Summary

Data Collection: We collect basic information (name, email, profile details) to run and personalize the platform.

AI Interactions: Your interactions with Echos help us improve the platform. You can opt out of AI training.

Data Sharing: We don't sell your personal data. We share data with service providers only to deliver the Services.

Your Control: You can access, correct, delete, or port your data. You can opt out of AI training and marketing communications.

Cookies & Analytics: We use cookies to enhance your experience. You can manage preferences via our Cookie Settings.

Contents

Introduction

What This Privacy Policy Covers

Personal Data We Collect

How We Use Your Personal Data

AI Model Training and Improvement

Content Moderation and Human Review

How We Disclose Your Personal Data

Biometric Information

Cookies and Tracking Technologies

Data Security

Data Storage and International Transfers

Data Retention

Personal Data of Children

U.S. State Privacy Rights

European Union, UK, and Other International Rights

Exercising Your Privacy Rights

Contact Information

1. Introduction

Echofly, LLC ("Echofly," "we," "us," or "our") is committed to protecting your privacy.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Services.

By accessing or using Echofly, you acknowledge that you have read and agree to this Policy. If you do not agree, please do not use the Services.

This Privacy Policy is part of our Terms of Service. We may update it from time to time. If we make material changes, we will provide at least 30 days' notice via email, in-app notification, or a prominent website notice. Continued use after changes indicates acceptance.

2. What This Privacy Policy Covers

This Privacy Policy covers how Echofly handles "Personal Data". Information that identifies or relates to an identifiable individual.

This Policy applies to:

• Data collected through our website and platform
• Data you provide when creating an account or using features
• Data collected automatically through your use of the Services

This Policy does not apply to:

• Third-party services we do not own or control
• Third-party websites or services you may access through our platform

Echofly is not responsible for third-party privacy practices. We encourage you to review their privacy policies separately.

3. Personal Data We Collect

Categories of Personal Data

Profile and Contact Data

• Name, email address, phone number, username
• Profile photo, avatar, display name, location (optional)
• For Creators: biography, expertise, credentials

Account Credentials

Username and password (stored encrypted)

User-Provided Content

• Questions you ask Echos
• Chat transcripts and messages
• Feedback, ratings, and reviews
• For Creators: training materials, documents, knowledge bases, prompts, media uploads

Voice-Agent Transcripts

• When you use our voice-agent feature, your audio is processed by a third-party provider and transcribed
• We store only text transcripts, not raw audio recordings or voiceprints
• Transcripts may include personal information or sensitive content you share

Usage Data and Device Information

• IP address, device identifiers, device type, browser type, operating system
• Pages or features accessed, date and time of access
• Clicks, session durations, interaction logs
• Referral URLs

Analytics Data

• Data collected by third-party analytics providers (Google Analytics, PostHog)
• Pages visited, time spent, actions taken
• Aggregated and anonymized user engagement metrics

Geolocation Data

• Approximate location (country or city level) inferred from IP address
• Used to customize content, language settings, and comply with tax/legal requirements
• We do not collect precise GPS location without explicit permission

Referral Data

• Referral codes and links
• Email addresses of referred users (provided by you)
• Information about successful referrals for reward tracking

Biometric Data (Creators, if applicable)

If you upload photos, videos, or voice recordings to create a realistic Echo, we may process: Facial geometry (from photos/videos); Voice patterns (from audio recordings)

Used solely to generate avatars or voice that resemble you

See Section 8 for complete biometric data handling

Sensitive Personal Data

We generally do not actively collect sensitive data (government IDs, financial information, health data, race/ethnicity, religious beliefs, etc.)

