Effective Date: October 7, 2025. Last Updated: October 7, 2025

Summary

• Data Collection: We collect basic information (like your name, email, and profile details) to run and personalize the platform.

• AI Interactions: Your interactions with our AI (Echos) may help us improve the platform, but we take steps to protect your privacy.

• Data Sharing: We don't sell your personal data, and any sharing (like with cloud providers) is done securely and only to deliver the service.

• Your Control: You control your data – you can request access, corrections, or deletion, and opt out of certain uses anytime.

• Cookies & Analytics: Our platform uses cookies and analytics tools to enhance your experience. You can manage these in your browser or settings.

1. Introduction
2. What This Privacy Policy Covers
3. Personal Data We Collect
4. How We Use Your Personal Data
5. AI Model Training and Improvement
6. Content Moderation and Human Review
7. How We Disclose Your Personal Data
8. Biometric Information
9. Cookies and Tracking Technologies
10. Data Security
11. Data Storage and International Transfers
12. Data Retention
13. Personal Data of Children
14. U.S. State Privacy Rights
15. Exercising Your U.S. Privacy Rights
16. European Union, UK, and Other International Rights
17. Contact Information

1. Introduction

Echofly, LLC (“Echofly,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our services. By accessing or using Echofly’s platform (the “Services”), you acknowledge that you have read and agree to the practices described in this Policy. If you do not agree, please discontinue use of the Services.

Your use of Echofly’s Services is at all times subject to our Terms of Service (and any other relevant terms), which incorporate this Privacy Policy. Any capitalized terms not defined in this Policy have the meanings given to them in our Terms. We may update this Privacy Policy from time to time as we continue to improve our Services or if legal requirements change. If we make material changes, we will notify you by posting a notice on our website or contacting you via email or other means.

Your continued use of the Services after any changes indicates your acceptance of the updated Policy.

2. What This Privacy Policy Covers

This Privacy Policy covers how Echofly handles “Personal Data,” which means any information that identifies or relates to an identifiable individual. It includes personal information or similar terms as defined under applicable data protection laws. This Policy applies to data we collect through your use of our Services (including our website and platform). It does not cover data handling practices of third-party services that we do not own or control, including any third-party websites or services that you may access through our platform. Echofly is not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies separately.

3. Personal Data We Collect

Categories of Personal Data: Echofly collects various categories of Personal Data either directly from you, automatically through your interaction with the Services, or from third parties (as described below). In the last 12 months, we may have collected the following categories of Personal Data:

Profile and Contact Data: This includes information such as your first and last name, email address, phone number, username or account identifier, and any contact information you provide. We collect this when you register for an account, create a profile, or communicate with us. For creators (experts who create AI profiles or “Echos”), we may also collect additional profile details such as a biography, expertise, or credentials you choose to provide on your public profile.
Account Credentials: When you register, we collect the information you use to authenticate your account (e.g. username and password). Passwords are stored in an encrypted form.
User Profile Information: Any information you choose to add to your profile on the platform, which might include a profile photo, avatar, display name, location, or other details. Depending on your settings, some profile information may be public to other users on the platform (for example, learners may see a creator’s profile and vice versa). Private profile data (such as account settings or preferences) is also stored to personalize your experience.
User-Provided Content: All content you create, upload, or otherwise provide while using Echofly. This includes creator-generated content (such as training materials, documents, knowledge bases, prompts, or other data you upload to create or improve your AI profile (“Echo”) and user-generated content (such as the questions you ask an Echo, messages, chat transcripts, feedback, or other communications on the platform). We collect and store this content to operate the Services. Please note that content you provide might contain Personal Data if you include personal information about yourself or others, so you should only upload or share information you are comfortable being used as described in this Policy.
Usage Data and Device Information: When you use our Services, we automatically collect certain technical data about your visit. This includes information like your IP address, device identifiers, device type, browser type, operating system, referral URLs, pages or features you access, date and time of access, and interaction logs (such as clicks, chat session durations, and other usage metrics). We use cookies and similar tracking technologies (described below) to help collect this data. This Usage Data helps us understand how you interact with our platform, enables certain features, and aids us in maintaining the security and performance of the Services.
Analytics Data: We may use third-party analytics providers (for example, Google Analytics or similar tools) that set their own cookies or identifiers to collect information about how users navigate through and use our Services. This information can include pages visited, time spent, and actions taken, which we use to analyze user engagement and improve our platform.
Contact and Correspondence: If you contact us for support or otherwise (for example, via email or through a support portal), we will collect the information you provide in those communications (such as your name, email, and the content of your inquiry) in order to respond to you and resolve any issues. We may also collect contact information if you choose to subscribe to marketing communications (with your consent).
Geolocation Data: We may infer an approximate location from your IP address or choose to collect location information (e.g. country or city level location) to customize content (for example, language or regional settings) and for compliance (such as tax calculation or legal requirements by region). We do not collect precise GPS location without your explicit permission.
Sensitive Personal Data: In general, we do not actively collect sensitive personal information unless you choose to provide it. Sensitive data may include information like government-issued IDs, financial information, health or biometric identifiers, or information about your race, ethnicity, religious or philosophical beliefs, union membership, genetic data, etc. The Services do not require such data for general use. However, creators who sign up to monetize or verify their identity may be asked to provide certain identifiers (for example, a driver’s license or other ID) for identity verification or compliance purposes. In such cases, that information is collected and used only for verification and compliance, and is handled with enhanced security. We do not use sensitive personal data to infer characteristics about you for marketing or any other purposes.
Biometric Data (Creators, if applicable): If you are a creator who opts to upload images, videos, or audio of yourself to create a more lifelike AI profile (for example, to give your Echo a face or voice resembling yours), we may collect data from that content that could be considered biometric identifiers or information. This might include facial geometry (from photos or videos) or voiceprints (from audio recordings) to enable the Service to generate an avatar or voice that imitates you. We describe how we handle this data in the Biometric Information section below.
Children’s Data: Echofly is not intended for use by children under the age of 13 (or 16 in certain jurisdictions, such as the EU, as noted in Personal Data of Children below). We do not knowingly collect information from children in these age groups. If we discover we have inadvertently collected such data, we will delete it.

