Echo Platform Privacy Policy

Effective Date: September 9, 2025
Last Updated: September 9, 2025

This Privacy Policy describes how Merit Systems, Inc. ("Merit Systems," "we," "us," or "our") collects, uses, and protects your information when you use the Echo Platform ("Echo," "the Platform," or "our service").

By using Echo, you agree to the collection and use of information in accordance with this Privacy Policy. This Privacy Policy should be read in conjunction with our Terms of Service.


1. Information We Collect

Account Information

When you create an Echo account, we collect:

  • Identity Information: Name, email address, username
  • Authentication Data: Encrypted passwords, OAuth tokens from third-party providers (Google, GitHub)
  • Profile Information: Profile pictures, bio, preferences
  • Contact Information: Email address for communications and support

AI Usage Data

To provide our AI services and billing, we collect:

  • Prompts and Inputs: The text, questions, or instructions you submit to AI models
  • AI Responses: The content generated by AI models in response to your prompts
  • Usage Metrics: Token consumption, model selection, response times, costs
  • API Interactions: API calls, request/response data, error logs
  • Performance Data: Response quality, user satisfaction ratings

Application Data

If you develop applications using Echo, we collect:

  • App Information: App names, descriptions, settings, configuration
  • Developer Data: API keys, webhooks, integration details
  • User Analytics: User engagement, feature usage, performance metrics
  • Revenue Data: Transaction history, earnings, payout information

Technical Information

We automatically collect technical data including:

  • Device Information: Browser type, operating system, device identifiers
  • Connection Data: IP address, location (city/country level), internet service provider
  • Usage Patterns: Pages visited, features used, time spent, click patterns
  • System Logs: Error reports, security events, performance metrics

Financial Information

For billing and payments, we work with third-party processors to collect:

  • Payment Methods: Credit/debit card information (processed by Stripe)
  • Billing Information: Billing address, tax identification numbers
  • Transaction History: Payment amounts, dates, status, invoices
  • Tax Documentation: W-9, W-8BEN forms for developers receiving payments

2. How We Use Your Information

Core Service Operations

  • AI Processing: Forward your prompts to third-party AI providers and return responses
  • Account Management: Create and maintain your account, authenticate access
  • Billing and Usage: Track usage, calculate costs, process payments, generate invoices
  • API Services: Provide access to our APIs and manage rate limiting

Platform Improvement

  • Analytics: Analyze usage patterns to improve our services and user experience
  • Performance Monitoring: Monitor system performance and optimize response times
  • Security: Detect and prevent fraud, abuse, and security threats
  • Product Development: Develop new features and improve existing functionality

Communications

  • Service Communications: Account notifications, security alerts, service updates
  • Support: Respond to your questions and provide technical assistance
  • Marketing: Send information about new features, promotions (with opt-out options)
  • Legal Compliance: Fulfill legal obligations and enforce our terms

Developer Services

  • App Analytics: Provide insights about your application's usage and performance
  • Revenue Sharing: Calculate and process payments for developers
  • Integration Support: Help with API integration and troubleshooting

3. Information Sharing and Third-Party Services

Third-Party AI Providers

Echo integrates with multiple AI providers. Your prompts and usage data are shared with:

OpenAI

  • Data Shared: Your prompts, conversation history, usage metrics
  • Purpose: AI model processing and response generation
  • Privacy Policy: OpenAI Privacy Policy
  • Data Retention: Per OpenAI's API data usage policies

Anthropic

  • Data Shared: Your prompts, conversation history, usage metrics
  • Purpose: AI model processing and response generation
  • Privacy Policy: Anthropic Privacy Policy
  • Data Retention: Per Anthropic's API data usage policies

Google (Gemini)

  • Data Shared: Your prompts, conversation history, usage metrics
  • Purpose: AI model processing and response generation
  • Privacy Policy: Google Privacy Policy
  • Data Retention: Per Google AI API data usage policies

OpenRouter

  • Data Shared: Your prompts, conversation history, usage metrics
  • Purpose: AI model processing and response generation
  • Privacy Policy: OpenRouter Privacy Policy
  • Data Retention: Per OpenRouter's API data usage policies

Payment Processors

Stripe (Payment Processing)

  • Data Shared: Payment information, billing details, transaction data
  • Purpose: Process payments, handle subscriptions, manage billing
  • Privacy Policy: Stripe Privacy Policy

Terminal (Payout Processing)

  • Data Shared: Developer earnings, tax information, bank details
  • Purpose: Process payouts to developers, handle tax compliance
  • Privacy Policy: Terminal Privacy Policy

Analytics and Infrastructure

Vercel (Hosting and Analytics)

  • Data Shared: Usage analytics, performance metrics, error logs
  • Purpose: Host our application, provide performance insights
  • Privacy Policy: Vercel Privacy Policy

PostHog (Product Analytics)

  • Data Shared: User behavior, feature usage, anonymized metrics
  • Purpose: Understand product usage, improve user experience
  • Privacy Policy: PostHog Privacy Policy

