Ambera

Privacy Policy

Privacy Policy

Last updated
June 28, 2026
Effective
June 28, 2026

Ambera is a debt tracker for your energy. To do that job, it has to hold some of the most personal data you can record about yourself — what depleted you, what restored you, when, and how much. This policy explains what we collect, why we collect it, and what we will and will not do with it.

We treat the ledger as yours. We do not sell it, we do not mine it for advertising, and we do not share it with employers, insurers, or anyone you have not explicitly authorized.

This policy covers two products: the Ambera mobile app (the personal energy tracker, billed through the app stores) and Ambera Forge (forge.ambera.app), our web app for software teams to estimate effort together. The bulk of this policy is about the personal app, because that is where the sensitive data lives. The Forge-specific sections — "Team workspace data" and "The privacy membrane" — explain the team product and, crucially, the wall we build between the two. Your personal energy data never reaches your employer.

01

Who we are

Ambera is operated by an independent developer based in the European Union. References to "we," "us," or "Ambera" in this policy mean the operator of the Ambera mobile application, ambera.app, and Ambera Forge at forge.ambera.app.

You can reach us at hello@ambera.app for any privacy-related question, including requests under the GDPR or other applicable laws.

02

Information we collect

We collect only the information needed to run the product. We separate it into three categories:

Information you provide

  • Account information: your email address (either entered directly when you sign in with a magic link, or returned by Google or Apple when you sign in with one of them — with Apple you can choose to hide your real address behind a private relay) and your first name, which we ask for during onboarding so the app can address you by name. We do not store passwords — sign-in is magic link, Google, or Apple only.
  • Ledger entries: the activities you log, including direction (depleting or recovering), intensity, optional title, optional note, and the time you booked them.
  • Arcs and planned activities: an arc is a stretch you set up — a week or a sprint — with a descriptive shape (how you expect it to lean, from heavy depletion to heavy recovery), an optional named lens, an optional short description, and a length. Within an arc you can add planned activities (drafts) — title, expected direction, expected intensity, planned time, and an optional per-activity reminder toggle that, when on, queues a push notification at the planned time. Drafts only count toward the ledger after you confirm them.
  • Daily energy check-in: a felt rating of how the previous day left you (from drained to restored) and an optional short note. From the rating, Ambera derives a single ledger entry that fills the gap between how the day felt and what you actually logged — attributed as a check-in and editable like any other entry. We store the rating, the optional note, and the derived entry.
  • Daily reflections: the free-form end-of-day note you can write on the reflection screen, one per calendar day. Writing reflections is free; the Premium weekly synthesis is what reads them back as a paragraph.
  • "About you" pages: the structured notes you fill in on the edit-profile screen to give the AI assists context about you (e.g. work shape, life context, energy patterns, plus any custom pages you add). Writing these is free; only the Premium AI assists consume them.
  • "Describe your day" chat sessions: when you use the Premium chat to turn a free-form description of a stretch of time into ledger entries, we store the conversation transcript and the current proposed-entry list as your active session. The session is replaced on every turn and automatically cleared the moment you save the proposed entries to your ledger or tap "Start over." Until then it persists across app restarts so a chat you began on the bus is still there when you reopen the app at home.
  • Preferences: settings such as your week start day, notification preferences, quiet hours, and time zone.
  • Waitlist signups: if you join the waitlist on ambera.app, your email address and the timestamp of the signup.
  • Support correspondence: anything you send us by email.

Information we generate

  • Derived ledger metrics: rolling balances, cumulative series, and state labels computed from your entries. These are produced from data you provided; we do not infer them from outside sources.
  • Activity suggestions: the activities you tend to repeat on a given weekday, detected on our own servers from your past entries and offered back so you can add them in a tap. This is computed from your own ledger — no AI model and no outside data are involved.
  • Device tokens: an opaque identifier from Apple or Google issued to your device so we can deliver push notifications you have opted into.
  • Session metadata: when you sign in, we record the IP address and browser/device user-agent associated with the session, retained for security and abuse prevention (for example, spotting a sign-in from an unexpected place).
  • Diagnostic logs: minimal request and error logs needed to keep the service running, including error and performance traces sent to Sentry, our error-tracking provider. Sentry is configured to collect no personal information by default — it receives the stack trace and technical context of an error, not the content of your ledger.
  • Product analytics: a pseudonymous identifier tied to your account, plus events recording which screens you viewed and a small set of named interactions (signing up, logging an activity, viewing the paywall, subscribing). We use this to understand which parts of the product work and which need fixing. The analytics stream never includes the title, note, intensity, or any other content of a ledger entry.

