Privacy Policy

Last updated: June 12, 2026

This Privacy Policy explains how [LEGAL ENTITY NAME], a [STATE/JURISDICTION] [ENTITY TYPE, e.g. LLC] located at [BUSINESS ADDRESS] ("Embarqly," "Company," "we," "us," or "our") collects, uses, discloses, and safeguards information in connection with the Embarqly onboarding platform, including our website, dashboard, and client onboarding portals (collectively, the "Service").

By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service. This policy should be read together with our Terms of Service.

In short: Embarqly is built for IT service providers (MSPs) to manage client onboarding, including the temporary handling of sensitive client credentials. We encrypt credential data at rest, log every access to it, and give MSPs tools to permanently delete it once it's no longer needed. We do not sell personal information, and we share data only with the service providers necessary to run Embarqly, as described below.

1. Definitions

"MSP," "you," or "Customer" means the managed service provider or business that creates an Embarqly account and uses the Service to manage onboardings.
"Client" or "End User" means a customer of an MSP who receives an onboarding link and submits information through a Client Portal.
"Onboarding Data" means information entered into onboarding checklists, including text responses, contact details, and uploaded files.
"Credential Data" means usernames, passwords, license keys, access codes, or similar secrets submitted through the Credential Vault feature.
"Account Data" means information about the MSP account itself, such as the account owner's email address and company name.

2. Information We Collect

2.1 Account Data (from MSPs)

When you create an Embarqly account, we collect:

Email address and password (password is hashed and managed by our authentication provider, Supabase Auth — we never see or store your plaintext password).
Company / MSP name.
Any other information you voluntarily provide, such as messages to support.

2.2 Onboarding Data (about your Clients)

As an MSP, you control what information is requested from your Clients through onboarding templates you create. This may include:

Client business and contact name, email address, and other contact details.
Free-text responses to checklist items (e.g., confirmations, notes, answers to setup questions).
Files uploaded by the Client (e.g., signed agreements, network diagrams, configuration exports).
Electronic signatures or acknowledgments submitted through the portal.

You (the MSP) are the data controller for Onboarding Data you collect from your Clients. Embarqly acts as a data processor / service provider on your behalf. You are responsible for ensuring you have a lawful basis to collect this information from your Clients and for providing your Clients with any notices required by applicable law.

2.3 Credential Data (Credential Vault)

The Service includes an optional "Credential Vault" that allows Clients to submit sensitive credentials (such as administrator usernames and passwords for systems being onboarded) directly to the MSP through the portal. Because this data is highly sensitive, we apply additional safeguards:

Encryption at rest: Credential values are encrypted using AES-256-GCM before being stored. The encryption key is held separately from the database and is never exposed to client-side code.
Access logging: Every time an MSP user views ("reveals") a stored credential, we record an entry in an audit log (including the user, timestamp, and credential identifier).
Purge on demand: MSP users can permanently delete ("purge") a stored credential once it has been transferred to their own password manager or system. Purged values are irrecoverably removed from our database.
Minimal retention: Credential Data is intended for short-term transfer only. We recommend, and our product encourages, purging credentials promptly after use.

Important: Embarqly is a transfer mechanism, not a permanent credential storage or password management solution. Neither Embarqly nor the MSP should rely on the Credential Vault as a long-term vault. See our Terms of Service for the allocation of responsibility for Credential Data.

2.4 Usage and Technical Data

We and our infrastructure providers automatically collect limited technical data, including:

IP address, browser type, device/operating system information.
Authentication session identifiers (cookies) required to keep you signed in.
Timestamps and metadata associated with requests to our servers (e.g., for security monitoring, debugging, and abuse prevention).
Audit log entries described in Section 2.3.

2.5 Cookies

We use a small number of strictly necessary cookies to maintain your authenticated session (set by Supabase Auth). We do not use third-party advertising or cross-site tracking cookies. If this changes, we will update this policy and, where required, request your consent.

3. How We Use Information

We use the information described above to:

Provide, operate, and maintain the Service, including the onboarding dashboard, Client Portals, and Credential Vault.
Authenticate users and secure accounts.
Send transactional and onboarding-related emails (e.g., portal links, reminder nudges to Clients about pending onboarding items, account notifications).
Generate onboarding completion records and exports (e.g., PDF summaries) at an MSP's request.
Monitor, investigate, and prevent fraud, abuse, security incidents, and technical issues.
Comply with legal obligations and enforce our Terms of Service.
Communicate with MSP account holders about the Service, including updates, security notices, and (where applicable) billing.

We do not use Onboarding Data or Credential Data to train machine learning or AI models, and we do not sell or "share" (as defined under applicable law) personal information for cross-context behavioral advertising.

