Privacy Policy.

Scope and Applicability

This Privacy Policy ("Policy") describes how Microhill LLC, doing business as EchoPai ("EchoPai," "we," "us," or "our"), collects, uses, stores, shares, and protects personal information when you access or use the EchoPai platform, website, and related services (collectively, the "Service").

By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our data practices, please discontinue use of the Service.

Information We Collect

2.1 Information You Provide Directly

2.2 Information Collected Automatically

2.3 Information from Third Parties

If you authenticate via Google OAuth, we receive from Google: your verified email address, full name, and profile picture URL. We use this solely to create and identify your EchoPai account. We do not receive your Google password or access to other Google services.

We do not purchase data from data brokers or marketing companies.

How We Use Your Information

We use your personal information only for the following purposes:

• Service Delivery: Account creation, authentication, subscription verification, and access control to gated features.
• Transactional Communications: Sending verification codes, subscription confirmations, password reset emails, and critical service announcements. We do not send marketing or promotional emails without your explicit opt-in consent.
• Security and Fraud Prevention: Detecting unauthorized access, preventing account abuse, and protecting the integrity of the Service.
• Service Improvement: Analyzing aggregated, anonymized usage patterns to improve product features and performance. No individual-level behavioral profiling.
• Legal Compliance: Meeting obligations under applicable law, responding to lawful government requests, and enforcing our Terms of Service.

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on users.

How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

4.1 Service Providers (Sub-processors)

All sub-processors are contractually bound to process data only as instructed by us and to maintain appropriate security measures.

4.2 Legal Requirements

We may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or governmental request; (b) protect and defend the rights or property of EchoPai; (c) prevent or investigate possible wrongdoing in connection with the Service; or (d) protect the personal safety of users or the public.

Where legally permitted, we will notify affected users of government data requests before complying.

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice (via email and/or a prominent notice on the Service) at least 30 days before your data is transferred and becomes subject to a different privacy policy.

Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Policy, or as required by law.

• Active Accounts: Retained for the duration of the account's existence plus 30 days after closure.
• Deleted Accounts: Personal identifiers (name, email) deleted within 30 days of deletion request. Anonymized statistical records may be retained indefinitely.
• Backup Data: Purged from all backups within 90 days of account deletion.
• Log Files: Automatically deleted after 180 days.
• Payment Records: Retained for 7 years to comply with U.S. tax and financial recordkeeping requirements.

Data Security

We implement industry-standard technical and organizational security measures, including:

• Encryption in Transit: All communications between your browser and our servers are encrypted using TLS 1.2+ (HTTPS).
• Password Hashing: Passwords are hashed using bcrypt with a salt factor of 12; plaintext passwords are never stored.
• Authentication Tokens: Session tokens are short-lived JWTs with a blocklist mechanism for immediate revocation upon logout.
• OTP Codes: One-time codes are stored in Redis with a maximum TTL of 10 minutes and invalidated immediately after use.
• Access Controls: Production database and server access is restricted to authorized personnel using multi-factor authentication.
• Regular Audits: We conduct periodic security reviews and vulnerability assessments.

While we take reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by law within 72 hours of becoming aware.

Cookies and Tracking Technologies

7.1 What We Use

We use minimal local storage technologies to operate the Service:

• localStorage / sessionStorage: Stores your authentication token to maintain your logged-in session across page loads. This is strictly necessary for the Service to function.
• Functional Preferences: We may store UI preferences (e.g., selected filters) in localStorage to improve your experience.

7.2 What We Do NOT Use

• Third-party advertising or tracking cookies
• Cross-site tracking pixels or fingerprinting
• Analytics services that collect personally identifiable data (e.g., Google Analytics with PII)
• Retargeting or behavioral advertising technologies

7.3 Your Choices

You may clear localStorage data at any time through your browser settings. Clearing authentication tokens will log you out of the Service. Most browsers also allow you to block or delete cookies; however, blocking strictly necessary storage may impair Service functionality.

Because we do not use third-party advertising cookies, opt-out signals such as Global Privacy Control (GPC) or browser Do Not Track (DNT) have no material effect on our first-party data practices, though we honor them as a signal of your privacy preferences.

Children's Privacy (COPPA Compliance)

The Service is intended for users who are 18 years of age or older. We do not knowingly collect, solicit, or maintain personal information from children under the age of 13 ("children"), and the Service is not directed to children.

If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information as quickly as possible. If you believe we may have collected information from a child under 13, please contact us immediately at [email protected].

This practice is consistent with the requirements of the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.

California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information.

9.1 Your CCPA/CPRA Rights

9.2 How to Exercise Your Rights

Submit a verifiable consumer request by emailing [email protected] with the subject line "CCPA Rights Request." We will respond within 45 calendar days. We may need to verify your identity before processing your request. You may designate an authorized agent to submit requests on your behalf with written authorization.

9.3 "Shine the Light" Law

California Civil Code § 1798.83 permits California residents to request information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

International Users

The Service is operated from the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States and other jurisdictions where our cloud infrastructure operates, where privacy laws may differ from those in your home jurisdiction.

By using the Service, you consent to the transfer of your information to these jurisdictions in accordance with this Policy. We implement appropriate safeguards, including data processing agreements with sub-processors, to protect transferred data.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please note that we do not currently have a formal GDPR-compliant legal basis established (e.g., Standard Contractual Clauses). If you require GDPR-specific data handling, please contact us before using the Service.

Your Rights and Choices

Regardless of your location, you may exercise the following rights with respect to your personal information:

• Access: Request a copy of the personal data we hold about you.
• Correction: Update or correct your account information directly in the app's Account Settings, or contact us.
• Deletion: Request deletion of your account and associated personal data. Certain data may be retained for legal compliance purposes.
• Data Portability: Request an export of your account data in a machine-readable format.
• Opt-Out of Communications: Reply "UNSUBSCRIBE" to any marketing email to opt out. Transactional emails (e.g., verification codes) cannot be opted out while your account is active.
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or within the timeframe required by applicable law). We may require identity verification before fulfilling requests.

Third-Party Services and Links

The Service aggregates Content from third-party financial news publishers, data providers, and market data services. These third parties operate under their own privacy policies and terms of service. EchoPai does not control how these third parties collect, use, or share data, and we are not responsible for their privacy practices.

The Service may contain links to external websites. Clicking such links will take you away from the Service, and you will be subject to the privacy practices of the destination site. We encourage you to review the privacy policy of any site you visit.

The Service does not integrate third-party advertising SDKs, social media share buttons, or tracking pixels from social networks.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page;
• Send an email notification to your registered email address at least 7 days before the changes take effect; and
• Display a prominent notice in the Service.

Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the changes. We encourage you to periodically review this page.

For significant changes that materially reduce your privacy rights, we will provide at least 30 days' notice and may seek affirmative re-consent where required by law.

Contact and Data Requests

For privacy-related inquiries, data access requests, or complaints, please contact:

If you believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with the appropriate data protection authority in your jurisdiction.