Legal
Privacy Policy
Last updated: March 2025 · Effective: March 2025
Echo is built on the principle that your personal reflections are yours. We collect only what is necessary to provide the service, we do not sell your data, and we give you control to delete it at any time.
I. About This Document
APPVANGUARDS SRL, with registered office in Romania, Ilfov County, Tamaşi village, Corbeanca commune, str. Chișinău nr. 42, Prestige Residence residential area, lot 43, room 3, 1st floor, registered with the Trade Registry under no. J23/5638/2023, having unique registration code RO41268079 (hereinafter referred to as the "Company", the "Controller", "we", or similar designations), owns and operates the Echo iOS application (the "Application").
This document is intended to inform you, as a user of the Application, about how your personal data is processed. It also explains the rights you have in relation to your data and how you may exercise them.
We may periodically update this Privacy Policy to reflect legislative or operational changes, in which case we will publish updated versions within the Application and on our website. We recommend reading this notice carefully before using Echo or providing us with any personal data.
If the user entering into a service agreement with the Company is a legal entity purchasing services on behalf of one or more natural persons, that user is responsible for informing those individuals about the processing of their personal data by the Company, as described in this Privacy Policy. The Company accepts no responsibility for a legal-entity user's failure to inform the relevant data subjects.
II. Definitions
- GDPR refers to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Personal data means any information that identifies you directly or indirectly, including but not limited to your name, email address, device identifiers, usage behaviour, or any combination of data that may lead to your identification.
- Direct identification refers to data such as your name or email address. Indirect identification occurs when information is combined with other data to identify a person (e.g. via device identifiers or usage patterns).
- Data subject means any natural person whose data is processed by the Company. If you use Echo, you are a data subject under applicable data protection law.
- Controller is the entity that determines the purposes and means of processing personal data. For this Application, the Company is the data controller responsible for the information collected through Echo.
III. Purposes, Legal Bases, and Categories of Personal Data Processed
In the context of your use of Echo, we process your personal data for the following purposes:
III.1 — Application Operation and Security
When you use Echo, your device automatically transmits certain technical information to our servers, including:
- IP address of your device;
- Date and time of access;
- Device type, operating system version, and app version;
- Session duration and feature interaction patterns.
We process this data on the basis of our legitimate interest in ensuring the security and proper functioning of the Application (Article 6(1)(f) GDPR). Audio is never collected without your explicit action of starting a recording session.
III.2 — Account Creation and Management
To create an account in Echo, the following information is required:
- Name and email address (when registering with email, Google, or Apple).
Within your account, we also process:
- Account data: information provided at registration and any subsequent changes (e.g. name, email, password updates);
- Account settings: preferences and configurations set within the app, including the selected visual theme;
- Usage history: log of features used and interactions within the app.
Legal basis: performance of a contract with you — specifically the Terms and Conditions you accept when activating your account (Article 6(1)(b) GDPR).
III.3 — Core Service: Voice Journaling, AI Processing, and Goal Tracking
By using Echo, you create and manage personal content that is processed to deliver the core functionality of the Application:
- Voice recordings and transcriptions: Audio you record is transcribed on-device using Apple's Speech Recognition framework. The resulting text is then transmitted to our secure servers for AI processing.
- Journal entries: Transcribed text and any manually edited entries, including their sentiment, emotional tone, and AI-extracted insights.
- Goal data: Goals you create, including their category (fitness, career, finance, relationships, personal development, creativity), milestones, progress tracking data, and linked actions.
- Conversation history: Messages sent through Echo's conversational interface, used to provide contextual AI responses.
- AI-generated content: Summaries, insights, sentiment classifications, and goal linkage suggestions produced by our AI models based on your entries.
We do not use your journal content to train AI models for third parties. AI processing is performed exclusively to deliver your personalised experience within Echo.
Legal basis: performance of a contract with you (Article 6(1)(b) GDPR) and our legitimate interest in improving the quality and reliability of the Application (Article 6(1)(f) GDPR).
III.4 — Subscription Contracts
For the provision of paid features within Echo, we process the following data in connection with your subscription:
- Account data: Name and email, to identify your account and associate the subscription with it;
- Subscription data: Tier purchased, subscription status, renewal date, and activation status — as provided to us by Apple's App Store;
- Transaction reference: Order reference numbers and transaction dates, for the purpose of verifying access rights.
We do not directly collect or store your payment card information. All billing is handled by Apple's App Store.
Legal basis: performance of a contract (Article 6(1)(b) GDPR) and compliance with our legal obligations relating to invoicing and accounting (Article 6(1)(c) GDPR).
III.5 — Payment Processing via Apple App Store
All in-app purchases and subscription payments are processed by Apple Inc. through the App Store. Apple acts as an independent data controller for payment processing purposes. We receive only the subscription status information necessary to activate your access to paid features.
For details on how Apple processes your payment data, please refer to Apple's Privacy Policy at apple.com/legal/privacy.
Legal basis: performance of a contract (Article 6(1)(b) GDPR).
III.6 — Commercial Communications
With your explicit consent, we may send you commercial communications by email, including information about new features, tips for getting the most out of Echo, and promotional offers applicable to subscriptions.
You may withdraw your consent and unsubscribe at any time via the unsubscribe link included in every email or through your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
This does not affect essential service communications such as security alerts, processing status notifications, or account-related messages, which are sent on the basis of contract performance.
Legal basis: your consent (Article 6(1)(a) GDPR) and our legitimate interest in informing users about relevant service updates (Article 6(1)(f) GDPR).
