/// LEGAL

Privacy Policy

Last updated: May 23, 2026

1. Who We Are

Escalera Labs S.L. ("EchoDeck", "we", "us", "our") is the data controller responsible for the processing of your personal data. We operate the echodeck.ai website and the EchoDeck desktop application (collectively, "EchoDeck Products").

This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your personal data.

2. Information We Collect

2.1 Information You Provide

  • [→] Account Information: Email address, display name, and profile picture when you register or sign in via Google/Discord OAuth.
  • [→] Payment Information: Processed securely by Stripe. We do not store your credit card details — Stripe handles all payment data.
  • [→] Support Communications: Content of messages when you contact us for help.

2.2 Information Collected Automatically

  • [→] Website Analytics: Anonymized page views, referral sources, browser type, and approximate region.
  • [→] App Diagnostics: Anonymized crash reports (error type, OS version, app version) to fix bugs. No audio data is ever included.
  • [→] Usage Data: Feature usage patterns (which sounds are popular, board configurations) to improve the product. This data is aggregated and not linked to individual accounts.

2.3 Information We Do NOT Collect

  • [✓] Audio content: Your sounds, clips, and voice recordings stored in EchoDeck are local to your device. We do not upload, store, or listen to your audio files.
  • [✓] Game audio: EchoDeck's context-awareness features process game audio locally. No game audio is transmitted to our servers.
  • [✓] Microphone audio: When using voice personas or TTS, audio processing happens locally (Local Pack) or via the third-party AI provider you selected (Cloud Pro). We do not intercept or store this audio.
  • [✓] Third-party app data: We do not access data from Discord, games, OBS, or other apps you use with EchoDeck.

3. How We Use Your Information

  • [→] Account Management: Create and manage your account, authenticate identity, manage subscriptions.
  • [→] Service Delivery: Provide, maintain, and improve EchoDeck Products, deliver updates.
  • [→] Product Improvement: Analyze anonymized usage data and crash reports to fix bugs and develop features.
  • [→] Billing: Process payments and manage subscription status via Stripe.
  • [→] Communications: Send product updates and important service notifications (opt-out available).

4. Legal Basis for Processing (GDPR)

  • [→] Contract Performance: Processing necessary to provide EchoDeck and manage your account (Art. 6(1)(b) GDPR).
  • [→] Legitimate Interests: Product improvement, security, and analytics (Art. 6(1)(f) GDPR).
  • [→] Consent: Marketing communications and optional diagnostics (Art. 6(1)(a) GDPR).
  • [→] Legal Obligation: Compliance with applicable laws (Art. 6(1)(c) GDPR).

5. Who We Share Your Data With

We do not sell your personal data. We share limited data only with service providers necessary to operate EchoDeck:

  • [→] Supabase — database and authentication
  • [→] Stripe — payment processing (PCI DSS compliant)
  • [→] Vercel — website hosting
  • [→] Google/Discord — OAuth sign-in (only when you choose these providers)
  • [→] AI Providers — OpenAI, ElevenLabs, Groq (only when you use Cloud Pro features; audio is processed per their privacy policies)

We do not share your data with advertisers or data brokers. We may disclose data if required by law.

6. Data Storage & Security

Account data is stored on Supabase infrastructure with encryption at rest and in transit. Passwords are hashed using industry-standard algorithms. All data transmission uses HTTPS/TLS. Payment data is processed by Stripe and never touches our servers.

While we implement commercially reasonable security measures, no system is 100% secure. In the event of a data breach, we will notify affected users and relevant supervisory authorities per applicable law.

7. Data Retention

  • [→] Account data: Retained for the lifetime of your account. Deleted within 30 days of account deletion request.
  • [→] Subscription data: Retained as required for billing, tax, and legal compliance.
  • [→] Crash reports: Anonymized, retained up to 90 days, then deleted.
  • [→] Analytics data: Aggregated and anonymized — not linked to individual accounts.

8. International Data Transfers

Escalera Labs S.L. is based in Spain (EU). Some service providers operate in the United States. Transfers outside the EEA are protected through European Commission Standard Contractual Clauses (SCCs), adequacy decisions, and appropriate contractual safeguards.

9. Cookies

  • [→] Essential cookies: Authentication session tokens. Required, cannot be disabled.
  • [→] Analytics cookies: Anonymized usage statistics. Can be disabled in browser settings.

We do not use advertising cookies, tracking pixels, or third-party marketing trackers.

10. Your Rights

Regardless of your location, we extend GDPR rights to all users:

  • [✓] Access: Request a copy of your personal data.
  • [✓] Rectification: Request correction of inaccurate data.
  • [✓] Erasure: Request deletion ("right to be forgotten").
  • [✓] Restriction: Limit processing in certain circumstances.
  • [✓] Data Portability: Receive your data in a structured format.
  • [✓] Objection: Object to legitimate-interest processing.
  • [✓] Withdraw Consent: Withdraw consent at any time.

Contact privacy@echodeck.ai to exercise any right. We respond within 30 days.

EU/EEA residents may lodge a complaint with the Agencia Española de Protección de Datos (AEPD).

11. Children's Privacy

EchoDeck Products are not directed at individuals under 16. We do not knowingly collect data from children under 16. If we learn we have collected such data, we will delete it promptly. Contact privacy@echodeck.ai if you believe a child has provided us with personal data.

12. Local vs Cloud Processing

EchoDeck offers both local and cloud AI processing. Here's what that means for your privacy:

  • [→] Local Pack users: All AI processing (transcription, context analysis, TTS) runs entirely on your device. Zero data leaves your computer. Maximum privacy.
  • [→] Cloud Pro users: Audio snippets are sent to third-party AI providers (OpenAI, ElevenLabs, Groq) for processing. These providers have their own privacy policies. We do not store the audio after processing.
  • [→] BYOK users: When using your own API keys, data is sent directly to the provider under your own account and terms.
  • [→] Free tier users: No AI processing occurs. Soundboard and clip features are fully local.

Your sound files, board configurations, and audio clips are always stored locally on your device. We do not have access to them.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a notice on our website. Continued use after changes constitutes acceptance.

14. Contact

Data Controller: Escalera Labs S.L.
Privacy inquiries: privacy@echodeck.ai
General legal: legal@echodeck.ai