Privacy Policy

Effective date: August 14, 2025
Controller: EchoType
Contact: echotypecontact@gmail.com

1) What we collect

• Account data: Email address, password hash (managed by Firebase Auth), Firebase UID.
• Billing data: We use Stripe. We receive non-card details such as customer ID, subscription status, invoices, and payment intent metadata. We do not store full card numbers.
• Operational/app data: Minimal profile (e.g., theme preference), subscription status attached to your user record, and event logs needed to operate Cloud Functions/webhooks.
• Typed content: Your text is processed locally by EchoType and is not sent to our servers.
• Waitlist/feedback (optional): If you join a waitlist or contact us, we store your submitted email/message.
• Automatically collected: Basic device/browser info and service logs (e.g., request timestamps, error logs). We do not run behavioral advertising trackers.

2) Why we collect it (legal bases)

• Provide and secure the Service (contract, legitimate interests).
• Process payments and manage subscriptions (contract, legal obligation).
• Communicate with you about the Service (legitimate interests/consent where required).
• Comply with law (e.g., tax, fraud prevention).

3) Third-party processors

We use trusted vendors to run the Service:

• Google Firebase (Authentication, Firestore, Hosting, Cloud Functions)
• Stripe (payments, customer portal)

4) Cookies & local storage

We use strictly necessary cookies/local storage to keep you signed in and remember settings (e.g., theme). We do not use third-party advertising cookies.

5) Data retention

• Account & subscription records: while your account is active, then up to 7 years where needed for tax/audit.
• Logs: typically 90 days unless needed to investigate issues.
• Waitlist/feedback: until we send the update or you ask us to delete it.

6) Your choices & rights

• Access, correction, deletion, portability. Email us or use in-app tools to update or delete your account.
• Marketing. If we ever send newsletters, you can unsubscribe.
• GDPR (EEA/UK). You may have additional rights and can object or restrict processing where applicable. Legal bases: contract, legitimate interests, consent (where used), legal obligation.
• CCPA/CPRA (California). We do not “sell” or “share” personal information for cross-context advertising. You can request access or deletion.

Submit requests at echotypecontact@gmail.com. We may ask you to verify your identity.

7) Children’s privacy

EchoType is not directed to children under 13 (or 16 in the EEA/UK). Do not use the Service if you are under the applicable age.

8) Security

We use industry-standard measures (encryption in transit, access controls, least-privilege). No system is perfectly secure; please keep your account credentials safe.

9) International transfers

We and our processors may process data in the United States and other countries. We rely on approved transfer mechanisms where required (e.g., SCCs).

10) Changes

We’ll update this Policy when needed and post the new effective date. For material changes, we’ll provide reasonable notice.

11) Contact

Questions or privacy requests: echotypecontact@gmail.com