GDPR

Privacy Policy

Last updated: 2026-01-04

Data Controller

The data controller is the Echome project team. Echome is a project dedicated to fostering personal growth through personalized coaching conversations.

Dr. Tilo Sperling

c/o IP-Management #8372

Ludwig-Erhard-Straße 18

20459 Hamburg

Germany

Information We Collect

  • Account Data: Email address, securely hashed password, birthdate, and gender (for Big Five test norm comparisons).
  • Coaching Conversations: Your chat messages with Echome are analyzed to extract Insights (discoveries about you) and Goals (personal development objectives) and build your Knowledge Graph.
  • Big Five Personality Test: Your answers to 120 questions from the scientific IPIP-NEO-120 test, measuring five major dimensions (Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism) and 30 facets.

How We Use Your Data

  • Providing personalized coaching conversations based on your personality profile and conversation history
  • Building and maintaining your dynamic personality profile, which evolves through your conversations with Echome
  • Improving our AI models and coaching quality (only with anonymized data)

Legal Basis (GDPR Art. 6 & 9)

  • Explicit Consent (Art. 9(2)(a)): We obtain your explicit consent before the personality test and use of coaching services.
  • Contract Performance (Art. 6(1)(b)): Processing is necessary to provide the coaching service you requested.

Data Security & Encryption

Your sensitive personality data is protected by industry-leading encryption and security measures:

  • Encryption in Transit: All data transfers between your device, our servers, and third-party services are secured with TLS encryption. This ensures your conversations and personal data cannot be intercepted.
  • Encryption at Rest: Your data is encrypted at rest using AES-256 encryption in MongoDB Atlas and Google Cloud Platform. Even in the unlikely event of unauthorized access, your data remains unreadable.
  • Access Control: Strict role-based access controls limit data access to authorized personnel with a legitimate operational need. Access is logged and regularly audited.
  • Security Audits: Regular security reviews and penetration testing ensure our systems meet the highest security standards.

Data Processors & Third Parties

We work with the following trusted services that may have access to your data:

  • OpenRouter / Google Gemini: AI processing for coaching conversations. Your messages are sent to Gemini for response generation. No user data is permanently stored with third-party providers.
  • MongoDB Atlas: Secure, encrypted database storage for your profile, insights, and conversation history.
  • Google Cloud Platform (GCP): Web application hosting with global infrastructure for fast loading times worldwide.

Data may be transferred to the USA. Transfers are based on Standard Contractual Clauses (SCCs) approved by the EU Commission. Data Processing Agreements (DPAs) are in place with all processors pursuant to Art. 28 GDPR.

Data Storage & Deletion

Your data is stored as long as your account is active. You can export all your data (JSON format) or request complete deletion at any time through the Privacy Settings in your profile. After account deletion, all personal data is irreversibly removed within 30 days.

Your GDPR Rights

You have comprehensive rights regarding your data, which you can exercise directly in your profile under 'Privacy Settings':

  • Right of Access (Art. 15)
  • Right to Rectification (Art. 16)
  • Right to Erasure (Art. 17)
  • Right to Object (Art. 21)
  • Data Portability (Art. 20)
  • Withdraw Consent (Art. 7)

Cookies & Local Storage

We use minimal cookies and local storage:

Minimum Age

Echome is intended for users aged 16 and older. The Big Five personality test is validated for adults. We do not knowingly collect data from persons under 16. If we suspect an underage user, the data will be deleted immediately.

Right to Complain to Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates GDPR. The responsible authority depends on your place of residence.

Contact & Questions