EchoPod Privacy Policy

Welcome to EchoPod. This Privacy Policy explains how EchoPod B.V. ("EchoPod", "we", "us", "our") collects, uses, shares, and protects your personal data when you visit our website and use our AI-powered podcast generation services (collectively, the "Service").

EchoPod is committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the European Union's General Data Protection Regulation (GDPR). We believe in transparency and want you to understand how your data is handled. This policy applies to all users of our Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

For clarity, certain terms used in this policy have specific meanings:

• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on Personal Data, such as collection, recording, storage, use, disclosure, or erasure.
• Data Controller: The entity that determines the purposes and means of the processing of Personal Data.
• Data Processor: An entity that processes Personal Data on behalf of the Data Controller.
• User Input: The text, scripts, documents, URLs, or any other content uploaded, submitted, or otherwise provided by you to the Service for the purpose of generating podcast audio Output.
• Output: The AI-generated podcast audio created by the Service based on your User Input.
• AI Models: The artificial intelligence algorithms and systems developed and/or utilized by EchoPod to provide the Service, including the generation of Output.

The Data Controller responsible for the processing of your Personal Data in connection with the Service under the GDPR is:

EchoPod B.V. determines the purposes for which and the means by which your Personal Data is processed.

We collect Personal Data necessary to provide, maintain, and improve our Service. The types of Personal Data we collect depend on how you interact with us and the Service.

3.1. Information You Provide Directly

Account Information: When you register for an EchoPod account, we collect information such as your name, email address, and password. If you subscribe to a paid plan or use the Service on behalf of an organization, we may also collect your company name and subscription plan details. We require this information to create and manage your account, provide access to the Service, and communicate with you. You are responsible for providing accurate and up-to-date information.

Payment Information: If you subscribe to a paid plan, we collect necessary billing information, such as your billing address and payment method details. Please note that payment processing is handled by our secure third-party payment processor (Stripe). EchoPod does not directly store your full credit card number or other sensitive payment card details. The processing of your payment information is subject to the privacy policy of our payment processor.

User Input: To use the core functionality of our Service, you must provide User Input, which includes the text, scripts, documents, URLs, or other materials you upload or enter for the purpose of generating podcast audio Output. Crucially, you acknowledge that your User Input may contain Personal Data, relating either to yourself or to third parties, depending entirely on the content you choose to submit. You are solely responsible for the content of your User Input. You represent and warrant that you have obtained all necessary rights, permissions, and consents required by law (including data protection laws like GDPR) to provide this User Input to us for processing as described in this Policy and our Terms & Conditions, especially if it contains Personal Data belonging to third parties or sensitive information. EchoPod does not screen User Input for the presence of Personal Data or verify your rights to use it.

Communications: We collect information you provide when you contact us for customer support, provide feedback, participate in surveys, or otherwise communicate with us.

3.2. Information We Collect Automatically

Usage Data: When you use the Service, we automatically collect information about your interactions, such as the features you use, the actions you take (e.g., generating podcasts, editing), the frequency and duration of your sessions, error logs, and performance metrics related to the Service. This helps us understand how the Service is used, diagnose issues, and improve functionality.

Device and Connection Information: We collect technical information about the device and connection you use to access the Service, including your Internet Protocol (IP) address, browser type and version, operating system, device identifiers, and general geographic location inferred from your IP address. This information aids in optimizing the Service for different devices and diagnosing connection issues.

Cookies and Similar Technologies: We use cookies (small data files stored on your device) and similar tracking technologies (like web beacons) to operate and improve the Service. These technologies help us recognize you, remember your preferences, analyze usage patterns, and ensure the security of the Service. For detailed information about the types of cookies we use, their purposes, and how you can manage your preferences, please see our Cookie Policy [Link to Cookie Policy].

3.3. Information from Third Parties (If Applicable)

Social Media Logins: If we offer the option to log in using third-party accounts (e.g., Google), and you choose to use it, we may receive certain profile information (such as your name and email address) from that platform, based on your permissions settings with that service.

