EMOR Social is in betaGet started
EMOR SocialEMOR SocialBeta
Back to home
Legal · Privacy Policy

Privacy Policy

Last updated · June 4, 2026

EMOR AI, LLC (“EMOR,” “we,” “us,” or “our”) operates EMOR Social(the “Service”), an AI-powered social media management platform that lets you plan, generate with AI, schedule, queue, publish, and analyze content across social networks; manage a unified inbox of comments and direct messages; and collaborate with a team. EMOR Social is one of several products operated by EMOR AI, LLC; the parent-company website is emorai.com. This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Service.

EMOR Social is a multi-tenant business platform. Each customer workspace (a “tenant”) is isolated from every other tenant using Postgres row-level security (“RLS”). The content, connected accounts, analytics, and audience data inside a workspace are visible only to that workspace’s authorized members. Section 6 describes how that isolation is enforced.

EMOR Social is currently offered as a beta / early-access product and is provided “as is.” Features, plan inclusions, AI-generation limits, and pricing are still being finalized and may change; some plans may be free during the beta. This Policy describes our data practices as they exist as of the “Last updated” date above and will be revised as the Service evolves.

1. Information We Collect

We collect the categories of information described below, in each case limited to what the Service needs to operate for you.

1.1 Account Information

When you create an account, we collect your name, email address, workspace and brand name, and the billing details associated with your subscription. Authentication, sessions, and multi-factor authentication (“MFA”) are handled by Clerk; EMOR does not store your password. Subscription billing and payment processing are handled by Stripe; payment card numbers are tokenized and stored on Stripe’s own PCI-compliant infrastructure, and EMOR stores only the Stripe customer and subscription identifiers needed to bill your account. EMOR never has access to or stores your full card number, CVC, or bank-account credentials.

1.2 Workspace & Brand Configuration

You provide details that configure your workspace — brand names, posting preferences, default time zones, posting schedules and queues, content guidelines, tone and voice settings, saved hashtag groups, and any AI prompts, briefs, or templates you save for reuse. This information is used solely to operate your workspace and to power the Service’s planning, generation, and scheduling features.

1.3 Connected Social Accounts & OAuth Tokens

To publish and analyze on your behalf, you connect your accounts on the supported networks — Instagram, Facebook, TikTok, YouTube, Pinterest, X (Twitter), LinkedIn, Google Business Profile, Threads, and Reddit. Each connection is established through an OAuth authorization flow brokered by our integration provider, Zernio, which operates the Late.dev product. EMOR Social never calls the social networks’ APIs directly; Zernio (Late.dev) brokers the OAuth connection. Through that flow we receive and store, on a per-workspace basis:

  • Access and refresh tokens that authorize the Service to publish content, schedule posts, read post performance, and sync comments and messages on your behalf. These tokens are stored encryptedin your tenant’s Supabase database (see Section 6).
  • Account identifiers and basic profile metadata — the connected account’s ID, username or handle, display name, avatar, and the permissions (scopes) you granted during the OAuth flow.

We neverreceive or store your social-network passwords. You can disconnect any account at any time from your workspace settings, which deletes the stored tokens and ends EMOR Social’s access to that account. You may also revoke EMOR Social’s access directly from the social network’s own app-permissions or connected-apps settings; revoking on the network invalidates the tokens we hold.

1.4 Content & Media

We store the content you create, generate, or import — captions and post copy, hashtags, first comments, link metadata, drafts, scheduled-post settings, queues, and campaigns — together with the images and videos you upload. Uploaded media is stored as objects in Cloudflare R2 object storage. Your content and media remain in your workspace until you delete them or the retention rules in Section 5 apply.

1.5 AI Prompts & Generated Content

When you use the Service’s AI features — caption and idea generation, content strategy, image generation, and video scripting — the prompts and briefs you submit, along with any source content you ask the AI to work from, are transmitted to our AI providers, OpenAI and Anthropic (Claude), to produce the requested output. Text generation (captions, ideas, strategy) may be served by either OpenAI or Anthropic; image generation and video scripting are served by OpenAI. The generated outputs are written back to, and stored in, your workspace so you can review, edit, schedule, and reuse them. As described in Section 2, your prompts and content are notused to train these providers’ general-purpose models.

