echo
Terms·Privacy·Community guidelines

Privacy Policy

Effective May 11, 2026

This Privacy Policy explains what information Echo collects, how we use it, and the choices you have. Echo is operated by the Echo team (“we”, “us”).

1. What we collect

You give us

  • Account info: your email, username, optional display name and bio, and (if applicable) your provider ID from a sign-in provider like Google or Apple.
  • Voice recordings:the audio you record in response to daily prompts. These are stored as audio files in our hosting provider's storage.
  • Reactions and saved voices: the emojis you tap and the recordings you bookmark.

Automatic

  • Device and log data: IP address, user agent, device type, OS, time zone, and approximate location (city-level, derived from IP).
  • Usage data: pages visited, features used, recording duration, session length. We use this to improve the product.
  • Cookies: Echo uses essential cookies for authentication. We do not use third-party advertising cookies.

2. How we use information

  • To provide the Service (auth, recording, the daily feed).
  • To keep the Service safe (rate limiting, abuse detection, moderation).
  • To improve the product (anonymous usage analytics).
  • To communicate with you (transactional emails like launch day, replies to support requests).
  • To comply with legal obligations.

We do not sell your personal information. We do not use your voice recordings to train AI models.

3. Who we share with

  • Service providers that help us operate (e.g., Supabase for database and storage, Vercel for hosting, Resend or Postmark for email, Cloudflare for DDoS protection, Sentry for error tracking, PostHog for analytics).
  • Other Echo users see your voice recordings (unless marked anonymous) and your public profile (username, display name, bio, voice archive).
  • Law enforcement or to comply with the law, including mandatory reporting of suspected child exploitation to the National Center for Missing & Exploited Children (NCMEC).

4. Your rights and choices

  • Access: you can view your profile and recordings in-app.
  • Correction: you can edit your profile any time in Settings.
  • Deletion: you can delete any recording from its menu; you can delete your entire account from Settings. Account deletion removes your profile and recordings within 30 days from active systems; encrypted backups are purged on rolling 30-day cycle.
  • Export: email privacy@echoapp.io to request a copy of your data.
  • Opt-out of analytics:if you enable “Do Not Track” in your browser or use the in-app toggle in Settings, we won't collect anonymous usage analytics about you.

5. EU / UK users (GDPR)

If you are in the EU, EEA, UK, or Switzerland, you have the right to access, correct, delete, restrict, port, or object to processing of your personal data. The legal bases we rely on are:

  • Performance of a contract (to provide the Service).
  • Legitimate interests (safety, fraud prevention, product improvement).
  • Consent (for analytics if applicable).
  • Legal obligation (to comply with law).

To exercise your rights, email privacy@echoapp.io. You may also lodge a complaint with your local data protection authority.

6. California residents (CCPA / CPRA)

You have the right to know, delete, and correct personal information, and to opt out of the sale or sharing of personal information. Echo does not sell or share your personal information for cross-context behavioral advertising.

7. Children

Echo is not for children under 13 (or 16 in some EU countries). We do not knowingly collect data from children under those ages. See our Terms for the full age policy.

8. Data retention

  • Recordings: kept while your account is active. Deleted recordings are removed within 30 days.
  • Account info: kept while your account is active. On deletion, removed within 30 days (from backups on rolling 30-day cycle).
  • Logs and error reports: 90 days.
  • Reports of abuse: until resolved, plus 1 year.

9. Security

We use encryption in transit (TLS) and at rest, follow least-privilege access, and use multi-factor authentication for our team. No system is 100% secure; if you believe your account is compromised, contact us at security@echoapp.io.

10. International transfers

Echo is hosted in the United States. If you access the Service from outside the US, you understand your information will be processed in the US under standard contractual clauses where applicable.

11. Changes

We will notify you by email or in-app of material changes at least 7 days before they take effect.

12. Contact

Privacy questions: privacy@echoapp.io
Security: security@echoapp.io
Everything else: hello@echoapp.io

This document is a plain-language Privacy Policy. It is not legal advice. You should have an attorney review it for your specific jurisdiction before launching at scale.