EchoLing AI — Privacy Policy

Effective date: June 12, 2026 | Version 1.0

EchoLing AI ("we", "us", "our") is a real-time voice translation desktop application for Windows. The core design principle of the product is simple: your call content does not pass through or get stored on our servers. Call audio is streamed directly from your device to the Google Gemini API for real-time translation, and subtitle history and recordings are stored only on your own computer. This Privacy Policy explains what personal data we process, why, on what legal bases, and what rights you have. It is written to meet the requirements of the EU/UK General Data Protection Regulation (GDPR) and similar laws.

1. Who We Are and Scope

1.1 This Policy applies to the EchoLing AI Windows application and the website echolingai.com. The data controller is the operator of EchoLing AI; you can reach us at contact@echolingai.com.

1.2 This Policy does not cover third-party services that process data under their own policies, in particular Google (Gemini API) and Paddle (payments). Their roles are described in Section 4.

2. What Data We Process

To make the boundaries clear, we group data into three categories. Only category A is processed on our systems. Category B never leaves your device. Category C is exchanged directly between your device and Google.

A. Account and usage data (processed on our systems)

Email address — used to sign you in via one-time verification code and to identify your account. We do not store passwords.
Usage and balance data — translation minutes consumed, remaining minute balance, subscription/pack status, and timestamps of sessions (duration metadata only, never content).
Technical log data — sign-in timestamps, IP address, and app version, used for authentication, security, and abuse prevention.

This data is necessary to operate accounts and minute-based billing; without it we cannot provide the Service.

B. Local data (stored only on your device, never uploaded to us)

Subtitle history — bilingual transcripts of your sessions, saved locally as your archive.
Recordings — audio recordings of sessions, created only if you enable recording, saved locally.
Settings — language pair, device and interface preferences.

We do not upload, read, or back up this data. You can delete it at any time from within the app or from your file system.

C. Call audio (streamed directly to Google for translation; not stored by us)

While a translation session is running, microphone audio and system (loopback) audio are streamed in real time from your device to the Google Gemini API (model: gemini-3.5-live-translate), which returns translated speech and subtitles to your device. Our servers are not in this path: we do not receive, intercept, or store your call audio or transcripts. Under Google's paid-tier API terms, customer data submitted to the API is not used to train Google's models. Google's processing is governed by Google's API terms and privacy documentation.

3. Purposes and Legal Bases (GDPR Art. 6)

Providing the Service (account sign-in, minute accounting, real-time translation) — performance of a contract (Art. 6(1)(b)).
Payments and billing records — performance of a contract and compliance with legal obligations (Art. 6(1)(b), (c)).
Security, fraud and abuse prevention (log data, anomaly detection) — our legitimate interests in protecting the Service (Art. 6(1)(f)).
Service communications (verification codes, important account or policy notices) — performance of a contract (Art. 6(1)(b)).
Marketing emails, if any — only with your consent (Art. 6(1)(a)), which you may withdraw at any time.

We do not use your data for automated decision-making with legal effects, we do not build advertising profiles, and we do not sell personal data. We do not analyze the content of your conversations — we never have it.

4. Recipients and Processors

4.1 Google (Gemini API). Receives session audio directly from your device to perform real-time translation, as described in Section 2-C.

4.2 Paddle. Subscriptions and minute packs are sold by Paddle as Merchant of Record. Paddle processes your payment and billing details (such as card data, billing address, and tax information) as an independent controller under its own privacy policy. We receive transaction confirmations and tax-compliant records, but not your full card details.

4.3 Infrastructure providers. We use reputable hosting and email-delivery providers to operate accounts and send verification codes, bound by data processing agreements.

4.4 Legal requirements. We may disclose category A data where required by law, regulation, or valid legal process.

5. International Transfers

Our service providers (including Google and Paddle) may process data in countries other than your own, including the United States. Where data subject to the GDPR is transferred outside the EEA/UK, transfers rely on appropriate safeguards such as adequacy decisions or Standard Contractual Clauses implemented by the respective provider.

6. Retention

Account data: kept while your account is active. When you delete your account, we delete or anonymize your email address and usage records, except where retention is required by law (e.g., tax and accounting records of transactions).
Log data: kept for a limited period appropriate to security and abuse prevention, then deleted or anonymized.
Local data (category B): remains on your device under your control until you delete it.
Call audio (category C): not retained by us at all; Google's API retention is governed by Google's terms.

7. Security

Account and usage data are transmitted over encrypted connections (HTTPS/TLS) and stored with industry-standard technical and organizational measures, including access minimization and encryption of sensitive fields. Audio streams between your device and the Google Gemini API use encrypted connections.

8. Your Rights

Subject to applicable law (including the GDPR if it applies to you), you have the right to:

Access the personal data we hold about you and receive a copy;
Rectify inaccurate or incomplete data;
Erase your data ("right to be forgotten"), including by deleting your account;
Restrict or object to certain processing, including processing based on legitimate interests;
Data portability — receive data you provided in a structured, commonly used, machine-readable format;
Withdraw consent at any time, where processing is based on consent, without affecting prior processing;
Lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, email contact@echolingai.com. We will respond within the timeframes required by applicable law (under the GDPR, generally one month).

9. Recording Other People

If you enable local recording or rely on subtitle history of conversations involving other people, you are responsible for complying with the consent and notification laws that apply to you and to the other participants. See the EULA, Section 5.

10. Children

EchoLing AI is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.

11. Changes to This Policy

We may update this Policy from time to time. Material changes will be announced in the app or on echolingai.com before they take effect. The "Effective date" at the top indicates the latest revision.

12. Contact

Data controller: the operator of EchoLing AI

Website: echolingai.com

Email: contact@echolingai.com

Summary: we process your email address and minute usage to run your account; your call audio streams directly to the Google Gemini API and is never stored by us; your transcripts and recordings stay on your own computer.