Sources of Personal Data: We collect Personal Data from several sources:

Directly from You: Most information is provided directly by you. For example, you give us Profile and Contact Data when registering or filling in forms, and you provide User Content when interacting with an Echo or uploading materials. You also provide data by contacting support or opting into communications.
Automatically from Your Use of the Services: As you interact with our platform, we collect Usage Data and Analytics Data automatically through cookies, server logs, and other similar technologies. This automated collection is described further in Cookies and Tracking Technologies.
From Creators or Referrals: If another user (such as a creator) invites you to the platform or refers you, they may provide your name and email to us to send an invitation. Similarly, if you interact with a creator’s Echo through a shared link or external site, we might receive your information via that integration.
Third-Party Services: If you choose to link or log in to Echofly through a third-party account (for example, “Sign in with Google” or a social media account), we will receive certain information from that third party such as your name and email, as permitted by the provider and authorized by you. We may also obtain basic profile or contact information from publicly available sources or marketing partners, which we use to update records or reach out to potential users (only where lawfully permitted).

4. How We Use Your Personal Data

Echofly uses the collected Personal Data for the following business and commercial purposes (consistent with applicable laws):

Providing and Personalizing the Services: We use your information to create and manage your account, authenticate you when you log in, and provide you with the features and services you request. For example, we use your Profile Data to set up your user or creator account, and your User Content and preferences to personalize the platform experience (such as remembering your settings, language, or the Echos you follow).
Platform Functionality and Improvements: Your data (including usage patterns and feedback) helps us operate, maintain, and improve our Services. We analyze usage data and user interactions to debug issues, develop new features, and enhance the user experience. For creators, the content you provide is used to build and refine your AI profile (“Echo”, “Echos”); for users, your interactions help us improve the responsiveness and accuracy of the Echos. We also may use aggregated usage information to understand trends and user needs in order to make the Service better.
AI Model Training: We use creator-uploaded content and user interaction data to train, test, and improve the machine learning models that power our AI Echos. This can include analyzing chat transcripts, questions asked, and provided answers to refine the AI’s knowledge and performance. (See AI Model Training and Improvement below for more detail.)
Communication and Support: We use contact information (like your email) to send you service-related communications, such as account confirmations, important updates about the platform, security alerts, or customer support responses. If you reach out with a question or issue, we will use your information to respond and resolve it. We may also send you confirmations for transactions (e.g., if in the future you purchase a subscription or make a payment on the platform).
Moderation and Safety: We monitor user and creator activities, as permitted by law, to enforce our Community Guidelines and Terms of Service, prevent fraud, and ensure a safe environment. Personal Data and content may be used to detect, investigate, and address abusive behavior, content policy violations, or security issues. (See Content Moderation and Human Review for more detail on how we may review content.)
Marketing and Newsletters (with Consent): With your explicit consent, we may use your email or other contact data to send you newsletters, product updates, educational content, or promotional communications about Echofly’s offerings. You have full control over whether you receive marketing emails – we will only send them if you have opted in. Even after giving consent, you can opt out at any time (each marketing email will include an “unsubscribe” link, and you can also adjust your email preferences in your account settings or by contacting us). We do not send marketing communications without consent, and we do not share your contact information with third-party advertisers for their own marketing purposes.
Analytics and Product Research: We may use Personal Data and aggregated data to perform internal research and analytics. This helps us understand our user base, measure the effectiveness of certain features, and inform our business strategy. For example, we might analyze which topics are most popular among users or how creators are engaging with certain tools, all to improve the platform’s content and functionality.
Legal Compliance and Protection: We may use Personal Data as necessary to comply with applicable laws and regulations, and to respond to lawful requests or court orders. We also use data to enforce our agreements and protect the rights and safety of our users, creators, the public, and Echofly. This includes using information to prevent fraud, abuse, or other illegal activities, and to resolve disputes or enforce our Terms of Service.
Other Purposes with Notice and Consent: If we intend to use your Personal Data for a purpose that is materially different from the purposes listed in this Policy, we will inform you (for example, via an update to this Policy or by requesting your consent) and, if required, obtain your consent.

We will not use your Personal Data for purposes that are incompatible with those listed above without updating you and obtaining any necessary consent.

5. AI Model Training and Improvement

One of Echofly’s core features is the use of artificial intelligence to create AI Profiles (“Echos”) that users can interact with. To provide and refine this service:

Use of Creator Content: If you are a creator, the materials and knowledge you contribute (documents, text, media, etc. that you upload or input to create your Echo) will be used to train and build the AI model underlying your Echo. This means our systems analyze your content to enable the AI to respond in a way that reflects your expertise and style. We treat the content you provide with confidentiality; it’s used for the purpose of creating your Echo and improving our models, and is not shared with other creators or users except as part of the responses your Echo gives to its learners.
Use of User Interactions: When you (as a user or learner) interact with an Echo (for example, by asking it questions or having a conversation), those interaction logs and chat transcripts may be used to further train, fine-tune, and improve our AI models. Where required by law, we will obtain your explicit consent before using your personal data for AI model training. In jurisdictions with an opt-out right, we will provide a clear mechanism for you to opt out of such use.
Data Minimization and Safeguards: When using Personal Data for AI training, we strive to employ data minimization and security measures. For instance, if we use chat transcripts for training, we may remove or obscure identifiers or sensitive details that are not necessary for the model to learn from the interaction. Our goal is to improve the AI’s general capabilities and the quality of Echo responses, not to retain personal details about specific individuals in the model.
Transparency and Choice: We are committed to transparency about how your content and interactions help us improve our Services. By using the platform, you acknowledge and agree that your data may be used as described for AI development. In certain jurisdictions, you may opt out of having your personal data used for model training by contacting us at privacy@echofly.ai or adjusting your privacy settings (if available).