Creators who monetize may provide IDs for verification purposes only

We do not use sensitive data to infer characteristics about you

Children's Data

We do not knowingly collect information from children under 13 (or 16 in EU/UK)

If we discover such collection, we will delete it promptly

Sources of Personal Data

Directly from You

• Information you provide when registering, creating content, or contacting support
• Content you upload or input to create or interact with Echos

Automatically from Your Use

• Usage Data and Analytics Data collected through cookies, server logs, and similar technologies

From Other Users

• If another user invites or refers you, they may provide your name and email
• If you interact with a Creator's Echo through a shared link

From Third-Party Services

• If you use "Sign in with Google" or similar login, we receive basic profile information (name, email) as permitted by the provider and authorized by you
• We may obtain publicly available information or marketing data where lawfully permitted

4. How We Use Your Personal Data

We use Personal Data for the following purposes:

Providing and Personalizing the Services

• Create and manage your account
• Authenticate you when you log in
• Provide features and services you request
• Personalize your experience (settings, language, followed Echos)
• Remember your preferences

Platform Functionality and Improvements

• Operate, maintain, and improve the Services
• Analyze usage patterns and feedback
• Debug issues and develop new features
• For Creators: build and refine your AI profile (Echo)
• For Users: improve Echo responsiveness and accuracy
• Understand trends and user needs

AI Model Training

• Train, test, and improve machine learning models that power Echos
• Analyze chat transcripts, questions, and answers to refine AI knowledge and performance
• See Section 5 for more details and opt-out information

Communication and Support

• Send service-related communications (confirmations, updates, security alerts)
• Respond to your questions and resolve issues
• Send transaction confirmations (if applicable)

Marketing (with Consent)

• Send newsletters, product updates, educational content, or promotional communications
• Only if you have opted in
• You can unsubscribe at any time via email links or account settings

Moderation and Safety

• Monitor activities to enforce Community Guidelines and Terms of Service
• Prevent fraud, abuse, and security issues
• Detect and address content policy violations
• See Section 6 for content moderation details

Analytics and Product Research

• Perform internal research and analytics
• Understand our user base and measure feature effectiveness
• Inform business strategy (e.g., which topics are popular)

Referral Program Administration

• Track referral links and sign-ups
• Award discounts or upgrades for successful referrals
• Prevent fraud in the referral system

Legal Compliance and Protection

• Comply with applicable laws and regulations
• Respond to lawful requests or court orders
• Enforce our agreements
• Protect rights and safety of users, Echofly, and the public
• Prevent fraud, abuse, and illegal activities
• Resolve disputes

Other Purposes with Notice

If we intend to use your data for purposes materially different from those listed, we will inform you and obtain consent where required.

5. AI Model Training and Improvement

Artificial intelligence is core to Echofly. To provide and refine Echos:

Use of Creator Content

Materials you contribute (documents, text, media) are used to train and build the AI model underlying your Echo. This allows the AI to respond in a way that reflects your expertise and style.

Your content is treated confidentially and used only for creating your Echo and improving our models. It is not shared with other Creators or users except as part of the responses your Echo provides.

Use of User Interactions

When you interact with an Echo (ask questions, have conversations), those interactions and transcripts may be used to train, fine-tune, and improve our AI models.

Data Minimization and Safeguards

We strive to employ data minimization when using Personal Data for AI training. We may remove or obscure identifiers or sensitive details not necessary for model learning.

Our goal is to improve AI capabilities and Echo quality, not to retain personal details about specific individuals in the model.

Transparency and Choice

You can opt out of having your personal data used for AI model training via a toggle in your account settings or by emailing privacy@echofly.ai with subject "AI Training Opt-Out."

Opting out will not affect use of anonymized or aggregated data that cannot identify you. Opt-out requests are processed within 30 days. Note that data already used in previous training cycles may continue to inform existing models.

Where required by law, we will obtain your explicit consent before using your personal data for AI model training.

Important Notes

Content used for AI training is handled in accordance with this Policy and applicable law

It is not sold or made available in raw form to unrelated third parties

Training is done in-house or by service providers under strict controls

Models generalize from data and do not typically disclose verbatim Personal Data

We actively monitor and restrict AI models from outputting sensitive personal information

6. Content Moderation and Human Review

Echofly is dedicated to maintaining a safe platform.

Automated Monitoring

Our systems automatically scan or filter content (user queries, Echo responses, Creator materials) for:

• Policy violations
• Hate speech, explicit content
• Personal data (to prevent improper use)
• Other material that violates our guidelines

Human Review

Authorized Echofly staff or contractors may review content in these situations:

• Content flagged by automated systems
• Content reported by users as inappropriate
• Random sampling for quality assurance and AI improvement
• Investigation of policy violations or user complaints

Purpose of Review

Content review is conducted solely for:

• Moderation (ensuring compliance with Terms and Community Guidelines)
• Service improvement (refining AI responses)
• Support (assisting users and resolving issues)

Confidentiality

Staff and contractors who review content are under confidentiality obligations. We do not publicly disclose private conversations or Creator submissions except as needed to provide the Services.

