Privacy Policy
Effective Date: May 13, 2026 · Version 3.5
Emmber, Inc., a Delaware corporation qualified to do business in the State of Florida, which operates the Pluse platform at pluse.to and the Pluse iOS application available on the Apple App Store (“Emmber,” “Pluse,” “we,” “us,” or “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you access or use the Pluse platform, the Pluse iOS application, and related services (collectively, the “Service”).
“Pluse” is the consumer brand and product name under which Emmber, Inc. provides the Service; “Emmber, Inc.” is the legal entity. References in this Policy to either “Emmber” or “Pluse” identify the same legal entity. Data subject requests, privacy inquiries, and notices received under either name are handled by Emmber, Inc.
This policy applies to all users of the Service, including business owners, authorized account users, and anyone whose personal information is processed through the Service. If you do not agree with this policy, do not use the Service.
Important Note on Defined Terms: In this Privacy Policy, “Your Data” and “User Content” have the same meaning as defined in Section 1 of the Terms of Service: any data, text, prompts, images, files, invoices, client records, financial data, time entries, or other materials that you upload, input, submit, or transmit to or through the Service. These terms are used interchangeably.
Table of Contents
- Information We Collect
- How We Use Your Information
- How We Share Your Information
- Data Retention
- Data Security
- Your Rights & Choices
- California Residents (CCPA/CPRA)
- EU/EEA Residents (GDPR)
- Florida Residents (Florida Digital Bill of Rights)
- Massachusetts Residents
- Other U.S. State Privacy Laws
- Cookies & Tracking
- Children’s Privacy
- International Data Transfers
- Data Breach Notification
- Data Disposal
- Changes to This Policy
- Contact Us
- Intellectual Property
- Pluse AI Assistant
1. Information We Collect
1.1 Information You Provide Directly
| Category | Examples | Why We Collect It |
|---|---|---|
| Identifiers | Name, email address, phone number, username, password (hashed) | Account creation, authentication, communications |
| Business Information | Business name, address, state, industry, incorporation type | Service personalization, legal compliance |
| Identity / Business Verification Documents | An uploaded image or PDF of your IRS-issued EIN-confirmation document (e.g., Form CP 575, Form SS-4, or Letter 147C), submitted through the dashboard from a paid account before certain payment-processing features are enabled. We do not request a raw EIN number; only the document. Files are validated against a fixed type list (PDF, JPG, PNG), capped at 10 MB, encrypted at rest with AES-256-GCM, and stored only in our internal upload area. We do not share these documents with any third party. | Fraud prevention; payment-processing gating; compliance with Stripe Connect and card-network business-verification expectations |
| Commercial Information | Client/customer names, invoices, expenses, products, services, revenue data, financial records | Core Service functionality |
| Employment-Related Information | Employee names, pay rates, hours worked, schedules (data you enter about your staff) | Employee management features |
| Financial Information | Bank account details for Stripe Connect payouts, billing address. We do NOT store credit card numbers — all card data is handled by Stripe. | Payment processing, payouts |
| Communications | Support messages, feedback, AI conversation history | Support, product improvement |
| Biometric Authentication Reference (iOS only) | On-device reference to Face ID / Touch ID enrollment used to gate access to credentials stored in the iOS Keychain. Pluse does not receive, transmit, or store the underlying biometric template — biometric data remains exclusively on your device under Apple’s control. | Biometric authentication on the iOS application |
1.2 Information Collected Automatically
| Category | Examples | Retention |
|---|---|---|
| Usage Data | Pages visited, features used, button clicks, actions taken, time spent | Active account duration |
| Device & Technical Data | Browser type, operating system, device type, screen resolution, language settings | Active account duration |
| Log Data | IP address, access timestamps, referring URLs, HTTP status codes, error logs | 90 days |
| Cookies & Session Data | Session tokens (authentication), CSRF tokens (security), preference cookies. See Section 12. | Session or up to 12 months |
1.3 Information from Third Parties
- Stripe: Payment status, transaction amounts, payout confirmations, and Stripe account identifiers for your connected account.
- Intuit QuickBooks Online: Accounting data synchronized with your explicit authorization, including customers, invoices, chart of accounts, and products.
- Google / Apple (OAuth): Basic profile information (name and email address) when you choose to sign in using these providers. We do not receive your password.
2. How We Use Your Information
We process your information only for the purposes described below. For GDPR purposes, the legal basis for each processing activity is noted.
| Purpose | Details | Legal Basis (GDPR) |
|---|---|---|
| Providing the Service | Processing invoices, tracking expenses, managing employees, generating reports, processing payments | Contract performance |
| Payment Processing | Facilitating invoice payments via Stripe, calculating fees, managing payouts | Contract performance |
| AI Assistant | Analyzing your business data to provide insights and recommendations within the Service. Your business data is not used to train the AI models. See Section 2.1 for details. | Contract performance |
| Account Management | Authentication, account security, billing, plan management | Contract performance |
| Communications | Service notifications, payment confirmations, security alerts, support responses | Contract performance / Legitimate interest |
| Product Improvement | Analyzing aggregated, anonymized usage metadata (such as feature usage frequency and error rates) to fix bugs, improve the Service, and develop new features. This does not include the content of your business data or AI conversations. | Legitimate interest |
| Security & Fraud Prevention | Detecting and preventing unauthorized access, fraud, and abuse | Legitimate interest / Legal obligation |
| Legal Compliance | Responding to lawful legal requests, enforcing our Terms, complying with tax and financial regulations | Legal obligation |
2.1 AI Data Practices
Pluse’s AI assistant processes your business data to generate insights, recommendations, and analysis. The following describes how your data is used in connection with your AI:
Data Your AI Accesses: When you interact with your AI, the assistant may access your invoices, client records, expenses, time entries, financial summaries, and other business data you have entered into the Service, solely to generate relevant responses to your queries.
Communication Processing Notice: Your text-based inputs to your AI (prompts, queries, and instructions) are transmitted to and processed by Pluse’s AI infrastructure. Your conversation history (queries and responses) is recorded and stored for the duration of your active account. This notice is provided in compliance with all-party consent and notification statutes, including M.G.L. c. 272, § 99 (Massachusetts), Cal. Penal Code § 632 (California), and equivalent statutes in other jurisdictions. Your continued use of your AI after receiving this notice constitutes your informed consent to such processing. For the full AI processing consent disclosure, see Terms of Service Section 12.1.
What We Do NOT Use for AI Training: Your business data (invoices, client records, financial data, the specific content of your prompts and AI conversations) is never used to train, fine-tune, or improve the underlying AI models.
What We May Use: Pluse may use anonymized, aggregated interaction metadata — meaning statistical information such as feature usage frequency, query category distribution (e.g., “20% of queries relate to invoicing”), average conversation length, and error rates — to monitor Service performance, improve AI capabilities, and develop new features. This metadata is derived from usage patterns across all users, does not contain the content of your business data or prompts, and cannot be used to identify you or reconstruct your data.
AI Conversation History: The content of your AI conversations is stored for the duration of your active account to provide you with conversation history and to improve your in-session experience. Conversation history is deleted within 30 days of account closure.
No Automated Decision-Making with Legal Effect: Your AI does not make decisions that produce legal or similarly significant effects on any person. All decisions remain with you, the user. Your AI is a decision-support tool requiring your independent review and professional judgment.
3. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
3.1 Service Providers (Processors)
We engage trusted third-party service providers who process data on our behalf, subject to written data processing agreements that restrict their use of your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing, Stripe Connect | Invoice amounts, payer details, business account identifiers |
| Intuit, Inc. (QuickBooks) | Accounting synchronization (with your authorization) | Invoices, customers, accounts, products you authorize |
| DigitalOcean, LLC — DigitalOcean Gen AI Platform | Cloud hosting, database infrastructure, and AI processing (Pluse AI) via DigitalOcean’s managed Gen AI Platform | Application data; Pluse AI chat messages and the specific business context needed to answer a query (see Section 20) |
| Google (OAuth) | Authentication (sign-in only) | Name, email address (received from Google with your consent) |
| Apple (Sign in with Apple) | Authentication (sign-in only) | Name, email address (received from Apple with your consent) |
A current, complete list of subprocessors is maintained at pluse.to/legal/subprocessors. We will provide at least thirty (30) days’ prior notice (via email or in-app notification) before engaging a new subprocessor that processes personal data.
3.2 Your Customers
When you send an invoice through Pluse, the invoice recipient sees your business name, the invoice details you created, and Pluse’s payment instructions. The recipient interacts with Pluse’s hosted payment page to complete a transaction. Pluse’s privacy practices govern how we handle recipient data collected at that point.
3.3 Legal Requirements
We may disclose your information if required by applicable law, regulation, subpoena, court order, or legitimate request from a government authority. We will notify you of such requests where legally permitted to do so.
3.4 Business Transfers
If Pluse is involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice via email or through the Service at least 30 days before your information becomes subject to a materially different privacy policy.
3.5 With Your Consent
We may share your information for any other purpose with your explicit prior consent.
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Duration of active account, plus 30 days after closure (grace period), then deleted |
| Business & financial records (invoices, expenses, transactions) | 7 years after account closure (U.S. tax and financial record-keeping requirements) |
| Payment records | Per Stripe’s data retention policies and applicable financial regulations |
| Server/access logs | 90 days |
| AI conversation history | Duration of active account; deleted within 30 days of account closure |
| Support communications | 3 years from last interaction |
| Backup data | Overwritten within 90 days on a rolling basis |
You may request deletion of your data by contacting support@pluse.to. Some data may be retained as required by law, for fraud prevention, or to resolve disputes notwithstanding a deletion request.
Data Subject Access During Retention. Even after account closure, if your data is still within a retention period described above, you may exercise your rights of access under applicable data protection law (including CCPA/CPRA, GDPR, Florida DPSA, and other applicable state privacy laws) by submitting a data subject access request as described in Section 6. Such requests may require identity verification and may be fulfilled in a format different from the self-service export available during your active account.
5. Data Security
Pluse maintains a comprehensive Written Information Security Program (“WISP”) in compliance with 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts). Because 201 CMR 17.00 imposes the most prescriptive state-level data security requirements in the United States, Pluse maintains this standard as its baseline for all users, regardless of location. The WISP designates a responsible employee, establishes administrative, technical, and physical safeguards scaled to Pluse’s data environment, and is reviewed and updated at least annually or upon any material change to business operations.
Our technical and organizational security measures include:
- HTTPS/TLS 1.2+ encryption for all data in transit (satisfying 201 CMR 17.04(3) and equivalent state encryption requirements);
- AES-256 encryption for personal information at rest, including database fields containing names combined with financial account information, Social Security numbers, or government-issued identification numbers (satisfying 201 CMR 17.04(5) and providing the encryption safe harbor under M.G.L. c. 93H, § 1);
- Role-based access controls with unique user credentials and no vendor-default passwords (201 CMR 17.04(1)–(2));
- Multi-factor authentication for all Pluse personnel with access to production systems;
- CSRF token protection on all authenticated requests;
- JWT-based authentication with secure token handling and configurable expiration;
- Parameterized database queries to prevent SQL injection;
- Input validation and output encoding;
- Up-to-date firewall protection and reasonably current operating system security patches (201 CMR 17.04(6));
- Current anti-malware software with regular updates (201 CMR 17.04(7));
- Regular monitoring for unauthorized access to personal information (201 CMR 17.04(4));
- Stripe PCI DSS Level 1 compliance for all card data (we never see, transmit, or store raw card numbers);
- Webhook signature verification for all Stripe events; and
- Documented incident response procedures with mandatory post-incident review (201 CMR 17.03(2)(j)).
Pluse requires all third-party service providers with access to personal information to maintain security measures at least as protective as those described in the WISP, enforced through written contractual obligations (201 CMR 17.03(2)(f)).
While we implement commercially reasonable security measures meeting or exceeding the standards described above, no system is completely secure. You are responsible for protecting your login credentials and notifying us promptly of any suspected unauthorized access.
6. Your Rights & Choices
Regardless of where you are located, you have the following rights with respect to your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete information.
- Deletion: Request deletion of your account and personal data, subject to legal retention requirements.
- Export: Download your business data (invoices, expenses, reports) from within the dashboard. Request a full account data export by emailing us.
- Opt-Out of Communications: Opt out of non-essential marketing or product update emails via your account Settings or by emailing us.
To exercise any of these rights, visit Privacy Choices or contact us at support@pluse.to. We will respond within 30 days. We may need to verify your identity before processing certain requests.
7. California Residents — CCPA/CPRA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights. In the preceding 12 months, we have collected personal information in the following CCPA-defined statutory categories:
| CCPA Category | Examples Collected | Disclosed To | Retention Period |
|---|---|---|---|
| A — Identifiers | Name, email, IP address, account ID | Stripe, DigitalOcean, QuickBooks, Google, Apple | Account duration + 30 days (profile); 90 days (IP/logs) |
| B — Personal Info (§1798.80(e)) | Name, address, bank account info (Stripe Connect) | Stripe | 7 years after account closure (financial records) |
| C — Protected Classifications | Not collected intentionally | N/A | N/A |
| D — Commercial Information | Invoice records, purchase history, services rendered | QuickBooks (with auth), Stripe | 7 years after account closure |
| E — Biometric Information | On-device biometric authentication reference (Face ID / Touch ID enrollment) used solely to gate access to iOS Keychain credentials. Pluse does not receive, transmit, or store the underlying biometric template; biometric data remains on your device. | Not disclosed to third parties (biometric data does not leave your device) | Until you disable biometric authentication or uninstall the iOS application |
| F — Internet/Electronic Activity | Usage data, features accessed, log data | DigitalOcean | Account duration (usage); 90 days (logs) |
| G — Geolocation | Approximate location derived from IP address; precise location only where you tag a work entry with location and have granted iOS Location permission | DigitalOcean | 90 days (IP-derived); duration of related time entry (precise) |
| H — Professional/Employment Info | Business type, employee data you enter | DigitalOcean, QuickBooks | Account duration + 30 days; 7 years for financial records |
| K — Inferences | AI business insights derived from your data | Not disclosed to third parties | Account duration; deleted within 30 days of closure |
7.1 Your CCPA/CPRA Rights
- Right to Know: Request disclosure of the personal information we have collected, used, shared, or sold about you in the past 12 months.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. You do not need to opt out.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information (as defined by CPRA, including biometric information and precise geolocation) beyond what is necessary to provide the Service. The limited sensitive personal information we process (such as account login credentials, biometric authentication references stored on your device, and precise geolocation associated with time entries you elect to tag) is used solely for the purposes of providing the Service, and we do not use it for the purpose of inferring characteristics about you.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
7.2 Global Privacy Control (GPC)
Pluse recognizes and responds to the Global Privacy Control (GPC) signal as a valid opt-out of the sale and sharing of personal information. If your browser sends a GPC signal, we treat it as an opt-out request. Since we do not sell or share data, no practical action is required in response, but the signal is acknowledged.
