Privacy Policy
Last updated: May 15, 2026
Echoreply (“Echoreply”, “we”, “us”) is a software-as-a-service product operated by Nuvo Ventures LLC. This policy explains what data we collect when you use our website at getechoreply.com and the associated app, how we use it, and who we share it with.
1. What we collect
Account data. When you sign up, we collect your email address, the name on your Google account (if you sign in with Google), and the business information you provide during onboarding (business name, description, preferred reply tone).
Google Business Profile data. If you connect your Google Business Profile, we receive an OAuth access token that lets us read your reviews and post replies on your behalf. We store the token encrypted at rest and use it only for the actions you authorized. We do not access any Google service outside the Business Profile scope you granted.
Review content. The text of reviews left on your business, the reviewer's public display name, star rating, and timestamps. This content is public on Google and we never publish it elsewhere.
AI-generated replies. We store the replies our system generates so you can review, edit, and approve them. Reply text is sent to Anthropic (the AI model provider) at generation time.
Payment data. Payments are processed by Stripe. We never store card numbers, CVCs, or banking details on our servers. Stripe sends us a subscription status (active, trialing, canceled) and a customer ID we use to link your subscription to your account.
Usage data. Standard server logs (IP address, user agent, request paths, timestamps) for security and debugging. We do not use third-party analytics that build advertising profiles.
2. How we use it
We use the data above to:
- Operate the service (fetch your reviews, generate and post replies on your behalf).
- Authenticate you and keep your account secure.
- Process subscription payments through Stripe.
- Send transactional emails (sign-in links, billing notifications, important service updates).
- Detect abuse, fraud, and security incidents.
- Improve the product by analyzing aggregated, non-identifying usage patterns.
We do not sell your data. We do not show third-party ads in the product. We do not use your reviews or generated replies to train external AI models.
3. Who we share it with
We share specific data with vendors that help us run the service. Each vendor sees only what it needs to do its job:
- Supabase hosts our database and handles authentication. Your account record and reviews live there.
- Vercel hosts the application servers. Logs and request data pass through Vercel infrastructure.
- Stripe processes payments. Your card details go directly to Stripe, never through Echoreply.
- Google provides the OAuth flow and the Business Profile API. Reviews flow through Google's APIs.
- Anthropic is the AI model provider. We send review text to generate replies. Anthropic processes the data under its no-training policy for API customers.
- Email providers deliver our transactional emails.
We will disclose data to law enforcement or regulators if required by a valid legal process. We will notify you when permitted by law.
4. Retention
We keep your data for as long as your account is active. If you cancel, we retain your data for 90 days in case you reactivate, then delete it. Activity logs and billing records may be retained longer to comply with tax and accounting law.
5. Your rights
You can:
- Access the data we hold about you. Email us and we will export it.
- Delete your account at any time. Email us or use the in-app sign out + cancel flow.
- Disconnect your Google Business Profile from your Google account settings. Once revoked, we stop fetching new data and our stored token becomes useless.
- Update incorrect information in the app settings.
- Object to processing or withdraw consent. Note that some processing is required to provide the service. If you withdraw consent, we may have to close the account.
If you are in the European Economic Area, the UK, or California, you have additional rights under GDPR, UK GDPR, and CCPA respectively. To exercise them, email us at the address below.
6. Security
We use TLS in transit, encrypted storage at rest, role-based access controls inside the team, and row-level security in the database so accounts cannot see each other's data. We do our best, but no system is perfectly secure. If we ever detect a breach that affects your data, we will notify you within 72 hours.
7. International transfers
Our infrastructure is hosted in the United States. If you access the service from outside the US, your data is transferred to the US for processing. We rely on standard contractual clauses with our subprocessors for cross-border transfers where applicable.
8. Children
Echoreply is a B2B product for business owners. It is not intended for children under 18 and we do not knowingly collect data from minors. If you believe a minor has used the service, contact us and we will delete the account.
9. Changes
We may update this policy. When we make material changes, we will notify active customers by email at least 14 days before the change takes effect. The “Last updated” date at the top reflects the latest revision.
10. Contact
Questions, requests, or complaints? Email hello@getechoreply.com. We typically reply within 2 business days.
Echoreply is a product of Nuvo Ventures LLC, registered in the United States.
