EchoYears Privacy Policy
Effective Date: January 1, 2025
Last Updated: January 1, 2025
1. Introduction
Welcome to EchoYears ("we," "our," or "us"). We operate the EchoYears time capsule messaging service, available through our website at echoyears.com and app.echoyears.com, and our mobile applications for iOS and Android (collectively, the "Service").
This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service. By using EchoYears, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, password, profile information
- Message Content: Text messages, photos, videos, audio recordings, and other media you choose to include in your time capsules
- Recipients: Names, email addresses, phone numbers, and relationship information for message recipients
- Payment Information: Billing information processed through Stripe (we do not store credit card numbers)
- Communication: Messages you send us for support or feedback
2.2 Information We Collect Automatically
- Device Information: Device type, operating system, browser type, mobile device identifiers
- Usage Data: How you interact with our Service, features used, time spent, click patterns
- Location Data: IP address, country, region, city, timezone (derived from IP address)
- Technical Data: Log files, cookies, web beacons, and similar tracking technologies
- Analytics Data: User behavior, session duration, page views, referral sources
2.3 Mobile App Permissions
Our mobile app may request the following permissions:
- Camera: To capture photos for your time capsule messages
- Photo Library: To attach existing photos to messages
- Microphone: To record audio messages
- Face ID/Touch ID: For secure biometric authentication (processed locally on your device)
- Notifications: To send delivery alerts and referral notifications
- Storage: To temporarily store media during message creation
3. How We Use Your Information
We use your personal information for the following purposes:
3.1 Service Provision
- Create and manage your account
- Store and schedule your time capsule messages
- Deliver messages at the specified times
- Process payments and manage subscriptions
- Provide customer support
3.2 Communication
- Send service-related notifications
- Deliver scheduled messages to recipients
- Send referral and promotional communications (with consent)
- Provide updates about new features and services
3.3 Analytics and Improvement
- Analyze usage patterns and user behavior
- Improve our Service and develop new features
- Conduct A/B testing and user research
- Generate anonymized statistics and insights
3.4 Marketing and Advertising
- Track advertising campaign effectiveness
- Personalize content and recommendations
- Manage referral programs
- Conduct targeted advertising (with consent)
4. Third-Party Services and Data Sharing
4.1 Service Providers
We share your information with trusted third-party service providers:
- Amazon Web Services (AWS): Cloud infrastructure, data storage, authentication (Cognito), email delivery (SES), file storage (S3)
- Stripe: Payment processing and subscription management
- Google Analytics & GTM: Website and app analytics, user behavior tracking
- Social Media Platforms: Facebook, Instagram, TikTok, Twitter, LinkedIn for advertising attribution and sharing functionality
4.2 Analytics and Marketing Partners
We use the following analytics and marketing services (with your consent):
- Google Tag Manager: Event tracking and analytics
- Facebook Pixel: Facebook and Instagram advertising attribution
- TikTok Pixel: TikTok advertising campaigns
- Twitter Universal Website Tag: Twitter advertising
- LinkedIn Insight Tag: LinkedIn advertising
4.3 Legal Requirements
We may disclose your information when required by law, including:
- Compliance with legal obligations
- Protection of our rights and property
- Investigation of potential violations
- Response to valid legal requests from authorities
4.4 No Sale of Personal Data
We do not sell, rent, or trade your personal information to third parties for monetary gain.
5. Data Security and Encryption
5.1 Encryption
- Message Content: All message titles and content are encrypted using AES encryption before storage
- Data in Transit: All data transmission uses TLS/HTTPS encryption
- Data at Rest: Data stored in AWS services uses server-side encryption
- Key Management: Encryption keys are managed through AWS KMS
5.2 Security Measures
- Multi-factor authentication support
- Biometric authentication on mobile devices
- Regular security assessments and updates
- Access controls and user permissions
- Secure data centers and infrastructure
5.3 Data Retention
We retain your personal information for as long as necessary to provide our services and comply with legal obligations:
- Account Data: Until account deletion plus 30 days
- Message Content: Until delivery date plus 1 year for support purposes
- Payment Data: As required by payment processors and tax laws
- Analytics Data: Up to 26 months in anonymized form
6. Cookies and Tracking Technologies
6.1 Cookie Categories
We use cookies and similar technologies with your consent:
- Necessary Cookies: Essential for authentication, security, and basic functionality (always active)
- Analytics Cookies: Google Analytics, user behavior tracking, performance monitoring
- Marketing Cookies: Social media pixels, advertising attribution, campaign tracking
- Functional Cookies: Personalization, chat widgets, social media embeds
6.2 Cookie Management
You can manage cookie preferences through:
- Our cookie consent banner (updated every 30 days)
- Browser settings to block or delete cookies
- Opt-out links provided by third-party services
- Your account settings for personalized preferences
7. Your Rights and Choices
7.1 GDPR Rights (EU/UK Residents)
Under GDPR, you have the following rights:
- Right to Access: Request copies of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a structured format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for marketing and analytics
7.2 CCPA Rights (California Residents)
Under CCPA, you have the following rights:
- Right to Know: What personal information we collect and how it's used
- Right to Access: Request specific pieces of personal information
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt-out of data sales (not applicable as we don't sell data)
- Right to Non-Discrimination: Equal service regardless of privacy choices
7.3 General Rights
All users can:
- Access and update account information through your profile
- Delete your account and associated data
- Opt-out of marketing communications
- Manage cookie and tracking preferences
- Contact us with privacy concerns
8. International Data Transfers
Your personal information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place:
- AWS data centers with appropriate security certifications
- Standard contractual clauses for EU data transfers
- Privacy Shield frameworks where applicable
- Other legally recognized transfer mechanisms
9. Children's Privacy
EchoYears is not intended for children under 13 years of age (or 16 in the EU). We do not knowingly collect personal information from children. If we discover we have collected information from a child, we will delete it immediately. Parents who believe their child has provided information should contact us.
10. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or for legal reasons. We will:
- Post the updated policy on our website and app
- Update the "Last Updated" date
- Notify you of material changes via email or app notification
- Provide 30 days' notice for significant changes
Your continued use of EchoYears after changes constitutes acceptance of the updated policy.
11. Contact Information
12. Additional Information
12.1 Mobile App Specific Terms
- Biometric data (Face ID/Touch ID) is processed locally on your device and never transmitted to our servers
- Push notifications can be disabled through your device settings
- App permissions can be managed through your device's privacy settings
- Uninstalling the app does not delete your account data; use the in-app deletion feature
12.2 Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Notify affected users within 72 hours of discovery
- Report to relevant supervisory authorities as required
- Provide details about the breach and remediation steps
- Offer appropriate support and protection measures
12.3 Third-Party Links
Our Service may contain links to third-party websites, social media platforms, or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing personal information.
This Privacy Policy is designed to be compliant with GDPR, CCPA, and other applicable privacy laws. However, privacy laws are complex and evolving. This policy should be reviewed by qualified legal counsel before implementation.
© 2025 EchoYears, LLC. All rights reserved.