III.7 — Other Purposes
We may also process your personal data for the following purposes:
- Responding to authority requests in accordance with our legal obligations (Article 6(1)(c) GDPR);
- Resolving disputes on the basis of our legitimate interest in exercising or defending our legal rights (Article 6(1)(f) GDPR) — in such cases data is retained for the duration of applicable limitation periods;
- Anti-fraud and security checks to detect and prevent illegal activities, Terms and Conditions violations, or attempts to compromise the Application, on the basis of our legitimate interest in protecting the integrity and security of the service (Article 6(1)(f) GDPR).
IV. Categories of Data Subjects
Within Echo, we process personal data relating to the following categories of individuals:
- Anonymous visitors — individuals who access our website or download the app without creating an account, whose data may be processed automatically for technical and security purposes (e.g. IP address, session data).
- Registered users — individuals who create and manage an account in Echo, whose data is processed to deliver and improve the Application's core functionality (name, email, journal entries, goals, conversation history).
- Paying subscribers — registered users who purchase a subscription, whose data is processed in connection with subscription management and our legal obligations regarding billing.
All data subjects benefit from the rights granted under applicable data protection law, including the rights of access, rectification, erasure, objection, and portability, as described in Section VIII below.
V. Recipients of Personal Data and Transfers Outside the EEA
In connection with the processing activities described above, your data may be shared with or disclosed to the following categories of third parties:
- Cloud infrastructure and hosting providers that host the Application's backend servers;
- Authentication providers (Apple and Google) for the purpose of enabling sign-in;
- Apple Inc., as the payment processor for in-app subscriptions;
- Email service providers, for the delivery of account and service-related communications;
- Analytics providers, for monitoring Application performance and stability;
- Public authorities, accountants, auditors, lawyers, and other professional advisors, where their role requires it or where disclosure is required by law;
- Third-party acquirers, to the extent that our assets or operations are transferred in whole or in part, where personal data forms part of the transferred assets.
All transfers described above are carried out in compliance with the principles of data minimisation — we share only the personal data strictly necessary for the stated purposes.
Some of our service providers are located outside the EU/EEA, including in the United States. In such cases, we ensure that appropriate legal safeguards are in place in accordance with Chapter V of the GDPR (e.g. European Commission adequacy decisions or Standard Contractual Clauses).
VI. Data Retention Periods
Personal data is processed and retained for no longer than necessary for the purposes for which it was collected, subject to any longer retention periods required by applicable law:
- Technical/session data (III.1): Retained for the duration of the session or for up to 2 years, depending on the nature of the data.
- Account data (III.2): Retained for the duration of your account and for an additional period of 2 years following account deletion.
- Journal entries, goals, and AI-generated content (III.3): Retained for the duration of your account. If you delete your account, this data is deleted within 30 days, unless legal obligations require longer retention.
- Subscription contract data (III.4): Retained for the duration of the contract and for an additional 3 years following its termination, or for the duration of any related legal proceedings.
- Payment and transaction data (III.5): Retained for 5 years from the date of the transaction, in accordance with applicable accounting and fiscal legislation. Where disputes exist, data is retained until final resolution.
- Commercial communication data (III.6): Retained until you withdraw your consent or unsubscribe, but for no longer than 3 years from your last interaction with the Application.
- Data processed for other purposes (III.7): Retained for the period required by applicable law or, in the absence of such an obligation, for 3 years from the date the matter is resolved.
Upon expiry of these retention periods, personal data is deleted and/or anonymised in the Company's records and databases.
VII. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to ensure a level of security commensurate with the risks involved. These include measures to protect confidentiality, integrity, and availability, and to guard against unauthorised or unlawful processing, accidental loss, alteration, disclosure, or access.
Specifically:
- All data in transit is encrypted using TLS;
- Authentication tokens are stored securely in your device's Keychain and are never stored in plaintext;
- Access to backend systems is restricted and subject to regular security review.
Users with an Echo account are responsible for all activity carried out under their account. Please notify us immediately of any unauthorised use of your account or any suspected security breach. Notwithstanding such notification, we shall not be liable for losses arising from unauthorised account use that is not attributable to the Company.
VIII. Your Rights
As a data subject, you have the following rights in relation to the personal data we process about you. We will respond to all requests free of charge and without undue delay, within one month of receipt. This period may be extended by up to two additional months where justified by the complexity of the request.
- Right to information: You have the right to receive clear and transparent information about how your personal data is processed. This Privacy Policy fulfils that obligation.
- Right to withdraw consent: Where we process your data on the basis of your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right of access: You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data along with information about the processing.
- Right to rectification: You have the right to obtain correction of inaccurate personal data or completion of incomplete personal data without undue delay.
- Right to erasure: You may request that we delete the personal data we process about you where: the data is no longer necessary for the purposes for which it was collected; you object to processing based on legitimate interests; the data has been unlawfully processed; or deletion is required to comply with a legal obligation. Exceptions apply where retention is necessary for freedom of expression, legal compliance, archiving, or the establishment, exercise, or defence of legal claims.
- Right to restriction of processing: You may request that we restrict processing of your data where you contest its accuracy (pending verification), the processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of whether our legitimate grounds override yours.
- Right to data portability: Where we process your data by automated means on the basis of your consent or contract performance, and the data was provided by you, you have the right to receive it in a structured, commonly used, machine-readable format and to request its transmission to another controller, where technically feasible.
- Right to object: Where processing is based on our legitimate interests or those of a third party, you may object at any time on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defence of legal claims.
To exercise any of the above rights, please contact us by email at: privacy@tryechojournal.app.
Right to lodge a complaint: If you have a concern about how we handle your personal data, we encourage you to contact us first so we can address it directly. You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) via its website: www.dataprotection.ro, or with the supervisory authority of your country of residence.
IX. Contact
For any questions, clarifications, or requests relating to this Privacy Policy or the processing of your personal data, please contact us at: