Privacy Policy
Last updated: April 26, 2026
1. Summary (Your data, in short)
We do not train AI on your data. Neither we nor the external AI providers we use (OpenAI, z.AI) use data routed through the Platform to train their models.
60-day default retention. Chat messages, lead data, and session data are automatically deleted after 60 days. Data minimisation by design.
EU hosting. Data is stored in the EU (Railway). AI inference is performed via a US provider under EU SCCs and DPF.
You can export and delete your data at any time.
The subprocessor list is public, with 30-day prior notice before any change.
2. The data controller
Company name: Intersync Korlátolt Felelősségű Társaság (short: Intersync Kft.)
Registered office: 1021 Budapest, Hűvösvölgyi út 32., Hungary
Company registry number: 01-09-424781
Tax number: 32451096-2-41
Email: privacy@echoai.hu
Website: https://echoai.hu
(hereinafter: Service Provider or EchoAI)
Data Protection Officer: not currently mandatory; for contact, please use privacy@echoai.hu.
3. Definitions
The terms used in this policy are interpreted under Article 4 of the GDPR. Notably:
Data subject: the natural person whose data we process.
Processing: any operation performed on personal data.
Controller: the entity determining the purposes and means of processing.
Processor: the entity processing data on behalf of the Controller.
Subprocessor: a third party engaged by the Processor to process data.
AI model: large language model (LLM) used to generate Platform responses.
4. The Service Provider's role: Controller vs Processor
EchoAI plays a dual role:
4.1 Controller role
The Service Provider acts as Controller with respect to:
the User's (Platform subscriber's) registration and account data;
the User's payment and billing data;
the User's usage metrics (which features, when);
system and security logs;
analytics about visitors of the Platform website.
4.2 Processor role
The Service Provider acts as Processor with respect to:
Content uploaded by the User (Knowledge Base: PDF, text, URL, CSV, YouTube);
the content of conversations conducted by End Users with the Platform chatbot;
contact data collected via Leads (personal data of End Users);
contract data stored in the Contract Assistant.
In these cases, the User (Platform subscriber) is the Controller, and the Service Provider acts on the User's instructions under the Terms + DPA.
5. Data subject categories
EchoAI processes data of three distinct data subject categories:
5.1 Platform user (User)
A natural person who registers and uses the Platform (typically an employee of the Service Provider's subscriber).
5.2 Website visitor (End User)
A person who chats with the embedded EchoAI chatbot on the User's website.
5.3 Third parties in Content
This category applies where Content uploaded by the User or contract fields contain personal data of third parties. In these cases, the Service Provider is the data processor.
6. Data categories processed
6.1 Platform user (Controller role)
| Data category | Specific data | Legal basis | Purpose | Retention |
|---|---|---|---|---|
| Google OAuth authentication | Name, email, profile picture | GDPR 6.1.b (contract) | Account identification | Active account + 30 days |
| Billing data | Name, company, tax number, address (stored by Stripe) | GDPR 6.1.b and 6.1.c (legal obligation) | Invoicing, VAT | 8 years (Hungarian Acc. Act) |
| Usage metrics | Logins, feature usage, last activity | GDPR 6.1.f (legitimate interest) | Service improvement, security | 60 days |
| System logs | IP, user-agent, timestamp | GDPR 6.1.f | Security, incident handling | 6 months |
6.2 Website visitor / End User (Processor role; User as Controller)
| Data category | Specific data | Legal basis (determined by User) | Retention |
|---|---|---|---|
| Chat messages | End User's typed text + AI responses | User decides (contract, legitimate interest, consent) | 60 days default |
| Session cookie | Session ID, conversational state | Functional, 6.1.f | Until session end, max 60 days |
| File uploads | Documents uploaded into chat | User decides | 60 days |
| IP address, user-agent | Technical data from chat visitor | Security, GDPR 6.1.f | 60 days |
| Lead form: name | If voluntarily provided by End User | GDPR 6.1.a (consent) or 6.1.b | 60 days default; User may set their own retention |
| Lead form: email | If voluntarily provided | as above | as above |
| Lead form: phone | If voluntarily provided | as above | as above |
| Lead form: other | Free text, multiple choice | as above | as above |
6.3 Third parties in Content
Where the User uploads PDFs, URLs, CSVs, YouTube videos, or contract templates containing third-party data (names, emails, phone numbers):
The User is responsible for having an appropriate legal basis for including them (e.g. business contact, contracting party).