Information from third parties (only with your permission)

  • Google Calendar events, if you connect a calendar — synced into your activity log to save you from re-entering things you already scheduled. For each event we capture the title, start time, duration, attendee count, and event type. We also capture the event description, truncated, only if you opt in under Profile → Integrations → AI capture (off by default, Premium). We never capture attendee email addresses, meeting locations, or conference links. Imported items are flagged so you can tell them apart from entries you logged yourself.
  • Linear activity, if you connect a Linear workspace — when you open the Linear picker for a day, we read issues you are assigned to that were updated or commented on that day, plus issues assigned to you that have been updated within the last fourteen days regardless of state, so you can pick which tickets shaped each day. Each ticket you confirm becomes its own ledger entry. For each confirmed ticket we capture the identifier, title, team, priority, and workflow state. We also capture each confirmed ticket's description, truncated, only if you opt in under Profile → Integrations → AI capture (off by default, Premium). We never capture the body of Linear comments. We only read; we never write back to Linear. Imported items are flagged like the calendar ones.
  • Apple Health metrics, if you connect Apple Health on a future release — sleep duration, heart rate, step count, and active energy burned, used to adjust the energy balance calculations in the app so the ledger reflects what your body actually did, not only what you logged.
  • Subscription status from RevenueCat and the App Store or Google Play, if you purchase a Premium subscription.

Team workspace data (Ambera Forge)

Ambera Forge is our web app for software teams to estimate effort together. If you use Forge — either as a member of an organization or as the person who set one up — we collect the data needed to run a shared workspace:

  • Organization details: the organization name, its URL slug, and an optional logo.
  • Members and roles: the email address and role (such as admin or member) of each person in the workspace.
  • Invitations: the email address of anyone invited to join the workspace, kept until the invitation is accepted, declined, or revoked.
  • Tasks: the title, description, comments, and estimate or planning-poker votes attached to each task.
  • Projects and sprints: the projects and sprints you organize tasks into.

Forge sign-in is by magic link — we do not store passwords for it. One person can have both a personal Ambera account and a membership in a Forge organization under a single identity, signed in with the same email. That shared identity is what makes the privacy membrane below necessary, and it is exactly the boundary we keep.

We do not collect precise location, contacts, photos, advertising identifiers, or browsing activity outside the app.

Voice dictation

Long-form text fields (reflection notes, activity notes, intention descriptions, "about you" pages, the "Describe your day" chat composer) carry a tap-to-dictate microphone button. When you use it, speech recognition runs entirely on your device — your operating system converts audio to text locally, and Ambera only ever sees the resulting transcript as if you had typed it. No audio is recorded, transmitted to our servers, or sent to any third party. The microphone button auto-hides on platforms or devices that do not support on-device recognition.

03

The privacy membrane (Ambera Forge)

This is the most important promise in this policy, so we will state it plainly: your personal energy data is never shared with your employer or your organization. It lives only in your own personal Ambera account. Your Forge organization cannot see it, query it, or export it — not in any view, not in any report, not on request.

Forge personalizes the effort estimates you make using a signal derived from your own energy ledger, so that the number reflects how a given stretch of work actually tends to land for you rather than for an average person. But the organization never receives that signal, and it never receives the reason an estimate moved. What the organization sees is only de-identified output:

  • De-identified story-point estimates and confidence bands — the size of a piece of work and how sure the model is, attached to the task, not to a person's energy state.
  • De-identified actuals — how long work actually took, recorded for planning, again without any link to anyone's energy data.