Important: Content used for AI training and improvement is handled in accordance with this Privacy Policy and applicable law. It is not sold or made available in raw form to unrelated third parties. Model training is done either in-house by Echofly or by our service providers under strict controls. The outcome of training is an AI model that can generalize from the data; the model does not typically disclose verbatim Personal Data from training examples, but rather learns patterns, language, and knowledge. However, to further protect privacy, we actively monitor and restrict our AI models from outputting sensitive personal information about individuals.

Note: You may opt out of having your personal data used for AI model training by emailing privacy@echofly.ai with ‘AI Training Opt-Out’ in the subject line or by using the privacy settings panel in your account (if available). This will not affect the use of anonymized or aggregated data that cannot identify you. Opt-out requests are processed within 30 days. An opt-out toggle will also be available in account settings as features evolve.

6. Content Moderation and Human Review

Echofly is dedicated to maintaining a respectful and safe platform. To achieve this, we implement content moderation practices:

Automated Monitoring: Our systems may automatically scan or filter content (including user queries, Echo responses, and creator-provided material) for policy violations or unsafe material. For example, we may use automated tools to detect hate speech, explicit content, personal data (to prevent improper use), or other material that violates our guidelines.
Human Review: While much of our moderation begins with automated tools, there are instances where human moderators or authorized Echofly staff may review content. This can include reviewing user interactions with Echos, especially if they are flagged by our systems or reported by users as inappropriate. Human review helps ensure accuracy of our moderation decisions and allows us to address nuanced situations that AI might not handle correctly.
Purpose of Review: Any content (including Personal Data within it) that is reviewed by our team is only reviewed for the purposes of moderation (ensuring compliance with our Terms of Service and Community Guidelines), service improvement, or support. For example, we might review a conversation between a user and an Echo if a user reports that the Echo gave harmful advice, so we can correct the AI and assist the user. Similarly, to improve our AI responses, our training team might review a random sample of anonymized interactions.
Confidentiality: We treat the content of user-creator interactions as private between you and the Echo, subject to the needs of operating the service. Echofly staff or contractors who review content are under confidentiality obligations. We do not publicly disclose the content of your conversations or creator submissions except as needed to provide the Services (for example, an Echo’s answer may be seen by any user interacting with that Echo, which is by design of the service).
Enforcement and Improvement: Moderation data might be used to warn or suspend accounts that violate policies, to refine our content filters, and to train our AI to better handle undesirable inputs or requests. This is part of our effort to create a community where users can learn and share knowledge safely.
Your Choices: If you encounter any content on the platform that you believe violates our policies or your privacy, you can report it to us. We will review and take appropriate action. Keep in mind that as a creator, the content you upload for your Echo should comply with our guidelines and not include personal information about others unless you have the legal right to include it.

7. How We Disclose Your Personal Data

We do not sell your Personal Data to third parties for profit, and we only share your Personal Data with third parties for the purposes described in this Policy. When we disclose data, we take steps to ensure the third parties will safeguard it and use it only for the intended purposes. The categories of recipients with whom we may share Personal Data include:

Service Providers (Processors): We employ trusted third-party companies and individuals to perform certain services on our behalf (“service providers”). This includes services like web hosting and cloud computing providers (for example, Amazon Web Services), analytics providers, communication tools, and payment processors. We may also use third-party AI model providers to process and generate responses (e.g., OpenAI, Anthropic). These providers act as processors under contractual obligations to handle data in compliance with privacy laws. For example, Echofly uses Amazon Web Services (AWS) as a cloud hosting provider to store and process data securely. These service providers are bound by contract to process Personal Data only under our instructions and to protect it. They are not permitted to use your data for their own unrelated purposes. We may add or change service providers as our business needs evolve (any future processors will be vetted for security and privacy commitments).
Creators (in Limited Contexts): If you interact with an Echo that was created by a third-party expert (a creator on our platform), certain information about your interaction may be shared with that creator. For example, a creator may be able to access chat transcripts or summaries of conversations that users have with their own Echo, as well as basic profile or contact data of those users (such as a username or the name on your profile, and possibly your question or feedback). This sharing occurs to allow the creator to improve their Echo’s content or provide follow-up mentorship or support. Creators are required to handle any personal data they receive through the platform in accordance with this Privacy Policy and our Terms (which include confidentiality obligations). Note: When you engage with a particular Echo, you are effectively allowing the creator of that Echo to receive the content of your interaction. If you prefer not to share with a creator, you should not engage with Echos created by third parties. Echofly does not share your data with creators other than what is necessary when you choose to interact with their content.
Other Users or Third Parties You Authorize: The platform may enable you to share certain content or connect with others at your discretion. For instance, you might choose to publish a question to an Echo in a community forum, share an interesting response on social media, or invite a friend to view a conversation. In such cases, any information you voluntarily disclose in these public or shared areas may be seen by others. Similarly, if you use a third-party integration (for example, publishing content from an Echo to another app), we will share data with that integration or third party at your direction.
Advertising and Marketing Partners: Echofly does not currently host third-party advertisements on the platform, but we may share limited data with partners who help us market our own Services. For example, we may use a marketing email platform to send newsletters (sharing your email address with that provider), or we might work with ad networks or social media platforms to show Echofly ads to potential new users (in which case we might use hashed or anonymized identifiers to target those campaigns). If we use cookies from advertising partners (see Cookies and Tracking Technologies), those partners might receive information about your device or browsing activity through their cookies on our site. Any such “sharing” is only used to provide or measure our advertisements and is subject to your opt-out rights (described under U.S. State Privacy Rights if applicable). We do not provide your contact information or personal details to third parties for their independent marketing use without your consent.
Affiliates: If Echofly, LLC in the future becomes part of a group of related companies (e.g., parent company, subsidiaries), we may share your data within that corporate family as necessary to provide the Services and for internal administrative purposes. Any affiliates will honor the commitments in this Policy. (As of the effective date, Echofly does not have any parent or subsidiary companies, but we include this for completeness.)
Legal and Compliance: We may disclose Personal Data when we believe in good faith that such disclosure is necessary to comply with a legal obligation or request (for example, in response to lawful requests by public authorities, such as a court order, subpoena, or government demand). We may also share information if we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or rights of any person, violations of our Terms of Service or policies, or as evidence in litigation in which we are involved.
Business Transfers: In the event of a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or other business transaction, your Personal Data may be transferred to a successor or affiliate as part of that transaction. If another company acquires Echofly or all or substantially all of our assets, that company will possess the Personal Data collected by us and will assume the rights and obligations regarding your data as described in this Privacy Policy. We will notify you (for example, via a prominent notice on our website or email) of any such change in ownership or transfer of assets.
Aggregated or De-Identified Data: We may also share data that has been aggregated or de-identified such that it can no longer be associated with any individual. For example, we might publish trends or insights (like “most popular topics this year”) or share aggregated usage statistics with partners. This information does not contain personal identifiers and is not considered Personal Data. We may disclose such data freely since it cannot identify any user.

When we share Personal Data with any third party, we take steps to ensure that appropriate safeguards are in place to protect your information in accordance with this Policy and applicable law. Aside from the circumstances listed above, we will not disclose your Personal Data to third parties without your consent.

8. Biometric Information

Echofly is aware of the sensitive nature of biometric data. In limited cases, creators may provide content that falls under the category of biometric information (as described earlier). This section explains how we handle such data:

Definition (Biometric Identifiers): Biometric identifiers can include unique personal identifiers like facial scans, voiceprints, or similar biometric characteristics. For instance, a video of a person can yield a facial geometry map, and an audio recording can yield a voice pattern signature. Some privacy laws (e.g., Illinois’s Biometric Information Privacy Act, “BIPA”) regulate the collection and use of such biometric identifiers and biometric information derived from them. Echofly endeavors to comply with all such laws where applicable.
Collection and Use: If you, as a creator, choose to upload photos, videos, or audio of yourself to create a more realistic Echo (a digital profile in your likeness), our system may process that content to extract biometric data (e.g., create a digital voice model or an avatar resembling your face). We use this biometric data solely to provide the service you requested — namely, to create, operate, and enhance your AI profile’s realistic qualities (voice, image, etc.) — and to improve our underlying models that support these features. We do not use biometric data for any unrelated purposes.
Consent: By voluntarily providing content that contains your biometric identifiers (such as your image or voice) and enabling features that utilize that content, you consent to our collection and use of this biometric information for the purposes described. Where required by law, we will obtain your explicit, informed, and written consent to process biometric data, and will inform you of the specific purpose and duration for which it will be used.
Disclosure of Biometric Information: We do not sell or share your biometric identifiers with third parties for their own use. The biometric data may be disclosed to our service providers as necessary to perform the processing (for example, a cloud processor that runs the algorithm to generate a voice clone). Any such service providers are contractually bound to strict privacy and security obligations and may only use the data to fulfill the service to Echofly. We may also disclose biometric information if required by law (such as a lawful subpoena), but we will contest requests we believe are invalid.
Storage and Retention: Echofly will store biometric data securely, using industry-standard safeguards (see Data Security below). We will retain biometric information only as long as needed for the purposes for which it was collected, and in accordance with applicable laws. For example, if you are a creator who has provided biometric data, we will retain that data for as long as your account is active and you are using the Echo associated with it. If you delete the biometric content or delete your account, we will delete the biometric data as well, typically upon account deletion or within a defined period thereafter unless otherwise required by law. Some state laws (like BIPA in Illinois) require that biometric data be destroyed when the initial purpose has been satisfied or within a certain time frame (e.g. within 3 years of your last interaction with us). Echofly will abide by these requirements. In any case, once we no longer need your biometric data for the purpose it was collected, we will permanently and securely delete it.
Security: Because of the sensitive nature of biometric identifiers, we apply heightened security measures to any such data. This may include encryption at rest and in transit, restricted access controls, and regular security audits.
Your Rights: Depending on your jurisdiction, you may have specific rights regarding biometric information. For instance, some laws give you the right to request deletion of your biometric data or to not be subject to its collection without consent. Echofly will honor all such rights in accordance with applicable law. If you have questions or requests related to biometric data, please contact us (see Contact Information at the end of this Policy).

By handling biometric information carefully and transparently, Echofly aims to provide innovative features (like realistic AI profiles) while respecting your privacy and complying with privacy regulations.

