Privacy Policy

Your privacy matters. This policy explains what we collect, why we collect it, how we use and share it, and the choices you have. It applies to (a) echo mobile app users (iOS and Android), (b) echo web users, (c) Advertisers using our ad tools, and (d) visitors to our websites.

Key definitions

• echo / echo app: our AI chat platform available on iOS, Android, and web that streams AI model responses and may display advertisements.
• Advertiser: a business using echo's tools to upload creatives, set budgets, and measure performance.
• Personal information: any information that identifies or can be reasonably linked to an individual or household.
• Cross-context behavioral advertising (CPRA): ads targeted based on activity across businesses, sites, apps, or services.

Information we collect

A. From echo mobile app users (iOS & Android)

• Account & identity:
  • Email address, password (hashed), display name
  • Apple ID or Google account information when you use Sign in with Apple or Google OAuth (name, email, unique identifier provided by Apple/Google)
  • Payout information if you participate in earnings/rebates (payment account details such as PayPal email or Venmo phone number, and where required by law, tax information)
• Chat content & metadata:
  • Messages you send to AI models
  • AI responses generated for you
  • Conversation history, timestamps, message metadata
  • Files and images you upload or attach to messages (stored on our servers)
  • Session IDs, token-level streaming metrics, latency data
• Device & technical information:
  • Device type, model, operating system version (iOS/Android)
  • Unique device identifiers (advertising ID, installation ID)
  • App version, SDK version
  • IP address and approximate location (derived from IP)
  • Network type (WiFi, cellular)
  • Crash logs, error reports, performance metrics
  • Screen size, device language and timezone settings
• Usage & analytics data:
  • App usage patterns, features accessed, screens viewed
  • Session duration, frequency of use
  • User interactions (taps, swipes, navigation)
  • Session replay data: We use PostHog analytics which includes session replay capabilities. This may record your interactions within the app (screen touches, navigation, UI interactions) to help us understand user behavior and improve the app. Session replays are anonymized and do not include sensitive text input from chat messages. You can opt out by contacting us.
  • Performance metrics (app startup time, screen load times)
• Camera & photo library access:
  • When you choose to attach images to conversations, we access your photo library or camera
  • Images are uploaded to our servers and stored in connection with your conversations
  • We do not access your photos without your explicit permission via system prompts
• Push notification data:
  • Push notification tokens from Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM)
  • Notification preferences and settings
  • Notification interaction data (opened, dismissed)
• Local storage:
  • Authentication tokens stored securely on your device
  • App preferences and settings
  • Cached conversation data for offline access
  • Message queue for offline message sending
• Ad interaction signals: when an ad is rendered, viewed, clicked, dismissed, or converted; basic device and session context for measurement (e.g., user agent, approximate location based on IP).
• Trust & safety features: signals we compute to prevent fraud and abuse (e.g., anomalous behavior patterns, duplicate accounts, invalid activity).
• Support communications: messages you send us via email or in-app support.

B. From web users

• Account & identity: name, email, username, password; OAuth data from social logins; payout info if participating in rebates.
• Chat content & metadata: messages, conversation history, timestamps, session data.
• Device & usage: IP address, browser type, OS, crash logs, performance metrics, cookie IDs.
• Ad interaction signals: ad impressions, viewability, clicks, conversions; device and session context.

C. From Advertisers

• Account & business info: company name, contact info, billing contacts, legal representative, tax/VAT IDs where applicable.
• Campaign data: creatives, titles, product URLs, categories, budgets, bids, targeting parameters, webhooks you configure, conversion signals.
• Payment info: invoicing details, payment method tokens (processed by our payment provider), transaction history.
• Platform usage: login history, role/permissions, API keys, audit logs.

D. From third parties & service providers

• Supabase: We use Supabase for backend data storage and authentication. Supabase processes your account data, chat messages, and files on our behalf under our data processing agreement.
• PostHog: We use PostHog for analytics and session replay. PostHog processes usage data, session recordings, and app performance metrics on our behalf.
• Apple & Google: When you use Sign in with Apple or Google Sign-In, we receive your name, email, and unique identifier from Apple/Google according to their terms.
• Expo / React Native: We use Expo's services for app distribution, crash reporting, and over-the-air updates (if enabled).
• Affiliate networks & merchants: basic conversion data when you click an affiliate link and complete an action (e.g., an order ID, amount, timestamp)—we do not receive your full payment card details from merchants.
• Payment processors: For payouts, we use third-party payment services (e.g., PayPal, Venmo) which have their own privacy policies.
• Compliance & KYC (when required for payouts): limited identity or sanctions-screening information from verification providers.