Retention of Reviewed Content

Content reviewed for moderation is retained only as long as necessary for moderation purposes, safety, and audit requirements.

Your Choices

If you encounter content that violates our policies or your privacy, report it to us. We will review and take appropriate action.

As a Creator, content you upload should comply with our guidelines and not include personal information about others unless you have the legal right to include it.

7. How We Disclose Your Personal Data

We do not sell your Personal Data to third parties for profit.

We share Personal Data only as described below and take steps to ensure third parties safeguard it.

Service Providers (Sub-Processors)

We use trusted third-party companies to perform services on our behalf:

Current Sub-Processors:

• Amazon Web Services (AWS) – Cloud hosting and infrastructure
• Stripe – Payment processing
• OpenAI – AI language models
• ElevenLabs – Customer support
• Google Analytics – Website analytics
• PostHog – Product analytics

Service providers act as processors under contractual obligations to:

• Handle data only under our instructions
• Protect it with appropriate safeguards
• Not use data for their own unrelated purposes

An updated list of sub-processors is available at privacy@echofly.ai.

Creators (in Limited Contexts)

If you interact with a Creator's Echo:

• The Creator may access chat transcripts or summaries of conversations with their Echo
• The Creator may see basic profile data (username, display name)
• This allows Creators to improve their Echo and provide follow-up support

Creators must handle personal data in accordance with this Policy and our Terms.

If you prefer not to share data with a Creator, do not interact with their Echo.

Other Users or Third Parties You Authorize

• If you publish content in public forums or share content on social media
• If you use third-party integrations at your direction
• Any information you voluntarily disclose in public areas may be seen by others

Referral Program Participants

When you use a referral link:

• We may inform the referrer that their link was used and a reward may be available
• We do not disclose your full personal details to the referrer

Marketing Partners

We do not host third-party advertisements. We may use limited data for our own marketing:

• Marketing email platforms (sharing your email to send newsletters)
• Ad networks or social media platforms (using hashed identifiers to target campaigns)

Any such sharing is only to provide or measure our advertisements. You have opt-out rights under U.S. state privacy laws if applicable.

Affiliates

If Echofly becomes part of a corporate group, we may share data within that group as necessary to provide the Services. Affiliates will honor this Policy.

Legal and Compliance

We may disclose Personal Data when we believe in good faith it is necessary to:

• Comply with legal obligations (court orders, subpoenas, government demands)
• Investigate, prevent, or take action regarding illegal activities or suspected fraud
• Protect the safety or rights of any person
• Enforce our Terms or policies
• Serve as evidence in litigation

Business Transfers

In the event of a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction:

• Your Personal Data may be transferred to a successor or affiliate
• The successor will assume rights and obligations regarding your data as described in this Policy
• We will notify you of any such change (e.g., via prominent notice or email)

Aggregated or De-Identified Data

We may share data that has been aggregated or de-identified so it can no longer identify individuals. This is not considered Personal Data and may be disclosed freely (e.g., trend reports, usage statistics).

8. Biometric Information

Echofly is aware of the sensitive nature of biometric data.

What is Biometric Data?

Biometric identifiers include unique personal identifiers like:

• Facial scans or geometry (from photos/videos)
• Voiceprints or vocal patterns (from audio recordings)

Some laws (e.g., Illinois's Biometric Information Privacy Act) specifically regulate biometric data.

Collection and Use

If you, as a Creator, upload photos, videos, or voice recordings to create a realistic Echo:

• Our system may process that content to extract biometric data
• Used solely to provide the requested service (generate avatar or voice resembling you) and improve related models
• Not used for any unrelated purposes

We do not store raw audio recordings or voiceprints. Voice data is processed by ElevenLabs and converted to text transcripts, which we store.

Consent

By voluntarily uploading content containing your biometric identifiers (image or voice) and enabling features that use it, you consent to our collection and use of this biometric information.