Note: Where required by law, we will obtain explicit, written consent before collecting or processing any biometric data. Such consent will describe the purpose and duration of retention of biometric data. Biometric data will be permanently deleted upon withdrawal of consent or within three years of your last interaction with Echofly, whichever is earlier, unless otherwise required by law.

Important: By uploading voice recordings, photos, or videos to Echofly, you expressly consent to our collection and use of this biometric data in accordance with this Privacy Policy.

9. Cookies and Tracking Technologies

Like many online platforms, Echofly uses cookies and similar tracking technologies to recognize you and your devices, improve your experience, and collect information about usage of our Services. You may manage your cookie preferences at any time via our Cookie Settings tool, which provides granular controls over which categories of cookies (essential, functional, analytics, marketing) you allow. Our site recognizes Global Privacy Control (GPC) signals and other browser-based opt-out preferences where required by applicable laws:

What Are Cookies: Cookies are small text files stored on your browser or device by websites, apps, or advertisements. They serve various functions, like enabling features or remembering preferences. We also use related technologies like web beacons (pixel tags), local storage, and scripts for similar purposes. For simplicity, we refer to all these as “cookies.”
Types of Cookies We Use:
- Essential Cookies: These are necessary for the website and Services to function properly. For example, they allow you to log in, load content, or navigate between pages. Without these cookies, certain features you request (like staying logged in or accessing secure areas of the site) cannot be provided.
- Functional Cookies: These cookies remember your preferences and settings to personalize your experience. For instance, they may retain your chosen language, region, or display preferences so we can greet you by name or tailor the content to be more relevant to you when you return. Disabling these might affect some of the convenience and customization of the Service.
- Analytics/Performance Cookies: We use these to collect information about how users interact with our Services. This data includes things like which pages are visited, how long users stay, and which features are used. Analytics cookies help us understand usage patterns, identify any issues in user experience, and measure the effectiveness of our content and features. For example, we may use Google Analytics or similar tools; these providers set their own cookies to gather information (which may be transmitted to and stored on their servers). We use the insights from these cookies to improve our product. (Google’s use of data collected via its cookies is subject to Google’s Privacy Policy. You can opt out of Google Analytics as described below.)
- Advertising/Marketing Cookies: Echofly does not presently host third-party ads, but we may use cookies related to our marketing efforts. These cookies may record information about your visit to our site (such as pages viewed or links clicked) and may be used to deliver Echofly advertisements on other websites you visit, tailored to your interests (this is known as retargeting or interest-based advertising). They may also help measure the performance of our ad campaigns. For example, if we run an ad on a social media platform and you click it, a cookie might let us know if you later signed up on Echofly, which helps us gauge the ad’s effectiveness. These advertising cookies might be placed by third-party advertising networks or social sites with whom we collaborate. Any data obtained in this way may be considered a “share” or even a “sale” under certain privacy laws (because the third-party may use it to show you ads), but rest assured we do not permit these third parties to use your information for their own purposes beyond supporting our marketing.
Your Choices for Cookies: When you first visit our site, you may be presented with a cookie notice or preferences tool that allows you to accept or reject certain cookies (except strictly necessary ones). Even after accepting, you can always adjust your browser settings to refuse or delete cookies. Most web browsers provide options to manage cookies on a site-by-site basis or to block cookies entirely. You can typically find these settings in your browser’s “Options” or “Preferences” menu. Additionally:
- To opt out of Google Analytics, you can install the Google Analytics Opt-out Browser Add-on which prevents Google Analytics from collecting data on your visits.
- For interest-based advertising, many advertising partners are members of industry groups that offer centralized opt-out tools. For example, you can visit the Network Advertising Initiative’s opt-out page or the DAA’s opt-out page for choices about interest-based ads.
- If our cookie management tool is available (for instance, a “Cookie Settings” link on our site), you can use it to fine-tune your preferences at any time.
Please note: If you disable cookies, certain features of the Services might not function properly. For example, you may need to re-enter your login information or preferences on each visit, and some personalization features might not remember your settings.
Do Not Track: Some browsers have a “Do Not Track” (DNT) feature that lets you tell websites you do not want to be tracked across different sites. Currently, our Services do not respond to DNT signals because there is no consensus on how to interpret them and we operate as described in this Policy regardless of a DNT signal. We will update our practices if a uniform standard for DNT is established. In the meantime, you can use the cookie and opt-out options described above to control tracking.

By using our Services with cookies enabled in your browser settings, you are essentially consenting to our use of cookies as described here. We provide transparency and controls so you can make informed choices about your privacy and the use of cookies.

10. Data Security

We take reasonable and appropriate measures to protect your Personal Data from loss, theft, misuse, and unauthorized access, disclosure, alteration, or destruction. Echofly’s security program includes technical, administrative, and physical safeguards designed to protect the data we maintain. Some of the key security practices we employ are:

Encryption: We use encryption to protect data in transit and at rest. For example, our website and APIs are secured via HTTPS (TLS) to encrypt data transmitted between your device and our servers. Sensitive data (such as passwords and any payment information, if applicable) is stored in encrypted form.
Access Controls: We limit access to Personal Data to employees, contractors, and service providers who need to know that information to operate, develop, or support our Services. All such persons are subject to confidentiality obligations. We enforce role-based access and require strong authentication for anyone accessing critical systems.
Network & System Security: Our infrastructure (hosted on reputable providers like AWS) is secured and routinely tested. We use firewalls, intrusion detection systems, and monitoring to protect against unauthorized network access. Security patches and updates are applied regularly to our software and systems.
Testing and Assessments: We periodically review our security measures and may conduct vulnerability assessments or penetration testing to identify and address potential weaknesses. We also maintain an incident response plan to handle any security incidents swiftly and effectively.
Contractual Safeguards: When we share data with service providers (such as AWS or others), we ensure they implement appropriate security measures. Our contracts with processors require them to protect Personal Data in line with legal requirements and industry standards.