How we use information

• Provide and improve echo:
  • Authenticate users and maintain account security
  • Process and deliver AI chat responses
  • Store and sync conversations across devices
  • Enable file uploads and sharing in conversations
  • Send push notifications about new messages and app updates
  • Maintain app performance, fix bugs, and enhance features
  • Provide offline functionality and message queuing
• Analytics & improvement:
  • Understand how users interact with the app
  • Identify and fix crashes and errors
  • Analyze session replays to improve user experience (anonymized)
  • Measure app performance and optimize load times
  • Research and develop new features
• Ads selection & measurement: infer broad intent from on-page context and your chat session to select relevant ads; measure impressions, viewability, clicks, and downstream conversions; attribute revenue (including affiliate commissions).
• Earnings & payouts: calculate earnings eligibility and amounts from task completion and ad interactions; process payments; meet tax and accounting obligations.
• Trust, safety, and anti-fraud: detect invalid traffic and abuse; compute a trust score that may affect earnings or account standing; take action on suspected fraud (e.g., hold or deny payouts, suspend accounts). You can appeal actions—see Your Choices & Rights.
• Communications: send push notifications, transactional messages (receipts, policy updates, security alerts) and, if you opt in, product updates or surveys.
• Legal compliance: comply with law, enforce terms, and protect echo, our users, advertisers, and the public.

Legal bases (EEA/UK only)

We rely on: Contract (to provide the service), Legitimate interests (security, product improvement, measurement with safeguards), Consent (cookies/marketing/analytics where required), and Legal obligation (tax/records).

When we share information

We do not sell your personal information. We may share (as defined by CPRA) limited identifiers and usage/ad interaction data for cross-context behavioral advertising where permitted and subject to your choices.

• Service providers / processors:
  • Supabase: Backend infrastructure, database hosting, authentication (bound by data processing agreement)
  • PostHog: Analytics, session replay, crash reporting (bound by data processing agreement)
  • Cloud storage providers: For uploaded files and images (Amazon S3 or similar)
  • Expo: App distribution, push notifications, crash reporting
  • Apple & Google: Push notification delivery (APNs, FCM), OAuth authentication
  • Email service providers: Transactional emails and notifications
  • Payment processors: PayPal, Venmo, or other payout services
  • All service providers are bound by contract to use data only on our behalf
• Affiliate networks & merchants: to attribute conversions when you follow an affiliate link.
• Ad & measurement partners: to serve, measure, and prevent fraud in ads (e.g., impression/click metadata, coarse location, device info). We do not provide your chat transcripts to advertisers. If you submit info inside an advertiser's form or site, that is governed by their policy.
• Corporate transactions: business transfer, merger, acquisition.
• Legal & safety: to comply with law, court orders, or protect rights, safety, and security.
• With your consent: when you direct us to share information with third parties.

Mobile app-specific data collection

iOS & Android permissions

The echo mobile app requests the following permissions:

• Camera: To take photos to attach to conversations. Only accessed when you explicitly tap the camera button. You can deny this permission and still use the app.
• Photo Library: To select existing photos to attach to conversations. Only accessed when you tap the image attachment button. You can deny this permission and still use the app.
• Notifications: To send you push notifications about new messages, responses, earnings updates, and app notifications. You can disable notifications in device settings at any time.
• Network Access: Required to communicate with our servers, send messages, and receive AI responses.

Data stored on your device

• Authentication tokens: Stored securely in device keychain/secure storage to keep you logged in
• Conversation cache: Recent messages cached locally for offline access and faster loading
• App preferences: Settings, theme preferences, notification preferences
• Pending messages: Messages queued for sending when you're offline are stored temporarily until connection is restored
• This data is stored only on your device and deleted when you uninstall the app or log out

