linear picker for a day, we read issues you are assigned to that were updated or commented on that day, plus issues assigned to you that have been updated within the last fourteen days regardless of state, so you can pick which tickets shaped each day. Each ticket you confirm becomes its own ledger entry. For each confirmed ticket we capture the identifier, title, team, priority, and workflow state. We also capture each confirmed ticket's description, truncated, only if you opt in under Profile → Integrations → AI capture (off by default, Premium). We never capture the body of Linear comments. We only read; we never write back to Linear. Imported items are flagged like the calendar ones.
• Apple Health metrics, if you connect Apple Health on a future release — sleep duration, heart rate, step count, and active energy burned, used to adjust the energy balance calculations in the app so the ledger reflects what your body actually did, not only what you logged.
• Subscription status from RevenueCat and the App Store or Google Play, if you purchase a Premium subscription.

We do not collect precise location, contacts, photos, advertising identifiers, or browsing activity outside the app.

Voice dictation

Long-form text fields (reflection notes, activity notes, intention descriptions, "about you" pages, the "Describe your day" chat composer) carry a tap-to-dictate microphone button. When you use it, speech recognition runs entirely on your device — your operating system converts audio to text locally, and Ambera only ever sees the resulting transcript as if you had typed it. No audio is recorded, transmitted to our servers, or sent to any third party. The microphone button auto-hides on platforms or devices that do not support on-device recognition.

We use your information for the following purposes:

• To operate the ledger — store, sync, and display the activities, balances, arcs, planned activities, daily check-ins, and "about you" pages that are the product.
• To deliver notifications you have asked for, including the free imbalance nudge that surfaces when your week is drifting depletive, the daily reflection prompt, the daily energy check-in reminder, and per-activity reminders you toggle on for individual planned activities.
• To provide Premium features you have subscribed to, including AI-tailored draft suggestions, AI-assisted activity prefill from notes, personalized intensity calibration, and weekly reflections.
• To process and personalize the content you see in the app — using AI to tailor suggestions, intensity estimates, reflections, and recommendations to your own history rather than to a generic average. AI assists are always user-initiated by tapping a button; nothing is silently inferred onto your ledger.
• To process subscription payments through RevenueCat and the platform store.
• To respond to support requests and to communicate service updates that materially affect you.
• To protect the service from abuse and to comply with legal obligations.

We do not use your ledger to build advertising profiles, sell to data brokers, or train general-purpose foundation models on your behalf.

Some Premium features use a third-party language model to suggest activity titles, directions, and intensities from notes you write, and to propose a starter set of planned activities tailored to your arc. These features are deliberately gated: the model proposes, you confirm or override, and nothing is silently inferred onto your ledger. AI assists are always user-initiated — you tap a button (for example, "Tailor for me" on the arc, or "Suggest from note" on an imported activity) to ask for them. The one exception is the per-arc summary, which generates on its own when you open an arc; it only reads your data back to you and never writes to the ledger.

We also use AI to process and personalize the content you see in the app — for example, calibrating intensity suggestions to your own logging history, summarizing your week in language that reflects your specific patterns, and identifying which recovery activities have most reliably restored balance for you. The goal is to make what you see feel like it was written for you rather than for an average user.

When you use an AI assist, the request to our model provider includes what is needed for that specific assist and nothing else. The full list, by assist type:

• Tailored draft suggestions (arc): the arc's shape, optional lens, and optional description, the content of your "about you" pages, a small slice of your recent confirmed activities so the model anchors intensity to your own logging style rather than a generic average, the current weekday and rough time of day so the suggestions fit the remaining hours, and — if you typed anything into the tailor sheet — the free-text refinement you wrote there ("working until 5pm," "give me 6 things, lean toward recovery"). The refinement text is sent verbatim with that single request and is not retained beyond the in-memory cache that keeps your suggestions visible while you're on the arc.
• Per-arc summary (arc): the arc's set shape and optional lens and description, the shape that is emerging from your ledger over the arc so far, and the deterministic patterns Ambera computes on our own servers (your strongest and heaviest logged day, how many days you logged) — combined into a one-to-two-sentence observational read. The result is cached on our side, keyed to the arc, and regenerated only when the arc's underlying data changes.
• "Describe your day" chat (activity form → Describe your day): the message you just typed, the prior turns of your active chat session and the current proposed-entry list (so the model can refine in place rather than start over each time you reply), the content of your "about you" pages, your time zone and the current local datetime so phrases like "this morning" or "yesterday evening" resolve to concrete times, and a small slice of your recent confirmed activities used solely to anchor the intensity number. Each refinement is sent independently. The session is persisted on our side as described under "Information you provide" so you can close the app and come back to the same chat; it is automatically cleared when you save the proposed entries to your ledger or tap "Start over."
• Suggest from note (activity form): the note you wrote, plus a small slice of your recent confirmed activities used solely to anchor the intensity number.
• Reflection gap-fill (evening reflection screen): the reflection note you just saved, the activities you have already logged for that day so the model does not propose duplicates, the content of your "about you" pages, the current weekday and rough time of day, and a small slice of your prior confirmed activities used solely to anchor the intensity number. The model proposes activities the reflection mentions that are not yet on the ledger; you confirm or remove each one before anything is recorded.
• Weekly reflections and personalized activity audits (daily background job): your confirmed ledger for the relevant window, and the daily reflection notes you wrote during that window, used together to produce a short summary or recommendation that is then cached on our side and displayed to you.
• Patterns synthesis (daily background job): the multi-week trends Ambera computes on our own servers from your ledger — for example, which weekday tends to run hardest, or what typically follows a stretch of demanding days — together with the arc shapes and lenses you set. Only these computed aggregates and your arc settings are sent to the model, never the individual entries; the resulting sentence is cached on our side and displayed to you.