While we strive to safeguard your information, no method of transmission over the internet or method of electronic storage is 100% secure. Thus, we cannot guarantee absolute security. You should also play a role in protecting your data. Keep your account credentials secure – use a unique, strong password and do not share it. Remember to log out of your account and close your browser when you have finished using the Services, especially if using a shared or public device. If you believe that your interaction with us or your data might no longer be secure (for example, if you suspect the security of your account has been compromised), please contact us immediately so we can help address the issue.

11. Data Storage and International Transfers

Echofly is a global service. By using our platform, you understand that your Personal Data may be transferred to and stored on servers outside of your home country or region. Specifically, most user data will be stored in cloud servers operated by Amazon Web Services (AWS) or similar providers. These servers may be located in the United States or other countries. International Data Transfers: If you are located outside the United States (for example, in the European Economic Area, United Kingdom, or elsewhere), be aware that we may transfer Personal Data to jurisdictions that may not have the same level of data protection laws as your home country. In such cases, we take steps to ensure appropriate safeguards are in place to protect your information:

We rely on Standard Contractual Clauses (SCCs), the UK Addendum, or equivalent legal safeguards for cross-border data transfers. These safeguards are implemented in contracts with our subprocessors (such as AWS) to ensure your data is protected in compliance with applicable laws.
We may also rely on your explicit consent for certain cross-border transfers when legally permitted, or as otherwise allowed by GDPR (for instance, when a transfer is necessary to perform a contract with you, such as providing our Services internationally).
Our major service providers (like AWS) are certified under internationally recognized security standards and, where applicable, may also implement their own transfer safeguards (for example, participating in frameworks or having Binding Corporate Rules).

We want you to feel confident about how we handle international data flows. If you would like more information about the safeguards we use for cross-border transfers, you can contact us (see Contact Information below). Data Location: Generally, user data for Echofly is stored in the United States. However, depending on our service architecture and future expansions, data may be processed in other regions (for example, if we deploy regional servers to reduce latency or comply with local requirements). We will inform users if we significantly change where data is stored. Regardless of location, this Privacy Policy will apply to our handling of your Personal Data.

A full list of subprocessors is available upon request at privacy@echofly.ai.

12. Data Retention

We retain Personal Data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. This means:

If you have an account with Echofly, we will generally keep your Profile Information and account data for as long as your account is active. This allows us to provide you with the Services on an ongoing basis.
Content that you create (such as Echo training data or chat interactions) will be stored as long as needed for the operation of the platform and improvement of our models, which typically correlates to the lifespan of your account or the specific Echo. If you delete specific content (for example, a creator removes an uploaded document or a user deletes a particular post if such functionality exists), we will cease using that content going forward, but residual copies may remain in system backups for a limited time.
If you choose to close your account, we will initiate deletion of your Personal Data. We aim to delete or anonymize the majority of your data within a reasonable period following your request or account closure (often within 30 days). Some data may be kept longer if necessary for legitimate business interests or legal obligations (see below).
In some cases, even if you do not actively delete your account, we may anonymize or delete data that is no longer needed. For example, we might automatically purge certain log data after it ages beyond a certain point, or we might de-identify interaction data that hasn’t been used for a long time.

Retention for Legal or Legitimate Purposes: We may retain certain Personal Data for longer periods if necessary for:

Compliance with Laws: We might need to keep information to comply with tax, accounting, or other legal obligations. For instance, transaction records might be kept for financial reporting or auditing for a number of years as required by law.
Dispute Resolution and Enforcement: If we believe there’s a possibility of a legal claim or dispute relating to your data or use of the Services, we may retain relevant information until that issue is resolved. We also retain data as needed to enforce our agreements or to investigate violations (e.g., retaining a record of a banned user to prevent future abusive behavior).
Safety and Fraud Prevention: Even after account deletion, some information (like device information or logs) may be retained internally for a limited time to detect fraud, protect against malicious activity, or improve security (for example, retaining logs to identify patterns of abuse).

When Personal Data is no longer required for the purposes for which it was collected, or upon your valid request (see Your Rights sections), we will either delete it or anonymize it so it can no longer be associated with you. We also regularly review the data we store and delete or de-identify records that are no longer needed. Backup and Archival: Please note that removing data from our active systems may not immediately remove all residual traces of it from our backup or archival systems. If we have backups that are encrypted and retained for disaster recovery, your information might remain in those archives until they are rotated out or destroyed in accordance with our data retention policy. During that interim period, we ensure the data remains securely stored and is not accessed except if needed for disaster recovery.

13. Personal Data of Children

Echofly is not directed to children, nor do we knowingly collect personal information from anyone under the age of 13 (and for certain jurisdictions, under the age of 16). Our Terms of Service prohibit children from using the platform. If you are under 13 years old (or under 16 in the EU/UK or other regions where a higher age of consent is required), do not use Echofly or provide any Personal Data to us.

If you are located in the European Union or other jurisdictions with higher age thresholds, you must be at least 16 years old (or have verifiable parental consent) to use Echofly’s Services.

