Privacy Policy

We built Echo to be useful, respectful, and transparent. This policy explains what we collect, how we use it, and the choices you have—written in plain language.

Last Updated: October 2025

Quick summary: Echo processes calls and messages on behalf of your business. We store the minimum data needed to book appointments and send transactional texts. We never sell personal data. You can request access or deletion at any time by emailing privacy@echoassistant.org.

1) Information We Collect

A. From Business Owners (Platform Users)

  • Business details: name, address, phone number, email, logo/brand assets.
  • Configuration data: services offered, durations and buffers, pricing, policies (deposits/no-show), business hours, staff names and schedules.
  • Calendar connections: Google Calendar OAuth tokens/refresh tokens (stored encrypted) and calendar identifiers.
  • Account data: usernames, hashed passwords (if applicable), session/telemetry logs, device and browser metadata.
  • Payment data (future): subscription and billing details processed by Stripe; we do not store full card numbers.
  • Support content: emails, chat messages, and problem reports.

B. From End Customers (Callers / Texters)

  • Contact details: phone number (caller ID/SMS), name if provided, and preferred contact method.
  • Appointment data: requested service, date/time preferences, staff preferences, confirmations/reschedules/cancellations.
  • Communications: call audio (if recording is enabled with notice), call transcripts, voicemails, and SMS content.
  • Consent preferences: SMS opt-in/opt-out (STOP / START / HELP) and do-not-contact flags.
  • Usage logs: timestamps, message delivery status, basic technical metadata.

C. Automatically Collected

  • Server logs, error events, and performance metrics.
  • Cookies or local storage for authentication sessions and preferences.

2) How We Use Your Information

  • Answer and route calls/chats and respond to common questions using AI.
  • Book, reschedule, and cancel appointments on connected calendars.
  • Send transactional SMS (confirmations, reminders, reschedules, cancellations) on behalf of the business.
  • Improve quality by training prompts, evaluating transcripts, and measuring latency/accuracy (we do not sell personal data).
  • Secure the service via auditing, fraud detection, and abuse prevention.
  • Provide support and communicate about changes, outages, or policy updates.
  • Comply with law and carrier requirements (e.g., A2P 10DLC rules).

We rely on lawful bases consistent with GDPR principles, including performance of a contract (running Echo for your business), legitimate interests (service quality and security), and consent where required (e.g., SMS opt-in, call recording disclosures).

3) SMS & Phone Call Data (TCPA)

Important: Echo supports transactional texting only. Marketing or promotional messages require a separate, explicit opt-in program and are not included by default.
  • Consent: We send texts only with the business’s direction and when the customer has provided consent, including verbal consent during a call handled by Echo, website chat initiation, or other documented opt-in captured by the business.
  • Identification: Messages identify the business (e.g., “Echo for {SalonName}”).
  • Opt-out: Customers can reply STOP to opt out at any time and HELP for assistance. We honor and log opt-out requests and prevent further messages until the customer opts back in (e.g., START).
  • Message type & frequency: Transactional confirmations and reminders related to an appointment; frequency varies based on activity.
  • Charges: Message and data rates may apply.
  • Recording & transcription: If the business enables recording, Echo plays a consent prompt where required and stores transcripts as configured.
  • Carrier rules: We comply with Twilio A2P 10DLC policies and may throttle or block messages that jeopardize deliverability or compliance.

4) Third-Party Service Providers

We share data with vendors solely to operate Echo. These providers process data under contracts and only as instructed by us:

  • Twilio – phone numbers, voice calls, SMS delivery.
  • Google Calendar – availability checks and booking.
  • OpenAI – language processing to generate responses.
  • Deepgram – speech recognition and transcription.
  • ElevenLabs – text-to-speech / voice synthesis.
  • Railway – application hosting and runtime.
  • Neon – managed PostgreSQL database storage.
  • Stripe (future) – subscription billing and payments.

We may also disclose information if required by law or to protect the rights, property, or safety of Echo, our users, or others.

5) Data Storage & Security

  • Encryption: data in transit via TLS; sensitive secrets and OAuth tokens stored encrypted at rest.
  • Access controls: least-privilege access, role-based admin tools, audit logging.
  • Isolation: multi-tenant separation using per-tenant scoping and application safeguards.
  • Secure development: key management, regular updates, and monitoring for anomalous activity.

No method of transmission or storage is 100% secure; we work to protect your data but cannot guarantee absolute security.

6) Data Retention

  • Account & configuration data: kept while your account is active and as needed for legal/operational purposes.
  • Appointments & messages: retained according to business settings (e.g., transcripts/recordings may be auto-deleted after a chosen period).
  • Logs & telemetry: typically 30–180 days, unless required longer for security and compliance.
  • Opt-out lists: retained to honor future opt-outs unless you request purge.

7) Your Rights

Subject to local law, you may request to access, correct, export, or delete your personal information, or object to certain processing. You can:

  • Use in-app settings to edit or download business data;
  • Reply STOP to SMS to opt out of further texts; and
  • Email us at privacy@echoassistant.org for privacy requests. We may need to verify your identity.

8) California Privacy Rights (CCPA)

For California residents, we describe the categories of personal information collected above. We use and disclose this information for the business purposes described in this Policy. We do not sell personal information or share it for cross-context behavioral advertising. You may exercise your access, deletion, and correction rights by emailing privacy@echoassistant.org. We will not discriminate against you for exercising your rights.

9) Children’s Privacy

Echo is intended for business use and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided information, contact us and we will delete it.

10) International Data Transfers

Echo is operated in the United States. If you access the service from outside the U.S., your information may be transferred to, stored, and processed in the U.S. and other countries where our providers operate. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses for international transfers.

11) Changes to this Policy

We may update this Privacy Policy to reflect operational or legal changes. If changes are material, we will provide reasonable notice (for example, in-app or by email). The updated Policy becomes effective when posted.

12) Contact Us

Questions or requests? Email our privacy team at privacy@echoassistant.org.

13) TCPA Compliance Statement

Echo supports TCPA compliance for transactional messaging. The business remains responsible for collecting and documenting consent from its customers and for honoring opt-out requests.
  • Consent capture: Consent may be obtained during a phone call handled by Echo (verbal opt-in), via website/chat initiation, or other clear opt-in flows provided by the business.
  • Transactional vs. marketing: Echo sends appointment-related texts (confirmations, reminders, reschedules, cancellations). Marketing requires a separate, explicit opt-in program and is outside this service by default.
  • Opt-out / help: Reply STOP to end messages; HELP for help. We log and enforce opt-out status.
  • Identification: Messages identify the business (e.g., “Echo for {SalonName}”).
  • Frequency & charges: Message frequency varies. Message and data rates may apply.
  • Recordkeeping: We retain opt-in/out metadata to demonstrate compliance and prevent unwanted messages.