Privacy Policy

Last updated: 1 April 2026 · Effective: 1 April 2026

Ekcho is built around pseudonymity. We deliberately collect the minimum personal data necessary to operate. We do not collect your real name. We do not sell your data.

1. Who Controls Your Data

Pratesh John Mathew ("Ekcho"), operating individually, is the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Data Controller under the GDPR (for EU/EEA users).

Contact our Data Protection Officer: privacy@ekcho.net

2. What Data We Collect

Account data

When you register, we collect your chosen voice name and a password (stored as a bcrypt hash — we never see your actual password). We do not require your real name, email address, phone number, or date of birth. We generate an internal pseudonymous email address for your account which is never shown to you or anyone else.

Voice recordings

When you broadcast, your audio recording is uploaded and stored on Supabase Storage (servers in the EU or as configured by our Supabase project region). Your audio is processed by OpenAI Whisper to generate a text transcript for content moderation purposes. The transcript is stored alongside your broadcast.

Listening activity

We record which broadcasts you have listened to, your playback position, and whether you completed a broadcast. This is used to provide session memory (resume where you left off) and to generate completion statistics for broadcasters. This data is associated with your account, not your real identity.

Messages and notes

Messages sent between users ("notes") are stored in our database. They are only accessible to the participants in that conversation. We do not read your private messages except as required for moderation investigations following a report.

Unmask details

If you and another user mutually agree to unmask, the personal detail you choose to share (e.g. a first name or city) is stored permanently and is visible only to the person you shared it with. You control what you share and when.

Payment data

If you purchase Ekcho Pro or Credits, payments are processed by Lemon Squeezy. We receive confirmation of your payment and your subscription status but we do not receive or store your payment card details. Lemon Squeezy's privacy policy applies to payment processing.

Technical data

We collect IP addresses (for rate limiting and security), browser type, device type, and access logs. These are stored for up to 90 days and used for security purposes only.

Moderation data

Content moderation scores (from the OpenAI Moderation API) are stored alongside broadcasts. If a broadcast is flagged or removed, we retain the moderation record for 2 years for accountability purposes.

3. Why We Process Your Data (Legal Basis)

Under the DPDP Act 2023 and GDPR, we process your data on these bases:

  • Contract performance: Account management, broadcasting, listening, messaging, payments
  • Legitimate interests: Platform security, fraud prevention, rate limiting, abuse detection
  • Legal obligation: Compliance with Indian law, court orders, government directions under the IT Act 2000
  • Consent: Optional features such as analytics sharing or email notifications (you can withdraw consent at any time in Settings)

4. How Long We Keep Your Data

Data type            | Retention period
Account profile      | Until you delete your account + 30 days
Voice recordings     | Until you delete the broadcast + 30 days
Transcripts          | Same as broadcast
Listening history    | Until account deletion
Private messages     | Until account deletion or mutual deletion
Unmask details       | Permanent (by design — cannot be unseen once shared)
Payment records      | 7 years (Indian financial regulations)
Moderation records   | 2 years
Security logs (IP)   | 90 days

5. Who We Share Your Data With

We do not sell your personal data. We share data only with:

  • Supabase (database, storage, authentication) — EU servers. Data Processing Agreement in place.
  • OpenAI (audio transcription via Whisper, content moderation) — USA. Audio is sent for transcription and then deleted. Transcripts may be used to improve OpenAI models unless you opt out via OpenAI's data controls.
  • Lemon Squeezy (payment processing) — your email and payment data only, for Pro subscribers and credit purchasers.
  • Resend (transactional email) — email address only, for account and service notifications.
  • Law enforcement / government authorities — when required by Indian law, court order, or government direction. We will notify you unless prohibited by law.

6. International Data Transfers

Ekcho is incorporated in India. Your data may be transferred to and stored on servers outside India (EU via Supabase, USA via OpenAI). These transfers are governed by Standard Contractual Clauses (SCCs) and Data Processing Agreements. For EU users, these transfers comply with GDPR Chapter V.

7. Your Rights Under the DPDP Act 2023

As a Data Principal under the DPDP Act 2023, you have the right to:

  • Access: Request a summary of your personal data we hold
  • Correction: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data (right to be forgotten). You can do this directly in Settings → Delete Account.
  • Grievance redressal: Lodge a complaint with us. We will respond within 72 hours and resolve within 30 days.
  • Nominate: Nominate another person to exercise your rights in the event of your death or incapacity

To exercise any of these rights, contact: privacy@ekcho.net. We will respond within 72 hours.

8. Your Rights Under GDPR (EU/EEA Users)

If you are in the EU or EEA, you additionally have the right to:

  • Data portability (receive your data in a machine-readable format)
  • Object to processing based on legitimate interests
  • Lodge a complaint with your local data protection authority

9. Children's Privacy

Ekcho is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us at trust@ekcho.net and we will delete the account immediately.

Users aged 13–17 may use Ekcho with parental consent. We take additional care with content moderation for interactions involving minors.

10. Security

We protect your data using encryption at rest and in transit (TLS 1.3), Row Level Security (RLS) in our database ensuring each user can only access their own data, bcrypt password hashing, rate limiting on all authentication endpoints, and regular security audits.

In the event of a data breach affecting your personal data, we will notify you and the relevant authorities within 72 hours as required by the DPDP Act.

11. Grievance Officer

As required under the Information Technology Act, 2000 and DPDP Act 2023, our Grievance Officer is:

Name: Pratesh John Mathew
Designation: Grievance Officer
Email: grievance@ekcho.net
Email: info@ekcho.net
Response time: Within 72 hours of receipt of complaint

12. Changes to This Policy

We will notify you of material changes to this Privacy Policy at least 14 days before they take effect, via in-app notification. The latest version is always available at ekcho.net/legal/privacy.