7.3 How to Submit a CCPA Request
Email support@pluse.to with “CCPA Request” in the subject line. We will verify your identity and respond within 45 days. We may extend the response period by an additional 45 days (90 days total) where reasonably necessary, with notice to you.
You may designate an authorized agent to submit requests on your behalf. We will require written proof of authorization and may verify your identity directly.
8. EU/EEA Residents — GDPR
Pluse is a U.S.-based company that does not currently target or actively market the Service to individuals located in the European Union or European Economic Area. However, if you are located in the EU/EEA and access or use the Service, Pluse acknowledges that the General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to our processing of your personal data, and the following provisions shall apply.
8.1 Data Controller
Emmber, Inc. is the data controller for personal information processed through the Service for account management, billing, and Service improvement purposes. For personal data you submit about your own customers, employees, or other third parties, Pluse acts as data processor on your behalf; such processing is governed by the Data Processing Agreement (DPA) available at pluse.to/legal/dpa.
Point of Contact: For GDPR-related inquiries, contact legal@pluse.to. Pluse has not designated a Data Protection Officer under GDPR Article 37, as Pluse does not engage in regular and systematic monitoring of EU data subjects on a large scale, nor does Pluse process special categories of personal data on a large scale. If these conditions change, Pluse will appoint a DPO and update this Policy accordingly.
8.2 Legal Bases for Processing
Pluse processes personal data of EU/EEA residents under the following legal bases:
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Service (invoicing, payments, client management) | Art. 6(1)(b) — Performance of a contract |
| Payment processing via Stripe | Art. 6(1)(b) — Performance of a contract |
| AI assistant (processing your business data to generate insights) | Art. 6(1)(b) — Performance of a contract |
| Account management, authentication, billing | Art. 6(1)(b) — Performance of a contract |
| Service notifications, security alerts | Art. 6(1)(b) — Contract; Art. 6(1)(f) — Legitimate interest |
| Aggregated usage analytics for product improvement | Art. 6(1)(f) — Legitimate interest (improving the Service; minimal impact on data subjects given anonymization) |
| Security and fraud prevention | Art. 6(1)(f) — Legitimate interest; Art. 6(1)(c) — Legal obligation |
| Compliance with legal obligations | Art. 6(1)(c) — Legal obligation |
8.3 Your GDPR Rights
You have the right to: access your data (Art. 15); request rectification (Art. 16); request erasure (Art. 17); restrict processing (Art. 18); data portability (Art. 20); object to processing based on legitimate interest (Art. 21); and lodge a complaint with your local supervisory authority.
To exercise any of these rights, contact legal@pluse.to. We will respond within thirty (30) days. If additional time is required, we will notify you within the initial 30-day period and may extend the response period by up to sixty (60) additional days.
8.4 International Data Transfers
Your data is processed and stored in the United States. Transfers from the EU/EEA to the U.S. rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), incorporated into our data processing agreements with U.S.-based service providers and into the DPA with respect to data we process on your behalf. By using the Service from the EU/EEA, you acknowledge that your data will be transferred to the U.S. under these transfer mechanisms.
8.5 Data Protection Impact Assessments
Pluse conducts data protection impact assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, including the processing of business data by the AI assistant. DPIAs are reviewed and updated as Pluse introduces new features or materially changes its data processing practices. Summaries of relevant DPIAs are available upon request by contacting legal@pluse.to.
8.6 Right to Object to Profiling
You have the right to object to automated decision-making and profiling. The AI assistant does provide insights derived from your data, but no decisions with legal or similarly significant effects are made solely by automated means. To object to AI processing of your data, contact us and we will explore accommodations, which may include disabling AI functionality for your account.
9. Florida Residents — Florida Digital Bill of Rights
If you are a Florida resident, the Florida Digital Bill of Rights (FDBR), effective July 1, 2024, provides you with the following rights regarding your personal data. This section supplements (and does not replace) the general rights described in Section 6.
9.1 Your Rights Under the FDBR
- Right to Access: You have the right to confirm whether Pluse is processing your personal data and to access such data in a portable and readily usable format.
- Right to Correct: You have the right to correct inaccuracies in your personal data.
- Right to Delete: You have the right to delete personal data you have provided to us or that we have obtained about you, subject to certain exceptions (such as data retained for legal compliance or to complete a transaction you requested).
- Right to Data Portability: You have the right to obtain a copy of your personal data in a readily usable format that allows transfer to another entity without hindrance.