The energy signal that personalizes an estimate is computed per person at read time and is never written to the organization's records. The organization's data model has no column for it, no field for it, and no way to reconstruct it. This is enforced structurally — in how the data is stored and how the systems are wired — not merely by a promise in this document. The wall is in the architecture; the policy only describes it.

04

Controller and processor roles (Ambera Forge)

For the workspace data inside an Ambera Forge organization — members, tasks, projects, sprints, and the like — the customer organization is the data controller and Ambera acts as a data processor on its behalf, handling that data under the organization's instructions. (For your personal Ambera account, by contrast, we are the controller.)

A Data Processing Agreement covering Forge workspace data is available on request — write to hello@ambera.app.

05

How we use your information

We use your information for the following purposes:

  • To operate the ledger — store, sync, and display the activities, balances, arcs, planned activities, daily check-ins, and "about you" pages that are the product.
  • To deliver notifications you have asked for, including the free imbalance nudge that surfaces when your week is drifting depletive, the daily reflection prompt, the daily energy check-in reminder, and per-activity reminders you toggle on for individual planned activities.
  • To provide Premium features you have subscribed to, including AI-tailored draft suggestions, AI-assisted activity prefill from notes, personalized intensity calibration, and weekly reflections.
  • To process and personalize the content you see in the app — using AI to tailor suggestions, intensity estimates, reflections, and recommendations to your own history rather than to a generic average. AI assists are always user-initiated by tapping a button; nothing is silently inferred onto your ledger.
  • To process Premium subscription payments for the mobile app through RevenueCat and the platform store.
  • To run Ambera Forge as a shared workspace — store and display the organization, members, tasks, projects, and sprints — and to bill the organization's per-seat subscription through Stripe.
  • To respond to support requests and to communicate service updates that materially affect you.
  • To protect the service from abuse and to comply with legal obligations.

We do not use your ledger to build advertising profiles, sell to data brokers, or train general-purpose foundation models on your behalf.

06

AI-assisted features

Some Premium features use a third-party language model to suggest activity titles, directions, and intensities from notes you write, and to propose a starter set of planned activities tailored to your arc. These features are deliberately gated: the model proposes, you confirm or override, and nothing is silently inferred onto your ledger. AI assists are always user-initiated — you tap a button (for example, "Tailor for me" on the arc, or "Suggest from note" on an imported activity) to ask for them. The one exception is the per-arc summary, which generates on its own when you open an arc; it only reads your data back to you and never writes to the ledger.

We also use AI to process and personalize the content you see in the app — for example, calibrating intensity suggestions to your own logging history, summarizing your week in language that reflects your specific patterns, and identifying which recovery activities have most reliably restored balance for you. The goal is to make what you see feel like it was written for you rather than for an average user.

When you use an AI assist, the request to our model provider includes what is needed for that specific assist and nothing else. The full list, by assist type:

  • Tailored draft suggestions (arc): the arc's shape, optional lens, and optional description, the content of your "about you" pages, a small slice of your recent confirmed activities so the model anchors intensity to your own logging style rather than a generic average, the current weekday and rough time of day so the suggestions fit the remaining hours, and — if you typed anything into the tailor sheet — the free-text refinement you wrote there ("working until 5pm," "give me 6 things, lean toward recovery"). The refinement text is sent verbatim with that single request and is not retained beyond the in-memory cache that keeps your suggestions visible while you're on the arc.
  • Per-arc summary (arc): the arc's set shape and optional lens and description, the shape that is emerging from your ledger over the arc so far, and the deterministic patterns Ambera computes on our own servers (your strongest and heaviest logged day, how many days you logged) — combined into a one-to-two-sentence observational read. The result is cached on our side, keyed to the arc, and regenerated only when the arc's underlying data changes.
  • "Describe your day" chat (activity form → Describe your day): the message you just typed, the prior turns of your active chat session and the current proposed-entry list (so the model can refine in place rather than start over each time you reply), the content of your "about you" pages, your time zone and the current local datetime so phrases like "this morning" or "yesterday evening" resolve to concrete times, and a small slice of your recent confirmed activities used solely to anchor the intensity number. Each refinement is sent independently. The session is persisted on our side as described under "Information you provide" so you can close the app and come back to the same chat; it is automatically cleared when you save the proposed entries to your ledger or tap "Start over."
  • Suggest from note (activity form): the note you wrote, plus a small slice of your recent confirmed activities used solely to anchor the intensity number.
  • Reflection gap-fill (evening reflection screen): the reflection note you just saved, the activities you have already logged for that day so the model does not propose duplicates, the content of your "about you" pages, the current weekday and rough time of day, and a small slice of your prior confirmed activities used solely to anchor the intensity number. The model proposes activities the reflection mentions that are not yet on the ledger; you confirm or remove each one before anything is recorded.
  • Weekly reflections and personalized activity audits (daily background job): your confirmed ledger for the relevant window, and the daily reflection notes you wrote during that window, used together to produce a short summary or recommendation that is then cached on our side and displayed to you.
  • Patterns synthesis (daily background job): the multi-week trends Ambera computes on our own servers from your ledger — for example, which weekday tends to run hardest, or what typically follows a stretch of demanding days — together with the arc shapes and lenses you set. Only these computed aggregates and your arc settings are sent to the model, never the individual entries; the resulting sentence is cached on our side and displayed to you.

Our model provider is Anthropic (Claude). Under Anthropic's commercial terms, inputs and outputs from our API requests are not used to train its models. We do not use AI to surveil patterns in your data without you having actively requested an AI feature, and we do not use your content to train general-purpose foundation models.

If you connect Google Calendar or Linear, Ambera always captures a small structured summary of each imported item (duration and attendee count for events; identifier, priority, and workflow state for Linear tickets) so the AI assist has useful context — this summary contains no free text, names, or email addresses. Separately, Premium subscribers can opt in to also include truncated event and issue descriptions in the notes attached to imported activities; the toggle lives in Profile → Integrations and is off by default. We never capture or send the bodies of Linear comments, attendee email addresses, or meeting locations. When the opt-in is on, the truncated descriptions follow the same handling as anything else you write into a note — sent to our model provider only when you request an AI suggestion, never retained for training, never used to build advertising profiles.

07

Google API Services — Limited Use disclosure

Ambera's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In plain terms, this means that for any data Ambera receives from Google Workspace APIs — currently Google Calendar event metadata when you choose to connect a calendar, as described in the "Information from third parties" section above:

  • We only use the data to provide and improve user-facing features of Ambera that are prominent in the app — specifically, syncing calendar events into your activity ledger so you can confirm them as depleting or recovering entries, and (only if you opt in to AI capture under Profile → Integrations) including truncated event descriptions as context when you request an AI suggestion.
  • We do not transfer this data to any third party except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
  • We do not use this data for serving advertisements, including personalized, retargeted, or interest-based advertising.
  • We do not allow humans to read this data, except (a) with your explicit consent for specific data, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.

You can disconnect Google Calendar at any time from Profile → Integrations in the app, or by revoking Ambera's access from your Google Account permissions page. When you disconnect, we stop syncing new events immediately and delete the synced event metadata associated with your account within 30 days, on the same schedule described under "Retention and deletion".

08

Product analytics

We use PostHog, a product analytics service hosted in the European Union, to understand how Ambera is used so we can improve it. PostHog is configured as a data processor under our control — it acts on our instructions and does not use your information for its own purposes.

What we send to PostHog:

  • A pseudonymous identifier for your account once you sign in (the same internal account id we use elsewhere). Before sign-in, the SDK uses an anonymous device id only.
  • Screen views inside the mobile app and a small set of named events — currently signing up, logging an activity, viewing the paywall, and completing a subscription.
  • Standard technical metadata that comes with any analytics event: device model, operating system version, app version, language, and the time of the event.

What we never send to PostHog: the title, note, intensity, direction, or any other content of a ledger entry; your email address or name; the content of any Google Calendar event, Linear issue, or Apple Health metric; and any precise location. The analytics stream tells us "an activity was logged," never what that activity was.