1.6 Analytics & Insights Data

Where you connect an account, the Service retrieves post-performance metrics — such as reach, impressions, views, likes, comments, shares, saves, follower counts, and click data — for content published or measured through your connected accounts. This data is retrieved through Zernio (Late.dev) from the underlying networks’ APIs and stored in your workspace so you can review performance and derive insights. Metrics are provided by the networks and may be approximate, delayed, or restated by the network at any time.

1.7 Inbox & Engagement Data

If you enable the unified inbox, the Service syncs comments and direct messages associated with your connected accounts — including the message or comment text, the sender or commenter’s handle and public profile metadata, timestamps, and thread context — so you can read and respond from within the Service. This data is synced through Zernio (Late.dev) from the underlying networks and stored in your workspace. You control whether the inbox is enabled and which accounts it covers.

1.8 Stock Media Search

If you search for stock imagery inside the Service, your search query is sent to the PexelsAPI to return matching results. We send only the text of your search query — we do not send your workspace content, connected-account data, audience data, or other personal information to Pexels.

1.9 Team & Collaboration Data

If you invite teammates into your workspace, we collect the names, email addresses, assigned roles or permissions, and invitation status of each member, along with collaboration metadata such as who created, edited, approved, or scheduled a given piece of content. This information is used to operate role-based access within your workspace and to attribute actions for your records.

1.10 Support & Communications

When you contact support, respond to a survey, or otherwise communicate with us, we collect the content of your message and any information you choose to provide (for example, screenshots, account identifiers, or descriptions of an issue). We use this information to respond to you, resolve problems, and improve the Service.

1.11 Usage, Log & Device Data

We collect aggregated usage and technical data — feature usage, AI-generation counts, scheduling and publishing activity, plan-limit consumption, IP address, browser and device type, and server logs and error reports — to operate and secure the Service, enforce plan limits, diagnose problems, prevent abuse, and improve the product.

1.12 Cookies & Local Storage

The Service uses a small number of strictly necessary cookies for authentication and security, and stores certain interface preferences (such as your theme and sidebar state) locally in your browser. We do not use advertising or cross-site behavioral-tracking cookies. Full detail, including categories and your choices, is in our Cookie Policy.

2. How We Use Your Information

We use the information we collect to:

  • Operate your workspace and plan, generate, schedule, queue, and publish your content across your connected networks;
  • Generate AI content (captions, ideas, content strategy, images, and video scripts) at your request, and store the outputs in your workspace;
  • Retrieve and display post-performance analytics and insights for your connected accounts;
  • Sync and display comments and direct messages in your unified inbox, where you have enabled it, and let you respond from within the Service;
  • Manage team membership, roles, invitations, and collaboration within your workspace;
  • Process payments, enforce plan and AI-generation limits, and manage your subscription;
  • Send transactional communications (account, billing, security, and service notices);
  • Provide support, maintain security, prevent abuse and fraud, debug and improve the Service, and comply with our legal obligations.

AI training.EMOR does not use your workspace content, prompts, connected-account data, audience data, or analytics to train general-purpose AI models, and does not provide that data to any third party for the purpose of training general-purpose AI models. As of the “Last updated” date of this Policy, OpenAI does not use data submitted through its API to train its general-purpose models, in accordance with its API Data Usage Policies, and Anthropicdoes not train its Claude models on content submitted through its API, in accordance with Anthropic’s Commercial Terms of Service. Each provider’s practices are governed by its own published policies at the URLs above, which the provider may revise from time to time; those URLs are the authoritative source for the provider’s current terms, and we will update this Policy to reflect material changes of which we become aware. Each provider retains API request and response data only for a limited period for abuse-monitoring and trust-and-safety purposes before deletion, under the policies above.

Marketing communications. We may send occasional product updates, beta announcements, and marketing emails to account holders. You can unsubscribe at any time using the link in any such email or by contacting legal@emorai.com. Unsubscribing does not stop transactional and service messages, which are necessary to operate your account.

