Privacy Notice
Last updated: May 2026
This Notice explains how David ("we", "us") collects and uses personal data when you use Echo. We are the data controller for the personal data we process about you.
1. Data we collect
- Account data: email, name, login credentials.
- Profile & journal data: the goals, struggles, intentions, daily entries and other content you choose to share with Echo.
- Support messages: anything you send us by email.
- Usage & device data: pages visited, actions taken, IP address, browser/device identifiers.
2. Why we use it (and legal basis)
- Provide the Service and store your check-ins (contract performance).
- Generate AI replies and weekly letters using third-party model providers (contract performance).
- Account security and fraud prevention (legitimate interests, legal obligation).
- Improve the product and customer support (legitimate interests).
- Send transactional and, where permitted, marketing emails (consent or legitimate interests).
3. Who we share data with
- Service providers / subprocessors: hosting and database (Supabase), AI model providers used to generate Echo's replies.
- Merchant of Record: Lemon Squeezy, for sale of subscriptions, payments, tax compliance, invoicing and subscription management.
- Professional advisers: legal and accounting, where necessary.
- Authorities: where required by law.
4. International transfers
Some processors may be located outside your country. Where data is transferred from the UK/EEA, we rely on adequacy decisions or Standard Contractual Clauses to safeguard your data.
5. Retention
We keep account and journal data for as long as your account is active, plus a reasonable period afterwards (typically 30 days) to handle re-activation, support and legal claims, after which it is deleted or anonymised.
6. Your rights
Subject to applicable law (including GDPR for UK/EEA residents) you have the right to access, rectify, delete, restrict, port, or object to processing of your personal data, to withdraw consent, and to lodge a complaint with your data-protection supervisory authority. We respond to verified requests within one month.
7. Security
We use appropriate technical and organisational measures including encryption in transit, access controls and audit logging.
8. Cookies
We use essential cookies and local storage to keep you signed in and preserve your preferences. We do not use third-party advertising cookies.
9. Contact
Privacy questions or rights requests: agoodbrands@gmail.com