Privacy Policy.
We built Embedportal to move as little of your data as possible. This policy explains what we do collect, what we never will, and how long we keep any of it.
1. The short version
Embedportal is a thin embedding layer between your product and your BI tools (Tableau, Power BI, QuickSight, Looker, Metabase and similar). The business data that appears inside embedded dashboards never flows through our servers — it is rendered by the vendor directly into the viewer’s browser.
What we do collect is limited to account, configuration, audit, and basic operational telemetry. We don’t sell personal data. We don’t use it to train models.
2. Scope & roles
This policy covers embedportal.com and the Embedportal hosted service (the “Service”). Embedportal is a subproduct of atSpark Inc. (“we”, “us”).
- When your organization uses Embedportal, your organization is the controller of end-user data and we act as a processor on its behalf.
- When you visit this website, we are the controller of information you give us.
3. What we collect
We collect four categories of data, and nothing more:
| Category | Examples | Why |
|---|---|---|
| Account | Name, work email, organization, role | To create and operate your account |
| Configuration | Dashboard IDs, RLS rules, branding, tenant mapping | To render the right embed to the right viewer |
| Audit | Who viewed what dashboard, when, from where | Security, compliance, your audit trail |
| Telemetry | Request timing, error traces, IP, user agent | Keep the Service fast and reliable |
4. What we don’t collect
- The rows, columns or cells inside your dashboards.
- Your warehouse credentials.
- Your BI vendor’s source data.
- Third-party advertising identifiers.
- Any information sold to data brokers.
5. How we use what we collect
- To provide, operate and maintain the Service.
- To authenticate users and enforce RLS rules.
- To keep an immutable audit trail for your organization.
- To debug, monitor and improve reliability.
- To communicate with you about the Service (service messages only).
- To comply with legal obligations and defend legal claims.
6. Sharing & subprocessors
| Vendor | Purpose | Region |
|---|---|---|
| AWS | Hosting, storage, networking | US · EU |
| Cloudflare | DNS, DDoS, edge caching | Global |
| Stripe | Payments (billing data only) | US |
| Postmark | Service & transactional email | US |
| Sentry | Error monitoring | US |
7. How long we keep it
- Account data — while your account is active, plus 30 days after cancellation.
- Configuration — while your account is active, plus 30 days.
- Audit logs — 13 months by default; your organization can request longer or shorter retention.
- Telemetry — 30 days, then aggregated.
- Backups — rolling 35 days.