When We Share Information

We may share your information in these circumstances:

  • Service Providers: With third parties who help us operate our platform
  • Legal Requirements: When required by law, court order, or government request
  • Safety and Security: To protect our users, platform, or public safety
  • Business Transfers: In connection with mergers, acquisitions, or asset sales
  • With Your Consent: When you explicitly authorize us to share information

What We Don't Share

We do not:

  • Sell your personal information to third parties
  • Share your prompts with other Echo users (unless you explicitly share them)
  • Use your data to train our own AI models
  • Share more information than necessary to provide our services

4. Data Security and Protection

Security Measures

We implement multiple layers of security to protect your data:

Technical Safeguards

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Authentication: Multi-factor authentication support, secure password policies
  • Access Controls: Role-based access, principle of least privilege
  • API Security: Rate limiting, API key management, secure endpoints

Infrastructure Security

  • Cloud Security: AWS/Vercel security controls, secure data centers
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Monitoring: 24/7 security monitoring, anomaly detection
  • Incident Response: Established procedures for security incidents

Operational Security

  • Employee Training: Security awareness training for all staff
  • Background Checks: Screening for employees with data access
  • Regular Audits: Security assessments and penetration testing
  • Compliance: SOC 2 Type II compliance (in progress)

Data Breach Response

In the event of a data breach, we will:

  • Immediately investigate and contain the breach
  • Notify affected users within 72 hours when legally required
  • Provide detailed information about what data was affected
  • Offer guidance on protective steps you can take
  • Report to relevant authorities as required by law

5. Data Retention and Deletion

Retention Periods

Account Data

  • Active Accounts: Retained while your account is active
  • Closed Accounts: Personal data deleted within 30 days of account closure
  • Legal Hold: May be retained longer if required for legal proceedings

AI Usage Data

  • Prompts and Responses: Retained for 90 days for debugging and billing
  • Usage Metrics: Retained for 2 years for analytics and billing history
  • Error Logs: Retained for 1 year for system improvement

Financial Data

  • Payment Records: Retained for 7 years for tax and legal compliance
  • Tax Documents: Retained as required by applicable tax laws
  • Transaction History: Retained for 5 years for dispute resolution

Analytics Data

  • Aggregated Analytics: Retained indefinitely (anonymized)
  • Individual Usage Patterns: Retained for 2 years
  • Security Logs: Retained for 1 year

Data Deletion

You can request deletion of your data by:

  • Using account deletion features in your dashboard
  • Contacting us at privacy@merit.systems
  • Following our data subject rights procedures (see Section 7)

Note: Some data may be retained for legal compliance even after deletion requests.


6. International Data Transfers

Global Operations

Echo operates globally, and your data may be transferred to and processed in:

  • United States: Primary data processing and storage
  • European Union: EU users' data may be processed in EU data centers
  • Third-Party Locations: AI providers and service providers may process data globally

Transfer Safeguards

When transferring data internationally, we ensure appropriate safeguards:

  • Adequacy Decisions: Transfers to countries with adequate data protection
  • Standard Contractual Clauses: EU-approved contractual protections
  • Binding Corporate Rules: Internal policies ensuring consistent protection
  • Certification Schemes: Privacy Shield successors and similar frameworks

Data Processing Locations

AI Providers

  • OpenAI: Primarily US-based processing
  • Anthropic: US-based processing
  • Google: Global processing, may include EU data centers
  • OpenRouter: Variable locations depending on selected models

Infrastructure Providers

  • Vercel: Global edge network, data residency options available
  • AWS: Multiple regions, EU data residency for EU users

7. Your Privacy Rights

General Rights

Depending on your location, you may have the following rights:

Access Rights

  • Data Access: Request copies of your personal data
  • Processing Information: Learn how we process your data
  • Third-Party Sharing: Information about data sharing with third parties

Control Rights

  • Rectification: Correct inaccurate or incomplete data
  • Deletion: Request deletion of your personal data ("right to be forgotten")
  • Portability: Export your data in a machine-readable format
  • Restriction: Limit how we process your data

Objection Rights

  • Processing Objection: Object to processing based on legitimate interests
  • Marketing Opt-Out: Unsubscribe from marketing communications
  • Automated Processing: Object to automated decision-making

Region-Specific Rights

European Union (GDPR)

EU users have enhanced rights under the General Data Protection Regulation:

  • Right to data protection by design and default
  • Right to lodge complaints with supervisory authorities
  • Enhanced consent requirements for data processing
  • Right to withdraw consent at any time

California (CCPA/CPRA)

California residents have specific rights under state privacy laws:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of the sale of personal information
  • Right to non-discrimination for exercising privacy rights

Other Jurisdictions

We extend similar privacy rights to users in other jurisdictions with applicable privacy laws.

Exercising Your Rights

To exercise your privacy rights:

  1. Account Settings: Many rights can be exercised through your account dashboard
  2. Privacy Request Form: Submit requests through our privacy portal
  3. Email: Contact us at privacy@merit.systems
  4. Identity Verification: We may require identity verification for security

We will respond to valid requests within 30 days (or as required by applicable law).