4. Legal Bases for Processing

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we (and, where we act as a processor, the applicable MSP as controller) rely on the following bases:

Performance of a contract — to provide the Service to MSPs and operate Client Portals as part of an onboarding requested by the MSP and Client.
Legitimate interests — to secure the Service, prevent fraud, and improve reliability, balanced against individuals' privacy interests.
Legal obligation — where processing is required to comply with applicable law.
Consent — where required, such as for optional communications.

5. How We Share Information

We do not sell personal information. We disclose information only as follows:

5.1 Within your organization

Onboarding Data and Credential Data submitted by a Client are visible to the MSP team members associated with that onboarding, as configured by the MSP's account.

5.2 Sub-processors / Service Providers

We use a small number of third-party infrastructure providers to operate the Service. These providers process data only on our behalf and under contractual confidentiality and security obligations:

Supabase — database, authentication, and file storage (hosts Account Data, Onboarding Data, Credential Data in encrypted form, and uploaded files).
Resend — transactional email delivery (e.g., portal links, onboarding reminder emails sent to Clients, account emails sent to MSPs).
Hosting / infrastructure providers (e.g., Vercel and/or Render) — application hosting, scheduled jobs, and content delivery.

A current list of sub-processors is available on request at hello@embarqly.com.

5.3 Legal and safety disclosures

We may disclose information if we believe in good faith that disclosure is necessary to:

Comply with a legal obligation, subpoena, court order, or governmental request;
Enforce our Terms of Service or investigate potential violations;
Detect, prevent, or address fraud, security, or technical issues; or
Protect the rights, property, or safety of Embarqly, our users, or the public.

5.4 Business transfers

If Embarqly is involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before personal information becomes subject to a different privacy policy.

6. Data Retention

Account Data is retained for as long as your account is active, and for a reasonable period afterward to comply with legal, accounting, or security obligations.
Onboarding Data is retained according to the MSP's account configuration and is deleted upon account deletion or earlier upon the MSP's request, subject to limited backup retention.
Credential Data is retained only until purged by the MSP, or for a maximum retention period we may enforce in the future to encourage timely purging. We strongly recommend purging Credential Data as soon as it has been used.
Audit logs (including credential access logs) are retained for a longer period as necessary for security and accountability purposes, even after the underlying credential has been purged.

You may request deletion of your account and associated data at any time by contacting hello@embarqly.com, subject to Section 9 and any legal retention requirements.

7. Data Security

We maintain technical and organizational measures designed to protect information, including:

Encryption of Credential Data at rest using AES-256-GCM, with keys managed separately from application data.
Encryption in transit via TLS/HTTPS for all connections to the Service.
Row-level security policies restricting database access so MSPs can only access data belonging to their own organization.
Access logging and audit trails for sensitive operations, including credential reveals.
Time-limited, signed URLs for access to uploaded files rather than permanent public links.
Principle-of-least-privilege access controls for our own personnel.

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify affected parties and relevant authorities as required by applicable law. See Section 11.

8. International Data Transfers

Our infrastructure providers may process and store data in the United States and other countries. If you access the Service from outside the country where our servers are located, your information may be transferred to, stored, and processed in a country with different data protection laws. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for such transfers.

9. Your Rights

Depending on your location, you may have rights regarding your personal information, including the right to:

Request access to, or a copy of, the personal information we hold about you;
Request correction of inaccurate information;
Request deletion of your personal information;
Request restriction of, or object to, certain processing;
Request portability of your information in a structured, commonly used format; and
Withdraw consent where processing is based on consent.

To exercise these rights, contact us at hello@embarqly.com. If your information was submitted to us by an MSP as part of an onboarding (i.e., you are a Client of an MSP), we recommend contacting that MSP directly, as they control the data; we will assist the MSP as needed to respond to your request. Residents of certain jurisdictions (e.g., California, EEA, UK) may have additional statutory rights, including the right to lodge a complaint with a supervisory authority.

10. Children's Privacy

The Service is intended for business use by adults and is not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us so we can delete it.

11. Data Breach Notification

In the event of a security incident that compromises the confidentiality, integrity, or availability of personal information, we will take reasonable steps to investigate, mitigate, and notify affected MSPs and, where legally required, individuals and regulators, without undue delay and in accordance with applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice (such as by email to the account owner or a notice within the Service) before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised. Continued use of the Service after changes become effective constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: hello@embarqly.com
[LEGAL ENTITY NAME], [BUSINESS ADDRESS]

This document is a general template and does not constitute legal advice. Embarqly should have this policy reviewed by qualified legal counsel in its operating jurisdiction(s) before relying on it, particularly with respect to applicable data protection laws (e.g., GDPR, UK GDPR, CCPA/CPRA) and the bracketed placeholders above.