Privacy Policy

Last updated: March 29, 2026

The Short Version

Your data is yours. We don't sell it, train on it, or share it with anyone we don't have to. If you self-host, we never see your data at all.

What We Collect

Cloud-hosted users:

  • Your name and email (for account creation)
  • Your memories, tags, and domains (the content you store)
  • Usage data: API call counts, memory counts, search queries (for rate limiting and usage dashboards)
  • Payment information (processed by Stripe; we never see your card number)

Self-hosted users:

  • Your email (for license delivery and updates)
  • That's it. Your data stays on your machine. We don't have access to it.

Website visitors:

  • We use Vercel Analytics (privacy-friendly, no cookies, no personal data collected)
  • No third-party trackers, no ad networks, no cookies

How We Use Your Data

  • To provide the Echo Memory service (storing, searching, retrieving your memories)
  • To process payments (via Stripe)
  • To send you account-related emails (API key delivery, billing, critical security notices)
  • To enforce rate limits and usage tiers

We do NOT use your data to:

  • Train AI models
  • Sell to third parties
  • Target advertising
  • Build user profiles for marketing

Third-Party Services

  • Fly.io (cloud hosting): Your memories are stored on Fly.io infrastructure in the US-East (IAD) region. Fly.io Privacy Policy
  • Stripe (payments): Handles all billing. We never see your full card number. Stripe Privacy Policy
  • OpenAI (optional, cloud-hosted only): If you use semantic search, your search query is sent to OpenAI to generate an embedding vector. The query text is not stored by OpenAI per their API data usage policy. Self-hosted users can disable this entirely.

Data Security

  • All connections use HTTPS (TLS encryption in transit)
  • API keys are hashed with SHA-256 before storage (we never store raw keys)
  • Tenant isolation: your memories are scoped to your account and inaccessible to other tenants
  • Rate limiting per tenant to prevent abuse
  • Security-hardened: 25 fixes applied from adversarial review before beta launch

Data Retention

Your memories are stored as long as your account is active. If you delete your account, all data is removed within 30 days. You can delete individual memories at any time via the API.

Your Rights

  • Access: You can retrieve all your data via the API at any time
  • Delete: You can delete individual memories or your entire account
  • Export: Contact us for a full data export
  • Portability: Self-host at any time. Your cloud data can be migrated to a self-hosted instance

Children

Echo Memory is not intended for use by anyone under 13. We do not knowingly collect data from children.

Changes

We may update this policy. Material changes will be communicated via email. Check this page for the latest version.

Contact

Questions about your data? Email devontaew@textstonelabs.com

Textstone Labs LLC
Orlando, FL