Legal
At ECHO, your privacy is fundamental. This policy explains what data we collect, how we use it, and your rights.
We collect your name, email address, and account credentials when you sign up. When you create a capsule, we store the message content, media files, recipient information, and opening date. We also collect basic usage analytics (page views, feature usage) to improve the product.
Your data is used solely to provide the ECHO service: storing your capsules, delivering them on time, and sending transactional emails. We never sell your data to third parties. We never use your capsule content for advertising, training, or any purpose other than delivering it to your intended recipients.
All capsule content is encrypted at rest with AES-256-GCM. Media files are stored on AWS S3 with 99.999999999% durability. Data is transmitted over TLS 1.3. Encryption keys are managed server-side with strict access controls; while our infrastructure technically has access to the keys needed to operate the service, we never access your capsule contents for any purpose other than delivering them to your intended recipients.
You have the right to access, correct, export, or delete your personal data at any time. Under GDPR, you can also request data portability and object to processing. To exercise any of these rights, contact us at privacy@echo.app.
Account data is retained until you delete your account. Capsule content is retained indefinitely for as long as the service is active, so your memories are preserved. You can request deletion of your capsules at any time through your account settings. Payment records are retained as required by law, typically 10 years. Analytics data is retained for 30 days.
We process your data under the following legal bases: (1) Consent — when you create an account and agree to our terms, you consent to the processing of your data for the service. You may withdraw consent at any time. (2) Contract performance — processing necessary to deliver capsules, send notifications, and provide the core ECHO service. (3) Legitimate interest — limited analytics to improve the product, fraud prevention, and security monitoring. (4) Legal obligation — retaining payment and transaction records as required by applicable law.
Your data may be processed by third-party services located outside the EU, including: Vercel (hosting, USA), AWS S3 (storage, USA), Stripe (payments, USA), Resend (emails, USA). These transfers are protected by Standard Contractual Clauses (SCCs).
We use the following sub-processors to provide the ECHO service: Vercel (hosting and edge functions), AWS / Amazon Web Services (S3 file storage), Stripe (payment processing), Resend (transactional emails), and Google (OAuth authentication). Each sub-processor is bound by data processing agreements and processes data only as necessary to provide their respective services.
You have the right to lodge a complaint with a supervisory authority, in particular the CNIL (Commission Nationale de l'Informatique et des Libertés) in France: www.cnil.fr.
For privacy-related questions, contact our Data Protection Officer at privacy@echo.app.
Last updated: March 2026