Privacy Policy

Introduction

Welcome to ECHO ("we," "our," or "us"). ECHO is a professional supervision tool designed specifically for psychotherapists and mental health professionals. We are deeply committed to protecting your privacy and the confidentiality of your clinical data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our macOS application and related services.

We understand that as a mental health professional, you handle extremely sensitive information about your clients. That's why we have built ECHO with a privacy-first architecture that ensures your consultation records and professional reflections remain completely confidential. Please read this Privacy Policy carefully to understand our practices regarding your data.

By using ECHO, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our application.

Our Privacy Philosophy

ECHO is built on the principle of "privacy by design." We believe that privacy is not just a feature but a fundamental right, especially when it comes to sensitive clinical information. Our approach can be summarized in three core principles:

• Data Minimization: We only collect the absolute minimum data necessary to provide our services. We do not collect, store, or process any of your consultation content on our servers.
• Local-First Architecture: All your clinical data is stored locally on your device using industry-standard AES-256 encryption. Your data never leaves your device unless you explicitly choose to sync it via iCloud, which uses end-to-end encryption.
• Zero-Knowledge Design: We have designed our systems so that we cannot access, read, or analyze your consultation records even if we wanted to. We have no technical means to decrypt or view your data.

Information We Collect

Information You Provide Directly

• License Key: When you purchase ECHO, you receive a License Key that activates the application. We store a hashed version of this key to validate your license. The License Key itself does not contain any personally identifiable information.
• Support Requests: If you contact us for support, we may collect your email address and any information you choose to provide in your communication with us.

Information We Do NOT Collect

To be absolutely clear about what we do NOT collect:

• We do NOT collect or access your consultation records or session notes
• We do NOT collect or access your AI supervision reports
• We do NOT collect or access any information about your clients
• We do NOT require or collect your name, email address, or other personal information for application use
• We do NOT use tracking cookies or analytics within the application
• We do NOT sell, rent, or share any data with third parties for marketing purposes

Automatically Collected Information

ECHO may automatically collect minimal technical information to ensure proper functioning:

• License Validation: When you activate your license, our server receives a request to validate the license key. This request may include a device identifier to enforce the single-device activation policy.
• Credit Balance: We maintain a record of your credit balance on our secure servers to enable the credit-based supervision analysis feature.
• Application Version: To provide software updates, we may check your current application version.

How Your Data Is Stored

Local Storage

All your consultation records, session notes, and AI supervision reports are stored locally on your Mac using Apple's Core Data framework. This data is encrypted using AES-256 encryption, the same standard used by banks and government agencies worldwide. The encryption key is derived from your device's secure enclave, ensuring that even if someone gains physical access to your device, they cannot access your data without proper authentication.

iCloud Sync (Optional)

If you choose to enable iCloud sync, your data is synchronized across your devices using Apple's iCloud Private Container. This sync feature uses end-to-end encryption, meaning:

• Your data is encrypted before it leaves your device
• The encryption keys are stored only on your devices
• Neither Apple nor we can decrypt your synced data
• Only devices signed into your Apple ID can access the data

You can disable iCloud sync at any time in the application settings. Disabling sync will keep your data local to each device.

AI Processing and Supervision Reports

When you request an AI supervision analysis, your consultation content is temporarily processed to generate the supervision report. Here's how this works:

• Temporary Processing: Your consultation content is sent securely to our AI processing service to generate the supervision report. This transmission uses TLS 1.3 encryption.
• No Storage: After the supervision report is generated, the original consultation content is immediately deleted from our processing servers. We do not store, log, or retain any of your consultation data.
• No Training: Your consultation data is never used to train AI models. Each analysis is processed independently and discarded immediately after.
• Local Storage: The generated supervision report is sent back to your device and stored locally with the same AES-256 encryption as your other data.

Data Security

We implement comprehensive security measures to protect your information:

• AES-256 Encryption: All local data is encrypted using the Advanced Encryption Standard with 256-bit keys
• Secure Enclave Integration: On supported Macs, encryption keys are protected by the Secure Enclave hardware
• TLS 1.3: All network communications use the latest TLS protocol for secure transmission
• Regular Security Audits: We conduct regular security assessments and penetration testing
• Access Controls: Strict access controls limit who can access our infrastructure
• No Backdoors: We do not implement any backdoors or master keys that could compromise your data

Your Rights and Choices

You have complete control over your data:

• Access: All your data is stored locally on your device. You have full access to it at all times.
• Deletion: You can delete any or all of your data directly from the application at any time. Deleted data cannot be recovered.
• Export: You can export your data in standard formats for backup or migration purposes.
• iCloud Control: You can enable or disable iCloud sync at any time.
• License Transfer: If you need to transfer your license to a new device, contact our support team.

Third-Party Services

ECHO uses the following third-party services:

• Lemon Squeezy: We use Lemon Squeezy for payment processing and license management. When you purchase ECHO, Lemon Squeezy processes your payment and provides you with a License Key. Please review Lemon Squeezy's privacy policy for information about their data practices.
• Apple iCloud: If you enable iCloud sync, Apple processes your encrypted data according to their privacy policy. We use Apple's private CloudKit container, which provides additional privacy protections.
• AI Processing: Our AI supervision analysis uses secure, API-based AI services. As described above, no data is stored or used for training.

International Users

ECHO is designed to comply with major privacy regulations worldwide, including GDPR (European Union), CCPA (California), and other applicable privacy laws. Our privacy-first architecture inherently provides many of the protections required by these regulations:

• Local data storage means your data never crosses borders unless you choose iCloud sync
• Minimal data collection eliminates most data processing concerns
• You have complete control over your data at all times

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we may also provide notice through the application.

We encourage you to review this Privacy Policy periodically for any changes. Your continued use of ECHO after any modifications indicates your acceptance of the updated Privacy Policy.

Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Email: privacy@echo.gifts