Privacy Policy

Effective Date: February 24, 2026

1. Introduction

Welcome to Sembla, operated by DataLight LLC (“us”, “we”, or “our”). This Privacy Policy explains how we collect, use, process, and protect information that results from your use of our Service at https://sembla.ai.

We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy. Our Terms of Service govern all use of our Service and together with this Privacy Policy constitute your agreement with us (“Agreement”).

2. Definitions

SERVICE means the platform available at https://sembla.ai operated by DataLight LLC.

PERSONAL DATA means data about a living individual who can be identified from those data or from those data combined with other information in our possession.

USAGE DATA means data collected automatically from the use of the Service or its infrastructure (for example, the duration of a page visit).

CUSTOMER DATA means the data you connect to or write within the Service, including data retrieved and stored from third-party tools you authorize via OAuth, and content you create in your workspace pages.

WORKSPACE CONTEXT means the structured, AI-transformed representation of your Customer Data as stored in your Sembla workspace pages.

COOKIES means small files stored on your device used to track activity and retain certain information.

DATA CONTROLLER means the entity that determines the purposes for which personal data are processed. DataLight LLC is the Data Controller for personal data processed under this policy.

DATA PROCESSORS (OR SERVICE PROVIDERS) means any natural or legal person who processes data on behalf of the Data Controller.

THE USER is the individual using our Service, corresponding to the Data Subject.

3. Information Collection and Use

We collect several types of information to provide and improve the Service to you.

4. Types of Data Collected

Personal Data

While using our Service, we may ask you to provide personally identifiable information that can be used to contact or identify you (“Personal Data”). This may include, but is not limited to:

  • Contact information (name, email address)
  • Professional information (role, company name, job title)
  • Account credentials and authentication tokens
  • Billing information (processed by Paddle — we do not store payment card details)
  • Feedback, support inquiries, and communications
  • Workspace configuration and preferences

We may use your Personal Data to contact you with newsletters, marketing, or promotional materials. You may opt out at any time by following the unsubscribe link.

Data from Connected Third-Party Tools

When you connect third-party workplace tools (such as Jira, YouTrack, Slack, GitLab, GitHub, Notion, Google Calendar, Confluence, or other supported integrations) via OAuth, we access, retrieve, and store data from those tools on your behalf. This may include:

  • Issues, tickets, and project data from project trackers
  • Messages and threads from messaging platforms
  • Pull requests, merge requests, and code metadata from version control systems
  • Calendar events and meeting data
  • Documents and pages from knowledge bases

This data is retrieved on a regular sync schedule and transformed into structured workspace pages stored on our servers. This persistent storage is what enables AI composition and cross-tool synthesis. You can view, edit, and delete all stored workspace content at any time through your dashboard. We access only the scopes you authorize during the OAuth flow.

Data About Third Parties

When you sync workplace tools, the retrieved data may include information about other individuals — such as colleagues, teammates, or counterparties — who appear in those tools. You are responsible for ensuring you have an appropriate basis to sync and process such data under applicable law. We process this data solely to build and maintain your workspace context and do not use it for any independent purpose.

Workspace Context and AI-Inferred Data

Sembla builds a workspace context from your connected tool data and your own written content. This includes an “About Me” profile derived from your stated preferences and inferences from your workspace activity. Inferred information is clearly labeled as such. You can view, edit, delete, or reject any inferred entry at any time.

Usage Data

We automatically collect information when you access the Service, including your IP address, browser type and version, pages visited, time and date of access, time spent on pages, and other diagnostic data.

Tracking Cookies Data

We use cookies and similar tracking technologies to operate the Service and improve your experience. You can configure your browser to refuse cookies; however, some parts of the Service may not function correctly without them.

Examples of cookies we use:

  • Session Cookies: To operate the Service during your session.
  • Preference Cookies: To remember your settings and preferences.
  • Security Cookies: For authentication and fraud prevention.

5. Use of Data

DataLight LLC uses collected data for the following purposes:

  • To provide, operate, and maintain the Service;
  • To sync and structure your connected tool data into your workspace;
  • To generate AI-powered context summaries, composition outputs, and action proposals;
  • To operate the MCP server feature that exposes your structured workspace context to external AI tools you authorize;
  • To notify you about changes to the Service or your subscription;
  • To provide customer support and respond to inquiries;
  • To monitor and analyze usage to improve the Service;
  • To detect, prevent, and address technical issues and security threats;
  • To process billing and subscription management through Paddle;
  • To send transactional and, where consented, marketing communications;
  • To fulfill any other purpose for which you provide information or grant consent.

6. AI Processing and Workspace Context

The core function of Sembla involves AI-driven transformation of your Customer Data. Connected tool data is processed by large language models (LLMs) to generate structured summaries, cross-reference entities, and compose work artifacts. This processing occurs on our infrastructure and via third-party LLM providers (see Service Providers below).

Your Customer Data is not used to train foundational AI models by our LLM providers under our data processing agreements with them. We process your data solely to deliver the Service to you.