If we learn that we have inadvertently collected Personal Data from a child under the relevant age without proper consent, we will take steps to delete that information promptly. For example, if a child were to sign up by using a false age, once discovered, we would terminate the account and purge any associated data to the extent feasible. If you are a parent or guardian and you believe your child under the age of 13 (or 16, as applicable) has provided personal information to us, please contact us immediately (see Contact Information below). We will investigate and, if appropriate, delete the information from our records. We recognize the importance of safeguarding children’s privacy and will comply with all applicable laws such as the U.S. Children’s Online Privacy Protection Act (COPPA) and relevant international regulations that protect minors.

14. U.S. State Privacy Rights

Some U.S. states (such as California, Colorado, Connecticut, Utah, and Virginia, among others) have enacted privacy laws that provide residents with specific rights regarding their personal information. Echofly is committed to complying with applicable state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar laws in other states. If you are a resident of one of these states, you may have some or all of the following rights:

Right to Know/Access: You may have the right to request that we disclose what personal information we collect, use, disclose, and (if applicable) sell or share. This typically includes the categories of personal information, the categories of sources, the business or commercial purposes for collection, the categories of third parties with whom information is shared, and the specific pieces of information we have about you. You may also have the right to request a portable copy of the personal data we hold about you.
Right to Delete: You have the right to request deletion of personal information that we have collected from you, subject to certain exceptions (for example, we may retain data as required by law or for legitimate business purposes such as completing transactions you’ve requested or detecting security incidents).
Right to Correct: You may have the right to request that we correct inaccurate personal information that we maintain about you. We strive to keep our records accurate, but if you find any errors, you can ask us to fix them.
Right to Opt-Out of Sale or Sharing: You have the right to opt out of the “sale” of your personal information or the “sharing” of your personal information for cross-context behavioral advertising (as those terms are defined under applicable law). Echofly does not sell your personal data for money. The only potential “sharing” we do that might fall under these laws is the use of certain advertising or analytics cookies, which could be construed as sharing data with third-party advertising networks or analytics providers. We provide you with control over such cookies (see Cookies and Tracking above) and honor opt-out signals as described below.
Right to Limit Use of Sensitive Personal Information: If we collect any information considered “sensitive” under law (for example, precise geolocation, race/ethnicity, health information, etc.), certain laws (like CPRA) allow you to limit our use of that information to only what is necessary to perform the Services. Echofly does not use sensitive personal information for purposes beyond what is necessary to provide the Services (we do not use it for profiling or targeted advertising). If in the future we were to have secondary uses for sensitive data, we would provide an opt-out or obtain consent as required.
Non-Discrimination/Retaliation: You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights. This means we will not deny you our Services, charge you a different price, or provide a lesser quality of service just because you exercised any of your rights under these privacy laws.

Other State-Specific Rights:

California “Shine the Light”: Separate from CCPA, California’s “Shine the Light” law (Civil Code §1798.83) allows California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. As noted above, Echofly does not disclose personal information to third parties for independent direct marketing without consent. California users may contact us to request further information or to clarify our practices under this law.
Nevada Residents: Nevada law allows residents to opt out of certain kinds of personal data sales. Echofly does not currently sell personal information as defined under Nevada law. If that were to change, we would update this Policy and provide a method to opt out.

Please note that these rights are not absolute and may be subject to conditions or limitations. For example, if fulfilling a deletion request would interfere with our legal obligations or certain internal uses that are legally allowed, we may deny that request with an explanation. Similarly, we might not provide specific pieces of information in response to an access request if it poses a security risk (for instance, never will we provide you your password or any sensitive authentication info in response to a request).

15. Exercising Your U.S. Privacy Rights

Note: To exercise your rights to access, correct, delete, or port your data, email privacy@echofly.ai with ‘Privacy Request’ in the subject line. We will verify your identity and respond within 30 days, or as required by applicable law.

If you are a resident of California or another state with applicable privacy rights, and you wish to exercise any of the rights described above, you or your authorized agent may submit a request to us. Here’s how:

Contact us via email: You can email your request to privacy@echofly.ai (or another designated contact, if provided). Please include your name, the email associated with your Echofly account (if you have one), the state you reside in, and specify which right(s) you wish to exercise (e.g., “California Access Request – right to know categories and specific pieces of information” or “Request to delete my data”).
Online form (if available): We may provide a web form on our site to submit privacy requests for certain rights. If such a form is available, we will link it in this Privacy Policy or on a “Do Not Sell or Share My Info” page accessible from our website footer.

Verification: For your privacy and security, we will need to verify your identity when you make a request. This is to ensure we do not disclose or delete information to the wrong person. We may ask you to provide additional information that matches our records (for example, confirming specific profile details or a recent transaction). If you have a password-protected account with us, we may ask you to make the request through your logged-in account or to re-authenticate. Authorized agents must provide proof of their authorization to act on your behalf and we may still ask you to verify your identity directly. We will respond to privacy requests within the timeframe required by law (generally within 45 days for CCPA/CPRA, with the possibility of a 45-day extension when necessary). If we need more time, we will let you know the reason and extension period in writing. We will deliver our response via your account or email whenever possible. If we cannot fulfill your request, we will explain the reasons (e.g., we could not verify your identity, or the request is exempt from action under an exception). Opt-Out of Sale/Sharing: As noted, Echofly does not sell your personal data, and the only potential “sharing” relates to cookies. If you want to ensure you opt out of any sharing for advertising purposes, you can do the following:

Use our cookie preference tool to decline advertising cookies (if available on our site).
Use the Global Privacy Control (GPC) or a browser-based do-not-sell signal: If your browser or extension sends a recognized opt-out preference signal (such as GPC), we will treat that as a valid opt-out of sale/sharing under applicable laws for that browser on our site.
Email us at privacy@echofly.ai with the subject “Do Not Sell or Share My Personal Information” and provide your identity details so we can apply it to your account if one exists.