The Service Provider acts as Processor on the User's instructions.
Retention is determined by the User's policy, defaulting to 60 days after active use.
6.4 Platform website (echoai.hu) visitors
| Data category | Data | Legal basis | Retention |
|---|---|---|---|
| Analytics | Page visits, device, source | Cookie consent (PostHog EU) | 6 months |
| Google Analytics | Sessions, events | Cookie consent | GA default |
| Functional cookie | Preferences, login | No consent required | Session |
7. Purposes of processing
Provision of the Platform service (account management, chat, knowledge base, leads, contracts, integrations)
Invoicing and accounting (legal obligation)
Customer support (contact with the User)
Security and fraud prevention (analysis of system logs)
Service improvement (based on anonymised, aggregated metrics)
Marketing (based on separate consent, optional newsletter)
8. Use of AI models and the training question
8.1 How it works
Responses on the Platform are generated by external large language model (LLM) providers:
OpenAI (USA) — primary provider for End User chat and Knowledge Base queries.
z.AI (USA) — secondary, used only for background operations (e.g. content indexing, metadata extraction); personal End User data is not transmitted to z.AI.
8.2 What happens to the data
When a User or End User sends a chat message or uploads content:
The Platform stores the data in a database hosted in Railway's EU region.
The data fragment needed for response generation (prompt + context) is sent via the OpenAI API to OpenAI's servers.
OpenAI generates and returns the response.
The response and the input are stored under the 60-day retention policy.
8.3 NO model training takes place
The Service Provider declares:
Neither the Service Provider, nor OpenAI, nor z.AI uses data routed through the Platform to train their own AI models.
Under the contract with OpenAI (OpenAI Enterprise Privacy terms), the Service Provider uses "zero data retention" or an equivalent option that excludes use for training purposes.
z.AI is used exclusively for non-personal, structural background tasks.
8.4 Automated decision-making (GDPR Art. 22)
AI responses generated by the Platform do not constitute "solely automated decision-making which produces legal effects concerning the End User or similarly significantly affects them" within the meaning of GDPR Article 22. Nevertheless, the End User and User have the option to review responses, discuss them, and seek a human contact (where the User makes such an option available on their website).
9. Subprocessors (data processors)
The Service Provider cooperates with the following third parties for data processing. This section contains the complete, current list; in case of changes, we update it under the 30-day prior notification procedure (see below).
| Name | Role | Data category | Country | Safeguard |
|---|---|---|---|---|
| OpenAI, LLC | Primary LLM inference | Chat input/output, Knowledge Base extracts | USA | EU SCCs 2021 + DPF (Data Privacy Framework) certified |
| z.AI | Background LLM (no personal data) | Anonymous structural data only | USA | EU SCCs 2021 |
| Railway | Hosting, database | All backend data | EU region | GDPR-compliant hoster |
| Cloudflare R2 | File storage (PDF, CSV, DOCX, images) | Uploaded files | Global / EU | GDPR-compliant, SCCs |
| Stripe Payments Europe Ltd. | Payment | Billing and payment data | Ireland (EU) / USA | SCCs |
| Postmark (ActiveCampaign) | Transactional email | Email address, email content | USA | EU SCCs + DPF certified |
| Google (OAuth + Analytics) | Authentication, analytics | Google profile data, visitor analytics | USA | DPF certified |
| PostHog EU | Product analytics | Anonymised usage events | EU region | GDPR-compliant |
Changes:
Before engaging a new subprocessor, we notify Users by email and in-Platform message at least 30 calendar days in advance.
The User has the right to object. If the Service Provider engages the subprocessor despite the User's objection, the User may cancel the subscription.
