Embra Mentors — Privacy Policy

Last updated: June 2, 2026 Version: 2026-06-02

1. What We Collect

Embra Mentors collects only the information needed to operate the Service.

Identity information (all users)

• Email address
• Display name
• Role (student or mentor)

Student profile information (student users)

• Law school name
• Year of admission
• Year in program (1L / 2L / 3L / LLM / etc.)
• Areas of interest (e.g., litigation, transactional, public interest)
• Bio (free text, optional)
• Goals for mentorship (free text, optional)

Mentor profile information (mentor users)

• State of bar admission(s)
• Admission year(s)
• Bar number (stored privately; never shown to other users)
• Firm name (optional, visible to students)
• Years of practice experience
• Practice areas (e.g., labor and employment, intellectual property, family law)
• Topics willing to mentor on
• Mentorship capacity (number of active mentees)
• Bio (free text, optional)

Mentorship message history

• Text content of messages sent between matched mentor-student pairs
• Timestamps of messages
• Read receipts (whether a message has been viewed)

Messages are stored to enable mentorship continuity. When a user deletes their account, message history is anonymized rather than fully deleted, so the other participant retains a complete record of the conversation. See Section 4 for retention details.

Account activity

• Timestamps of account creation, sign-in, profile updates, and other account events
• IP address (for security and abuse-prevention purposes)
• Device type, operating system, and app version (for diagnostic purposes)

Push notification tokens (iOS users only)

• Apple Push Notification Service (APNs) device tokens, used to deliver in-app notifications when matched, when a message arrives, etc.

Analytics events

• App-level analytics events (e.g., "report opened," "mentor card clicked")
• Analytics events do not include personally identifying information, message content, or profile content

2. Why We Collect

Embra collects the information above to:

• Operate the Service (let you sign in, create a profile, find mentors, send and receive mentorship messages)
• Verify mentor bar credentials at signup
• Match students with mentors who fit their interests
• Send mentorship-related notifications (e.g., "your mentor accepted your request")
• Protect the Service and its users from abuse, fraud, and unauthorized access
• Comply with legal obligations and respond to lawful requests

3. Who We Share With

Embra shares your information with the following categories of third parties, only as necessary to operate the Service.

Service providers

• Google (Firebase): Embra uses Firebase for authentication, database storage, push notification delivery (via Firebase Cloud Messaging), and serverless backend operations. Your data is processed by Google's Firebase infrastructure under Google's standard service-provider terms.
• SendGrid (Twilio): Embra uses SendGrid to deliver transactional emails (e.g., welcome emails, account verification, mentorship request notifications). SendGrid processes your email address and the email content Embra sends through it.
• Apple: Embra uses Apple's authentication infrastructure for "Sign in with Apple" (where applicable), and Apple's Push Notification Service to deliver iOS push notifications.

Law enforcement

Embra may disclose your information to law enforcement, courts, or other government authorities when legally compelled to do so (e.g., by valid subpoena, court order, or other legal process) or when Embra reasonably believes disclosure is necessary to prevent imminent harm.

Embra does NOT share your information with:

• Advertisers
• Data brokers
• Marketing networks
• Third parties for any purpose unrelated to operating the Service

Embra does not sell your personal information to anyone, under any circumstance.

4. How Long We Keep Your Information

Embra keeps your information for as long as your account is active.

When you delete your account using the in-app account deletion flow:

• Identity and profile information is permanently deleted within thirty (30) days.
• Mentorship message content is anonymized (your name, email, and identifiers are removed) but the message text itself is retained, so the other participant in each conversation continues to have access to their own history. The retained messages are not associated with any account or person after anonymization.
• Account-activity logs and IP addresses are retained for up to ninety (90) days for security and abuse-investigation purposes, then deleted.
• Backups that contain your information are overwritten on Embra's standard backup rotation, typically within thirty (30) days.

Embra may retain information longer if required by law, by a legal hold related to a dispute, or for fraud or abuse prevention investigations that are open at the time of your deletion request.

5. Your Rights

All users

• Access: You can see all profile information Embra holds about you by signing in to your account.
• Correction: You can update most profile fields directly in the app (Settings → Edit Profile). To correct bar credentials, contact support@myembra.com.
• Deletion: You can delete your account using the in-app flow (Settings → Delete Account). See Section 4 for what happens to your data after deletion.
• Marketing communications: Embra does not send marketing emails. All emails Embra sends are operational (e.g., account verification, mentorship notifications). If you receive an email you believe is in error, contact support@myembra.com.

EU and EEA users (GDPR)

If you reside in the European Union, the European Economic Area, or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including:

• The right to access your personal data
• The right to rectification (correction)
• The right to erasure (the "right to be forgotten")
• The right to restrict processing
• The right to data portability (planned for a future release — not yet available)
• The right to object to processing
• The right to lodge a complaint with your local data protection authority

To exercise any of these rights, contact support@myembra.com. Embra responds to verified requests within thirty (30) days.

6. Children Under 18

Embra Mentors is not directed to children under 18, and Embra does not knowingly collect personal information from anyone under 18.

The Service requires that all users be at least 18 years old as a condition of account creation. If Embra learns that it has inadvertently collected personal information from a child under 18, Embra will delete that information promptly.

If you are a parent or guardian and you believe your child has provided personal information to Embra, contact support@myembra.com and Embra will investigate and delete any such information.

7. International Users

Embra is headquartered in the United States, and Embra's service infrastructure (Firebase, SendGrid, Apple) is operated primarily in the United States. By using the Service from outside the United States, you consent to the transfer of your personal information to the United States, where data-protection laws may differ from those of your home country.

For EU and EEA users, see Section 5 for your specific rights under GDPR.

8. Security

Embra protects your information using:

• Encrypted transit: All data transmitted between your device and Embra's infrastructure uses HTTPS / TLS encryption.
• Encrypted storage: All data at rest in Firebase is encrypted using Google's standard server-side encryption.
• Access controls: Embra applies Firebase security rules to enforce that users can only read and write their own data, plus the data of mentorship pairs they are matched with.
• Authentication: Embra uses Firebase Authentication, including support for Sign in with Apple, Sign in with Google, and email/password sign-in.
• Operational practices: Embra's small operational team follows standard security hygiene including limited credential access and periodic credential rotation.

No system is perfectly secure. If Embra discovers a security incident affecting your information, Embra will notify you in accordance with applicable law.

9. Cookies (Web Service Only)

Embra's web service uses essential cookies to:

• Keep you signed in across sessions
• Remember your preferences (e.g., role-based navigation)
• Protect against cross-site request forgery and other common web attacks

Embra's web service does not use:

• Advertising or marketing cookies
• Cross-site tracking cookies
• Cookies that share data with third parties for analytics or marketing purposes

The iOS app does not use cookies (it uses native iOS authentication tokens stored securely on-device).

10. Changes to This Policy

Embra may update this Privacy Policy from time to time. When Embra makes a material change:

• The "Last updated" date at the top of this policy will be revised
• The TERMS_VERSION constant will be updated to the publish date
• Existing users will see a disclaimer banner the next time they open a mentorship conversation, indicating that the policy has changed

Your continued use of the Service after a material update to this policy constitutes your acceptance of the updated policy.

If you do not agree to an updated policy, you may terminate your account using the in-app deletion flow before continuing to use the Service.

11. Contact

Questions about this Privacy Policy, or want to exercise your rights under it? Contact:

Email: support@myembra.com Mailing address: Embra LLC, Little Rock, Arkansas