Where required by law, we will obtain your explicit, informed, and written consent, including:

• The specific purpose of collection
• Duration of retention

Disclosure of Biometric Information

We do not sell or share biometric identifiers with third parties for their own use.

Biometric data may be disclosed to service providers (e.g., cloud processors, AI providers) as necessary to perform processing. These providers are contractually bound to strict privacy and security obligations.

We may disclose biometric information if required by law, but we will contest requests we believe are invalid.

Storage and Retention

Biometric data is stored securely using industry-standard safeguards (encryption, access controls).

We retain biometric information only as long as needed for the purposes collected:

• While your account is active and you use the associated Echo
• If you delete biometric content or your account, we will delete the biometric data upon account deletion or within a defined period
• Some laws (like Illinois BIPA) require deletion when the initial purpose is satisfied or within 3 years of your last interaction. We comply with these requirements.

Once we no longer need biometric data, we permanently and securely delete it.

Security

Because of the sensitive nature of biometric identifiers, we apply heightened security measures:

• Encryption at rest and in transit
• Restricted access controls
• Regular security audits

Your Rights

Depending on your jurisdiction, you may have specific rights regarding biometric information (e.g., right to deletion, right to not be subject to collection without consent).

If you have questions or requests related to biometric data, contact us at privacy@echofly.ai.

Important: Where required by law, we will obtain explicit, written consent before collecting or processing biometric data. Biometric data will be permanently deleted upon withdrawal of consent or within three years of your last interaction, whichever is earlier, unless otherwise required by law.

9. Cookies and Tracking Technologies

This section serves as Echofly's complete cookie policy.

Like many platforms, we use cookies and similar technologies (pixel tags, local storage, scripts. Collectively "cookies") to recognize you, improve your experience, and collect usage information.

Your cookie choices are stored until you change them or clear your browser data.

What Are Cookies?

Cookies are small text files stored on your browser or device by websites, apps, or advertisements. They enable features and remember preferences.

Types of Cookies We Use

Essential Cookies (Always Enabled) These are necessary for the website to function properly and cannot be turned off:

• Remember your cookie preferences and privacy choices
• Maintain security and prevent unauthorized access
• Deliver content and enable basic site features
• Support error handling and site navigation

Performance, Analytics, and Measurement Cookies (Optional) With your permission, these help us understand how the Services are used so we can improve:

• Learn which pages, buttons, and widgets people use
• Optimize your experience by understanding interaction patterns
• Count views and measure feature effectiveness
• Gather aggregated data about performance to detect issues and improve
• Test updates and build new functionality
• Deliver marketing campaigns and measure effectiveness
• Understand device usage to personalize experience across devices

Information collected is aggregated and anonymous. We do not use these cookies to identify individual visitors.

Third-Party Cookies

We use these analytics providers:

• Google Analytics – Website analytics (subject to Google's Privacy Policy)
• PostHog – Product analytics

These providers set their own cookies to gather information, which may be transmitted to and stored on their servers.

Managing Your Cookie Preferences

Cookie Settings Tool When you first visit our site, you'll see a cookie banner allowing you to accept or reject optional cookies. You can adjust preferences anytime via our Cookie Settings tool.

Browser Settings You can manage cookies through your browser's settings (usually in "Options" or "Preferences"). Most browsers allow you to:

• Refuse or delete cookies
• Manage cookies on a site-by-site basis
• Block cookies entirely

Opt Out of Specific Services

Google Analytics: Install the Google Analytics Opt-out Browser Add-on

Interest-Based Advertising: Visit NAI Opt-Out or DAA Opt-Out

Global Privacy Control (GPC) We honor Global Privacy Control signals and similar browser-based opt-out preferences where required by law.

Note: If you disable cookies, certain features may not function properly (e.g., you may need to re-enter login information or preferences on each visit).

Do Not Track

Some browsers have a "Do Not Track" (DNT) feature. Currently, our Services do not respond to DNT signals because there is no consensus on interpretation. We will update our practices if a uniform standard is established.

You can use the cookie and opt-out options described above to control tracking.

Consent

By using our Services with cookies enabled in your browser, you consent to our use of cookies as described here. We provide transparency and controls so you can make informed choices.

