echoease
Back to echoease

Legal

Privacy Policy

Effective: March 10, 2026

At echoease, we take your privacy seriously. This Privacy Policy describes how we collect, use, store, and share information when you use the echoease platform, including our website, dashboard, APIs, and embeddable chat widget (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.

1. Information We Collect

Account Information

When you create an account, we collect your first name, last name, and email address. During onboarding, we may also collect your company name and website URL.

Business Content

To train your AI assistant, you may upload files, URLs, manual text entries, and Q&A pairs to your knowledge base. We store this content to provide the Service.

Chat Data

When end users interact with your AI assistant through the chat widget, we collect:

  • Chat messages (questions and AI-generated responses).
  • Session metadata, including approximate geographic location (country and city, derived from IP address), device type, and browser information.
  • Feedback provided by end users (thumbs up/down ratings).

We do not store end user IP addresses beyond what is necessary for geographic inference. End user IP addresses are not associated with individual identities.

Usage Data

We collect information about how you use the Service, including feature usage, page views, and interactions within the dashboard. This helps us improve the Service.

Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers, bank account details, or other sensitive payment information on our servers. We receive and store transaction identifiers, subscription status, and billing history from Stripe.

2. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Service, including training your AI assistant and delivering chat responses.
  • Process your payments and manage your subscription.
  • Generate analytics and insights about your AI assistant's performance.
  • Send transactional communications (account verification, billing notifications, service alerts).
  • Maintain security, prevent fraud, and enforce our Terms of Use.
  • Improve and develop new features for the Service.

We do not use your data for advertising purposes. We do not sell your data to third parties.

3. AI Data Processing

To power your AI assistant, your knowledge base content and end user queries are processed by third-party AI providers. Specifically:

  • Text Embeddings: Your knowledge base content is converted into numerical representations (embeddings) by Voyage AI. These embeddings are stored in our database to enable semantic search.
  • Chat Responses: End user questions and relevant knowledge base context are sent to AI language model providers (including OpenAI, Anthropic, and Mistral) to generate responses.
  • Web Scraping: When you add URLs to your knowledge base, the content of those pages is extracted using Firecrawl.

Data isolation: Your data is never combined with other customers' data for training, fine-tuning, or any purpose other than providing the Service to you. Each customer's knowledge base is completely separate.

4. Data Sharing

We share your information only with the following categories of service providers, and only to the extent necessary to provide the Service:

  • AI Providers (OpenAI, Anthropic, Mistral, Voyage AI, Firecrawl) — for AI processing as described above.
  • Stripe — for payment processing and subscription management.
  • Supabase — for database hosting and user authentication.
  • Vercel — for application hosting and serverless functions.
  • Resend — for transactional email delivery.
  • Upstash — for caching and rate limiting.

We may also disclose your information if required to do so by law, or if we believe in good faith that disclosure is necessary to comply with legal obligations, protect our rights, or ensure the safety of our users or the public.

5. Cookies & Tracking

We use minimal cookies and tracking technologies:

  • Authentication Cookies: Session cookies to keep you signed into your dashboard account.
  • Widget Sessions: The chat widget uses short-lived JSON Web Tokens (JWTs) for session management — not browser cookies. Widget sessions do not track end users across websites.

We do not use third-party advertising trackers, social media tracking pixels, or behavioral analytics cookies.

6. Data Retention

  • Account Data: Retained while your account is active, plus 14 days after account closure to allow for data export.
  • Knowledge Base Content: Retained while your account is active. Deleted when documents are removed or your account is closed.
  • Chat Data: Conversation history is retained while your account is active.
  • Payment Records: Retained as required by applicable tax and financial regulations.
  • After Account Deletion: All personally identifiable data is permanently deleted within 14 days of account closure. Backups are purged within 30 days.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Portability: Request your data in a structured, commonly used format.
  • Objection: Object to the processing of your personal data for certain purposes.

For users in the European Economic Area (EEA), these rights are provided under the General Data Protection Regulation (GDPR). To exercise any of these rights, please contact us at privacy@echoease.ai.

8. International Data Transfers

Your data may be processed in multiple regions, including the European Union and the United States, depending on the infrastructure used by our service providers (Supabase, Vercel, AI providers). Where data is transferred outside of the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or equivalent legal mechanisms.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly.

10. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit using TLS.
  • Row-level security (RLS) policies to ensure data isolation between customers.
  • Token-based authentication (JWT) for all API access.
  • Rate limiting to prevent abuse and unauthorized access attempts.

While we take security seriously, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or through a notice in the dashboard. The "Effective" date at the top of this page indicates when the policy was last updated. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: