
Privacy Policy

Effective Date: March 14, 2026

Last Updated: March 14, 2026

This Privacy Policy describes how Ash & Ember LLC, a Utah limited liability company ("Ash & Ember," "we," "us," or "our"), collects, uses, shares, and protects information when you use Ash & Ember Society (the "Service"). By using the Service, you agree to this Privacy Policy and to our Terms of Service and End User License Agreement.

This Privacy Policy applies to the Service as accessed through any web browser or progressive web app. It does not apply to third-party websites, products, or services, even if linked from the Service.

1. Who We Are

The data controller for personal information collected through the Service is Ash & Ember LLC, with contact email support@ashember.vip. For users in the European Union or United Kingdom, references in this Privacy Policy to "controller" have the meaning given in the General Data Protection Regulation (GDPR) and the UK GDPR, respectively.

2. Information We Collect

We collect information in three categories: information you provide directly, information collected automatically, and information from third parties.

Information you provide directly. When you create an account, we collect your email address and password (the password is hashed and managed by our authentication provider; we do not store it in plain text). When you complete onboarding or update your profile, we collect optional information such as a display name, avatar photo, city, state or region, experience level, and membership tier preference. When you use core features, we collect the content you create, including humidor entries (cigar identifiers, quantities, purchase dates, prices paid, sources, aging start dates, notes), smoke and burn logs (ratings, written reviews, smoke duration, pairing drinks, timestamps), community posts and comments in the Lounge, photos you upload, and any feedback you submit.

Payment information. When you purchase a paid subscription, payment is processed by our payment processor, Stripe. We do not collect or store full payment card numbers. We receive limited information from Stripe, such as the last four digits of your card, card brand, expiration month and year, billing country, transaction identifiers, and subscription status. Your full card details are collected and stored by Stripe under Stripe's privacy policy.

Information collected automatically. When you use the Service, we and our service providers collect technical information about your device and use of the Service, including IP address, browser type and version, operating system, device type, language preferences, referring page, pages viewed, links clicked, timestamps of activity, approximate location derived from IP address, performance metrics (such as Largest Contentful Paint, Cumulative Layout Shift, Interaction to Next Paint, First Contentful Paint, and Time to First Byte), and crash and error diagnostics. This information is collected through standard web server logs and through our analytics and error-monitoring providers (Vercel Speed Insights and Sentry).

Location information. The Service may request your approximate or precise device location to surface nearby cigar shops and related content. Location access is optional and is requested through your browser or device. You can disable location access at any time through your browser or device settings.

Cookies and similar technologies. The Service uses cookies, local storage, session storage, IndexedDB, and a service worker to maintain your signed-in session, remember view preferences (such as your grid versus list toggle for browsing the cigar catalog), cache assets for performance and limited offline access, and support core features. The Service does not currently use third-party advertising cookies.

Information from third parties. We may receive information about you from our service providers (for example, payment confirmation events from Stripe) and from publicly available sources. If you choose to sign in using a third-party identity provider, we may receive basic profile information from that provider in accordance with the permissions you grant.

3. How We Use Information

We use the information we collect to operate, provide, maintain, secure, and improve the Service; to create and manage your account; to authenticate you; to process payments and manage subscriptions; to display your User Content within the Service; to personalize features such as aging alerts, smoking conditions based on your city, and content recommendations; to communicate with you about your account, transactions, support requests, and material changes to the Service or our policies; to surface nearby shops based on your location; to enforce our Terms of Service and EULA; to detect, prevent, and respond to fraud, abuse, security incidents, and other unlawful activity; to analyze and improve the performance, reliability, and usability of the Service; to develop new features; to comply with legal obligations; and to establish, exercise, or defend legal claims.

We do not sell your personal information, and we do not use it for cross-context behavioral advertising.

4. Legal Bases for Processing (EU and UK Users)

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar data protection laws, we rely on the following legal bases to process your personal information: performance of a contract with you, where processing is necessary to provide the Service you have requested; our legitimate interests in operating, securing, analyzing, and improving the Service, provided those interests are not overridden by your rights and interests; your consent, where we ask for it (for example, for precise location access or for optional marketing communications); and compliance with a legal obligation, where we are required to process information under applicable law.

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. How We Share Information

We share personal information only in the following circumstances.

Service providers. We share information with vendors and service providers who perform services on our behalf. Current providers include Supabase (database, authentication, and file storage), Stripe (payment processing and subscription management), Google (Google Maps, Google Places, and Google Identity services where applicable), Vercel (hosting, edge delivery, and Speed Insights real-user monitoring), Sentry (error and performance monitoring), and Open-Meteo (public weather data for smoking conditions; queries are made with city or coordinate context). These providers are authorized to use personal information only as necessary to provide services to us.

Other users. The Service includes community features. Content you post in the Lounge, public profile fields you choose to display, ratings, reviews, and other content you submit to public areas of the Service may be visible to other users and, in some cases, to the public.

Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of company assets, or transition of service to another provider, your information may be transferred as part of that transaction, subject to standard confidentiality protections. We will notify you of any change in ownership or in the uses of your personal information that would require your consent.

Legal and safety. We may disclose information if we believe in good faith that disclosure is necessary to comply with a law, regulation, legal process, or governmental request; to enforce our Terms of Service or EULA; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Ash & Ember, our users, or others.

With your consent. We may share information for any other purpose disclosed to you and with your consent.

