Privacy Policy

Last updated: 2026-04-15

This Privacy Policy explains how Veturu Pty Ltd ABN 48 691 855 482, trading as Ephemr ("we", "us"), collects, uses, discloses, and protects personal information in connection with the Ephemr service (the "Service"). We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").

1. What we collect

• Account data: your email address, a hashed (bcrypt) password, email-verification status, and account timestamps.
• Authentication data: session cookies (an opaque session identifier hashed at rest), and API keys you create (stored hashed).
• Content you upload: HTML/CSS/JS bundles, titles, descriptions, filenames, and file hashes. Uploaded files are stored in object storage and served from an ephemeral-pages domain until they expire or you delete them.
• Usage and operational data: page view counts and timestamps, quota and rate-limit counters, email-delivery events (sent/failed) for transactional email, audit logs of administrative actions.
• Network data: your IP address, user agent, and request metadata appear in short-lived server logs and are used transiently by in-memory rate limiters. We do not currently store IP addresses against your account record.
• Payment data (when we enable paid plans): we do not receive or store full card numbers. Card details are submitted directly to Stripe; we receive only tokens, last-four digits, brand, and billing metadata necessary to manage your subscription.
• Communications: messages you send us (for support, abuse, or billing) and our replies.

2. How we use it

• to provide, operate, secure, and improve the Service;
• to authenticate you and protect accounts (e.g. rate limiting, abuse detection);
• to send transactional email (verification, password reset, billing, service notices);
• to enforce our Terms of Service, investigate abuse, and comply with legal obligations;
• to process payments and prevent fraud (via Stripe);
• to produce aggregate, de-identified analytics about Service usage.

We do not sell your personal information. We do not use your account data or uploaded content to train machine-learning models.

3. Cookies and analytics

Essential cookies. We set a session cookie when you log in. It is HttpOnly, Secure, and SameSite-scoped, and is strictly necessary for the Service to function. We do not set any advertising, tracking, or analytics cookies.

Cookie-free, server-side analytics. On our public marketing and authentication pages (the homepage, /pricing, /docs, /mcp, /login, /signup, password-reset, and this and other legal pages) we record aggregate traffic statistics on our own servers. For each page view we store: the URL path, the referring site's hostname, any UTM parameters, a coarse browser/OS/device family derived from the User-Agent, a two-letter country code derived from the IP address via publicly available Regional Internet Registry allocation data, and a daily-rotating salted hash that lets us count unique visitors per day. We do not store your IP address, your full User-Agent string, or any cookie or identifier that persists across days. The salt is held only in server memory and rotates every 24 hours, so the hash cannot be linked across days or reversed to identify you. Raw events are retained for up to 90 days and then rolled up into per-day totals.

No third-party trackers. We do not use Google Analytics, advertising pixels, or any third-party analytics or tag-management product. Nothing is sent to third parties for analytics purposes.

No analytics on authenticated or published pages. We do not record analytics on authenticated portal pages, on our API, or on pages published by our users and served from the ephemeral-pages domain.

4. Who we share it with

We share personal information only with service providers who process it on our behalf under confidentiality and data-protection obligations, and only as needed to run the Service:

• Cloud hosting and storage providers for compute, database, and object storage;
• Transactional email provider for account and service emails;
• Stripe (Stripe, Inc. and/or Stripe Payments Australia Pty Ltd) for card processing and subscription billing;

We may also disclose personal information where required by law, to respond to lawful requests by public authorities, to enforce our Terms, or to protect the rights, property, or safety of Ephemr, our users, or others.

5. Overseas disclosure

Some of our service providers (including Stripe) may store or process personal information outside Australia, including in the United States and the European Union. Before disclosing personal information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs.

6. Retention

We retain personal information only for as long as needed to operate the Service, comply with legal obligations (including tax and financial-record requirements), resolve disputes, and enforce our agreements. Uploaded pages are deleted (or soft-deleted and later hard-deleted) according to their TTL and our retention policy. When you close your account, we delete or de-identify personal information within a reasonable period, except where retention is required by law or for legitimate business records.

7. Security

We use industry-standard measures to protect personal information, including HTTPS in transit, password hashing (bcrypt), hashed session and API-key storage, access controls, and audit logging. No system is perfectly secure; if you believe your account has been compromised, contact support@ephemr.io immediately.

8. Your rights

You may request access to, or correction of, the personal information we hold about you. You may also withdraw consent, close your account, or request deletion, subject to our legal and record-keeping obligations. To make a request, email support@ephemr.io. We will respond within a reasonable period (generally 30 days).

If you are in the European Economic Area or United Kingdom, you may also have rights under the GDPR/UK GDPR to object to processing, request data portability, and lodge a complaint with your local supervisory authority.

9. Complaints

If you believe we have breached the APPs, contact us at support@ephemr.io. We will investigate and respond. If you are not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

10. Children

The Service is not directed at children under 18 and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact support@ephemr.io and we will take appropriate steps.

11. Changes

We may update this Policy from time to time. The "Last updated" date at the top indicates when. Material changes will be notified by email or in-product notice.

12. Contact

Privacy Officer, Veturu Pty Ltd (trading as Ephemr)
ABN 48 691 855 482 · ACN 691 855 482
Office 3840, Ground Floor, 470 St Kilda Rd, Melbourne VIC 3004, Australia
support@ephemr.io