Automated suggestions.The Service offers decision-support features such as best-time-to-post recommendations and AI content suggestions. These are aids you review and approve — the Service does not autonomously make decisions that produce legal or similarly significant effects on you. You decide what to publish, when, and to which accounts. See Section 8 regarding Article 22 of the GDPR.

3. How Your Data Moves Through Our System

We do not sell your personal information.We disclose data only to the service providers (“Subprocessors”) described in this Section, solely to operate the Service. This Section describes, for each principal data flow, the systems through which the data transits, where it is stored, and the role each Subprocessor performs. The full, current list of Subprocessors with privacy-policy and data-processing links is published on our authoritative Subprocessors page.

3.1 Connecting an Account

When you connect a social account, you are redirected to that network’s own OAuth screen to authorize access. The authorization is brokered by Zernio (Late.dev), which completes the handshake with the network and returns access and refresh tokens together with basic profile metadata. EMOR receives those tokens and metadata and writes the tokens encrypted to your tenant database at Supabase, scoped to your tenant_id. We use the tokens only to perform the actions you authorize, and we never receive your social-network password.

3.2 Publishing & Scheduling

When you publish or schedule a post, the post content and any attached media are submitted to Zernio (Late.dev), which delivers them to the target network’s API immediately or at the scheduled time and reports back the publish status and the resulting post ID or URL. Scheduled-post metadata, queue position, and publish status are written to your tenant database at Supabase. Media is delivered from Cloudflare R2 through Zernio (Late.dev) to the target network.

3.3 AI Content Generation

When you use an AI feature, the prompt, brief, and any source content you provide are transmitted to OpenAI and/or Anthropic for inference. The generated output is returned and written to your workspace. The brief and the resulting output are retained in your workspace so you can edit and reuse them; the AI providers retain the API request and response only briefly for abuse monitoring under their published policies and do not train their general-purpose models on it (see Section 2).

3.4 Media Storage

Images and videos you upload are stored as objects in Cloudflare R2. Media is served from R2 to your workspace for preview and editing and, when you publish, delivered to the target network through Zernio (Late.dev). Media is retained in R2 until you delete it or the retention rules in Section 5 apply.

3.5 Analytics & Inbox Sync

On a recurring schedule, the Service retrieves post-performance metrics and (where the inbox is enabled) comments and direct messages for your connected accounts via Zernio (Late.dev), which pulls them from the underlying networks’ APIs, and writes them to your tenant database at Supabase for display. This flow runs only for accounts you have connected and features you have enabled.

3.6 Billing & Account Data

  • Account credentials. Email address, password hash, session tokens, and MFA factors are managed by Clerk under Clerk’s privacy policy. EMOR does not store passwords.
  • Billing. Subscription billing, payment-method tokenization, and invoicing are handled by Stripe under Stripe’s privacy policy. EMOR does not store payment card numbers; only the Stripe customer and subscription identifiers, plan tier, and billing status are written to your tenant database.
  • Usage counters. Aggregated usage counters (such as AI-generations used, posts scheduled, and connected-account counts) are written to your tenant database at Supabase for plan enforcement and dashboard display.

3.7 Subprocessors

EMOR engages the following Subprocessors to perform the functions described in Sections 3.1 through 3.6. Each Subprocessor processes data under its own privacy policy and a data-processing agreement with EMOR. The authoritative, current list is published on our Subprocessors page.

  • Zernio (Late.dev): Social-account OAuth brokerage, publishing and scheduling, and analytics and inbox sync between the Service and the supported networks.
  • OpenAI: AI content generation — captions, ideas, content strategy, image generation, and video scripting.
  • Anthropic (Claude): AI text generation — captions, ideas, and content strategy.
  • Clerk: Authentication, session management, and multi-factor authentication. EMOR stores no passwords.
  • Stripe: Subscription billing and payment processing. Card data is tokenized; EMOR never stores card numbers.
  • Supabase: Primary Postgres database hosting with row-level-security tenant isolation.
  • Cloudflare R2: Object storage for the images and videos you upload.
  • Pexels: Stock-media search. Receives only your search queries — no tenant, content, or audience data.
  • Vercel: Web-application and marketing-site hosting, serverless function execution, and CDN.

By using the Service, you acknowledge and consent to the processing of your account, content, connected-account, analytics, inbox, and billing data by the Subprocessors listed above for the purposes described in this Section 3 and under each Subprocessor’s own privacy policy. We may also disclose information where required by law, subpoena, or legal process, or to protect the rights, property, and safety of EMOR, our users, and the public.

Third-party policies may change.Each Subprocessor, and each social network you connect, processes data under its own privacy policy and (for Subprocessors) a data-processing agreement, linked above and on our public Subprocessors page. The descriptions in this Section 3 and on the Subprocessors page summarize each provider’s practices as of the “Last updated” date of this Policy. Providers may update their own policies independently of EMOR, and we do not control their content. The current published policy at each provider’s linked URL is the authoritative source for how that provider handles data, and we encourage you to review those policies directly when current detail matters.

3.8 Notice of Subprocessor Changes

We will provide at least thirty (30) days’ advance notice before adding a new Subprocessor that processes your personal data, via an update to the Subprocessors page and, where required by contract, email to account administrators. Customers with a signed Data Processing Agreement may object in writing during the notice period; if we cannot accommodate a reasonable objection, you may terminate the affected portion of the Service as provided in your agreement.

4. Connected Networks & Audience Data

When you connect a social account, the people who follow, comment on, or message that account are youraudience, not EMOR’s. With respect to audience information — for example, commenter and sender handles, public profile metadata, and the comment or message content surfaced in your inbox — you are the controller and EMOR acts as a processor that handles that data only on your behalf and on your documented instructions to operate the Service.

Each connected network governs its own data under that network’s own terms, developer and platform policies, and privacy policy. EMOR is not responsible for a network’s data practices, rate limits, content-moderation decisions, metric definitions, or API changes, and a network may at any time restrict, change, or revoke the access that Zernio (Late.dev) relies on to serve the Service.

Your responsibilities.You are responsible for using audience data lawfully; for complying with the terms, advertising and community policies, and disclosure requirements of each network you connect; for obtaining any consents required to message or contact your audience; and for honoring opt-out, deletion, and other requests you receive from members of your audience. You must not use the Service to send spam, to harvest or scrape data in violation of a network’s terms, or to process audience data for any purpose the relevant individual would not reasonably expect.

5. Data Retention

We retain your information for as long as your account is active and as needed to provide the Service, then delete or de-identify it on the schedules below, except where a longer period is required by law. The following retention rules apply:

  • Content & scheduled posts. Captions, drafts, scheduled posts, queues, campaigns, and AI outputs are retained while your account is active. You may delete any of them at any time from your workspace.
  • Connected-account tokens. Access and refresh tokens are retained until you disconnect the account or delete your workspace, at which point they are deleted and access is revoked.
  • Analytics & insights. Performance metrics are retained while the related account is connected and your account is active, then deleted on the cancellation schedule below.
  • Inbox data. Synced comments and messages are retained while the inbox is enabled and your account is active. Disconnecting an account or disabling the inbox stops further sync; previously synced items are deleted on the cancellation schedule below.
  • AI prompt logs. The prompts and briefs you submit and the outputs returned are retained in your workspace alongside your content while your account is active, and are deleted with your workspace on the cancellation schedule below.
  • Uploaded media. Images and videos in Cloudflare R2 are retained until you delete them or until your workspace is deleted on the cancellation schedule below.
  • Cancelled accounts. If you cancel your subscription, your account enters a 60-day dormant state during which your workspace data and configuration are retained so you can reactivate by resubscribing. If you do not reactivate within 60 days, your account is scheduled for permanent deletion following a further 30-day grace window during which you may cancel the deletion and resume service. After that grace window, your operational data is purged from active systems, and backups containing it are purged on a rolling 30-day cycle thereafter.
  • Billing records. Invoices and transaction records are retained for up to 7 years after account closure to satisfy tax, accounting, and audit obligations under applicable law.

6. Data Security & Breach Notification

EMOR’s security posture is built around four principles: encrypt everything in flight and at rest, isolate every tenant at the database row, push payments and credentials to dedicated providers, and minimize the data we hold to what the Service needs. The specific controls below reflect the architecture of the Service as of the “Last updated” date of this Policy.

6.1 Encryption

All traffic between you, the Service, and our Subprocessors is encrypted in transit using TLS 1.2 or higher. Customer data stored in the Supabase Postgres database — including your content, scheduled posts, analytics, inbox data, and connected-account access and refresh tokens — is encrypted at rest using AES-256. Connected-account tokens are additionally stored in encrypted form, and media stored in Cloudflare R2 is encrypted at rest by that provider under its published practices.

6.2 Tenant Isolation

EMOR Social is multi-tenant. Every tenant-scoped table carries a tenant_idcolumn and is protected by Postgres row-level security (RLS) policies that scope every read and write to the authenticated tenant, so one workspace can never read or modify another workspace’s content, connected accounts, analytics, or audience data. The Supabase service-role key, which can bypass RLS, is held only on EMOR’s server-side runtimes and is never exposed to the browser or embedded in client code.

6.3 Authentication & Access Control

User accounts, sessions, and multi-factor authentication are managed by Clerk; EMOR does not store passwords. Multi-factor authentication is available to every account holder. Within a workspace, access is governed by the roles and permissions you assign to team members. Access to production systems by EMOR personnel is restricted to authorized administrators with multi-factor authentication enabled on the upstream providers (Supabase, Vercel, Clerk, Stripe), and administrative actions are logged in those providers’ audit trails.

6.4 Payment Security

Subscription billing is handled by Stripe. Payment card numbers, CVCs, and bank-account details never touch EMOR systems; the card-input form is hosted by Stripe and tokenizes payment methods directly into Stripe’s PCI DSS Level 1 environment. EMOR stores only the Stripe customer and subscription identifiers needed to bill your account.

6.5 Subprocessor Security

Each Subprocessor listed in Section 3.7 processes EMOR data under a data-processing agreement that contractually requires appropriate technical and organizational measures. Where available, we select Subprocessors that publish their own third-party assurance — for example, SOC 2 Type II attestations and, in Stripe’s case, PCI DSS Level 1 certification. Customers may request a copy of EMOR’s Subprocessor security summary by contacting legal@emorai.com.

6.6 Limits on Assurance

Despite the controls described above, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security against every possible threat. EMOR Social is a beta product and does not currently hold a SOC 2 or ISO 27001 attestation of its own; we continuously evolve our controls as the Service matures and the threat landscape changes. For enterprise engagements, EMOR will provide a written security questionnaire response and a list of Subprocessor attestations on request, under mutual NDA where appropriate.

6.7 Breach Notification

If we become aware of a personal-data breach affecting your account or the audience data we process for you, we will notify you without undue delay and, in any event, within 72 hours of becoming aware of the breach to the extent feasible. Our notice will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take to address it and mitigate its effects. Notice will be delivered to the email address on file for your account administrators; for customers with a signed Data Processing Agreement, notice will also follow the channels specified there.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate or incomplete personal data;
  • Delete your account and associated personal data;
  • Export your data in a portable, machine-readable format;
  • Opt out of non-essential communications;
  • Withdraw consent where consent is the legal basis for processing;
  • Restrict or object to certain processing activities;
  • Lodge a complaint with a supervisory authority.

To exercise any of these rights, contact us at legal@emorai.com. We respond to verified requests within 45 days where required by law (such as the CCPA/CPRA), and otherwise within a reasonable time. We may need to verify your identity before fulfilling certain requests, and we will not discriminate against you for exercising your rights. Where you ask us to act on audience data for which a customer is the controller, we will refer or forward your request to that customer and assist them in responding as their processor.

8. GDPR / UK GDPR (European Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and the UK GDPR apply to your personal data. EMOR acts as a data controller for your own account data (the information you provide to register, configure, and pay for the Service) and as a data processor for the audience data we process on your behalf through your connected accounts and inbox.

Lawful bases. Where EMOR is a controller, we rely on performance of contract (operating the Service for you), legitimate interests (security, fraud prevention, and product improvement, balanced against your rights), legal obligation, and consent (where required, for example for certain marketing communications).

International transfers.EMOR is based in the United States, and our Subprocessors may process data outside the EEA and UK. Such transfers rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum (IDTA), and other safeguards as applicable. See Section 12.

Automated decision-making (Article 22).The Service’s best-time-to-post and AI content suggestions are decision-support outputs that you review and approve; they are not solely automated decisions producing legal or similarly significant effects on you, and you retain full control over what is published.

Data Processing Agreements & representative.A Data Processing Agreement is available on request — contact legal@emorai.com. EMOR does not currently maintain an establishment in the EEA or UK; where Article 27 of the GDPR or UK GDPR requires the appointment of a Representative, EMOR will appoint one and list the contact details on this page. Until then, EU/UK data subjects may exercise their rights by contacting legal@emorai.com.

9. CCPA / CPRA (California Users)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the rights to know what personal information we collect, use, and disclose; to delete personal information we have collected from you; to correct inaccurate personal information; to opt out of the sale or sharing of personal information; to limit the use and disclosure of Sensitive Personal Information; and to not be discriminated against for exercising these rights.

EMOR does not sell your personal information, and we do not share personal information for cross-context behavioral advertising.

Sensitive Personal Information (SPI).The SPI we may process is limited to account log-in credentials (managed by Clerk) and the access and refresh tokens for your connected social accounts. We use this SPI solely to authenticate you and to perform the connected-account actions you authorize — never to infer characteristics about you and never for advertising. You may submit a “Limit the Use of My Sensitive Personal Information” request by contacting legal@emorai.com.

We respond to verified California consumer requests within 45 days (extendable by another 45 days where reasonably necessary, with notice). The categories of personal information we collect are described in Section 1, and we retain each category only as long as described in Section 5.

10. Other U.S. State Privacy Laws

Several U.S. states have enacted comprehensive privacy laws beyond CCPA/CPRA, including (without limitation) Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and Florida (FDBR), as well as Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Rhode Island, and Nebraska. If you reside in one of these states, you have rights similar to those in Section 9 — generally including the right to access, correct, delete, and port your personal data, and to opt out of targeted advertising or the sale of personal data. We do not engage in targeted advertising and do not sell personal data. To exercise any state-law right, contact legal@emorai.com.

11. Children’s Privacy

The Service is a business platform sold to businesses. Account holders must be at least 18 years old. We do not knowingly create accounts for, or collect personal information directly from, individuals under 18. If you believe a minor has created an account or provided personal information to us, contact legal@emorai.com and we will delete it promptly. Separately, the minimum-age requirements and content rules of each connected social network apply to your use of that network, and you are responsible for complying with them.

12. International Data Transfers

EMOR is based in the United States, and your information may be processed and stored in the United States and in other countries where our Subprocessors operate. By using the Service, you consent to such transfers. Where required, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and other lawful transfer mechanisms to protect personal data transferred out of the EEA, the UK, or Switzerland.

13. Do Not Track & Global Privacy Control

Because the Service does not track users across third-party websites or engage in cross-context behavioral advertising, browser “Do Not Track” signals do not change how the Service behaves. Where required by applicable law, we treat a recognized Global Privacy Control (GPC)signal as a valid request to opt out of the sale or sharing of personal information — though, as noted above, we do not sell or share personal information in the first place. See our Cookie Policy for more on the limited cookies we use and your choices.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Service at least 30 daysbefore they take effect, and we will update the “Last updated” date at the top of this page. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy. If you do not agree to a change, you should stop using the Service and may close your account.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, or wish to exercise any of your rights, contact us at:

EMOR AI, LLC
563 NW 31st Avenue
Gainesville, FL 32609
Phone: (305) 582-0181
Email: legal@emorai.com
Support: support@emorai.com

For related terms, see our Terms of Service, our Cookie Policy, and our authoritative Subprocessors list.

More legal