6. International Data Transfers

We are based in the United States, and our service providers operate in the United States and other countries. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other jurisdictions that may have different data protection laws than your country.

Where required by law, we rely on appropriate safeguards for international transfers, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms made available by our service providers. You may request a copy of the applicable safeguards by contacting us at support@ashember.vip.

7. Data Retention

We retain personal information for as long as your account is active and as needed to provide the Service. We retain certain information after account closure as needed to comply with legal obligations, resolve disputes, prevent fraud and abuse, enforce our agreements, maintain reasonable business records (including tax and accounting records), and back up our systems. Backup copies of deleted data may persist for a limited additional period before being overwritten in the ordinary course of our backup rotation. Aggregated or de-identified information that cannot reasonably be linked to you may be retained indefinitely.

8. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information. These include encryption in transit using HTTPS, password hashing handled by our authentication provider, access controls, role-based authorization at the database layer, logging and monitoring, and the resilience and watchdog mechanisms built into the Service. No security measure is perfect, and we cannot guarantee the absolute security of your information. You are responsible for safeguarding your account credentials and notifying us promptly of any suspected unauthorized access.

9. Your Choices and Rights

Account information. You can review and update most account information through the account management area of the Service. You can delete your account by contacting us at support@ashember.vip. Account deletion is subject to the retention practices described in Section 7.

Communications. You can opt out of non-transactional emails by following the unsubscribe instructions in those emails. We may still send transactional communications related to your account, security, and the Service.

Location. You can disable precise location access through your device or browser settings.

Cookies and local storage. Most browsers let you block or delete cookies and clear local storage. Disabling these may affect functionality, including your ability to remain signed in.

EU and UK rights. If you are located in the European Economic Area or the United Kingdom, you have the right to access your personal information; to correct inaccurate or incomplete information; to request deletion; to restrict or object to certain processing; to data portability; and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority, including your local data protection authority or, in the United Kingdom, the Information Commissioner's Office.

To exercise these rights, contact us at support@ashember.vip. We will respond within the time required by applicable law. We may need to verify your identity before fulfilling your request.

10. California Privacy Rights (CCPA and CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the following rights regarding personal information we collect about you.

Right to know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.

Right to delete. You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

Right to correct. You have the right to request that we correct inaccurate personal information.

Right to opt out of sale or sharing. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California law.

Right to limit use of sensitive personal information. To the extent we collect "sensitive personal information" as defined under California law, we do not use or disclose it for purposes that would require an opt-out under California law.

Right to non-discrimination. We will not deny you services, charge you a different price, or provide a different level of service because you exercise your privacy rights.

To exercise these rights, contact us at support@ashember.vip. You may designate an authorized agent to make a request on your behalf, subject to verification.

Categories of personal information we have collected in the past twelve months include identifiers (such as email address, account ID, and IP address), customer records (such as name and contact information you provide), commercial information (such as subscription and transaction history), internet or other electronic network activity information (such as device and usage data), geolocation data (approximate, and precise where you grant permission), audio, electronic, visual, or similar information (such as photos you upload), and inferences drawn from the foregoing. We have disclosed these categories to service providers as described in Section 5.

11. Utah Consumer Privacy Act

If you are a Utah resident, the Utah Consumer Privacy Act gives you the right to confirm whether we process your personal data, to access that data, to delete personal data you provided to us, to obtain a copy of your personal data in a portable format, and to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data. We do not engage in the sale of personal data or in targeted advertising as those terms are defined under Utah law. To exercise these rights, contact us at support@ashember.vip.

12. Other U.S. State Privacy Rights

Residents of other U.S. states with comprehensive consumer privacy laws (including, where applicable, Colorado, Connecticut, Virginia, Texas, Oregon, and others) may have additional rights regarding their personal information, including rights to access, correct, delete, port, and opt out of targeted advertising or sales. To exercise rights available to you under the law of your state, contact us at support@ashember.vip.

13. Children's Privacy

The Service is intended for adults of legal age to use tobacco products in their jurisdiction, which is at least twenty-one (21) years in the United States. The Service is not directed to children under thirteen (13) and we do not knowingly collect personal information from anyone under the applicable age. If we learn that we have collected personal information from a person below the applicable age, we will delete that information promptly. If you believe a minor has provided personal information to us, contact us at support@ashember.vip.

14. Do Not Track

Some browsers offer a "Do Not Track" signal. There is no widely accepted standard for how to respond to such signals, and the Service does not currently respond to them. Where required by law, the Service honors recognized opt-out preference signals such as the Global Privacy Control.

15. Third-Party Services and Links

The Service may include links to third-party websites, products, or services, or may surface information about third-party shops, brands, or vendors. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third party before providing personal information.

16. Service Providers' Policies

The third-party providers we use have their own privacy policies. We recommend reviewing them: Supabase, Stripe, Google, Vercel, Sentry, and Open-Meteo. The list of providers may change as the Service evolves; the current list is described in this Privacy Policy and in our Terms of Service.

17. Automated Decision-Making

We do not engage in automated decision-making that produces legal or similarly significant effects on you without human involvement.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects the most recent change. If we make material changes, we will provide notice through the Service or by email before the changes take effect. Your continued use of the Service after the changes take effect constitutes your acceptance of the updated Privacy Policy.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, contact us at:

Ash & Ember LLC

Email: support@ashember.vip

If you are located in the European Union or United Kingdom and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.