You can opt out of analytics by deleting your account or by writing to hello@ambera.app to request that analytics events for your account be excluded going forward.

09

How we share information

We share information only with the service providers needed to run Ambera, and only the minimum each one needs to do its job. The current list is:

  • Cloudflare — application hosting, edge compute, content delivery, and transactional email through Cloudflare Email Service (for example, your magic-link sign-in message, sent from noreply@ambera.app).
  • Neon — managed Postgres database storage.
  • Hetzner — encrypted off-site database backups, stored in Germany (EU) for disaster recovery.
  • Expo — push notification delivery and over-the-air mobile updates.
  • RevenueCat — subscription entitlement management for the mobile app.
  • Apple and Google — payment processing for in-app subscriptions on their respective platforms.
  • Stripe — payment processing for Ambera Forge's per-organization, per-seat subscription. Stripe acts as a processor; we store the organization's Stripe customer id, subscription id, subscription status, and current billing-period end so we can keep entitlements in sync.
  • Anthropic (Claude) — our AI model provider, only when you use a Premium AI feature, as described above.
  • PostHog (EU) — product analytics, as described in the "Product analytics" section above.
  • Sentry — error and performance diagnostics, configured to collect no personal information by default.

We do not sell or rent your personal data. We do not share your ledger with employers, insurers, advertisers, or analytics brokers. If we are ever legally compelled to disclose information, we will narrow the scope as much as the law allows and, where permitted, inform you.

If Ambera is ever acquired or merged, your data would transfer to the acquirer only under terms at least as protective as this policy, and you would be notified before any material change.

10

Retention and deletion

We keep your ledger for as long as your account is active, because the value of the product compounds with history. You can delete individual entries at any time from the app.

You can delete your entire account from within the app. When you do, we remove your data from primary storage within 30 days. We keep encrypted off-site backups (held in Germany, in the EU) on a rolling 10-day retention, alongside the point-in-time recovery window our database provider maintains; deleted data ages out of those layers as the backups roll forward.

Two things may survive account deletion. The first is a record of the deletion itself, retained because the law requires us to be able to demonstrate we honored the request. The second is billing audit records — the purchase and subscription events tied to your account, including their raw payloads from the payment platforms — which we keep for financial reconciliation, accounting, and tax obligations. These billing records do not include your ledger.

For Ambera Forge, deletion of an organization's workspace data and the off-boarding of a member are handled on request — write to hello@ambera.app. There is no automated purge of organization data today; we act on the organization's instructions as its data processor.

11

Security

Data is transmitted over TLS, stored encrypted at rest in our database provider, and access to production systems is restricted to the operator. We follow common-sense practices around credentials, dependency updates, and least-privilege access.

No system is perfectly secure, and we will not claim otherwise. If we ever discover a breach affecting your data, we will notify you and the relevant authorities within the timeframes the law requires.

12

Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you and receive a copy in a portable format.
  • Correct information that is inaccurate or incomplete.
  • Delete your account and the data associated with it.
  • Object to or restrict certain processing.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

Most of these you can exercise directly inside the app. For anything you cannot, write to hello@ambera.app and we will respond within 30 days.

13

International transfers

Ambera is operated from the European Union. Some of our service providers operate globally; where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses or equivalent safeguards required by applicable law.

Our US-based sub-processors currently include Anthropic and Stripe, alongside Apple, Google, Expo, PostHog, and Sentry. Transfers of personal data to them are made under Standard Contractual Clauses. Our database and its backups are kept within the EU.

14

Children

Ambera is not directed at children under 16, and we do not knowingly collect personal data from them. If you are a parent or guardian and believe your child has provided us with personal data, contact us and we will delete it.

15

Changes to this policy

When we change this policy in a way that materially affects you, we will notify you in the app or by email before the change takes effect. The date at the top of this page always reflects the current version. Older versions are available on request.

16

Contact

Questions, requests, complaints, or things we got wrong — hello@ambera.app. A real person reads it.