Once processed, we will not “sell” or “share” your personal data unless you later provide permission (to the extent required by law, we won’t ask for reauthorization for at least 12 months). We will not retaliate or discriminate against you for exercising any of these rights. If you have any questions about your U.S. privacy rights or need assistance, please contact us.

16. European Union, UK, and Other International Rights

If you are located in the European Union, European Economic Area (EEA), United Kingdom, or certain other countries with comprehensive data protection laws, you have specific rights regarding your Personal Data under the General Data Protection Regulation (GDPR) or equivalent local laws. Echofly is committed to upholding these rights for our users. These rights include:

Right to Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to access that data and receive information about how we use it. Essentially, you can ask us for a copy of the personal information we hold about you.
Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or update it. You can also make certain changes directly by logging into your account and editing your profile information.
Right to Erasure: Commonly known as the “right to be forgotten,” this allows you to request deletion of your personal data in certain circumstances. For example, if the data is no longer needed for the purposes it was collected, or if you withdraw consent (where applicable) and we have no other legal ground for processing, or if you object to processing and we have no overriding legitimate interest to continue, etc. Please note this right is not absolute – sometimes we may retain data as allowed by law (e.g., to comply with a legal obligation or for the establishment, exercise, or defense of legal claims).
Right to Restrict Processing: You can ask us to restrict or ‘pause’ the processing of your personal data in certain scenarios. This might apply if you contest the accuracy of the data (while we verify it), or if the processing is unlawful but you prefer restriction over deletion, or if we no longer need the data but you need us to keep it for legal claims, or if you have objected to processing (pending verification of overriding grounds). When processing is restricted, we will still store your data, but not use it further until the restriction is lifted (with notice to you).
Right to Data Portability: You have the right to request a copy of certain personal data in a structured, commonly used, machine-readable format, and to have that information transmitted to another controller, where technically feasible. This right applies to personal data you provided to us, which we process by automated means and based on your consent or a contract with you (e.g., your profile information or content you’ve provided, to the extent it’s personal data).
Right to Object: You have the right to object to our processing of your personal data when such processing is based on our legitimate interests (or those of a third party) or when performing a task in the public interest. If you object, we will evaluate whether our legitimate grounds for processing override your privacy rights. You also have an unconditional right to object to any direct marketing we send you – if you object, we will stop sending marketing communications. In the context of Echofly, you might object to uses of data for platform improvement or analytics; if we agree and cannot demonstrate compelling reasons to continue, we will cease processing that data for those purposes.
Right to Withdraw Consent: In cases where we rely on your consent to process personal data (for example, for optional marketing emails or certain cookies), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing that occurred before the withdrawal. If you withdraw consent, we will stop the processing that was based on consent (and possibly delete the relevant data if no other basis applies).
Automated Decision-Making: Echofly’s Services involve AI profiles responding to user queries, but these interactions are not decisions that produce legal or similarly significant effects on you. We do not make solely automated decisions about you that have legal effects or similarly significant impacts without human involvement as defined under GDPR Article 22. If we ever engage in automated decision-making in other contexts, we will ensure compliance with the law and your right to certain protections (like human review of decisions).
Right to Lodge a Complaint: If you believe we have infringed your data protection rights or processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. For EU residents, this is typically your local data protection authority (contact details can be found on the European Data Protection Board website). For UK residents, it’s the Information Commissioner’s Office (ICO). We encourage you to contact us first, so we have the opportunity to address your concerns directly.

Legal Bases for Processing: The GDPR (and similar laws) require that we inform you of our legal justification for processing your personal data. Depending on the context, Echofly processes personal data under one or more of the following bases:

Contractual Necessity: We process data to fulfill our contract with you, the user. For example, when you sign up for Echofly and agree to our Terms, we rely on this basis to handle your account information, provide the Service functionalities, and perform any transactions or support you request.
Legitimate Interests: We process data as needed for our (or others’) legitimate interests, provided those interests are not overridden by your data protection rights. This includes using data to improve our Services, secure our platform, conduct analytics, show limited relevant marketing (for our own services) to users, and communicate with you about product updates. When we rely on this basis, we consider and balance any potential impact on your rights.
Consent: For certain processing activities, we rely on your consent. Examples include sending marketing emails (where required by law), using non-essential cookies, or processing sensitive personal data (if ever applicable beyond what’s strictly necessary). When consent is our basis, you have full control and can withdraw it as noted above.
Legal Obligation: Sometimes we must process or retain data to comply with laws – for instance, retaining certain records for tax, legal reporting or responding to lawful requests from authorities.

If you have questions about the legal bases or want more detail on how a particular type of data is processed, feel free to contact us. Exercising Your Rights (EU/UK and others): You can exercise your rights by contacting us at privacy@echofly.ai with your request. We may need to verify your identity (similar to the process described for U.S. rights) before fulfilling the request. We will respond within one month of receiving a request, or inform you of any extension needed. There is no fee for exercising your rights unless the requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request (we would provide an explanation). We extend privacy rights to all our users where feasible. Even if you are not in a jurisdiction with specific privacy laws, you can still contact us to request access or deletion of your data, and we will do our best to honor such requests consistent with our legal obligations and the capabilities of our systems.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or how Echofly handles your Personal Data, please contact us:

Email: privacy@echofly.ai

We are here to help and will respond promptly.

Your privacy is important to us, and we welcome your feedback. Thank you for trusting Echofly. We are committed to protecting your information and enabling you to use our platform with confidence in its privacy and security practices.

Privacy Policy