Privacy Policy

This Privacy Policy explains how EchoPilot ("EchoPilot", "we", "our") collects, uses, stores, and protects information when you use our mobile app, our website, and any integrations you choose to connect. By using EchoPilot you agree to the practices described below.

Summary

• EchoPilot is a voice-first productivity app. It transcribes voice notes, extracts structured actions (tasks, reminders, events, notes, emails), and lets you route approved actions to services you connect.
• Before sending personal data to a third-party AI service, EchoPilot asks for permission in the app and identifies the data sent and the processor receiving it.
• EchoPilot only accesses data from connected services after you explicitly authorize the connection, and only performs actions you confirm inside the app.
• EchoPilot does not sell user data. We do not use Google user data for advertising. We do not train generalized machine-learning models on Google user data.
• You can disconnect any integration at any time. You can request account or data deletion by emailing support@echopilotapp.com.

Information we collect

• Account information - email address, display name, authentication identifiers issued by Supabase, and subscription state.
• Voice and content data - audio recordings you create, their transcripts, extracted action cards, follow-up messages, and related metadata such as session timestamps and timezone.
• Integration data - OAuth credentials and minimum sync metadata (provider identifiers, external resource IDs, sync status, last-synced timestamps) for the services you connect.
• Technical data - device model, OS version, app version, anonymized usage events, and crash diagnostics used to operate and improve the service.

How we use information

• To transcribe your voice notes and convert transcripts into structured action cards.
• To store your sessions, actions, preferences, and integration settings so you can revisit and refine them.
• To route approved actions to the destination you select, only after you tap the explicit confirmation control inside the app.
• To provide support, security, debugging, abuse prevention, and product improvement.

Third-party AI processing

EchoPilot uses LatentKit as its third-party AI processor for speech-to-text transcription, structured action extraction, and AI follow-up refinement. LatentKit may route language-model requests to one or more model providers configured under EchoPilot's LatentKit policy, and EchoPilot may rotate between these providers to maintain reliability and quality. These providers currently include DeepSeek, Google (Gemini), OpenAI, and Anthropic.

When you allow AI processing in the app, EchoPilot may send LatentKit the following data only as needed to provide the requested feature:

• Audio recordings for speech-to-text transcription.
• Transcripts, follow-up messages, recent session thread context, selected action titles/bodies, and action metadata for extraction or refinement.
• Timezone, enabled destination names, display name, and default destination preferences so the AI can resolve dates and route actions accurately.

EchoPilot does not sell this data or use it for advertising. We require processors that receive user data to provide the same or equal protection described in this policy and to process data only to provide EchoPilot's user-facing features.

Google API user data

EchoPilot integrates with the following Google APIs at your option. Each scope is requested only because it is required for a specific user-facing feature.

Google Tasks (https://www.googleapis.com/auth/tasks)

• Why we need it: To create, update, complete, and delete Google Tasks that you generate from a voice note inside EchoPilot.
• What we access: Tasks on your default or selected task list. We read task IDs for tasks EchoPilot creates so we can update them later.
• How we store it: OAuth tokens encrypted at rest. Minimum sync metadata (task ID, sync status, timestamps).

Google Calendar

• Why we need it: To create, update, and delete calendar events that you approve in EchoPilot.
• What we access: Event details needed for EchoPilot-created events, including title, date/time, location, notes, external IDs, and sync status.
• How we store it: OAuth tokens encrypted at rest plus minimum event sync metadata.

Google Drive

• Why we need it: To create and update documents or text files that you approve from note actions.
• What we access: Files EchoPilot creates or is authorized to manage under the granted Drive scope, plus file IDs and sync status.
• How we store it: OAuth tokens encrypted at rest plus minimum file sync metadata.

Slack user data

EchoPilot requests Slack access only when you connect Slack from Integrations.

• Why we need it: To post note actions you approve to the Slack channel selected during installation.
• What we access: The selected workspace/channel metadata and permission to post messages as the EchoPilot app.
• How we store it: OAuth bot tokens encrypted at rest, plus minimum channel and sync metadata.

Other connected services and device destinations

• Todoist, Notion, and Microsoft services - if you connect them, EchoPilot stores encrypted OAuth credentials and sends only the approved action data required to create, update, send, or remove the item you confirm.
• Apple Reminders and Device Calendar - EchoPilot requests device permissions when needed and writes approved reminders/events through the device APIs.
• Apple Notes and Mail - EchoPilot opens the iOS share sheet or mail composer with approved content; it does not silently save to Notes or send Mail unless a future API integration explicitly supports it.

Google API Services User Data Policy - Limited Use

EchoPilot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:

• Google user data is used only to provide or improve user-facing features the data was granted for.
• We do not transfer Google user data to third parties except as necessary to provide those features, comply with law, or as part of a merger or acquisition with continued policy adherence.
• We do not use Google user data to serve advertising.
• Humans do not read Google user data except with your explicit consent, for security or legal reasons, or when aggregated and anonymized.

How long we keep your data

• Voice notes, transcripts, and action cards are retained while your account is active. You can delete individual sessions or actions in the app.
• OAuth credentials are retained only while an integration is connected. Disconnecting deletes stored tokens.
• Account deletion removes personal data within 30 days, except where retention is required by law.

Security

We use industry-standard safeguards including encrypted-at-rest OAuth credentials, HTTPS in transit, and least-privilege access controls. No internet service can guarantee absolute security.

Your choices

• Enable, disable, or disconnect integrations in the EchoPilot app at any time.
• Revoke EchoPilot's access from myaccount.google.com/permissions.
• Delete your account from inside the app under Settings > Delete account. See Account deletion for steps and retention details.
• Request data export or other privacy actions at support@echopilotapp.com.

Third-party processors

• Supabase - authentication, database, and file storage.
• LatentKit - speech-to-text transcription, structured action extraction, and AI follow-up refinement.
• Language-model providers (DeepSeek, Google Gemini, OpenAI, Anthropic) - language-model processing through LatentKit policy for action extraction and refinement; EchoPilot may rotate between these providers.
• PostHog - product analytics when configured.
• RevenueCat - subscription management.
• Sentry - crash and error reporting.
• Vercel - application hosting.
• Connected integration providers - Google, Todoist, Slack, Notion, Microsoft, Apple device services, and Mail only when you connect, enable, or confirm sending an action to those destinations.

Children

EchoPilot is not directed to children under 13. We do not knowingly collect personal information from children.

International users

EchoPilot may process information in the United States. By using the service you understand your information may be transferred and processed there.

Changes

We may update this policy as the product evolves. Material changes are reflected in the "Last updated" date above.

Contact

Privacy questions and data-deletion requests: support@echopilotapp.com. Account deletion steps are available at Account deletion. We respond to verified privacy requests within five business days.