Skip to content
Empi Empi
Views Features AI agents Use cases Pricing Blog
Français Coming soon
Back to home

GDPR

Last updated: 14 July 2026 · Lire en français

Empi is built in the EU and privacy-first. This notice summarises your rights under the General Data Protection Regulation (GDPR) and how to exercise them. It complements our full Privacy Policy, which describes the data we process in detail.

      <h2>1. Controller and contact</h2>
      <p>
        The data controller is <strong>Empi</strong>, France. For any data protection
        request, contact <a href="mailto:[email protected]">[email protected]</a>.
      </p>

      <h2>2. Your rights</h2>
      <ul>
        <li><strong>Access</strong>: get confirmation of whether we process your data and a copy of it.</li>
        <li><strong>Rectification</strong>: correct inaccurate or incomplete data.</li>
        <li><strong>Erasure</strong>: have your data deleted, including via a GDPR crypto-shred that destroys your tenant key so encrypted content cannot be recovered, backups included.</li>
        <li><strong>Restriction</strong>: limit how we process your data in certain cases.</li>
        <li><strong>Portability</strong>: receive the data you provided in a structured, machine-readable format, and have it sent to another controller where technically feasible.</li>
        <li><strong>Objection</strong>: object to processing based on our legitimate interests, including profiling.</li>
        <li><strong>No solely automated decisions</strong>: we do not make decisions with legal or similarly significant effects about you based solely on automated processing. Empi's scheduling suggestions are decision-support, not binding decisions.</li>
        <li><strong>Withdraw consent</strong>: where we rely on consent, you can withdraw it at any time, without affecting prior processing.</li>
      </ul>

      <h2>3. How to exercise them</h2>
      <p>
        Email <a href="mailto:[email protected]">[email protected]</a>. We respond
        within one month, as the GDPR allows, and may ask you to confirm your identity. You
        can also export and delete much of your data directly from your account settings.
      </p>

      <h2>4. Lawful bases</h2>
      <p>
        We process personal data on these bases: performance of our contract with you
        (running the Service and billing), our legitimate interests (security, abuse
        prevention, and aggregated analytics, balanced against your rights), legal
        obligations (such as keeping invoices), and your consent (non-essential analytics,
        optional communications). See the <a href="privacy.html">Privacy Policy</a> for the
        mapping of purposes to bases.
      </p>

      <h2>5. Sub-processors</h2>
      <p>
        We use a small set of vetted sub-processors under data-processing agreements,
        including Scaleway (EU hosting and key management), Google and Microsoft (calendar
        integrations), Clerk (authentication), PostHog (analytics),
        and Sentry (error monitoring). The current list and regions are in the
        <a href="privacy.html">Privacy Policy</a>.
      </p>

      <h2>6. Data location and transfers</h2>
      <p>
        Your data is hosted in the European Union. Where a sub-processor is outside the
        EU/EEA, transfers rely on an adequacy decision or the European Commission's Standard
        Contractual Clauses, with supplementary safeguards where appropriate.
      </p>

      <h2>7. Encryption and crypto-shred</h2>
      <p>
        Task and note content is encrypted at rest with a per-tenant key wrapped by
        a master key in our key management service. A crypto-shred destroys the tenant key,
        so the corresponding ciphertext is permanently unrecoverable, backups included. This
        is how we deliver a delete that truly deletes.
      </p>

      <h2>8. Right to complain</h2>
      <p>
        If you believe we have mishandled your data, you can lodge a complaint with your
        local supervisory authority. In France, that is the CNIL
        (<a href="https://www.cnil.fr" target="_blank" rel="noopener">cnil.fr</a>). We would
        appreciate the chance to address your concern first.
      </p>

      <h2>9. Business customers (DPA)</h2>
      <p>
        If you use Empi on behalf of an organisation and need a Data Processing Agreement,
        request one at <a href="mailto:[email protected]">[email protected]</a> and we
        will provide our standard DPA, including the sub-processor list and SCCs.
      </p>
Empi Empi

The capacity-first task & time planner. A plan you approve, not a black box.

Product
Views Features AI agents Use cases Pricing Security
Resources
Documentation Blog RSS API reference
Legal
Terms Privacy GDPR
© 2026 Empi. All rights reserved. Web & Android · iOS coming · Multilanguage