We instruct the provider not to retain inputs for training. We do not use AI to surveil patterns in your data without you having actively requested an AI feature, and we do not use your content to train general-purpose foundation models.

If you connect Google Calendar or Linear, Ambera always captures a small structured summary of each imported item (duration and attendee count for events; identifier, priority, and workflow state for Linear tickets) so the AI assist has useful context — this summary contains no free text, names, or email addresses. Separately, Premium subscribers can opt in to also include truncated event and issue descriptions in the notes attached to imported activities; the toggle lives in Profile → Integrations and is off by default. We never capture or send the bodies of Linear comments, attendee email addresses, or meeting locations. When the opt-in is on, the truncated descriptions follow the same handling as anything else you write into a note — sent to our model provider only when you request an AI suggestion, never retained for training, never used to build advertising profiles.

Ambera's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In plain terms, this means that for any data Ambera receives from Google Workspace APIs — currently Google Calendar event metadata when you choose to connect a calendar, as described in the "Information from third parties" section above:

• We only use the data to provide and improve user-facing features of Ambera that are prominent in the app — specifically, syncing calendar events into your activity ledger so you can confirm them as depleting or recovering entries, and (only if you opt in to AI capture under Profile → Integrations) including truncated event descriptions as context when you request an AI suggestion.
• We do not transfer this data to any third party except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
• We do not use this data for serving advertisements, including personalized, retargeted, or interest-based advertising.
• We do not allow humans to read this data, except (a) with your explicit consent for specific data, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.

You can disconnect Google Calendar at any time from Profile → Integrations in the app, or by revoking Ambera's access from your Google Account permissions page. When you disconnect, we stop syncing new events immediately and delete the synced event metadata associated with your account within 30 days, on the same schedule described under "Retention and deletion".

We use PostHog, a product analytics service hosted in the European Union, to understand how Ambera is used so we can improve it. PostHog is configured as a data processor under our control — it acts on our instructions and does not use your information for its own purposes.

What we send to PostHog:

• A pseudonymous identifier for your account once you sign in (the same internal account id we use elsewhere). Before sign-in, the SDK uses an anonymous device id only.
• Screen views inside the mobile app and a small set of named events — currently signing up, logging an activity, viewing the paywall, and completing a subscription.
• Standard technical metadata that comes with any analytics event: device model, operating system version, app version, language, and the time of the event.

What we never send to PostHog: the title, note, intensity, direction, or any other content of a ledger entry; your email address or name; the content of any Google Calendar event, Linear issue, or Apple Health metric; and any precise location. The analytics stream tells us "an activity was logged," never what that activity was.

You can opt out of analytics by deleting your account or by writing to [email protected] to request that analytics events for your account be excluded going forward.

We share information only with the service providers needed to run Ambera, and only the minimum each one needs to do its job. The current list is:

• Cloudflare — application hosting, edge compute, and content delivery.
• A managed Postgres provider — primary database storage.
• Expo — push notification delivery and over-the-air mobile updates.
• RevenueCat — subscription entitlement management.
• Apple and Google — payment processing for in-app subscriptions on their respective platforms.
• Our AI model provider — only when you use a Premium AI feature, as described above.
• PostHog (EU) — product analytics, as described in the "Product analytics" section above.
• Resend or a comparable email provider — transactional and waitlist email.

We do not sell or rent your personal data. We do not share your ledger with employers, insurers, advertisers, or analytics brokers. If we are ever legally compelled to disclose information, we will narrow the scope as much as the law allows and, where permitted, inform you.

If Ambera is ever acquired or merged, your data would transfer to the acquirer only under terms at least as protective as this policy, and you would be notified before any material change.

We keep your ledger for as long as your account is active, because the value of the product compounds with history. You can delete individual entries at any time from the app.

You can delete your entire account from within the app. When you do, we remove your data from primary storage within 30 days. Encrypted backups age out within a further 60 days. After that, the only thing that may remain is a record of the deletion itself, retained because the law requires us to be able to demonstrate we honored the request.

Data is transmitted over TLS, stored encrypted at rest in our database provider, and access to production systems is restricted to the operator. We follow common-sense practices around credentials, dependency updates, and least-privilege access.

No system is perfectly secure, and we will not claim otherwise. If we ever discover a breach affecting your data, we will notify you and the relevant authorities within the timeframes the law requires.

Depending on where you live, you may have the right to:

• Access the personal data we hold about you and receive a copy in a portable format.
• Correct information that is inaccurate or incomplete.
• Delete your account and the data associated with it.
• Object to or restrict certain processing.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your local data protection authority.

Most of these you can exercise directly inside the app. For anything you cannot, write to [email protected] and we will respond within 30 days.

Ambera is operated from the European Union. Some of our service providers operate globally; where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses or equivalent safeguards required by applicable law.

Ambera is not directed at children under 16, and we do not knowingly collect personal data from them. If you are a parent or guardian and believe your child has provided us with personal data, contact us and we will delete it.

When we change this policy in a way that materially affects you, we will notify you in the app or by email before the change takes effect. The date at the top of this page always reflects the current version. Older versions are available on request.

Questions, requests, complaints, or things we got wrong — [email protected]. A real person reads it.