The Service Provider ensures that it concludes a written agreement with each subprocessor containing data protection obligations equivalent to those in this policy — in particular regarding security measures, confidentiality, and the prohibition on using Personal Data to train their own models (notably: OpenAI, z.AI).
10. Processor relationship (DPA, GDPR Article 28)
When the Service Provider processes personal data on the User's instructions (see Section 4.2 — Processor role; e.g. chat content of End Users on the User's website, lead data, or personal data contained in content uploaded to the User's knowledge base), the Service Provider acts as data processor under GDPR Article 28.
The detailed terms of this relationship — in particular the subject matter and duration of processing, the parties' obligations, technical and organisational measures (TOMs), subprocessor management, audit rights, incident notification, return and deletion of data, and international transfers — are set out in the Data Processing Agreement (DPA).
10.1 Availability of the DPA
Online version (publicly available): echoai.hu/dpa
Separately signable PDF version for B2B (corporate customers, compliance needs): available upon request at privacy@echoai.hu.
10.2 The DPA as part of the Terms
Whether accepted online or as a separately signed version, the DPA forms an inseparable part of the Terms. By accepting the Terms, the User also accepts the online version of the DPA.
10.3 Conflict
If the DPA and other provisions of the Terms conflict regarding the processing of personal data, the DPA prevails.
10.4 Detailed Security Overview
Upon B2B request, we provide a detailed security overview (TOMs, infrastructure, access controls, incident response protocol): security@echoai.hu.
11. International data transfers
11.1 Storage location
Primary storage: EU region (Railway, Cloudflare R2 EU, PostHog EU).
AI inference: USA (OpenAI), but data is not used for training, and OpenAI-side retention is set to "zero retention" or stored for at most 30 days for abuse monitoring.
11.2 Legal basis for US transfers
Since OpenAI, Postmark, and Google are US providers, personal data is transferred to the USA. The legal basis:
EU Standard Contractual Clauses (SCCs) 2021 — concluded by the Service Provider for OpenAI and Postmark.
EU-US Data Privacy Framework (DPF) — OpenAI, Postmark, and Google are DPF-certified. The DPF provides an adequate level of protection under the EU Commission's adequacy decision.
Supplementary technical measures: TLS encryption, access restrictions, declarations.
11.3 The UK
For UK data subjects, UK GDPR and the UK International Data Transfer Addendum (IDTA) apply, in addition to the SCCs.
12. Retention periods in detail
| Data | Retention | Method of deletion |
|---|---|---|
| Account personal data | During active subscription + 30 days | Automatic deletion upon account termination |
| Chat messages (End User) | 60 days | Automatic, daily batch |
| Lead data | 60 days (or User-initiated export, deletion) | Automatic or manual |
| Uploaded Content (PDF, text, URL, CSV, YouTube) | Until User deletes, or account closure + 30 days | User or system |
| Contract templates and generated contracts | Until User deletes | User |
| Accounting documents (invoices) | 8 years (Hungarian Accounting Act § 169) | Cannot be deleted due to legal obligation |
| System logs | 6 months | Automatic rotation |
| Backups | At most 90 days | Backup rotation |
| Analytics (PostHog, GA) | 6 months (PostHog) / GA default | Provider-specific |
13. Cookies and tracking technologies
This section also serves the role of the Cookie Notice (in lieu of a separate Cookie Policy).
13.1 What is a cookie?
A cookie is a small text file stored by the browser on the visitor's device. The Platform uses cookies, local storage (localStorage), and similar technologies.
13.2 Cookie categories used
13.2.1 Strictly necessary (functional) cookies
These are essential to the operation of the Platform. They do not require consent, since they are necessary for the service explicitly requested by the User.
| Cookie | Purpose | Retention |
|---|---|---|
| session_id | Maintaining the login session | Until session end |
| echoai_org | Remembering the active Organization | 30 days |
| csrf_token | Cross-site request forgery protection | Until session end |
| echoai_chat_session | Chat conversation state | 24 hours |
13.2.2 Analytics cookies
Cookies used for product and marketing analytics. Explicit consent is required.
| Cookie | Provider | Purpose | Retention |
|---|---|---|---|
| ph_* (e.g. ph_ingestion_id) | PostHog EU | Product usage analytics (feature usage, heatmaps) | 1 year |
| _ga, _ga_* | Google Analytics | Visitor statistics, source tracking | 2 years |
| _gid | Google Analytics | User identification per session | 24 hours |
13.2.3 Marketing cookies
We currently do not use marketing (advertising, retargeting) cookies. If this changes, we will notify Users in advance and request separate consent.
