PRIVACY POLICY

Last updated: March 2026

01

Who we are

EchoFilter (“EchoFilter”, “we”, “our”) is a lead quality scoring service that analyzes form submissions to detect automated or low-quality traffic. Our contact address is hello@echofilter.com.

02

What data we collect

We collect two categories of data:

A) Account data (users who sign up)

  • Email address and hashed password (stored by Supabase Auth)
  • Plan tier and API usage count

B) Session signals (collected via the SDK on your visitors)

  • Behavioral telemetry: mouse movement patterns, keystroke timing, form fill duration
  • Whether a paste action was detected
  • Honeypot field status
  • User-agent string
  • A one-way hash of the visitor's IP address — the raw IP is never stored

03

What we do NOT collect

  • Names, phone numbers, or any personally identifiable information (PII) from your visitors
  • Form field values or submitted content
  • Cookies or persistent browser identifiers on visitor devices
  • Raw IP addresses

04

How we use the data

  • To compute a real-time TrustScore for each form submission
  • To provide analytics to the account holder via the dashboard
  • To improve detection accuracy (aggregated, anonymized signals only)
  • To manage your subscription and send transactional emails

05

Data retention

Session records are retained for 90 days, after which they are automatically deleted. Account data is retained for as long as your account is active. You may request deletion at any time by emailing us.

06

Data sharing

We do not sell your data. We share data only with:

  • Supabase — database and authentication (EU or US region, SOC 2 compliant)
  • Stripe — payment processing (PCI-DSS compliant). Stripe receives only your email and plan details, never session data.
  • Vercel — hosting and edge compute

07

GDPR compliance

If you are in the European Economic Area, you have the right to access, correct, export, or delete your personal data. Our legal basis for processing account data is contractual necessity (Art. 6(1)(b) GDPR). Behavioral telemetry from your visitors is processed under legitimate interest (Art. 6(1)(f)) as it contains no PII.

To exercise your rights, email hello@echofilter.com and we will respond within 30 days.

08

Security

All data is transmitted over TLS. Passwords are hashed by Supabase Auth (bcrypt). API keys are stored as opaque tokens. We do not have access to your password. Row-level security policies ensure each account can only access its own data.

09

Cookies

EchoFilter uses a single session cookie to keep you logged in to the dashboard. No third-party tracking or advertising cookies are used. The EchoFilter SDK does not set any cookies on your visitors' browsers.

10

Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated via email to registered users. The date at the top of this page reflects the most recent revision.

11

Contact

Questions or requests: hello@echofilter.com