Last updated: 2026-05-19
This policy explains how Emit Vision (“we”, “us”) collects and uses personal data. We operate in two distinct data roles, described below. Counsel must confirm the controller/processor classification before public launch.
Account and organisational data (controller). We determine the purpose and means of processing account data: email addresses, organisation and member records, invite and password-reset tokens, session tokens, and audit log entries (including IP address and user-agent where recorded).
Customer telemetry data (processor). We process telemetry on behalf of our customers. Customers send events, errors, logs, traces, and session context through the Emit Vision SDK and ingest API. That data may contain personal data about their own end users. We process it only as instructed by the customer and only to provide the Service.
Event payloads, error reports, log entries, trace spans, and session context submitted by customers via the ingest API. Payloads may include user identifiers, device context, or other fields supplied by the customer’s application. We run recursive sensitive-key scrubbing on ingestion to redact values under common secret key names (password, token, secret, authorization, etc.).
Customers control what data they send. The Service provides in-product retention settings, sampling controls, and custom scrub rules (Pro and above) so customers can limit what personal data enters the platform. Customers are responsible for ensuring their use of the ingest API complies with their own obligations to data subjects.
Telemetry events are retained according to the plan limit (7 days Hobby, 30 days Pro, 90 days Team, custom on Enterprise). Account data is retained while the account is active and for a reasonable period afterwards to meet legal and audit obligations.
During beta, data export and deletion are handled manually by the operator team. Contact us at [email protected] to request export, deletion, correction, or to exercise other data rights. We will acknowledge requests within 10 business days and complete them within the timeframes required by applicable law. See our internal rights-request process.
We use TLS for data in transit. Passwords are hashed and never stored in plaintext. API keys are hashed after creation. Access to production systems is limited to authorised operators. We take reasonable technical and organisational measures to protect personal data, but no system is completely secure.
The marketing site uses only strictly necessary cookies and session storage for theme preference. The application uses a session cookie for authenticated sessions. We do not currently use analytics or advertising cookies. If we add non-essential cookies in future, we will update this policy and provide appropriate notice. See our Cookie Policy.
We use third-party vendors to help operate the Service (hosting, database, email delivery, etc.). A list of current and pending subprocessors is available at our subprocessors page.
[Transfer mechanism and jurisdiction to be confirmed with counsel before public launch.] If we transfer personal data across borders, we will rely on appropriate safeguards such as standard contractual clauses or adequacy decisions.
Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal data. Contact us at [email protected] to make a request. We will verify your identity before acting on the request.
Customers seeking rights fulfilment for their end users’ data should submit a request so we can assist according to our processor obligations.
Data controller enquiries: [email protected]