- Right to Opt Out of Targeted Advertising: You have the right to opt out of the processing of your personal data for the purpose of targeted advertising. Pluse does not process your personal data for targeted advertising. No opt-out is necessary.
- Right to Opt Out of the Sale of Personal Data: You have the right to opt out of the sale of your personal data. Pluse does not sell your personal data. No opt-out is necessary.
- Right to Opt Out of Profiling: You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. The AI assistant provides business insights and recommendations, but does not make automated decisions that produce legal or similarly significant effects on you. If you wish to opt out of AI processing, contact support@pluse.to and we will accommodate your request by disabling AI features for your account.
9.2 Sensitive Data
Under the FDBR, “sensitive data” includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data. Pluse does not intentionally collect sensitive data as defined by the FDBR, except for: (a) on-device biometric authentication references for users who enable Face ID or Touch ID on the iOS application (which are processed exclusively on your device and never transmitted to Pluse), and (b) precise geolocation that you affirmatively associate with a time entry, used only for that time entry’s display purpose. If Pluse ever determines that processing additional sensitive data is necessary for a new feature or purpose, we will obtain your affirmative consent before processing such data.
9.3 Data Protection Assessments
The FDBR requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including targeted advertising, the sale of personal data, profiling, and the processing of sensitive data. Pluse conducts data protection assessments for applicable processing activities and maintains documentation of such assessments. As Pluse does not engage in targeted advertising, the sale of personal data, or processing of sensitive data beyond on-device biometric authentication and user-tagged precise geolocation, the primary assessment relates to the use of the AI assistant for business data analysis.
9.4 Children’s Data
The FDBR includes enhanced protections for personal data of individuals under the age of 18. Pluse’s Service is intended for business use by individuals aged 18 and over (see Terms of Service, Section 2). If personal data of individuals under 18 is submitted to the Service by a user (for example, as part of client records), Pluse processes such data solely as a data processor on the user’s behalf, in accordance with the Data Processing Agreement. Pluse does not knowingly collect personal data directly from individuals under 18.
9.5 How to Exercise Your Florida Rights
To exercise any FDBR right, email support@pluse.to with “Florida Privacy Request” in the subject line, or visit Privacy Choices. We will verify your identity and respond within forty-five (45) days. We may extend the response period by an additional fifteen (15) days where reasonably necessary, with notice to you.
If we decline to take action on your request, you may appeal the decision by emailing legal@pluse.to with “FDBR Appeal” in the subject line. We will respond to the appeal within sixty (60) days. If the appeal is denied, you may contact the Florida Attorney General’s office to file a complaint.
9.6 Non-Discrimination
Pluse will not discriminate against you for exercising your rights under the FDBR, including by denying goods or services, charging different prices or rates, or providing a different level or quality of the Service.
10. Massachusetts Residents
Massachusetts imposes specific data security, breach notification, and consumer protection requirements on any entity that owns, licenses, stores, or maintains personal information about a Massachusetts resident, regardless of where the entity is located. This section supplements (and does not replace) the general rights described in Section 6.
10.1 Massachusetts Personal Information
Under M.G.L. c. 93H, § 1 and 201 CMR 17.02, “personal information” means a Massachusetts resident’s first name and last name (or first initial and last name) in combination with any one or more of: (a) Social Security number; (b) driver’s license number or state-issued identification number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, PIN, or password, that would permit access to a resident’s financial account. If you are a Massachusetts resident and have provided such information to Pluse (or if such information is contained in data you upload to the Service), the protections in this section apply.
10.2 Written Information Security Program (WISP)
Pluse maintains a comprehensive Written Information Security Program in compliance with 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts). Our WISP includes the safeguards described in Section 5 of this Privacy Policy, including encryption of personal information in transit and at rest, role-based access controls, multi-factor authentication, regular security monitoring, service provider oversight, incident response procedures, and annual program review. The WISP is maintained as our baseline security standard for all users nationwide.
10.3 Data Breach Notification — Massachusetts
In the event of a breach of security involving personal information of Massachusetts residents, Pluse will comply with M.G.L. c. 93H, § 3, including:
- Notifying the Massachusetts Attorney General and the Director of the Office of Consumer Affairs and Business Regulation (OCABR) as soon as practicable and without unreasonable delay;
- Notifying each affected Massachusetts resident as soon as practicable and without unreasonable delay, including: the resident’s right to obtain a police report, instructions for requesting a security freeze, and information about the steps Pluse is taking to address the breach;
- If Social Security numbers are compromised, offering affected Massachusetts residents at least eighteen (18) months of free credit monitoring services, without requiring a waiver of any legal right as a condition of enrollment (M.G.L. c. 93H, § 3A); and
- Disclosing in the notification to the AG and OCABR whether Pluse maintains a Written Information Security Program (which Pluse does).
Note: Consumer breach notices to Massachusetts residents will not include the nature of the breach or the number of residents affected, as prohibited by M.G.L. c. 93H, § 3.
