EchoAgain LogoEchoAgain

Privacy Policy

Last updated: December 13, 2024

1. Introduction

At EchoAgain ('EchoAgain,' 'we,' 'us,' or 'our'), we understand the profound emotional significance of recreating the voice of a deceased loved one. We are committed to handling their digital legacy with dignity, privacy, and security.

This Privacy Policy explains how we collect, use, store, process, share, and delete information when you use our website, applications, and voice-recreation tools (the 'Service'). By accessing or using the Service, you acknowledge that you have read this Policy and agree to its terms.

2. Lawful Basis for Processing

We process your personal data under the following legal bases as required by GDPR, UK GDPR, and similar privacy laws:

  • Consent: For biometric data (voice models) and Input Audio, we rely on your explicit, informed consent obtained at the time of upload. You may withdraw this consent at any time (see Section 10).
  • Contract: Processing necessary to fulfill our contractual obligations to you, including providing the voice recreation Service, account management, and customer support.
  • Legitimate Interests: For security, fraud prevention, and service improvement, where our interests do not override your fundamental rights.
  • Legal Obligation: Where processing is required to comply with applicable laws, regulations, or legal proceedings.

3. Information We Collect

We collect only the information necessary to operate the Service ethically, safely, and legally.

3.1 Information You Provide

  • Account Information: Name, email address, and payment details. We use secure third-party payment processors (e.g., Stripe) and do not store full credit card numbers.
  • Verification Data: To prevent misuse or impersonation, we may request documents proving authority over the deceased's voice (e.g., obituary, estate paperwork). Verification documents are encrypted and retained for the duration of your account plus the applicable statute of limitations (typically 4-6 years), solely for the purpose of legal defense and dispute resolution, after which they are permanently destroyed.
  • Input Audio ('Voice Data'): Audio you upload containing the voice of the deceased.
  • Generated Output: Your AI-generated voice model and any audio content produced using it.

3.2 Biometric Information (Consent Required)

Our technology analyzes Input Audio to create a digital voice model (voiceprint). Under certain laws (e.g., Illinois BIPA, Texas CUBI), this may be considered a biometric identifier.

EchoAgain does not use biometric data for identity verification, authentication, or surveillance purposes. Biometric data is used solely to generate and maintain a personalized voice model for memorial and commemorative purposes.

Written Release (BIPA Compliance): By checking the consent box during the upload process and submitting Input Audio, you are executing a written release and providing your explicit consent for EchoAgain to collect, store, and process your voiceprint (biometric data) for the specific purpose of voice synthesis and memorial services. This written release satisfies the requirements of biometric privacy laws, including Illinois BIPA.

By uploading Input Audio, you explicitly agree that:

  • You have lawful authority to provide consent on behalf of the deceased individual.
  • EchoAgain may store the Input Audio and Voice Model for the duration of your active subscription to support ongoing use of the Service.
  • Biometric information will be permanently destroyed when your account is deleted, after long-term inactivity, or as required by law.

3.3 Automated Data

We use cookies, log files, and device fingerprinting for:

  • Security and fraud prevention
  • Account integrity
  • Performance analytics

4. How We Use Your Information

  • To generate, host, and operate voice models for your account
  • To verify authority over the deceased's voice and prevent misuse
  • To comply with biometric privacy laws and data security standards
  • We do NOT use your Input Audio or Voice Models to train any public or generalized AI models. Input Audio is used strictly to fine-tune the Voice Model specific to your account. It is not used to train our foundational base models or shared with other users.

5. Authority to Recreate a Deceased Person's Voice

By using the Service, you represent and warrant that:

  • You are legally authorized (next-of-kin, executor, estate representative, etc.).
  • You are not violating any will, court order, or applicable law.
  • You will not use the generated voice for fraud, impersonation, harassment, or illegal activities.

EchoAgain may request proof of authority at any time and may suspend or terminate accounts lacking proper documentation.

6. Data Retention & Destruction

6.1 Active Subscriptions

  • Input Audio: Retained for as long as your subscription is active.
  • Voice Models (Biometric Data): Retained for as long as your subscription is active.
  • Generated Content: Stored while your account remains active unless you delete it.

6.2 Inactive Accounts & Cancelled Subscriptions

  • Grace Period: After cancellation, we may retain your data temporarily for billing resolution or reactivation.
  • Periodic Data Reviews: We perform periodic data hygiene reviews and purge data from lapsed accounts.
  • Maximum Retention Limit: To comply with biometric privacy laws (e.g., BIPA), all biometric data, Input Audio, and Voice Models are retained for a maximum of 3 years of inactivity. However, we reserve the right to delete this data sooner (as early as 30 days after account delinquency) as outlined in our Terms of Service.
  • Delinquent Accounts: Per our Terms of Service, data associated with delinquent accounts may be deleted after 30 days of non-payment, regardless of the maximum retention period.

6.3 User-Requested Deletion

You may request immediate deletion at any time via:

Verified deletion requests are processed within 30 days.

7. Data Security

  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • Biometric data stored in isolated, access-controlled systems
  • No employee may access your Input Audio without explicit permission

7.1 Data Breach Notification

In the event of a data breach that affects your personal data, we will:

  • Notify affected users without undue delay and, where feasible, within 72 hours of becoming aware of the breach (as required by GDPR).
  • Notify relevant supervisory authorities as required by applicable law.
  • Provide information about the nature of the breach, the data affected, and the measures taken to address it.
  • Communicate recommendations for steps you may take to protect yourself.

We maintain incident response procedures to detect, investigate, and respond to potential data breaches promptly.

8. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. These countries may have different data protection laws than your own.

When we transfer personal data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our service providers where required.
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission.
  • Data Processing Agreements: All third-party processors are bound by contractual obligations to protect your data.

Our primary data processing and storage occurs in the United States. Cloud infrastructure providers (such as AWS and Google Cloud) may process data in multiple regions subject to these safeguards.

9. Information Sharing

We do not sell your information. Data is only shared with:

  • Cloud infrastructure providers (e.g., AWS, Google Cloud)
  • AI processing partners (contractually restricted from using your data for training)
  • Legal authorities when required by law

9.1 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your personal data (including Voice Models and Input Audio) may be transferred to the acquiring entity. However, any acquirer will be required to honor the commitments made in this Privacy Policy, specifically regarding the prohibition of using Voice Models for public AI training and the protection of biometric data. We will notify you via email and/or a prominent notice on our website before any such transfer occurs and before your data becomes subject to a different privacy policy.

10. Your Privacy Rights

Depending on your location, you may have rights under CCPA, CPRA, GDPR, UK GDPR, BIPA, and similar laws:

  • Right to know what data we hold
  • Right to access and request copies
  • Right to correct inaccuracies
  • Right to delete your data (including biometric data)
  • Right to data portability
  • Right to restrict processing
  • Right to object to processing
  • Right to opt-out by closing your account
  • Right to limit the use of Sensitive Personal Information (California CPRA): You may request that we limit our use of sensitive personal information (including biometric data) to only what is necessary to provide the Service.

10.1 How to Exercise Your Rights

To exercise any of these rights, submit your request to [email protected]. Please include:

  • Your full name and account email
  • The specific right(s) you wish to exercise
  • Any details necessary to locate or process the request

10.2 Response Timeline

We will acknowledge your request within 5 business days and provide a substantive response within 30 days of receiving a verified request. If we require additional time (up to 60 additional days for complex requests), we will notify you of the extension and the reasons for it.

10.3 Verification

To protect your privacy, we may need to verify your identity before processing your request. This may include confirming your email address or requesting additional information to match our records.

10.4 Right to Withdraw Consent

Where we rely on your consent to process your data (including biometric data), you have the right to withdraw that consent at any time. To withdraw consent:

  • Email [email protected] with the subject line "Withdraw Consent"
  • Specify what data or processing you are withdrawing consent for

Upon withdrawal of consent for biometric data:

  • We will stop processing your Input Audio and Voice Models within 7 business days.
  • All associated biometric data will be permanently deleted within 30 days.
  • Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
  • Certain account features requiring voice models will become unavailable.

11. Children's Privacy

Our Service is strictly for users 18 years and older. We do not knowingly collect information from anyone under 18. If we discover that a user is under 18, we will immediately terminate the account and delete all associated data.

If you believe someone under 18 has provided information to us, please contact us at [email protected] so we can take appropriate action.

12. Governing Law & Disputes

This Privacy Policy is governed by the laws of the State of Wyoming. Disputes involving privacy or biometric data must be resolved through binding arbitration unless prohibited by applicable law.

13. Contact Information

For privacy or support inquiries: Email: [email protected]