10. Data Security

We take reasonable and appropriate measures to protect Personal Data from loss, theft, misuse, unauthorized access, disclosure, alteration, or destruction.

Security Measures

Encryption

• Data in transit: HTTPS (TLS) encryption for website and APIs
• Data at rest: Sensitive data (passwords, payment info) stored encrypted

Access Controls

• Access to Personal Data limited to employees, contractors, and service providers who need it
• All such persons are subject to confidentiality obligations
• Role-based access and strong authentication required

Network & System Security

• Infrastructure hosted on reputable providers (AWS)
• Firewalls, intrusion detection, and monitoring
• Regular security patches and updates

Testing and Assessments

• Periodic security reviews
• Vulnerability assessments or penetration testing
• Incident response plan for security incidents

Contractual Safeguards Service providers are contractually required to implement appropriate security measures and protect Personal Data in line with legal requirements.

Your Responsibilities

While we strive to protect data, no system is 100% secure. You should:

• Use a unique, strong password
• Do not share your password
• Log out after using the Services, especially on shared devices
• Notify us immediately if you suspect a security issue: support@echofly.ai

11. Data Storage and International Transfers

Echofly is based in the United States. Most user data is stored on U.S. servers provided by Amazon Web Services (AWS).

International Data Transfers

By using our Services, you understand that Personal Data may be transferred to and stored on servers outside your home country or region, including the United States.

If you are located outside the U.S. (e.g., in the EU/EEA, UK):

• We take steps to ensure appropriate safeguards are in place
• We rely on Standard Contractual Clauses (SCCs), the UK Addendum, or equivalent legal safeguards for cross-border transfers
• These safeguards are implemented in contracts with sub-processors (like AWS)
• We may also rely on your explicit consent for certain transfers when legally permitted

Our major service providers (like AWS) are certified under internationally recognized security standards and may implement their own transfer safeguards.

Data Location

Generally, user data is stored in the United States. Depending on our architecture and future expansions, data may be processed in other regions (e.g., regional servers to reduce latency or comply with local requirements).

We will inform users if we significantly change where data is stored. Regardless of location, this Privacy Policy applies to our handling of your Personal Data.

If you have questions about safeguards for cross-border transfers, contact privacy@echofly.ai.

12. Data Retention

We retain Personal Data as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law.

Active Accounts

We keep Profile Information and account data while your account is active

Content you create (Echo training data, chat interactions) is stored as long as needed for platform operation and AI improvement

Account Deletion

If you delete your account:

• We will initiate deletion of your Personal Data
• Most data will be deleted or anonymized within 30 days
• Some data may be retained longer for legitimate business interests or legal obligations (see below)

Archived Data and Backups

• If you delete specific content, we will cease using it going forward
• Residual copies may remain in system backups for a limited time (not publicly accessible)
• Transcripts and content may be archived (not fully deleted) to allow account reactivation
• You can request deletion of archived data

Retention for Legal or Legitimate Purposes

We may retain data longer for:

• Legal Compliance: Tax, accounting, or other legal obligations (e.g., financial records retained for auditing)
• Dispute Resolution: If there's a possibility of a legal claim or dispute
• Safety and Fraud Prevention: Logs or records to detect abuse patterns (e.g., banned user records)

When Personal Data is no longer required, we delete or anonymize it. We regularly review stored data and delete or de-identify records no longer needed.

Backup and Archival

Removing data from active systems may not immediately remove it from backups retained for disaster recovery. During that interim, data remains securely stored and is not accessed except for recovery purposes. Backups are rotated out or destroyed per our retention policy.

13. Personal Data of Children

Echofly is not directed to children, nor do we knowingly collect personal information from anyone under:

• 13 years old (in the U.S. and most jurisdictions)
• 16 years old (in the EU/UK or other regions with higher age thresholds)

Our Terms of Service prohibit children from using the platform.

If We Learn of Child Data Collection

If we discover we have inadvertently collected Personal Data from a child without proper consent, we will:

• Terminate the account
• Delete the information promptly

Parents and Guardians

If you believe your child has provided personal information to us, contact us immediately at privacy@echofly.ai. We will investigate and delete the information.