8. Cookies and Tracking Technologies

Types of Cookies We Use

Essential Cookies

  • Authentication: Keep you logged in during your session
  • Security: Prevent cross-site request forgery and other attacks
  • Load Balancing: Ensure optimal server performance
  • Preferences: Remember your settings (theme, language)

Analytics Cookies

  • Usage Analytics: Understand how users interact with our platform
  • Performance Monitoring: Track page load times and errors
  • Feature Usage: Measure adoption of new features

Marketing Cookies (Optional)

  • Conversion Tracking: Measure effectiveness of marketing campaigns
  • Retargeting: Show relevant ads on other websites
  • Social Media Integration: Enable sharing and social login features

Third-Party Cookies

We may use third-party cookies from:

  • Vercel Analytics: Performance and usage analytics
  • PostHog: Product analytics and user behavior tracking
  • Stripe: Payment processing and fraud prevention
  • OAuth Providers: Google, GitHub for authentication

Managing Cookies

You can control cookies through:

  • Browser Settings: Disable or limit cookies in your browser
  • Cookie Preferences: Use our cookie consent manager
  • Opt-Out Tools: Use industry opt-out tools for advertising cookies
  • Private Browsing: Use incognito/private browsing modes

Note: Disabling essential cookies may affect platform functionality.


9. Children's Privacy

Age Restrictions

Echo is not intended for use by children under 18 years of age. We:

  • Do not knowingly collect personal information from children under 18
  • Require users to confirm they are at least 18 years old
  • Will delete any information we discover was collected from children
  • Encourage parents to monitor their children's internet usage

Parental Controls

If you believe your child has provided information to Echo:

  • Contact us immediately at privacy@merit.systems
  • We will promptly delete the account and associated data
  • We will implement measures to prevent future access

Educational Use

For educational institutions using Echo:

  • Institutions must verify user ages and obtain appropriate consents
  • Enhanced privacy protections apply to educational data
  • Compliance with FERPA and similar education privacy laws

10. Changes to This Privacy Policy

Updates and Notifications

We may update this Privacy Policy to:

  • Reflect changes in our services or business practices
  • Comply with new legal requirements
  • Improve our privacy practices
  • Address user feedback and concerns

How We Notify You

For material changes, we will notify you by:

  • Email: Notice sent to your registered email address
  • Platform Notice: Prominent notice on our platform
  • In-App Notification: Alert when you next use Echo
  • Version History: Maintain a changelog of policy updates

Effective Date of Changes

Changes become effective:

  • Immediately: For clarifications that don't change your rights
  • 30 Days: For material changes affecting data processing
  • Upon Consent: For changes requiring explicit consent

Your continued use of Echo after changes become effective constitutes acceptance of the updated Privacy Policy.


11. Contact Information and Data Protection

Privacy Team Contact

For privacy-related questions, concerns, or requests:

Privacy Officer
Merit Systems, Inc.
Email: privacy@merit.systems
Address: 224 West 35th Street, Ste 500 #2218, New York, NY 10001

Data Protection Representative (EU)

For EU users, our EU Data Protection Representative can be contacted at:
Email: eu-privacy@merit.systems

Supervisory Authority

EU users have the right to lodge complaints with their local supervisory authority regarding our data processing activities.

Response Times

We aim to respond to privacy inquiries within:

  • General Questions: 5 business days
  • Data Subject Requests: 30 days (as required by law)
  • Urgent Security Matters: 24 hours

12. Specific Privacy Practices for AI Services

AI Prompt Handling

When you submit prompts to AI models through Echo:

Data Flow

  1. Prompt Reception: Your prompt is received and logged by Echo
  2. Pre-Processing: We may apply content filtering and safety checks
  3. Third-Party Transmission: Prompt is sent to the selected AI provider
  4. Response Handling: AI response is received and returned to you
  5. Usage Tracking: Token usage and costs are calculated and stored

Prompt Privacy Considerations

  • Visibility: Your prompts are visible to the AI provider you select
  • Retention: AI providers have their own data retention policies
  • Training: Some providers may use API data for model improvement
  • Privacy Options: Some providers offer enhanced privacy modes

Data Minimization

We practice data minimization by:

  • Only collecting data necessary for service operation
  • Regularly purging old prompt data
  • Anonymizing analytics data where possible
  • Limiting employee access to personal data

AI Model Selection and Privacy

Different AI providers have different privacy practices:

Privacy-First Options

  • Some providers offer models with enhanced privacy protections
  • Options for processing without data retention
  • Models that don't use API data for training

User Control

  • Choose AI providers based on their privacy practices
  • Opt for providers with stronger data protection
  • Understand trade-offs between features and privacy

This Privacy Policy is designed to be transparent about our data practices. If you have any questions or concerns, please don't hesitate to contact our privacy team at privacy@merit.systems.

By using Echo, you acknowledge that you have read, understood, and agree to this Privacy Policy.