Privacy Policy
This Privacy Policy describes how Emouna LLC ("Emouna," "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit our website at emouna.com.mx (the "Site"), apply for or purchase our services, communicate with us, or use any mobile or web application that we publish (each an "App"). It also explains the rights and choices available to you. This Policy serves as our Notice at Collection for California residents and our privacy notice under the data protection laws identified in Section 12.
1. Who we are and what this Policy covers
Emouna LLC is a United States limited liability company that operates an AI-native product studio: we build custom software for clients ("build weeks"), teach people to build software with AI ("vibe coding training"), provide AI consulting, and publish our own mobile and web applications through platforms such as the Apple App Store and Google Play.
Emouna LLC is the data controller (or "business" under California law) for personal information covered by this Policy. This Policy applies to:
- the Site and any subdomains that link to this Policy;
- our application/intake forms, email, phone, and text communications;
- our service engagements (development, training, consulting), except where a signed agreement with a client contains its own data-protection terms, in which case that agreement controls for that engagement; and
- each App we publish, supplemented by that App's store listing and privacy label. If an App has its own privacy policy, that policy controls for that App and this one fills any gaps.
This Policy does not apply to third-party websites, products, or services we do not control, even if we link to them.
2. Information we collect
2.1 Information you provide directly
| Context | Data collected |
|---|---|
| Application / intake form | Full name; email address; phone number; whether you checked the consent box for calls/texts (and the time of submission); which offering you're interested in ("build it for me" or "teach me to build it"); budget range; timeline; and the free-text description of your project or app idea. |
| Email & other correspondence | Your address, the contents of the messages, and any attachments you send. |
| Training enrollment | Name, email, billing details handled by our payment provider, session attendance, and work you choose to share during training. |
| Client engagements | Business contact details, project requirements, credentials or content you give us to build your product, and billing records. Client project materials are handled under Section 9 and any signed agreement. |
| App accounts & content (where an App offers them) | Email address or sign-in identifier, display name if you set one, and content you create inside the App (for example, logs, notes, or settings). |
2.2 Information collected automatically
- Site analytics (first-party, server-side). For each page view we record: timestamp, page path, referring domain (if any), country (derived at our edge provider from the connection), and device class (mobile or desktop). These records contain no name, no account identifier, no cookie, and no IP address, and we cannot use them to identify or re-identify you.
- Form abuse prevention. When you submit our application form we record the submitting IP address alongside the submission, solely to enforce rate limits and investigate abuse.
- Infrastructure logs. Our hosting and security provider, Cloudflare, Inc., processes connection data (including IP addresses) transiently to route, cache, and defend traffic, under its own privacy commitments.
- App diagnostics. Our Apps may collect crash reports and basic device information (model, OS version, App version, language) to keep the App working. Where a platform-provided diagnostics service is used (such as Apple's opt-in analytics), it is governed by that platform's settings on your device.
2.3 Information from platforms and other sources
- Apple and Google. When you buy an App, an in-app purchase, or a subscription, Apple or Google processes the payment and sends us non-identifying transaction data (product purchased, timestamps, anonymized transaction identifiers, subscription status). We never receive your card number, billing address, or App Store credentials.
- Device frameworks you authorize. If you grant an App permission to use device capabilities — for example location, motion sensors, camera, microphone, Bluetooth accessories, or Apple HealthKit — the App receives only the data those permissions cover, for the purposes described in Section 8 and in the App itself.
3. What we do not collect and do not do
- We do not sell personal information, and we have not sold or shared personal information (as "sell" and "share" are defined in the California Consumer Privacy Act) in the preceding 12 months.
- We do not use advertising networks, ad SDKs, third-party analytics trackers, cross-site tracking, or social media pixels on the Site or in our Apps.
- We do not store payment card numbers — Apple, Google, or our payment processor handles them end to end.
- We do not buy data about you from data brokers, and we do not disclose personal information to data brokers.
- We do not use personal information for automated decisions that produce legal or similarly significant effects about you.
- We do not knowingly collect data from children under 13 (Section 14).
