Privacy Policy

Last updated: 2026-06-08

This Privacy Policy explains what personal data EchoRelay collects, why we collect it, how we store it, and what rights you have. It applies to echorelay.dev and the EchoRelay API service.

1. Who we are

EchoRelay is the data controller for personal data you provide directly (account email, billing details, support correspondence). For payment processing, Paddle.com Market Ltd acts as the data controller of cardholder data — we never see or store full card numbers.

2. What we collect

  • Account data: email address, hashed password, TOTP secret, optional display name.
  • Usage metadata: API request counts, timestamps, status codes, tenant slug. Stored for billing and operational metrics.
  • Billing data: tier or pack purchased, invoice IDs, billing country. Payment-card data is processed by Paddle, not by us.
  • Server logs: IP addresses, user-agent strings, request paths. Kept for up to 90 days for abuse prevention and debugging.
  • Cookies: a single session cookie for authentication and an optional 2FA "trusted device" cookie. No third-party advertising trackers.

3. What we do not store

The bodies of HTTP requests you relay through EchoRelay are processed in transit only — they are not persisted after delivery, retry attempts, or dead-letter handling are complete. We do not inspect payload contents for marketing, analytics, or training purposes.

4. Why we process it

  • To provide the service you signed up for (contract).
  • To bill you and meet our accounting obligations (legal obligation).
  • To prevent fraud, abuse, and security incidents (legitimate interest).
  • To respond to your support requests (contract / legitimate interest).

5. Who we share it with

The complete, authoritative list of sub-processors who may process your personal data on our behalf — with the data categories, region, and transfer mechanism for each — is maintained in §5 of our DPA. We update it within 24 hours of any change. Material changes are notified by email to customers on signed DPAs at least 30 days in advance.

We do not sell personal data. We disclose data to law enforcement only when compelled by a valid legal request from a competent authority.

6. Where it lives

Production data is stored on infrastructure located in the European Union. Some sub-processors (Cloudflare, Paddle) operate global networks and may process metadata outside the EU; transfers rely on standard contractual clauses where applicable.

7. Retention & account closure

  • Account closure. When you close your account, your personal data is erased — immediately and permanently. We erase your name, email address, and any other identifying information we hold. Any unused credit value you are carrying is refunded to your original payment method (see the Refund Policy). We retain only what the law requires us to keep: invoice records and accounting data are retained for the statutory period required by applicable tax and accounting law. That data cannot identify you to any party other than the competent authorities who may require it.
  • Server logs: up to 90 days.
  • Request logs (the inbound API calls you relay through us): searchable for a per-plan window, then hard-deleted at expiry. These rows hold request metadata only (method, path, status, timing) — never request bodies or headers. Check your plan details in the panel for your retention window.
  • Usage metadata: aggregated indefinitely; row-level data up to 24 months.

8. Your rights

Under GDPR and equivalent laws you have the right to: access the personal data we hold about you; correct inaccurate data; request erasure of your personal data (the right to be forgotten); restrict or object to processing; and request portability. You can exercise your right of erasure directly by closing your account in the panel — this erases your personal data immediately. To exercise any other right, or if you prefer to make a request directly to us, email [email protected]. We respond within 30 days. You may also lodge a complaint with your local data-protection authority.

9. Security

We use TLS for all customer-facing traffic, hash passwords with a modern KDF, encrypt sensitive secrets at rest, and require two-factor authentication for account login. No system is perfectly secure; if we become aware of a breach affecting your data we will notify you and the relevant authorities as required by law.

10. Changes

Material changes to this policy will be announced by email and on the website at least 14 days in advance.

11. Contact

Privacy questions: [email protected].

Currency: