Emerge Data –
Emerge Data –
Privacy Policy
Privacy Policy
Last Updated:
July 16, 2025
This is the master privacy notice for Emerge Protocol Ltd. ("Emerge", "we", "us", "our"). It applies to all visitors to https://www.emergedata.ai/protocol (the "Website"), users of our mobile or web applications, and anyone who engages with our data‑sharing flows (collectively the "Services").
Emerge helps you retrieve copies of your personal data from major digital platforms and – only with your permission – use that data for personalised insights, rewards, and partner experiences. We take privacy seriously and design every feature with "privacy‑by‑design" principles.
Controller (EU/UK GDPR): Emerge Protocol Ltd., 86‑90 Paul Street, London, EC2A 4NE, United Kingdom. Company no. 16142850.
Data Protection Officer / Privacy contact: privacy@emergedata.ai
EU representative (Art. 27 GDPR): John Arts, Director
Quick‑look summary
You stay in control. We collect data only after you grant explicit consent and you can revoke at any time.
No selling of personal data. We never monetise your raw personal data.
Minimum data. We ask only for the fields needed to deliver the benefit you choose.
Transparent partners. We name every partner and purpose before any sharing occurs.
EU hosting first. Primary storage is in AWS EU clusters (Paris). Transfers outside the EEA are safeguarded by SCCs or equivalent.
1. What we collect
We collect personal information in the following contexts:
Category | Examples | Source | Optional? |
Account data | Email, password hash / SSO token, locale, device identifiers | You | Email required; rest optional |
Connected‑platform data | Google Search queries, Website visits, YouTube interests | You → via Google Data Portability API | Yes – scope toggles shown at connection |
Partner‑specific IDs | Loyalty ID at your chosen partner | Partner or you | Yes |
Usage & log data | App interactions, crash reports | Automatically collected | Yes (see §11 cookies) |
Developer / partner contact data | Name, job title, business email | You | Yes |
Special‑category data (e.g., health, religion) is processed only if you knowingly connect it (for example, medical travel receipts) and you give explicit consent.
Google Data Portability API compliance
Our use of data obtained via Google’s API adheres to Google’s Limited Use Requirements. We cannot access your Google data until you complete Google’s OAuth consent screen. You may revoke access at https://myaccount.google.com/permissions or in the Emerge app.
2. How we use your data
Purpose | Typical activities | Lawful basis |
Operate & secure the Services | Authentication, fraud detection, bug‑fixing | Contract (Art. 6 (1)(b)) |
Import and normalise platform data | Pull Google Takeout export, parse receipts | Consent (Art. 6 (1)(a)) |
Provide insights in the app | Dashboards, personal spending trends | Consent |
Share selected data/tags with partner you activate (e.g., your chosen partner) | Loyalty points, tailored offers, recommendations | Consent (separate toggle) |
Marketing communications | Product updates, newsletters | Consent (opt‑in) or Legitimate Interests (existing customers) |
Improve & develop new features | Aggregate analytics, A/B testing | Legitimate Interests (Art. 6 (1)(f)) – minimal, pseudonymised |
Legal & compliance | Recordkeeping, dispute handling | Legal obligation (Art. 6 (1)(c)) |
3. Legal bases in more detail
Where we rely on legitimate interests we have conducted a balancing test to ensure our interests do not override your rights. You can object at any time (§9).
4. Sharing your data
We share personal information only in these circumstances:
At your request: You activate an integration and consent to share specified fields with the named partner.
Example: You opt in to your chosen partner; we share “Favourite brands: Patagonia, Camel” so they can award points and make recommendations.Service providers: Cloud hosting, email delivery, authentication, analytics. All are bound by GDPR‑compliant DPAs and process data on our behalf (Art. 28 processors). Current list: emergeprotocol.com/legal/subprocessors.
Professional advisers: Lawyers, auditors, accountants—only under confidentiality.
Legal or regulatory: If required to comply with law or valid legal request.
Affiliates: If we establish subsidiaries or group companies, they may process data under this Policy.
We do not share data with advertisers or data brokers.
5. International transfers
Primary storage is in the EU/EEA (AWS Paris & Frankfurt). When we must transfer data outside the EEA/UK (e.g., US support ticket system), we rely on one or more of:
Standard Contractual Clauses (SCCs) or UK IDTA;
Adequacy decisions;
Additional encryption & access controls.
6. Security
We implement organisational & technical safeguards including:
TLS 1.2+ for data in transit; AES‑256 for data at rest;
Segregated encryption keys and access‑control lists;
Role‑based access & zero‑trust network segmentation;
Continuous monitoring & anomaly detection;
Independent penetration tests at least annually;
Incident‑response playbook—users and regulators notified within 72 hours where required.
7. Data retention
We keep personal data only as long as necessary for the purposes listed in §3, unless a longer period is required by law (e.g., tax records). Illustrative defaults:
Data set | Standard retention | Deletion trigger |
Account data | Life of account + 24 months | Account deletion or 24 m inactivity |
Connected‑platform raw exports | Parsed then deleted within 30 days | Immediate on revocation |
Derived tags | Until revocation or 24 m | Revocation or expiry |
Partner‑sharing logs | 6 years (accountability) | Legal limit reached |
You may delete your data sooner via in‑app "Delete Account" (see §9).
8. Your privacy rights
You have the following rights under the EU/UK GDPR (with conditions & exceptions):
Access – obtain a copy of personal data we hold.
Rectification – correct inaccurate data.
Erasure – request deletion.
Restriction – limit processing.
Portability – receive data in machine‑readable format.
Objection – object to processing based on legitimate interests or direct marketing.
Withdraw consent – revoke at any time without affecting prior lawful processing.
Complaint – lodge with your supervisory authority.
How to exercise:
In‑app privacy controls (preferred);
Email: privacy@emergedata.ai
We may ask for verification of identity before acting. We aim to respond within 30 days.
9. Marketing
You may receive product updates or newsletters only if you have opted‑in or if you are an existing customer and we rely on legitimate interests. You can opt‑out at any time by:
Clicking “unsubscribe” in the email footer; or
Changing your preference in Settings → Notifications; or
Emailing privacy@emergedatal.ai
10. Cookies & similar technologies
We use privacy‑centric analytics (self‑hosted PostHog) and essential cookies only. A detailed cookie banner and preference centre is displayed to EU/UK visitors on first visit.
11. Links to other sites
Our Services may contain links to third‑party websites or services that we do not control. This Policy does not cover those third parties. We encourage you to review the privacy policies of every site you visit.
12. Changes to this policy
We update this Policy from time to time. The “Last updated” date reflects the latest revision. If changes materially affect your rights or the way we process data, we will notify you via email and/or in‑app and, where needed, seek new consent.
13. Contact & complaints
Questions, concerns, or complaints?
Email privacy@emergedata.ai or write to:
Emerge Protocol Ltd., 86‑90 Paul Street, London EC2A 4NE, United Kingdom.
If you are not satisfied, you may complain to your local Data Protection Authority. In the UK this is the Information Commissioner’s Office (ICO). In the EU, see the list at https://edpb.europa.eu.
Glossary (quick reference)
Controller: Entity that decides why/how personal data is processed.
Processor: Entity that processes data on behalf of a controller.
Personal data: Any information that can identify a living person.
Special‑category data: Sensitive data such as health, religion, political views.
SCCs: Standard Contractual Clauses for international data transfers.
This is the master privacy notice for Emerge Protocol Ltd. ("Emerge", "we", "us", "our"). It applies to all visitors to https://www.emergedata.ai/protocol (the "Website"), users of our mobile or web applications, and anyone who engages with our data‑sharing flows (collectively the "Services").
Emerge helps you retrieve copies of your personal data from major digital platforms and – only with your permission – use that data for personalised insights, rewards, and partner experiences. We take privacy seriously and design every feature with "privacy‑by‑design" principles.
Controller (EU/UK GDPR): Emerge Protocol Ltd., 86‑90 Paul Street, London, EC2A 4NE, United Kingdom. Company no. 16142850.
Data Protection Officer / Privacy contact: privacy@emergedata.ai
EU representative (Art. 27 GDPR): John Arts, Director
Quick‑look summary
You stay in control. We collect data only after you grant explicit consent and you can revoke at any time.
No selling of personal data. We never monetise your raw personal data.
Minimum data. We ask only for the fields needed to deliver the benefit you choose.
Transparent partners. We name every partner and purpose before any sharing occurs.
EU hosting first. Primary storage is in AWS EU clusters (Paris). Transfers outside the EEA are safeguarded by SCCs or equivalent.
1. What we collect
We collect personal information in the following contexts:
Category | Examples | Source | Optional? |
Account data | Email, password hash / SSO token, locale, device identifiers | You | Email required; rest optional |
Connected‑platform data | Google Search queries, Website visits, YouTube interests | You → via Google Data Portability API | Yes – scope toggles shown at connection |
Partner‑specific IDs | Loyalty ID at your chosen partner | Partner or you | Yes |
Usage & log data | App interactions, crash reports | Automatically collected | Yes (see §11 cookies) |
Developer / partner contact data | Name, job title, business email | You | Yes |
Special‑category data (e.g., health, religion) is processed only if you knowingly connect it (for example, medical travel receipts) and you give explicit consent.
Google Data Portability API compliance
Our use of data obtained via Google’s API adheres to Google’s Limited Use Requirements. We cannot access your Google data until you complete Google’s OAuth consent screen. You may revoke access at https://myaccount.google.com/permissions or in the Emerge app.