10.4 Encryption Safe Harbor
Pluse encrypts personal information (as defined under Massachusetts law) both in transit (TLS 1.2+) and at rest (AES-256). Under M.G.L. c. 93H, § 1, the breach notification obligation does not apply to encrypted data if the encryption key has not been compromised. Pluse maintains its encryption practices in part to preserve this safe harbor for Massachusetts residents.
10.5 Consumer Protection (Chapter 93A)
Pluse’s data security and privacy practices are maintained in compliance with M.G.L. c. 93A (Massachusetts Consumer Protection Act). The Massachusetts Attorney General has authority to enforce data security violations as unfair or deceptive trade practices under Chapter 93A, § 4, including the data security requirements of 201 CMR 17.00. Pluse’s WISP, encryption standards, and incident response procedures are designed to meet or exceed the standards enforced by the AG under this authority.
10.6 AI Processing Disclosure — Massachusetts
Massachusetts is an all-party consent jurisdiction under M.G.L. c. 272, § 99 (the Massachusetts Wiretap Statute). The AI assistant processes text-based communications only (not voice or audio). For the avoidance of doubt, Pluse provides clear, conspicuous notice of AI processing in the Terms of Service (Section 12.1), and your continued use of the AI assistant after receiving such notice constitutes your informed consent to the processing described therein.
10.7 Massachusetts Data Privacy Legislation
Pluse monitors developments in Massachusetts data privacy legislation, including any successor or amendment to the Massachusetts Data Privacy Act introduced in recent legislative sessions. If Massachusetts enacts a comprehensive data privacy law, Pluse will update this section to address any additional rights and obligations imposed by the new law and will provide notice in accordance with Section 17 of this Policy.
10.8 How to Exercise Your Massachusetts Rights
To exercise any right related to your personal information under Massachusetts law, email support@pluse.to with “Massachusetts Privacy Request” in the subject line. We will verify your identity and respond within thirty (30) days.
11. Other U.S. State Privacy Laws
Pluse is committed to complying with applicable state privacy laws. The following provides additional information for residents of states with comprehensive consumer privacy statutes. These rights supplement (and do not replace) the general rights in Section 6.
11.1 Virginia (VCDPA), Connecticut (CTDPA), Colorado (CPA), Texas (TDPSA), Utah (UCPA), and Oregon (OCPA)
If you are a resident of Virginia, Connecticut, Colorado, Texas, Utah, or Oregon, you have rights similar to those described in the Florida section (Section 9), including the rights to access, correct, delete, and port your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling activities. As noted above, Pluse does not sell personal data, does not engage in targeted advertising, and does not engage in profiling that produces legal or similarly significant effects.
To exercise your rights under any of these state laws, email support@pluse.to with “[State] Privacy Request” in the subject line (e.g., “Virginia Privacy Request”). We will respond within the timeframes required by applicable law (generally 45 days, with possible extensions). If we deny your request, you may appeal as described in the applicable state’s law.
11.2 Additional States
As additional U.S. states enact comprehensive consumer privacy laws (including, but not limited to, Delaware, Iowa, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Rhode Island, and Tennessee, as those laws come into force), Pluse will update this section to address state-specific requirements. We monitor legislative developments and will provide notice of material updates in accordance with Section 17 of this Policy.
12. Cookies & Tracking Technologies
We use a minimal set of cookies necessary to operate the Service:
| Cookie Type | Purpose | Duration | Can You Opt Out? |
|---|---|---|---|
| Session / Authentication | Keeps you logged in; required for the Service to function | Session (expires on logout or browser close) | No — essential to the Service |
| CSRF Token | Security protection against cross-site request forgery; required for the Service to function | Session | No — essential to the Service |
| Preference Cookies | Remembers your cookie consent choice, theme, and display preferences | Up to 12 months | Yes — reset at Privacy Choices |
We do not use third-party advertising or social media cookies. No cookies from Google Ads, Facebook Pixel, or any similar advertising network are present on our platform.
12.1 Privacy-Friendly Page Analytics (Plausible)
On our public marketing and login pages (such as /LoginPageNew.php and the pluse.to landing pages), we use Plausible Analytics to count page visits and understand which features bring people to the site. Plausible is a privacy-focused, EU-hosted analytics service that:
- does not use cookies of any kind;
- does not set persistent identifiers in your browser or device;
- does not track you across sessions, sites, or devices;
- does not collect personal data — it records aggregate metrics such as page URL, referrer, screen size category, and country (derived from IP and then discarded);
- does not share data with advertising networks or any third parties.
The Plausible script does not run inside the authenticated Service (i.e., once you are signed in to your dashboard). Plausible is also not loaded inside the Pluse iOS application. For full details, see Plausible’s data policy at plausible.io/data-policy. Because Plausible is cookieless and processes no personal data, no consent banner or opt-out is provided or required; you can also block the script using any standard content blocker.