4. How we use information
We use personal information to:
- Respond and provide services — review your application, hold your scope call, deliver development, training, and consulting engagements, and manage our client relationships;
- Operate our Apps — provide App features you request, maintain your account and content, honor purchases and subscriptions, and restore access across your devices;
- Communicate — send transactional messages (such as confirming we received your application, scheduling, invoices, service updates) and, only with your consent, marketing calls or texts (Section 6);
- Improve and secure — measure aggregate Site traffic, fix bugs and crashes, prevent spam, fraud, and abuse (including rate-limiting form submissions), and protect our systems and users;
- Comply and enforce — meet legal, tax, and accounting obligations; respond to lawful requests; enforce our Terms & Conditions; and establish, exercise, or defend legal claims.
We do not use personal information for purposes incompatible with these without telling you first and, where required, obtaining your consent.
5. Legal bases for processing (EEA, UK, and similar jurisdictions)
| Purpose | Legal basis |
|---|---|
| Responding to your application; delivering services and Apps you request; processing purchases | Performance of a contract, or steps at your request before entering one (GDPR Art. 6(1)(b)) |
| Marketing calls and texts; optional device permissions (location, sensors, HealthKit); optional communications | Consent (Art. 6(1)(a)), withdrawable at any time; health data is processed only with your explicit consent (Art. 9(2)(a)) |
| Aggregate analytics; security, anti-abuse and rate limiting; improving our Site, services and Apps; portfolio record-keeping | Legitimate interests (Art. 6(1)(f)) — running, protecting, and improving a small business in ways that do not override your rights |
| Tax, accounting, and other legal obligations; responding to lawful requests | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising, or defending legal claims | Legitimate interests / legal claims (Art. 6(1)(f), Art. 9(2)(f) where relevant) |
6. Calls and text messages (TCPA disclosure)
Our application form includes an optional, unchecked-by-default checkbox. If — and only if — you check it, you consent to receive calls and text messages from Emouna LLC at the number you provided, which may include automated technology, prerecorded messages, and marketing content about our services.
- Consent is not a condition of purchasing anything or doing business with us. If you leave the box unchecked, we will still process your application and may contact you by email, or by a normal, manually dialed call strictly to respond to your inquiry.
- Message frequency varies; message and data rates may apply, depending on your carrier.
- Opt out any time by replying STOP to any text (you may receive one final confirmation message), or by emailing jack@emouna.com.mx. Reply HELP for help.
- We record the fact, time, and source of your consent and honor revocations promptly. We do not share your phone number with third parties for their own marketing. Carriers are not liable for delayed or undelivered messages.
7. Cookies, analytics, and "Do Not Track"
The Site sets no cookies of its own and uses no third-party analytics or advertising trackers. Our analytics are first-party and server-side, as described in Section 2.2, and contain no identifiers. Our security provider (Cloudflare) may set strictly necessary security cookies (for example, bot-mitigation cookies) required to protect the Site; these are essential and are not used to profile you.
Because we do not track visitors across websites or over time, there is nothing for a browser "Do Not Track" or Global Privacy Control ("GPC") signal to switch off — but for clarity: we treat all visitors as if those signals were on, and since we do not sell or share personal information, no opt-out action is needed for GPC purposes under California law.
8. Health, fitness, sensor, and HealthKit data
Some of our Apps may — with your explicit permission — access device sensors (such as barometric pressure, motion, GPS, or heart rate through a paired device) or read from and write to Apple HealthKit. For any such data, we commit to the following, consistent with Apple's requirements:
- Health and sensor data is used only to provide the App feature you requested (for example, recording an activity session or displaying live sensor readings) and, where the App says so, to keep a history you can review.
- Health and sensor data is never used for advertising or marketing, never used for other use-based data mining, never sold, and never disclosed to data brokers, advertising platforms, or information resellers.
- HealthKit data is not shared with third parties at all, except at your explicit direction (for example, if you export or share a log yourself) or as required by law.
- Wherever the App's design allows, health and sensor data is stored on your device and in your personal iCloud/HealthKit stores rather than on our servers. Where an App does sync such data to our servers, its listing and in-App disclosures will say so explicitly.
- You can revoke access at any time in iOS Settings (Privacy & Security → Health / Location / Motion, or the App's own settings page). Revoking access stops new collection immediately.
- Health information from our Apps is informational and is not medical advice; see the safety terms in our Terms & Conditions.
9. AI systems and your data
We are an AI-native studio, so we want to be unambiguous about how AI intersects with your data:
- We do not train AI models on your personal information. Neither form submissions, correspondence, App data, nor client project materials are used to train machine-learning models by us.