13.3 Cookie consent
On first visit to the Platform, a cookie consent banner appears:
Necessary only — only functional cookies are active.
Accept all — analytics cookies are also active.
Settings — choice per category.
Consent may be modified at any time via the "Cookie settings" link at the bottom of the website. Changes take effect from the moment of change; previously collected data based on consent is not retroactively affected (but the User may request deletion under Section 15).
13.4 How to disable in your browser
You can also disable cookies via your browser settings:
Note: If you disable strictly necessary cookies, certain Platform features will not be available.
13.5 Do Not Track
We respect the "Do Not Track" (DNT) browser signal — when DNT is active, analytics cookies are not set by default.
14. Security measures
The Service Provider implements appropriate technical and organisational measures, including:
Encryption in transit: TLS 1.2+ for all connections.
Encryption at rest: AES-256 in the database and file storage.
Access management: role-based access control (RBAC), two-factor authentication for administrative access.
Audit logging: security-relevant logs for 6 months.
Backup: daily automated backup, point-in-time restore.
Vulnerability management: regular security updates, dependency audits.
Data processing agreements: signed with every subprocessor.
15. Data subject rights (GDPR Chapter III)
The data subject (User and End User alike) is entitled to:
15.1 Rights
Right to information (GDPR Articles 13-14) — this policy serves this purpose.
Right of access (Article 15) — to obtain a copy of their data.
Right to rectification (Article 16) — correction of inaccurate data.
Right to erasure ("right to be forgotten") (Article 17).
Right to restriction of processing (Article 18).
Right to data portability (Article 20) — in structured, machine-readable format.
Right to object (Article 21) — to processing based on legitimate interest.
Right not to be subject to automated decision-making (Article 22).
Right to withdraw consent (Article 7(3)).
15.2 Practical guide
Platform user: most rights can be exercised in self-service mode within the Platform (profile editing, Organization deletion, export functions).
End User: contact the User directly (who is the Controller), or write to privacy@echoai.hu — we will mediate and assist.
Response time: the Service Provider responds within 1 month of receiving a request, with an extension of up to 2 additional months in justified cases.
Fee: requests are free of charge, except for excessive, repetitive, or manifestly unfounded requests.
16. Children's data
The Platform may not be used by persons under 16 years of age. The Service Provider does not knowingly collect data on data subjects under 16. If the Service Provider learns that a person under 16 has provided data without verified parental consent, it deletes the data without delay.
17. Personal data breach
17.1 Notification to the authority
In case of a personal data breach, the Service Provider notifies the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to the rights of natural persons.
17.2 Notification to the data subject
If the breach involves a high risk, the Service Provider also informs the data subject without undue delay.
17.3 Internal procedure
The Service Provider has an internal incident response procedure including: detection, classification, containment, investigation, notification, learning.
18. Complaints and supervisory authority
18.1 Contact the Service Provider
If you have a data protection concern, please contact the Service Provider first:
Email: privacy@echoai.hu
18.2 NAIH
You may file a complaint with the Hungarian National Authority for Data Protection and Freedom of Information:
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Postal address: 1363 Budapest, Pf. 9., Hungary
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu
18.3 Right to judicial remedy
In case of a violation, the data subject may bring proceedings before a court. Proceedings may be brought before the court of the Service Provider's registered office or the data subject's place of residence.
19. Changes to this policy
19.1 Modification
The Service Provider reserves the right to unilaterally modify this policy. For material changes, the Service Provider notifies Users at least 30 calendar days prior to the effective date.