Preamble
Echo is a long-term cognitive layer. It exists to remember the things founders forget — decisions, emotional tone, recurring patterns, moments of clarity. Memory of this kind is intimate, and the trust required to hold it is non-negotiable.
This policy describes — in plain language — what we collect, why we collect it, where it lives, who can access it, and how you can take it back at any time. If anything below is unclear, write to privacy@talktoecho.com and a human will reply.
The doctrine
Trust is Echo's foundation. We choose long-term trust over short-term growth. Always.
- We never sell your data. Not aggregated. Not anonymized. Not in any form.
- We never train models on your reflections. Your entries are not used to improve Echo's AI or any third-party model.
- We never share with advertisers. Echo carries no advertising and integrates no advertising SDKs.
- You own your memory. Export everything, anytime. Delete everything, anytime.
What we collect
We only collect what Echo needs to do its job. Nothing else.
- Account information: Apple or Google identity token used to sign in. We store an opaque user ID, an email if you've granted it, and your display name if you've set one.
- Voice & video entries: Audio (and optionally video) you record inside Echo. Stored on private object storage with signed access URLs.
- Transcripts & summaries: Text generated from your voice entries, plus the structured insights, mood signals, and patterns Echo derives from them.
- App usage signals: Crash reports and minimal diagnostic events (e.g. "recording failed") to keep Echo reliable. No behavioral profiling.
We do not collect your contacts, your location, your browsing history, your health data, or biometric identifiers. Echo does not fingerprint your device.
Why we collect it
Every byte we hold has one of three purposes — and only those three:
- 01 Operate: Authenticate you, store your reflections, deliver Echo's features.
- 02 Reflect: Generate transcripts, summaries, and patterns from your own entries — for your eyes only.
- 03 Improve reliability: Diagnose crashes and protect against abuse. Aggregated, never tied to your reflections.
AI & third-party processors
Echo uses a small number of carefully chosen processors to operate. Each one is bound by a data-processing agreement that forbids using your content for their own purposes.
Security
Your reflections are encrypted at rest (AES-256) and in transit (TLS 1.3). Authentication uses Apple Sign In or Google ID tokens via Supabase's secure flows. Session tokens live in iOS Keychain or Android Keystore — never in plain storage.
Database access is gated by row-level security policies that ensure one user's data is never reachable from another's session. Object storage is accessed only through short-lived signed URLs.
We are a small, security-conscious team. If you find a vulnerability, please disclose it responsibly to security@talktoecho.com.
Your rights
You can exercise all of the following from inside the app, or by writing to privacy@talktoecho.com.
- Access: Receive a complete copy of your data.
- Export: Download all entries, transcripts, and insights.
- Rectify: Correct anything that is inaccurate.
- Delete: Erase your account and all associated content within 30 days.
- Restrict: Pause processing while preserving your data.
- Object: Object to specific processing activities.
Children
Echo is intended for adults. We do not knowingly collect data from anyone under 16. If you believe a child has created an Echo account, write to us and we will delete it.
International transfers
Echo may transfer data outside your country of residence (notably between the EU and the US) when required by our processors. These transfers are governed by Standard Contractual Clauses approved by the European Commission, and equivalent safeguards elsewhere.
Retention
We keep your reflections for as long as your Echo account exists, so that the long-term memory remains intact. When you delete your account, all associated voice, video, transcripts, summaries, and metadata are permanently erased within 30 days.
Backups are encrypted, rotated, and pruned within 90 days. Crash telemetry is retained for 90 days.
Changes to this policy
If we update this policy in any meaningful way, we will notify you inside the app and by email at least 30 days before the change takes effect. The version number and last-updated date at the top of this page will always reflect the current policy.
Contact
For privacy questions, data requests, or anything you don't want to send to a generic inbox:
privacy@talktoecho.com
Echo is memory with intelligence. Trust is the part that lets memory mean anything at all.