- Client work. When we build software for clients, we use commercial AI coding tools and model APIs configured under business terms that do not permit the provider to train on our inputs. We do not paste client secrets or end-customer personal data into AI tools except as needed to perform the engagement and under those protections.
- AI features in Apps. If an App includes AI-powered features that send content to a model provider for processing, the App will disclose this, the content is used only to return the feature's result, and the provider is bound not to train on it. We do not send health or HealthKit data to AI model providers.
- Your project idea from the application form is read by humans (and our own systems) to evaluate your application — nothing more.
10. How we disclose information
We disclose personal information only as follows:
10.1 Service providers (processors)
Companies that process data on our behalf, under contracts limiting their use of it to providing services to us:
| Provider | Role | Data involved |
|---|---|---|
| Cloudflare, Inc. (USA) | Website hosting, security, edge network, and database storage | Site traffic; form submissions; analytics records |
| Zoho Corporation | Business email | Email correspondence; application notifications |
| Apple Inc. | App distribution, payments, subscriptions | Transaction data; App diagnostics per your device settings |
| Google LLC | App distribution and payments (Android) | Transaction data; App diagnostics per your device settings |
| AI model providers (e.g., Anthropic) | Processing for engineering work and any disclosed in-App AI features | Only the content needed for the feature or engagement; no training on inputs |
10.2 Other disclosures
- Legal. When required by law, subpoena, court order, or other lawful process; to respond to lawful requests from public authorities; or to protect the rights, property, or safety of Emouna, our users, or the public. Where lawful and practicable, we will attempt to notify you before disclosing your data in response to legal process.
- Business transfers. If Emouna is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction; this Policy will continue to apply to it, and we will notify you of any successor's material changes.
- Professional advisers. Lawyers, accountants, and insurers under confidentiality obligations, where needed.
- With your direction or consent. For example, if you ask us to introduce you to a partner.
- Aggregated / de-identified data. We may use and share statistics that cannot reasonably identify you (for example, "X% of applicants want a booking app"), and we commit to not attempting to re-identify de-identified data.
11. Data retention
| Category | Retention period |
|---|---|
| Application form submissions | Up to 24 months after last contact, unless you become a client (then for the client relationship + records period) or request deletion sooner |
| TCPA consent records and opt-outs | At least 4 years (statute-of-limitations record-keeping), stored even after deletion requests as a suppression record |
| Form-abuse IP records | Automatically irrelevant after rate-limit windows; purged with routine database maintenance, no later than 12 months |
| Site analytics | Indefinite — contains no personal identifiers |
| Email correspondence | Duration of the relationship + up to 7 years for business records |
| Client engagement and billing records | 7 years (tax/accounting requirements) |
| App account data | Life of the account; deleted within 30 days of account deletion, except minimal transaction records we must keep |
| Health/sensor data stored on-device or in HealthKit | Controlled by you on your device; we do not hold it |
When retention ends, we delete or irreversibly de-identify the data. Backups purge on their own rotation shortly after.
12. Your rights and choices, by region
12.1 Everyone, everywhere
Regardless of where you live, you may email jack@emouna.com.mx to: (a) request a copy of the personal information we hold about you; (b) correct it; (c) delete it; (d) withdraw any consent you gave (including SMS consent); or (e) object to a use of your data. We respond within 30 days, verify requests using the email or phone number we have on file, and never discriminate against you for exercising rights. If we deny a request (for example, data we must legally retain), we will explain why, and you may appeal by replying to our decision.
12.2 European Economic Area, United Kingdom, and Switzerland
You additionally have the rights of access, rectification, erasure, restriction of processing, data portability, and objection (including to legitimate-interest processing), and the right to withdraw consent without affecting prior processing (GDPR Arts. 15–21). You may lodge a complaint with your local supervisory authority (for the UK, the ICO at ico.org.uk). We do not conduct automated decision-making described in GDPR Art. 22.
12.3 California (CCPA/CPRA)
California residents have the rights to know/access, delete, correct, and port personal information; to opt out of sale or sharing (we do neither); to limit use of sensitive personal information (we use none beyond what is necessary to provide requested services); and to non-discrimination. In the preceding 12 months we collected these categories of personal information: identifiers (name, email, phone, form IP); customer records (billing information for services); commercial information (services considered or purchased); internet activity (non-identifying page-view analytics); geolocation (country-level only from the Site; precise location only in Apps that request it); sensory/health data (only in Apps you authorize, held on-device where possible); and inferences (none beyond evaluating your application). Sources, purposes, and recipients are as described in Sections 2, 4, and 10. You may use an authorized agent with written permission; we will verify the request as described above. Requests under California Civil Code §1798.83 ("Shine the Light"): we disclose no personal information to third parties for their direct marketing.