You may manage or delete cookies through your browser settings. Disabling essential cookies will prevent you from logging in or using the Service.
12.2 Do Not Track
Pluse does not currently respond to “Do Not Track” (DNT) browser signals, as there is no universally accepted standard for how online services should respond to DNT signals. Our privacy practices (as described in this Policy) apply uniformly regardless of whether a DNT signal is detected. For information on our response to Global Privacy Control (GPC) signals, see Section 7.2.
13. Children’s Privacy
The Service is intended solely for business use by individuals 18 years of age or older. Pluse does not knowingly collect, use, or disclose personal information directly from children under the age of 13 in violation of the Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501–6506; “COPPA”), nor from individuals under the age of 18 in any manner that conflicts with state laws providing enhanced protections for minors (including the California Privacy Rights Act and the Florida Digital Bill of Rights).
Pluse takes affirmative steps to prevent the collection of personal information from minors, including: (a) requiring users to represent that they are at least 18 years old when creating an account (Terms of Service, Section 2); (b) declining to integrate features (such as advertising or behavioral profiling) that are directed at children; and (c) declining to design or market the Service to children.
If we become aware that we have inadvertently collected personal information directly from a child under 13, or personal information from an individual under 18 in a manner inconsistent with applicable state law, we will:
- Promptly delete the information from our active systems;
- Disable the related account if applicable;
- Refund any subscription fees collected from the affected account, if applicable; and
- Document the incident as part of our compliance program.
If you believe a person under the applicable age has provided us with personal information, please contact us at support@pluse.to with the subject line “Minor Account Concern” and we will act promptly.
Where personal data of minors is contained within data you upload to the Service (for example, as part of client records or employee data), Pluse processes such data solely as a data processor on your behalf, and you are responsible for obtaining any required parental consent or other authorization under applicable law.
14. International Data Transfers
Pluse is headquartered and operated in the United States. If you access the Service from outside the U.S., your information will be transferred to, stored, and processed in the U.S. U.S. data protection laws may differ from those in your country. For EU/EEA residents, see Section 8.4 for applicable transfer safeguards, including Standard Contractual Clauses.
15. Data Breach Notification
In the event of a breach of security that creates a substantial risk of identity theft or fraud, or that otherwise triggers notification obligations under applicable law, we will:
- Notify affected users by email as soon as reasonably practicable and without unreasonable delay, and in accordance with the notification timelines of all applicable jurisdictions, including: without unreasonable delay for Massachusetts residents under M.G.L. c. 93H, § 3; no later than 30 days for Florida residents under the Florida Information Protection Act (FIPA); within 72 hours for EU/EEA residents under GDPR Article 33 (to the extent applicable); and within the timeframes required by all other applicable state breach notification laws;
- Notify applicable government authorities where required by law, including the Massachusetts Attorney General and the Massachusetts Office of Consumer Affairs and Business Regulation (for breaches affecting Massachusetts residents), the Florida Department of Legal Affairs (for breaches affecting Florida residents), and equivalent authorities in other states as required;
- Provide affected users with information about what occurred, what data was involved, and steps they can take to protect themselves, including the right to obtain a police report, instructions for requesting a security freeze, and information about available identity theft prevention and mitigation services;
- For breaches involving Social Security numbers of Massachusetts residents, offer at least eighteen (18) months of free credit monitoring without requiring a waiver of legal rights as a condition of enrollment (M.G.L. c. 93H, § 3A);
- Disclose in notifications to the Massachusetts AG and OCABR whether Pluse maintains a Written Information Security Program (WISP); and
- Conduct a post-incident review and update the WISP as warranted (201 CMR 17.03(2)(j)).
Encryption Safe Harbor. To the extent that compromised data was properly encrypted and the encryption key was not also compromised, notification may not be required under certain state laws (including Massachusetts and several other states that provide an encryption safe harbor). Pluse maintains encryption of personal information in transit and at rest specifically to preserve this safe harbor.
Additional data breach notification obligations between Pluse and users for whom Pluse acts as a data processor are set forth in the Data Processing Agreement.
16. Data Disposal
When Pluse disposes of records containing personal information — whether in connection with account termination, expiration of data retention periods, or routine data lifecycle management — electronic records will be destroyed through secure deletion methods that render personal information incapable of being practicably read or reconstructed, in compliance with M.G.L. c. 93I, § 2 (Massachusetts) and equivalent data disposal requirements in other jurisdictions. Paper records containing personal information, if any, will be shredded, pulverized, or otherwise rendered unreadable prior to disposal. Pluse requires all third-party service providers to comply with equivalent data disposal standards through contractual obligations.
17. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect. Non-material changes (e.g., formatting, typo corrections) may be made without prior notice. The “Effective Date” at the top of this page reflects the date of the most recent update. Continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.
18. Contact Us
For questions, concerns, or to exercise your data rights:
- Email: support@pluse.to
- Privacy/Legal: legal@pluse.to
- GDPR Inquiries: legal@pluse.to
- Website: pluse.to
To manage your privacy choices directly, visit Privacy Choices.
19. Intellectual Property
Pluse’s intellectual property rights — including software ownership, copyrights, trademarks (Pluse™, Lux™, The Pluse™), trade secrets, patents, licensing restrictions, third-party attributions, and DMCA procedures — are governed by Section 8 (Intellectual Property) of our Terms of Service. These protections apply to all forms of the Service, including the Pluse AI iOS application available on the Apple App Store and the web platform at pluse.to.
Your ownership of data you upload to or create through the Service (“Your Data”) is addressed in both Section 4 (Data Retention) of this Privacy Policy and Section 8.4 of the Terms of Service. In summary: you retain full ownership of Your Data, and Pluse’s license to process it is limited to providing the Service and terminates when your account is closed.
For the complete intellectual property policy, including trademark usage guidelines, open-source attributions, and copyright infringement reporting, please refer to the Terms of Service.
20. Pluse AI Assistant
Pluse includes an AI assistant (“Pluse AI”) you can chat with to get answers about your business. This section explains how your data is handled when you use it. This section supplements (and where more specific, controls over) the general AI description in Section 2.1.
20.1 When data is shared
Pluse AI is off by default. The first time you open it, you see a disclosure screen and must tap “I agree, continue” before any data is sent. You can revoke this consent at any time in Settings › Privacy › Pluse AI data sharing, which disables the assistant until you opt back in. Revoking consent or logging out clears the stored consent on your device, so the next user of the device will be asked again before any data is shared.
20.2 What data is shared
When you chat with Pluse AI, we send the following to our AI processor to generate a response:
- The text of the messages you type in the chat, and recent prior messages in the same conversation for context.
- Relevant business data from your Pluse account that is needed to answer your question, which may include:
  - Invoices and client names (when you ask about billing, overdue invoices, or aging).
  - Expense totals, categories, vendor names, and recent transactions (when you ask about spending, costs, or tax reports).
  - Revenue, profit, sales figures, and margins (when you ask about performance).
  - Client, employee, time-tracking, project, product/service, and chart-of-accounts details when relevant to your question.
We do not send your passwords, authentication tokens, payment card numbers, connected bank credentials, or any data from features outside of your Pluse account.
Data about your customers and staff. If you ask Pluse AI a question that requires it (for example, about an overdue invoice or payroll), the relevant information about your customers or employees — which may include names, amounts owed, and pay-related details — is included in what we send to the AI processor on your behalf. When you use Pluse AI in this way, you are responsible for ensuring you have the right to share this information with a sub-processor under your own privacy notices and applicable law.
20.3 Who receives the data
Your messages and the business data described above are processed by DigitalOcean Gen AI Platform, DigitalOcean’s managed AI infrastructure. DigitalOcean acts as our sub-processor and is bound by a Data Processing Addendum that requires them to protect your data to at least the same standard described in this Privacy Policy, including encryption in transit and at rest, access controls limited to personnel who need access to operate the service, and breach-notification obligations.
Pluse contractually requires DigitalOcean and any underlying foundation-model providers in the processing chain to refrain from using your data to train, fine-tune, or improve their public or foundation AI models. Your data is not used to train DigitalOcean’s, any foundation-model provider’s, or any other third party’s public or foundation AI models.
20.4 Retention
Chat transcripts and the associated business context are stored on our servers so that you can see your conversation history inside the app. You can clear your chat history at any time from within the Pluse AI screen, and conversation history is deleted within thirty (30) days of account closure (see Section 4). A short-term copy of request and response data is retained for up to ninety (90) days in system logs for abuse prevention, security investigations, and service reliability, after which it is purged on a rolling basis.
20.5 Your rights and controls
- Revoke consent at any time in Settings › Privacy › Pluse AI data sharing. Pluse AI will be disabled for your account until you opt back in, and no further data will be sent to the AI processor.
- Delete your chat history from within the Pluse AI screen.
- Export or delete your account data at any time by exercising the rights described in Section 6. State-specific rights (California, Florida, Massachusetts, GDPR, and others) apply to AI data the same as to any other personal data we process.
- Object to profiling. Pluse AI does not make decisions that produce legal or similarly significant effects about any person; all decisions remain with you. You retain the rights described in Sections 8.6 and 9.1.
20.6 Material changes to this disclosure
If we materially change what data is shared, who it is shared with, or how it is used, we will present the updated disclosure inside the app and ask you to consent again before any further data is sent. Non-material changes (such as clarifying language or correcting typos) may be made without re-prompting; the “Effective Date” at the top of this Policy reflects the most recent update.
Emmber, Inc. is a Delaware corporation qualified to do business in the State of Florida. The “Pluse” name and the Pluse platform are operated by Emmber, Inc.
© 2024–2026 Emmber, Inc. All rights reserved. Pluse™ and Lux™ are trademarks of Emmber, Inc.