The “About Me” profile within your workspace is built from your stated preferences and inferences derived from your usage patterns. Inferred entries are updated on a nightly basis. All inferences are visible to you in the dashboard, and you may edit, delete, or permanently reject any entry.

7. Retention of Data

We retain your Personal Data for as long as necessary to provide the Service and fulfill the purposes described in this policy. Upon account deletion, your workspace data and personal information are deleted within 30 days, except where retention is required by law.

8. Transfer of Data

Your information, including Personal Data, may be transferred to and processed on servers located outside your country of residence. DataLight LLC takes all steps reasonably necessary to ensure your data is treated securely and in accordance with this Privacy Policy.

9. Disclosure of Data

We may disclose personal information we collect or that you provide in the following circumstances:

(a) Disclosure for Law Enforcement
Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities.

(b) Business Transaction
If DataLight LLC is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

(c) Other Cases
We may also disclose your information:

  • To our subsidiaries and affiliates;
  • To contractors, service providers, and other third parties we use to support our business;
  • To fulfill the purpose for which you provide it;
  • With your consent in any other cases;
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of the Company, our users, or others.

10. Data Security

We implement industry-standard physical, procedural, and electronic security measures to protect your Personal Data, including encryption in transit and at rest. OAuth access tokens for connected tools are stored securely and never exposed in plaintext. MCP API tokens you generate are shown once at creation and are your responsibility to secure thereafter.

11. Your Data Protection Rights Under GDPR

If you are a resident of the European Union (EU) and European Economic Area (EEA), you have certain data protection rights covered by GDPR. If you wish to be informed what Personal Data we hold about you or want it to be removed from our systems, please email us at hello@sembla.ai. In certain circumstances, you have the following rights:

  • The right to access, update, or delete the information we hold about you.
  • The right of rectification if your information is inaccurate or incomplete.
  • The right to object to our processing of your Personal Data.
  • The right of restriction on the processing of your personal information.
  • The right to data portability in a structured, machine-readable format.
  • The right to withdraw consent at any time where processing is based on consent.

12. Your Rights Under CalOPPA

CalOPPA is the first state law in the nation to require commercial websites to post a privacy policy. According to CalOPPA we agree to the following:

  • Users can visit our site anonymously;
  • Our Privacy Policy link includes the word “Privacy” and can easily be found on the home page;
  • Users will be notified of any privacy policy changes on our Privacy Policy page;
  • Users are able to change their personal information by emailing us at hello@sembla.ai.

Our Policy on “Do Not Track” Signals: We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place.

13. Your Rights Under CCPA

If you are a California resident, you are entitled to learn what data we collect about you, ask to delete your data, and opt out of its sale. To exercise your data protection rights, you can make the following requests:

(a) What personal information we have about you.
We will return the categories of personal information we have collected, the sources, the business purpose, and the specific pieces of information. You are entitled to ask up to two times per twelve-month period.

(b) To delete your personal information.
We will delete the personal information we hold about you as of the date of your request and direct any service providers to do the same.

(c) To stop selling your personal information.
We do not sell your personal information for monetary consideration. To exercise your California data protection rights, contact us at hello@sembla.ai.

14. Service Providers

We employ third-party companies and individuals to facilitate our Service. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Analytics

Cloudflare Analytics — privacy-preserving web analytics. Privacy Policy

Large Language Models

Anthropic (Claude) — LLM provider for AI composition and context synthesis. Anthropic processes this data under our API agreement and does not use it to train foundational models. Privacy Policy

Hosting and Infrastructure

Supabase — database and authentication infrastructure. Privacy Policy

Cloudflare — DNS, CDN, and edge infrastructure. Privacy Policy

Payments

Paddle — payment processing, billing, and subscription management as our Merchant of Record. We do not store or have access to your payment card details. Privacy Policy

15. Use of Google User Data

(a) Google OAuth for Authentication

If you choose to sign up or log in using your Google account, we access your basic profile information (name, email address, and Google account ID) solely to create and manage your account. This data is not shared with third parties and not used for advertising.

(b) Connected Google Services

When you connect a Google service (such as Google Calendar), we may access account identifiers and calendar data to provide our sync and AI composition features. OAuth tokens are stored securely and used only to access your data on your behalf. You may revoke our access at any time via your Google Account settings.

Compliance and Limitations

We do not sell or share Google user data with third parties. DataLight LLC’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

16. MCP Server and External AI Tools

If you enable the MCP (Model Context Protocol) server feature, your structured workspace context is made accessible to external AI tools via API tokens you generate within the Service. Tokens are read-only by default. We log MCP access events for security and auditing purposes.

17. Links to Other Sites

Our Service may contain links to third-party websites not operated by us. We have no control over and assume no responsibility for the content or privacy practices of any third-party sites.

18. Children's Privacy

Our Services are not intended for use by children under the age of 18. We do not knowingly collect personally identifiable information from children under 18. If you become aware that a child has provided us with Personal Data, please contact us.

19. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Effective Date” at the top. Changes are effective when posted.

20. Contact Us

If you have any questions about this Privacy Policy, please contact us at: hello@sembla.ai