2. How we use your data
Purpose | Typical activities | Lawful basis |
Operate & secure the Services | Authentication, fraud detection, bug‑fixing | Contract (Art. 6 (1)(b)) |
Import and normalise platform data | Pull Google Takeout export, parse receipts | Consent (Art. 6 (1)(a)) |
Provide insights in the app | Dashboards, personal spending trends | Consent |
Share selected data/tags with partner you activate (e.g., your chosen partner) | Loyalty points, tailored offers, recommendations | Consent (separate toggle) |
Marketing communications | Product updates, newsletters | Consent (opt‑in) or Legitimate Interests (existing customers) |
Improve & develop new features | Aggregate analytics, A/B testing | Legitimate Interests (Art. 6 (1)(f)) – minimal, pseudonymised |
Legal & compliance | Recordkeeping, dispute handling | Legal obligation (Art. 6 (1)(c)) |
3. Legal bases in more detail
Where we rely on legitimate interests we have conducted a balancing test to ensure our interests do not override your rights. You can object at any time (§9).
4. Sharing your data
We share personal information only in these circumstances:
At your request: You activate an integration and consent to share specified fields with the named partner.
Example: You opt in to your chosen partner; we share “Favourite brands: Patagonia, Camel” so they can award points and make recommendations.Service providers: Cloud hosting, email delivery, authentication, analytics. All are bound by GDPR‑compliant DPAs and process data on our behalf (Art. 28 processors). Current list: emergeprotocol.com/legal/subprocessors.
Professional advisers: Lawyers, auditors, accountants—only under confidentiality.
Legal or regulatory: If required to comply with law or valid legal request.
Affiliates: If we establish subsidiaries or group companies, they may process data under this Policy.
We do not share data with advertisers or data brokers.
5. International transfers
Primary storage is in the EU/EEA (AWS Paris & Frankfurt). When we must transfer data outside the EEA/UK (e.g., US support ticket system), we rely on one or more of:
Standard Contractual Clauses (SCCs) or UK IDTA;
Adequacy decisions;
Additional encryption & access controls.
6. Security
We implement organisational & technical safeguards including:
TLS 1.2+ for data in transit; AES‑256 for data at rest;
Segregated encryption keys and access‑control lists;
Role‑based access & zero‑trust network segmentation;
Continuous monitoring & anomaly detection;
Independent penetration tests at least annually;
Incident‑response playbook—users and regulators notified within 72 hours where required.
7. Data retention
We keep personal data only as long as necessary for the purposes listed in §3, unless a longer period is required by law (e.g., tax records). Illustrative defaults:
Data set | Standard retention | Deletion trigger |
Account data | Life of account + 24 months | Account deletion or 24 m inactivity |
Connected‑platform raw exports | Parsed then deleted within 30 days | Immediate on revocation |
Derived tags | Until revocation or 24 m | Revocation or expiry |
Partner‑sharing logs | 6 years (accountability) | Legal limit reached |
You may delete your data sooner via in‑app "Delete Account" (see §9).
8. Your privacy rights
You have the following rights under the EU/UK GDPR (with conditions & exceptions):
Access – obtain a copy of personal data we hold.
Rectification – correct inaccurate data.
Erasure – request deletion.
Restriction – limit processing.
Portability – receive data in machine‑readable format.
Objection – object to processing based on legitimate interests or direct marketing.
Withdraw consent – revoke at any time without affecting prior lawful processing.
Complaint – lodge with your supervisory authority.
How to exercise:
In‑app privacy controls (preferred);
Email: privacy@emergedata.ai
We may ask for verification of identity before acting. We aim to respond within 30 days.
9. Marketing
You may receive product updates or newsletters only if you have opted‑in or if you are an existing customer and we rely on legitimate interests. You can opt‑out at any time by:
Clicking “unsubscribe” in the email footer; or
Changing your preference in Settings → Notifications; or
Emailing privacy@emergedatal.ai
10. Cookies & similar technologies
We use privacy‑centric analytics (self‑hosted PostHog) and essential cookies only. A detailed cookie banner and preference centre is displayed to EU/UK visitors on first visit.
11. Links to other sites
Our Services may contain links to third‑party websites or services that we do not control. This Policy does not cover those third parties. We encourage you to review the privacy policies of every site you visit.
12. Changes to this policy
We update this Policy from time to time. The “Last updated” date reflects the latest revision. If changes materially affect your rights or the way we process data, we will notify you via email and/or in‑app and, where needed, seek new consent.
13. Contact & complaints
Questions, concerns, or complaints?
Email privacy@emergedata.ai or write to:
Emerge Protocol Ltd., 86‑90 Paul Street, London EC2A 4NE, United Kingdom.
If you are not satisfied, you may complain to your local Data Protection Authority. In the UK this is the Information Commissioner’s Office (ICO). In the EU, see the list at https://edpb.europa.eu.
Glossary (quick reference)
Controller: Entity that decides why/how personal data is processed.
Processor: Entity that processes data on behalf of a controller.
Personal data: Any information that can identify a living person.
Special‑category data: Sensitive data such as health, religion, political views.
SCCs: Standard Contractual Clauses for international data transfers.