Third-party SDKs & analytics

• PostHog Analytics:
  • Collects: App usage events, screen views, user interactions, device information, session duration
  • Session Replay: Records anonymized session replays showing how you interact with the app (screen touches, navigation, scrolling). Text input in chat messages is masked and not recorded. Session replays help us identify UI issues and improve user experience.
  • Purpose: Analytics, crash reporting, product improvement
  • Privacy policy: posthog.com/privacy
• Expo Platform Services:
  • Collects: Crash logs, error reports, app performance data
  • Purpose: App stability, debugging, performance monitoring
  • Privacy policy: expo.dev/privacy
• Supabase:
  • Processes: Account data, chat messages, uploaded files, application state
  • Purpose: Backend infrastructure and data storage
  • Privacy policy: supabase.com/privacy
• MediaNet (Advertising):
  • Collects: Ad impressions, clicks, device information, approximate location
  • Purpose: Serve and measure advertisements
  • Privacy policy: media.net/privacy-policy

B. From web users

• Account & identity: name, email, username, password; OAuth data from social logins; payout info if participating in rebates.
• Chat content & metadata: messages, conversation history, uploaded files, timestamps, session data.
• Device & usage: IP address, browser type, OS, crash logs, performance metrics, cookie IDs.
• Ad interaction signals: ad impressions, viewability, clicks, conversions; device and session context.

C. From Advertisers

• Account & business info: company name, contact info, billing contacts, legal representative, tax/VAT IDs where applicable.
• Campaign data: creatives, titles, product URLs, categories, budgets, bids, targeting parameters, webhooks you configure, conversion signals.
• Payment info: invoicing details, payment method tokens (processed by our payment provider), transaction history.
• Platform usage: login history, role/permissions, API keys, audit logs.

Data retention

• Chat content & uploaded files: Up to 18 months from last access, or until you delete conversations. You can delete individual conversations or all data via the app or by contacting us.
• Account data: For the life of your account plus up to 90 days after account deletion (for fraud prevention and audit). You can request immediate deletion subject to legal retention requirements.
• Analytics & session replay data: Up to 12 months for product improvement and debugging.
• Ad & measurement logs: Up to 24 months for reporting, fraud audits, and accounting.
• Earnings, payouts, and tax records: Up to 7 years or as required by law.
• Crash logs & error reports: Up to 90 days.
• We may retain de-identified or aggregated data indefinitely for research and improvement.

Security

We use industry-standard safeguards to protect your data:

• Encryption: All data transmitted between your device and our servers is encrypted using TLS/HTTPS. Data at rest is encrypted using industry-standard encryption.
• Authentication: Passwords are hashed and never stored in plain text. Authentication tokens are stored in device secure storage (iOS Keychain, Android Keystore).
• Access controls: Role-based access controls, least-privilege principles, audit logging.
• Monitoring: Continuous security monitoring, vulnerability scanning, and incident response procedures.
• Third-party security: Our service providers (Supabase, PostHog, cloud storage) maintain SOC 2 Type II or equivalent security certifications.

No system is 100% secure. We will notify you of significant data breaches as required by law.

Your choices & rights

Account & data management

• Access your data: Request a copy of your personal information we hold.
• Correct your data: Update your profile information in app settings or request corrections.
• Delete your data:
  • Individual conversations: Swipe to delete conversations in the app
  • Account deletion: Request full account and data deletion by emailing support@echollm.io with "Delete My Account" in the subject line. We will delete your account and associated data within 30 days, subject to legal retention requirements.
  • Note: Deleted data cannot be recovered. Some data may be retained for legal compliance (e.g., tax records, fraud investigations).
• Export your data: Request a machine-readable copy of your chat history and account data.

Privacy controls

• Push notifications: Disable in iOS Settings → Notifications → echo, or Android Settings → Apps → echo → Notifications.
• Analytics & session replay: Opt out by emailing support@echollm.io with "Opt Out of Analytics" in the subject.
• Camera & photo access: Revoke at any time in device settings. The app will still function without these permissions.
• Marketing preferences: Unsubscribe from promotional emails via the link in any marketing email.
• Opt-out of cross-context behavioral ads: Use Do Not Sell or Share… or email us.
• Cookie controls (web only): Adjust via Cookie Settings or your browser.

Appeal automated decisions

If our automated systems (e.g., trust score, fraud detection) adversely affect you (such as denying earnings or suspending your account), you can request human review by emailing support@echollm.io with "Appeal Decision" in the subject line. We will review your case within 30 days.

