Privacy Policy That's Actually Readable
We don't bury tracking disclosures in legal jargon. Here's exactly what we do (and don't do) with your data.
Last updated: February 7, 2026
Our Privacy Promise (TL;DR)
1. Data We Collect (Minimal)
We collect only what's essential to provide our service:
Email, name, company name (optional), industry selection
Phone numbers, names, and contact info you choose to save
File names, lead counts, compliance scores (for your reference)
Processed by Stripe. We never see your full card number.
Total leads scrubbed count and last scrub timestamp (for service operation — see Section 8 for details)
2. What We DON'T Collect (Technical Details)
Unlike most web services, we deliberately chose not to implement common tracking technologies:
We use privacy-first Plausible Analytics (no cookies, no personal data)
No Hotjar, FullStory, or similar tools watching your screen
We don't collect browser fingerprints, canvas data, or device IDs
No Facebook Pixel, Google Ads tracking, or retargeting
We only use country-level for security, no city or behavioral profiling
We don't build shadow profiles or track non-logged-in visitors
Why this matters: Many "privacy-focused" services still track you. We architecturally can't track you because we never built those systems. Our revenue comes from subscriptions, not your data.
3. How We Use Your Data
We use your data only to:
- Provide DNC scrubbing and compliance services
- Store your leads in your private CRM (you control this)
- Generate real-time AI compliance insights (stateless)
- Process payments through Stripe
- Send transactional emails (receipts, password resets)
We will never: Sell, rent, or share your data with third parties for marketing purposes. Your leads stay yours. Period.
4. Data Storage & Retention
Your Personal Data
Your leads, upload history, and account information are stored while your account is active. You have complete control and can delete this data anytime.
Active Accounts
Your data is stored securely while your account is active. You control what stays and what goes.
After Cancellation
60-day grace period to export your data. After that, personal data is permanently deleted. Compliance logs are anonymized but retained for 5 years as required by law.
On-Demand Deletion
Request deletion anytime from Settings → Data & Privacy. Your leads, uploads, and account details are deleted permanently. Compliance logs are anonymized (detached from your account) but retained as required by federal law.
Upload Files
Uploaded files are processed and then deleted within 24 hours. We don't keep copies.
Federal Compliance Audit Logs (5-Year Retention)
Legal Requirement: Under the Telephone Consumer Protection Act (TCPA) and FTC regulations (47 CFR § 64.1200), we are legally required to maintain audit logs of DNC registry checks for 5 years.
What we log for compliance:
- Date and time of each DNC check
- Phone numbers checked
- Check results (on DNC or not)
- Your company name and industry
- Purpose of check (lead scrubbing)
What we DON'T use compliance logs for:
- Profiling your behavior
- Marketing or advertising
- Selling to third parties
- Cross-user analytics
Privacy-First Compliance:
When you delete your data, we anonymize compliance logs (detach from your account) but retain them for the 5-year period as required by law. After 5 years, logs are automatically purged.
Summary: Personal data = your control, delete anytime. Compliance logs = federal requirement, anonymized on deletion, automatically purged after 5 years. Aggregate usage statistics = anonymized and retained for abuse prevention and capacity planning (see Section 8).
5. Your Rights
Right to Export
Download all your data anytime in CSV or JSON format from Settings.
Right to Delete
Delete all your data with one click. No waiting period, no "are you sure" emails.
Right to Access
See exactly what data we have about you. It's all visible in your dashboard.
6. California Privacy Rights (CCPA)
Do Not Sell My Personal Information
EchoSafe does NOT sell your personal information. We never have, and we never will.
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
Right to Know
You can request details about what personal information we collect and how we use it. View all your data directly in your dashboard.
Right to Delete
Request deletion of your personal information. Go to Settings → Data & Privacy to delete immediately.
Right to Opt-Out of Sale
Not applicable — we do not sell personal information. Our business model is subscription-based, not data monetization.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights.
Our Commitment
- We have NEVER sold personal information in the past
- We do NOT currently sell personal information
- We have NO plans to sell personal information in the future
If our practices ever change, we will update this policy and provide you with the ability to opt-out before any sale occurs.
To exercise your California privacy rights: Email us at support@echosafe.app with the subject line "CCPA Request" or manage your data directly in Settings. We will respond within 45 days as required by law.
7. Data Deletion & Export
You have complete control over your data. Export or delete anytime from Settings → Data & Privacy.
What Gets Deleted
- All your leads (permanently)
- All upload jobs and results
- All CRM integration settings
- All notes, tags, and preferences
- Your account information (if you also close your account)
What Remains (Compliance & Operations)
- Anonymized compliance audit logs (5-year federal requirement)
- Compliance logs are detached from your account and cannot be linked back to you
- Compliance logs automatically purged after 5 years
- Anonymized aggregate usage statistics (see Section 8 for full details)
- Never used for marketing, profiling, or selling to third parties
Why we can't delete compliance logs immediately:
The FTC requires businesses using the DNC registry to maintain audit trails for 5 years to prove compliance with TCPA regulations. This protects both you and us in case of regulatory audits.