We comply with laws protecting children's privacy, including the U.S. Children's Online Privacy Protection Act (COPPA) and relevant international regulations.

14. U.S. State Privacy Rights

Residents of certain U.S. states (California, Colorado, Connecticut, Utah, Virginia, and others) have specific privacy rights under state laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Your Rights

Right to Know/Access Request disclosure of:

• Categories of personal information we collect, use, disclose, sell, or share
• Categories of sources
• Business or commercial purposes
• Categories of third parties with whom information is shared
• Specific pieces of information we have about you
• A portable copy of your personal data

Right to Delete Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal requirements, completing transactions, detecting security incidents).

Right to Correct Request correction of inaccurate personal information.

Right to Opt-Out of Sale or Sharing Opt out of "sale" of your personal information or "sharing" for cross-context behavioral advertising.

We do not sell your personal data for money. The only potential "sharing" is use of certain advertising or analytics cookies, which could be construed as sharing with third-party networks.

You can control such cookies via our Cookie Settings or by using Global Privacy Control (GPC) signals.

Right to Limit Use of Sensitive Personal Information If we collect sensitive information (e.g., precise geolocation, race/ethnicity, health data), you may limit our use to what is necessary to provide the Services.

We do not use sensitive personal information for purposes beyond providing the Services (we do not use it for profiling or targeted advertising).

Non-Discrimination You have the right not to receive discriminatory treatment for exercising your privacy rights. We will not deny Services, charge different prices, or provide lesser quality because you exercised your rights.

California "Shine the Light"

California's "Shine the Light" law (Civil Code §1798.83) allows California residents to request information about disclosure of personal information to third parties for their direct marketing.

We do not disclose personal information to third parties for independent direct marketing without consent. California users may contact us for clarification.

Nevada Residents

Nevada law allows residents to opt out of certain personal data sales. We do not sell personal information as defined under Nevada law. If that changes, we will update this Policy and provide an opt-out method.

15. European Union, UK, and Other International Rights

If you are located in the European Union (EU), European Economic Area (EEA), United Kingdom (UK), or certain other countries with comprehensive data protection laws, you have specific rights under the General Data Protection Regulation (GDPR) or equivalent local laws.

Your Rights

Right to Access Request confirmation of whether we are processing your personal data and access to that data, along with information about how we use it.

Right to Rectification Request correction of inaccurate or incomplete personal data. You can also make certain changes directly via your account settings.

Right to Erasure ("Right to Be Forgotten") Request deletion of your personal data in certain circumstances:

• Data no longer needed for the purposes collected
• You withdraw consent (where consent was the basis for processing)
• You object to processing and we have no overriding legitimate interest
• Processing is unlawful

This right is not absolute; we may retain data as allowed by law (e.g., legal obligations, legal claims).

Right to Restrict Processing Request that we pause processing of your personal data in certain scenarios:

• You contest data accuracy (while we verify)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data but you need it for legal claims
• You have objected to processing (pending verification of overriding grounds)

When restricted, we store data but do not use it further until the restriction is lifted (with notice to you).

Right to Data Portability Request a copy of certain personal data in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.

Applies to personal data you provided to us, which we process by automated means based on consent or a contract.

Right to Object Object to processing of your personal data when:

• Processing is based on our legitimate interests or a task in the public interest
• You are subject to direct marketing

If you object, we will evaluate whether our legitimate grounds override your privacy rights. You have an unconditional right to object to direct marketing. If you object, we will stop.

Right to Withdraw Consent Where we rely on your consent to process personal data (e.g., optional marketing, certain cookies), you have the right to withdraw consent at any time.

Withdrawal does not affect the lawfulness of processing before withdrawal. If you withdraw consent, we will stop the processing based on consent (and possibly delete the data if no other basis applies).

Automated Decision-Making Echofly's Services involve AI profiles responding to queries, but these interactions are not decisions that produce legal or similarly significant effects on you.

We do not make solely automated decisions about you that have legal effects or similarly significant impacts without human involvement, as defined under GDPR Article 22.

If we ever engage in such decision-making, we will ensure compliance and your right to certain protections (like human review).

Right to Lodge a Complaint If you believe we have infringed your data protection rights, you have the right to lodge a complaint with a supervisory authority:

• EU residents: Your local data protection authority (list here)
• UK residents: Information Commissioner's Office (ICO) at ico.org.uk

We encourage you to contact us first so we can address your concerns directly.

Legal Bases for Processing

GDPR requires that we inform you of our legal justification for processing your personal data:

Contractual Necessity Processing necessary to fulfill our contract with you (Terms of Service). This includes handling account information, providing Services, and performing transactions or support.

Legitimate Interests Processing necessary for our legitimate interests or those of others, provided those interests are not overridden by your data protection rights. This includes:

• Improving our Services
• Securing our platform
• Conducting analytics
• Showing relevant marketing (for our own services)
• Communicating product updates

Consent For certain processing, we rely on your consent:

• Sending marketing emails (where required by law)
• Using non-essential cookies
• Processing sensitive personal data (if ever applicable beyond what's strictly necessary)

You can withdraw consent as described above.

Legal Obligation Sometimes we must process or retain data to comply with laws (e.g., retaining certain records for tax, legal reporting, or responding to lawful requests).

If you have questions about legal bases or want more detail on how specific data is processed, contact privacy@echofly.ai.

16. Exercising Your Privacy Rights

You can exercise your privacy rights in several ways:

Account Settings

Many privacy preferences can be managed directly in your account settings:

• Update profile and contact information
• Opt out of AI training (toggle)
• Control feedback visibility (toggle)
• Manage marketing communications preferences (toggle)
• Manage cookie preferences (via Cookie Settings tool)

Email Requests

For requests that cannot be completed via account settings, email privacy@echofly.ai with:

• Subject line indicating your request type (e.g., "Privacy Request – Access," "Privacy Request – Deletion," "AI Training Opt-Out")
• Your name and the email associated with your Echofly account
• Your state or country of residence (if applicable to your rights)
• Specific details of your request

Verification

For your privacy and security, we will need to verify your identity before processing requests. We may ask you to:

• Confirm specific profile details or recent transactions
• Re-authenticate through your logged-in account
• Provide additional information that matches our records

Authorized Agents

If you use an authorized agent to submit a request on your behalf, the agent must provide proof of authorization. We may still ask you to verify your identity directly.

Response Timeline

We will respond to privacy requests within the timeframe required by law:

• CCPA/CPRA: Generally within 45 days, with possible 45-day extension if needed (with written notice)
• GDPR: Within one month, with possible extension (with written notice)

If we need more time, we will inform you of the reason and extension period. We will deliver responses via your account or email whenever possible.

If We Cannot Fulfill Your Request

If we cannot fulfill your request, we will explain the reasons (e.g., could not verify identity, request is exempt under an exception, or prohibited by law).

No Fees

There is no fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request (with explanation).

Opt-Out Mechanisms

Opt-Out of Sale/Sharing (U.S. States)

• Use our Cookie Settings tool to decline advertising cookies
• Use Global Privacy Control (GPC) or similar browser signal (we will treat it as a valid opt-out)
• Email privacy@echofly.ai with subject "Do Not Sell or Share My Personal Information"

Once processed, we will not "sell" or "share" your personal data unless you later provide permission.

Opt-Out of AI Training

• Use the toggle in your account settings, or
• Email privacy@echofly.ai with subject "AI Training Opt-Out"

We will process your opt-out within 30 days. This will not affect use of anonymized or aggregated data.

Opt-Out of Marketing

• Click "unsubscribe" in any marketing email, or
• Adjust preferences in account settings, or
• Email privacy@echofly.ai with subject "Marketing Opt-Out"

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your Personal Data, please contact us:

• General Privacy Questions: privacy@echofly.ai
• Support: support@echofly.ai
• Data Subject Requests: privacy@echofly.ai
• AI Training Opt-Out: privacy@echofly.ai (subject: "AI Training Opt-Out")
• Do Not Sell/Share: privacy@echofly.ai (subject: "Do Not Sell or Share My Personal Information")

Mailing Address:

Echofly, LLC

2222 W. Grand River Ave Ste A,

Okemos, Ingham County,

MI 48864 US

We are committed to working with you to resolve any concerns about your privacy.

Your privacy is important to us. Thank you for trusting Echofly with your information.