California privacy notice (CPRA)

• Categories collected: identifiers (email, device IDs, IP); internet/activity data (app usage, analytics); commercial data (earnings, conversions); geolocation (coarse, from IP); audio/visual (uploaded images); inferences (trust score for fraud prevention).
• Sensitive personal information:
  • Account credentials (password - hashed only)
  • If required for payouts: precise location for tax purposes, government IDs for verification
  • We use sensitive data only for disclosed purposes and do not use it to infer characteristics about you
• We do not sell personal information. We may share limited identifiers/activity data for cross-context behavioral advertising unless you opt out at Do Not Sell or Share.
• Rights: know, delete, correct, portability, opt-out of sale/share, limit use of sensitive data, non-discrimination. Submit requests via Data Request Form or email.
• Retention: See Data Retention section above.
• Authorized agents: We accept requests from authorized agents with proper verification.

European Economic Area (EEA) & UK rights (GDPR)

• Right to access: Request confirmation of processing and a copy of your data.
• Right to rectification: Correct inaccurate personal data.
• Right to erasure ("right to be forgotten"): Request deletion of your data.
• Right to restrict processing: Limit how we process your data in certain circumstances.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent: Where processing is based on consent.
• Right to lodge a complaint: Contact your local data protection authority if you believe we've violated GDPR.

Children's privacy

echo and our services are not directed to children under 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at support@echollm.io and we will delete it.

International data transfers

We are U.S.-based and our servers are located in the United States. If you access echo from outside the U.S., your information will be transferred to, stored, and processed in the United States. We use appropriate safeguards for international transfers:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Supplementary measures to protect your data

Cookies & tracking technologies

Web & mobile web:

• Strictly necessary: Login sessions, security, load balancing (cannot be disabled)
• Functional: Preferences, language settings
• Analytics: Usage patterns, performance, crash reporting (PostHog)
• Advertising/measurement: Ad selection, frequency capping, conversion attribution

Mobile app: The native app does not use traditional cookies but uses similar technologies:

• Local storage (AsyncStorage) for preferences and cache
• Device identifiers for analytics and crash reporting
• Advertising identifiers (IDFA on iOS, AAID on Android) for ad measurement (you can reset these in device settings)

Manage web preferences at Cookie Settings. For mobile, adjust in device settings or contact us to opt out of analytics.

Changes to this policy

We may update this policy from time to time. We'll post the new version with a new "Last updated" date and, if changes are material, provide additional notice via:

• Email to your registered address
• In-app notification
• Prominent notice on our website

Continued use of echo after changes constitutes acceptance of the updated policy.

Contact us

Privacy questions, data requests, or general support:
Email: support@echollm.io
Response time: We aim to respond within 30 days (45 days for complex requests)

If we cannot resolve your concern, you may have the right to contact your local data protection authority or file a complaint with the relevant regulatory body.

Additional disclosures

Advertiser-specific disclosures

• Controller/Processor roles: echo is a controller for data we collect via our services. For advertiser-provided data used solely to run their campaigns (e.g., creatives, targeting, webhooks), echo acts as a processor under a Data Processing Addendum (DPA) upon request.
• Measurement & fraud: we compute quality and trust signals to protect the ecosystem; we share aggregated performance reports with advertisers. We do not share users' chat transcripts.
• Third-party tags & webhooks: if you place tags or send us conversion webhooks, you're responsible for providing required notices and obtaining any necessary consents from your users.

echo mobile app-specific disclosures

• Dynamic ad insertion: ads may be inserted into AI chat responses based on conversation context; insertion is designed to be helpful and minimally disruptive.
• Affiliate links: some ads are affiliate links. echo may earn a commission if you make a purchase. Conversion data is shared with the affiliate network/merchant to attribute the transaction; we don't receive your full payment details from the merchant.
• Limits on advertiser access: advertisers receive aggregated or de-identified reports; they do not receive your chat content or personal identity from echo unless you provide it directly to them via their forms or websites.
• Offline functionality: Messages sent while offline are queued locally and automatically sent when connection is restored.
• Push notifications: Contain message previews or app updates. Managed by Apple (APNs) or Google (FCM) according to their privacy policies.

State-specific rights

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA): Similar rights to California users (access, delete, correct, opt-out of targeted advertising). Submit requests via our Data Request Form or email.

Compliance & certifications

• GDPR-compliant (European Economic Area, UK, Switzerland)
• CPRA/CCPA-compliant (California)
• COPPA-compliant (Children's Online Privacy Protection Act - we do not target or knowingly collect data from children under 13)
• Our service providers maintain SOC 2 Type II or equivalent certifications