12.4 Other U.S. states
Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others) have equivalent rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, or profiling — none of which we engage in. Exercise any of these via Section 12.1, including the appeal process described there.
12.5 Mexico (LFPDPPP)
Because our Site operates at a .com.mx domain, we also honor the ARCO rights under Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares: Acceso (access), Rectificación (correction), Cancelación (cancellation/deletion), and Oposición (objection), plus revocation of consent. Send ARCO requests to jack@emouna.com.mx with your name, a means to verify your identity, and a description of the data concerned; we respond within the statutory period. You may also contact Mexico's data protection authority (INAI) if unsatisfied.
12.6 Nevada
Nevada residents may opt out of the sale of covered information; we do not sell covered information, but you may still register the request via Section 12.1.
13. App accounts, permissions, and deletion
- Privacy labels. Every App we publish carries an accurate App Store privacy "nutrition label" (and Google Play data-safety form) describing exactly what that App collects. If a label and this Policy differ for that App, the more specific and more protective statement applies.
- Permissions. Each sensitive capability (location, sensors, camera, microphone, HealthKit, Bluetooth, notifications) is requested at the point of use with an explanation, works only after you approve it, and can be revoked in device settings at any time without losing unrelated functionality.
- Account deletion. Any App that lets you create an account also provides an in-App path to delete that account and its associated data, as required by Apple. Deletion takes effect within 30 days (immediately where feasible), except minimal records of transactions we are legally required to keep. You can also request deletion by email.
- Subscriptions. Deleting an App or an account does not cancel an App Store subscription — manage subscriptions in your device's store settings (see our Refund Policy).
- Offline-first. Where an App can deliver its features without a server, we design it to keep your content on your device and in your personal iCloud backups, rather than on infrastructure we operate.
14. Children's privacy
The Site, our services, and our Apps are intended for general audiences and are not directed to children under 13 (or the higher minimum age in your jurisdiction, such as 16 in parts of the EEA). We do not knowingly collect personal information from children. If we learn we have collected personal information from a child without verifiable parental consent, we will delete it promptly. If you believe a child has provided us personal information, contact jack@emouna.com.mx. Apps that may appeal to mixed audiences will use age screens or platform age ratings as appropriate; none of our Apps serve behavioral advertising to anyone, children included.
15. Security
We protect personal information with technical and organizational measures appropriate to its sensitivity, including: TLS encryption for all data in transit to the Site and Apps; encryption at rest with our infrastructure providers; access to personal data limited to personnel who need it, protected by strong authentication (including hardware-backed or multi-factor credentials); separation between our public Site and data stores; server-side input validation and rate limiting on public endpoints; and prompt application of security updates. No system is perfectly secure; if we learn of a breach affecting your personal information, we will notify you and the relevant authorities as required by applicable law, without undue delay.
16. International data transfers
We are based in the United States and our providers process data primarily in the United States and other countries where they operate. These countries may have data-protection laws different from your own. Where we transfer personal information from the EEA, UK, or Switzerland, we rely on safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum), our providers' participation in the EU–U.S. Data Privacy Framework where applicable, and supplementary technical measures like encryption. You may request more information about the safeguards applied to your data via Section 19.
17. Third-party links and services
The Site and our Apps may link to third-party websites or rely on third-party services (for example, Apple's subscription management screens, carrier messaging, or a client's own product). Their privacy practices are their own; this Policy does not cover them, and we encourage you to read their policies.
18. Changes to this Policy
We may update this Policy as our services, Apps, or the law evolve. The "Last updated" date above always reflects the current version. For material changes, we will provide reasonable prominent notice — such as a notice on the Site, an in-App notice, or an email where we have one for you — before the change takes effect, and where required by law we will seek renewed consent. Archived prior versions are available on request.
19. How to contact us
Website: emouna.com.mx
We respond to privacy inquiries and rights requests within 30 days. If you are in the EEA/UK and believe we have not resolved your concern, you may contact your supervisory authority; in Mexico, INAI; in California, the California Privacy Protection Agency.