Privacy Policy

Last updated: May 1, 2026

This Privacy Policy describes how Karuwa Apps Pvt. Ltd. (“we,” “us,” or “our”), doing business as Echo, collects, uses, discloses, and protects information when you use our mobile application Echo and related services (collectively, the “Services”).

Echo is a mobile app in the Apple Health & Fitness category for journaling, habit-style reminders, streak tracking, AI-assisted chat or optional live AI voice, and similar self-care tools (for example, a “no contact” tracker). Echo supports everyday wellness routines; it is not an emergency service.

Age: Echo is offered as a 17+ app on the Apple App Store. The Services are intended for people who are at least 17 years old (or the minimum age shown for Echo in the app store in your region, if higher). If you are younger than that age, do not use Echo or provide us personal information.

Questions: support@aiecho.live

1. Information we collect

1.1 You provide

  • Account and profile: email address; password (for email sign-in); optional display name; profile photo if you choose one.
  • User content: text you type in AI chat; journal and guided journaling text; optional voice recordings or live-voice audio when you use those features; and limited in-app context you have provided that the app may attach to an AI request when a feature is designed to use it (for example relationship or breakup “phase,” streak or day counts, or similar progress fields—only what the product actually sends for that session).
  • Support: information you send when you contact us.

1.2 Automatically collected (app and backend)

  • Device and technical data: e.g. device type, operating system, app version, identifiers used for app functionality and security, and IP address when you use our servers or website.
  • Technical logs: log and usage data related to security, troubleshooting, and service operation.
  • Notifications: if you enable them, we schedule local reminders on your device (we do not describe these as remote marketing push unless we add that later).

Location: The Echo app does not request access to your device’s precise location (e.g. GPS). We do not collect location through a location permission. IP addresses may still be processed by us and our providers for connectivity, security, and approximate region (as with most internet services).

1.3 Sensitive information

Some information you choose to share in journals or chat may be sensitive (for example, relationship or personal-wellness topics you write about yourself). We process such content only to operate the Services you request and as described here.

1.4 Payments (subscriptions)

Purchases are processed through Apple’s In-App Purchase. We do not receive your full payment card number or card security code. Apple (and, where applicable, subscription management tools such as RevenueCat) may process subscription status, transaction identifiers, and related account metadata. See Apple’s privacy policy: https://www.apple.com/legal/privacy/ and RevenueCat: https://www.revenuecat.com/privacy.

1.5 Information from third parties

We receive limited profile and authentication information from Apple and Google when you use those sign-in options (for example, name, email or relay email, and identifiers), according to your settings with those providers.

2. How we use information

  • Provide, maintain, and improve Echo (including AI features you enable).
  • When you turn on AI features in the app, to generate AI responses via third‑party processors (OpenRouter—including underlying language model providers—and Google for live voice services such as Gemini Live): we send the categories of content and optional session/profile context described in Section 5, only as permitted by your in-app consent and settings.
  • Create and secure your account; authenticate you.
  • Process subscriptions and entitlements.
  • Communicate with you about the Services, security, and policy updates.
  • Respond to your requests and support inquiries.
  • Protect safety, integrity, and security; comply with law; enforce our terms.

Legal bases (EEA/UK): Where GDPR/UK GDPR applies, we rely on appropriate bases such as performance of a contract (providing Echo), legitimate interests (security, product improvement, where not overridden by your rights), consent where required (for example optional AI or non-essential cookies on our website, as applicable), and legal obligation where applicable.

3. How we share information

3.1 Third-party AI services (feature → recipient → data)

When you opt in to AI in the Echo app and use an AI feature, we share personal data with the processors below so that feature can run. This sharing does not occur for AI generation until you have given permission in the app; you can change or withdraw that choice in Settings → Privacy & AI (or the equivalent screen name in the product).

  • Text replies (chat, guided prompts, journaling-aware replies): OpenRouter receives your typed chat, relevant journal or guided journaling text included in that request, and any limited profile or progress context (for example phase label or day count) the session sends—and OpenRouter transmits requests to underlying model providers it uses—to return generated text.
  • Live voice / streaming audio: Google (including services such as Gemini Live or comparable Google multimodal/voice APIs we enable) receives microphone audio from the session, text derived from speech where applicable, and any session or profile context the voice feature is designed to include—to return generated audio or text responses.

Privacy policies for these AI processors: OpenRouter privacy; Google privacy policy. For Google’s AI developer terms and related disclosures, see also Google AI services terms where applicable to the APIs we use.

We share information with other service providers that process data on our behalf and need it to perform their work, including for example:

  • Supabase (authentication, database, storage)
  • Hosting / API infrastructure for our backend
  • Moderation or safety tools where we use them to filter or assess content
  • RevenueCat for subscription status and related analytics, where used
  • Apple for Sign in with Apple and In-App Purchase
  • Google for Google sign-in and, on our website, Google Analytics as described below

We enter into written agreements with our processors (including AI infrastructure providers) that require appropriate safeguards for personal information, processing on our instructions (as a processor or sub-processor where that concept applies), confidentiality, assistance with privacy requests where applicable, and permitted subprocessors only as allowed by contract. We do not sell your personal information for money. When we rely on subprocessors, we expect our primary vendors to impose comparable obligations downstream. No method of processing is perfectly secure; see Security below. We may disclose information if required by law or to protect rights and safety.

4. Cookies and analytics (website)

Our marketing or informational website may use cookies and similar technologies. We may use Google Analytics on the website to understand traffic and usage. For details and choices, see our Cookie Policy.

The Echo mobile app does not include Google Analytics in the same way a web browser does; website visitors are subject to the Cookie Policy where applicable.

5. Artificial intelligence

Permission before sharing. Echo does not send your chat, journals, guided journal text, or voice/audio inputs to third-party AI services for model inference until you opt in through the in-app consent flow. You can turn AI features off or adjust them at any time in Settings → Privacy & AI (or the equivalent path in the app). When AI is disabled or you have not consented, we do not send that content to OpenRouter or Google for AI generation as described here (ordinary account, security, or non-AI hosting may still use providers listed in Section 3).

Who receives what (plain language).

  • OpenRouter (text / models behind it): Used for features that produce written AI replies—such as chat, journaling-aware assistant messages, or guided prompts that call the model. Data that can be transmitted when you use such a feature includes: the text you type in chat; journal or guided journal excerpts the feature includes in the request; device/session identifiers our backend uses to route the request; and limited profile or progress context the app is designed to attach (for example display name, breakup phase label, day or streak counts)—only fields actually sent for that interaction. OpenRouter routes requests to underlying third-party model providers; those providers process the prompt content to generate output.
  • Google (e.g. Gemini Live / streaming voice): Used when you start a live voice or similar session. Data that can be transmitted includes: streamed or recorded audio from your microphone; transcripts or text derived from that audio; session metadata needed to keep the connection; and the same kinds of optional journal or profile context if the voice feature is built to send them for personalization.

Use of outputs. AI responses are generated for your session; they may be inaccurate or inappropriate. Do not rely on them for urgent safety decisions—use emergency services when needed.

Where to read more. Sharing with these vendors is summarized in Section 3.1. Their public privacy materials: OpenRouter; Google.

6. Social sign-in (Apple and Google)

If you sign in with Apple or Google, we receive certain information from that provider as permitted by your settings with them. We use it to operate your account. Their use of your information is governed by their policies: Apple — Apple Privacy Policy; Google — Google Privacy Policy. If you use Google APIs in ways subject to Google’s API Services User Data Policy, we comply with those requirements for that use.

7. International transfers

We are based in the United States. If you access Echo from outside the United States, your information may be processed in the U.S. and other countries where we or our providers operate. For transfers from the EEA, UK, or Switzerland subject to applicable law, we rely on appropriate safeguards such as the Standard Contractual Clauses (including through our vendors’ agreements) unless another valid mechanism applies.

8. Retention

We keep information for as long as needed to provide the Services, comply with law, resolve disputes, and enforce agreements. When you delete your account or ask us to delete personal information where applicable, we delete or anonymize it subject to legal retention needs and backup cycles.

9. Security

We implement reasonable technical and organizational measures to protect information. No method of transmission or storage is 100% secure.

10. Minors

Echo is not directed at children under 13 (U.S. Children’s Online Privacy Protection Act category). We do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe we have collected information from a child under 13, contact us at support@aiecho.live and we will take appropriate steps to delete it.

Separately, Echo is listed as 17+ on the App Store and is intended for users who meet that age requirement (see Age above). We do not knowingly collect personal information from users who do not meet the applicable minimum age for the Services.

11. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or export your personal information; to object to or restrict certain processing; to withdraw consent where processing is based on consent; and to lodge a complaint with a supervisory authority (EEA/UK).

To exercise rights: email support@aiecho.live. We may need to verify your request.

Cookie preferences (website): use the controls described in our Cookie Policy where applicable.

12. U.S. state privacy disclosures

Residents of certain U.S. states may have additional rights under state law (including access, correction, deletion, portability, and opt-out of certain processing such as “sale,” “sharing,” or targeted advertising, where those terms apply).

Sale / sharing: We do not sell personal information for money. Depending on configuration, some website analytics could be considered “sharing” for cross-context behavioral advertising under California law — we aim to configure analytics and consent tools to match our practices; contact us to opt out of rights-based requests as applicable.

12.1 Categories collected (CPRA-style summary)

The table reflects categories of personal information we may collect as described in this Policy. “Collected” means we collected it in the past 12 months or expect to collect it as the Services operate.

Category | Examples (illustrative) | Collected
A. Identifiers | Name, email, IP, device identifiers, account ID | Yes
B. Customer records (Cal. Civ. Code § 1798.80) | Name, contact information | Yes
C. Protected classification | Race, religion, etc. | No
D. Commercial information | Subscription or purchase records (via Apple) | Yes
E. Biometric information | Voiceprints used solely as biometric identifiers | No*
F. Internet or network activity | App/website interaction, technical logs, analytics on website | Yes
G. Geolocation data | Precise GPS from the Echo app | No**
H. Audio, electronic, visual | Voice you send for AI or chat; profile photo | Yes
I. Professional / employment | Job applications, etc. | No
J. Education information | Student records | No
K. Inferences | Profiles used for automated decisions with legal effect | No***
L. Sensitive personal information | Account credentials; certain user-generated journaling or reflection content you provide | Yes

* We process voice audio you choose to send for features like AI chat or live voice; we do not use the Echo app to collect standalone “voiceprint” biometric templates for identity verification.

** The Echo app does not request device location permission. IP-based processing may still occur.

*** We do not build cross-context marketing profiles from inferences as described in typical “profiling for ad targeting” CPRA examples; AI responses may use session or saved context to operate features.

12.2 California “Shine the Light”

California residents may request information about disclosure of certain categories of personal information to third parties for their direct marketing purposes. Contact support@aiecho.live.

13. Changes

We may update this Policy. We will post the updated version and revise the “Last updated” date.

14. Contact

Karuwa Apps Pvt. Ltd. (Echo)
Email: support@aiecho.live

Review, update, or delete: use in-app account tools where available, or email support@aiecho.live.