Service Providers/Partners: We may receive information from third-party service providers, such as analytics providers or marketing partners, who assist us in operating and improving the Service.

The nature of podcast generation means User Input can be diverse and potentially include sensitive topics. Providing such input implies acknowledgement of its processing as outlined herein, reinforcing the importance of user responsibility for the content they submit.

We process your Personal Data only for specified, explicit, and legitimate purposes, and we rely on valid legal bases under Article 6(1) of the GDPR for each processing activity. We are committed to transparency regarding these activities.

The table below details the main purposes for which we process your Personal Data, the types of data involved, and the legal basis we rely on:

We do not sell your Personal Data. We only share your Personal Data with third parties in the following circumstances and based on appropriate legal grounds:

• Service Providers (Subprocessors): We engage trusted third-party companies and individuals to perform services on our behalf, acting as Data Processors. These include providers for cloud hosting (e.g., AWS, Google Cloud, Azure), payment processing (e.g., Stripe), customer support platforms (e.g., Zendesk), analytics services (e.g., Google Analytics), and email delivery services. These providers only have access to the Personal Data necessary to perform their tasks, are contractually obligated to protect your data, and are prohibited from using it for any other purpose.
• AI Technology Partners: [Include if applicable] To provide certain advanced AI functionalities within the Service, we may partner with specialized third-party AI technology providers. In such cases, it may be necessary to share certain data, potentially including your User Input, with these partners solely for the purpose of enabling that specific functionality within our Service. We ensure such partners adhere to strict confidentiality and data protection standards. Transparency regarding the involvement of such partners is essential given the nature of the data processed.
• Legal Requirements and Law Enforcement: We may disclose your Personal Data if required to do so by law, regulation, or in response to valid requests from public authorities (e.g., a court order, subpoena, or law enforcement request).
• Business Transfers: In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your Personal Data may be transferred as part of that transaction. We will notify you of any such deal and outline your choices in that event.
• Protection of Rights and Safety: We may share Personal Data when we believe in good faith that disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of our users, employees, or the public, including enforcing our agreements, policies, and terms of use.
• With Your Consent: We may share your Personal Data with other third parties when we have your explicit consent to do so.

EchoPod B.V. is based in the Netherlands, within the European Economic Area (EEA). However, some of the third-party service providers we use may be located or process data outside the EEA, including in countries like the United States, which may not have data protection laws deemed equivalent to those in the EEA by the European Commission.

When we transfer your Personal Data outside the EEA to such countries, we ensure that appropriate safeguards are in place to protect your data in accordance with GDPR requirements (Chapter V). These safeguards typically include:

• Transferring data to countries that have received an "adequacy decision" from the European Commission.
• Implementing Standard Contractual Clauses (SCCs) approved by the European Commission between EchoPod and the third-party recipient.
• Implementing supplementary measures alongside SCCs where necessary, following relevant guidance from European data protection authorities.

By using our Service, you acknowledge that your Personal Data may be transferred to, stored, and processed in countries outside the EEA as described above.

We implement appropriate technical and organizational measures designed to protect the security and confidentiality of your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• Encryption: Encrypting data both in transit and at rest.
• Access Controls: Limiting access to Personal Data to authorized personnel who need it for their job functions, based on the principle of least privilege.
• Secure Infrastructure: Utilizing secure cloud infrastructure with robust physical and network security measures.
• Regular Assessments: Conducting regular security assessments and vulnerability scanning.
• Employee Training: Providing data protection and security training to our employees.
• Incident Response: Maintaining procedures to detect and respond to security incidents.

While we take data security seriously, please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee absolute security.

You also play a role in keeping your data secure. You are responsible for maintaining the confidentiality of your account password and for all activities that occur under your account. Please choose a strong password and notify us immediately if you suspect any unauthorized use of your account.

We retain your Personal Data only for as long as necessary to fulfill the purposes for which we collected it, as outlined in Section 4, including for the purposes of satisfying any legal, accounting, or reporting requirements, and resolving disputes. The retention period depends on the type of data and the purpose of processing.

• Account Information: We retain your account information for as long as your account remains active. If you delete your account, we will delete this information within a reasonable timeframe, subject to any legal obligations to retain certain data for longer periods (e.g., financial transaction records).
• User Input: User Input provided for podcast generation is processed to create the Output and is also used for the mandatory purpose of AI model training and service improvement (as per Section 4). We retain User Input for a period necessary to fulfill these purposes, including ongoing model refinement and quality assurance. You can delete your User Input and associated Output through the Service interface, which will remove it from active systems subject to backup cycles. However, insights or patterns learned by the AI Models from your Input prior to deletion may persist as part of the model's general knowledge, but the specific Input itself will no longer be directly accessible or used for future training once deleted from our active systems and subsequent backups.
• Usage Data and Logs: We generally retain usage logs and technical data for a limited period necessary for security analysis, troubleshooting, and service improvement, after which it is typically deleted or anonymized.
• Anonymized Data: We may retain data that has been aggregated or anonymized (so that it can no longer be associated with you) indefinitely for research, analytics, and service improvement purposes.

We will delete or anonymize your Personal Data when it is no longer required for the stated purposes or upon your valid request for erasure, subject to legal exceptions.

If you are located in the European Economic Area (EEA), you have specific rights regarding your Personal Data under the GDPR. EchoPod is committed to facilitating the exercise of these rights:

• Right of Access (Art. 15): You have the right to request confirmation of whether we process your Personal Data and, if so, to access copies of that data and receive information about the processing (such as purposes, categories of data, recipients, etc.).
• Right to Rectification (Art. 16): You have the right to request the correction of inaccurate Personal Data concerning you and to have incomplete data completed.
• Right to Erasure ('Right to be Forgotten') (Art. 17): You have the right to request the deletion of your Personal Data under certain circumstances (e.g., if the data is no longer necessary for the purposes collected, if you withdraw consent and there's no other legal ground, if you object and there are no overriding legitimate grounds, or if the data was unlawfully processed).
• Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your Personal Data under certain conditions (e.g., while verifying the accuracy of data you contest, if processing is unlawful but you oppose erasure, if we no longer need the data but you require it for legal claims, or pending verification of overriding legitimate grounds after you object).
• Right to Data Portability (Art. 20): Where processing is based on your consent or on a contract, and carried out by automated means, you have the right to receive the Personal Data you provided to us in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller without hindrance from us.
• Right to Object (Art. 21): You have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data based on our legitimate interests (Art. 6(1)(f)). We must then stop processing unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. You also have the absolute right to object to processing for direct marketing purposes. Note: Given the mandatory processing of User Input for AI training based on Performance of Contract (Section 4), the Right to Object may not apply to this specific processing activity.
• Right to Withdraw Consent (Art. 7): If we rely on your consent as the legal basis for processing (e.g., for marketing emails), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

The EchoPod Service is not intended for or directed at individuals under the age of 18. We require users to be at least 18 years old to create an account and use our Service. We do not knowingly collect Personal Data from children under 18. If we become aware that we have inadvertently collected Personal Data from a child under 18 without verification of parental consent where required, we will take steps to delete that information as quickly as possible. If you are a parent or guardian and believe that your child under 18 has provided us with Personal Data, please contact us immediately using the details in Section 14.

We may update this Privacy Policy from time to time to reflect changes in our data practices, the Service, or applicable law. We will notify you of any material changes by posting the updated policy on our website, updating the "Last Updated" date at the top, and/or by sending you a notification through the Service or via email. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your Personal Data. Your continued use of the Service after any changes become effective constitutes your acknowledgment of the updated policy.

If you have any questions, comments, or concerns about this Privacy Policy, our data practices, or if you wish to exercise your data protection rights, please contact us at legal@echo-pod.ai.