Export Your Data
Before deleting, you can export all your data in CSV or JSON format. This includes leads, upload history, and compliance audit logs associated with your account. Go to Settings → Data & Privacy → Export Data.
8. Anonymized Usage Data (Retained After Deletion)
When you delete your account, we retain certain anonymized, aggregate usage statistics that cannot be linked back to you personally. We believe in full transparency about this practice.
What We Retain (Anonymized)
- Total number of leads processed through our system
- Aggregate scrub counts and timestamps
- Upload volume statistics (counts only, no file contents)
These are numerical totals only — no names, emails, phone numbers, or any personally identifiable information is retained.
Why We Retain This Data
- Abuse Prevention: Detect patterns of system abuse such as repeated signups to exploit free trials or scrub limits
- Capacity Planning: Understand system demand to ensure reliable performance during peak usage
- Regulatory Compliance: Demonstrate system-wide DNC check volumes to regulators if required
- Billing Integrity: Maintain accurate records of service usage for dispute resolution
Privacy Guarantees for Retained Data
What we DON'T track: We do not track login frequency, session duration, page views, feature usage, or any behavioral data. We deliberately removed login tracking from our system as part of our privacy-first commitment.
9. Third-Party Services
We use these trusted services to operate EchoSafe. Each has strong privacy commitments:
Database and authentication. SOC 2 Type II certified. Data stored in US.
AI insights. Enterprise privacy: zero data retention, no training on your data.
Payment processing. PCI DSS Level 1 certified. See detailed Stripe section below.
Transactional emails only. No marketing, no tracking pixels.
10. Stripe Payment Processing (Privacy-First Configuration)
We use Stripe for payment processing because they're the industry leader in payment security. Here's exactly what Stripe collects and how we've configured it for privacy:
What Stripe Collects (Required)
- Credit/debit card details (Stripe holds these, we never see full card numbers)
- Billing address for payment verification
- Transaction history for receipts and disputes
- Email for payment receipts
Our Privacy-First Configuration
- Stripe Radar (fraud fingerprinting) set to minimal mode
- No Stripe marketing cookies enabled
- Stripe Analytics tracking disabled
- Payment data shared only for processing (not marketing)
About Stripe's Fraud Detection
Stripe's standard integration includes device fingerprinting for fraud prevention. This is industry-standard for payment security. We've configured Stripe to use their minimal data collection mode, which:
- Reduces fingerprinting to what's necessary for fraud prevention
- Does not share data with third parties for advertising
- Complies with GDPR and CCPA requirements
Stripe's Privacy Policy: Payment data is governed by Stripe's privacy policy at stripe.com/privacy. We only receive the last 4 digits of your card, card brand, and expiration date for display purposes.
11. CRM Integrations & Third-Party Data Sharing
EchoSafe offers optional integrations with third-party real estate CRM platforms. These integrations are entirely user-initiated—no data is shared with any CRM unless you explicitly connect one and enable syncing.
Supported CRM Platforms
- Follow Up Boss — Connected via OAuth 2.0 (industry-standard secure authorization)
- Lofty (formerly Chime) — Connected via API key
- KVCore / BoldTrail — Connected via API key
What Data Is Shared
When you sync leads to a connected CRM, only clean leads (those not on the DNC registry) are transmitted. DNC-blocked leads are never sent to any third party. The following fields may be included:
- Name, phone number, email address
- Address (street, city, state, zip)
- DNC compliance status tag (e.g., “echosafe-clean”)
- Risk score and verification timestamp (stored as CRM custom fields)
- Tags and source attribution
Credential Security
- All API keys and OAuth tokens are encrypted at rest using AES-256-GCM
- Credentials are tested before saving and encrypted immediately
- OAuth tokens auto-refresh securely; we never store passwords
- All data transmitted to CRMs uses HTTPS (TLS encryption in transit)
Your Control
- Auto-sync is off by default—you must explicitly enable it
- You can disconnect any CRM integration at any time, which deletes all stored credentials
- Deleting your EchoSafe account removes all integration data and encrypted credentials
Important: Once lead data is synced to a third-party CRM, that data is governed by that CRM's own privacy policy. EchoSafe cannot delete data that has already been transmitted to Follow Up Boss, Lofty, or KVCore. To manage data in those platforms, please use their respective account settings.
12. AI Privacy Guarantees
Our AI compliance insights are powered by Claude (Anthropic) with enterprise privacy guarantees:
13. Security Measures
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Row-Level Security (RLS) ensures you only access your own data
- Regular security audits and penetration testing
- Secure password hashing with industry-standard algorithms
- Automatic session expiration and secure cookie handling
14. Contact Us
Questions about privacy? We're here to help:
General Support: support@echosafe.app
Business Inquiries: braxton@echosafe.app
Security Concerns: braxton@echosafe.app
Company: EchoSafe Systems, LLC
Response Time: Within 24 hours
15. Policy Changes
We'll notify you of any material changes to this policy via email at least 30 days before they take effect. You can always find the current version here.