Privacy Policy

Last updated: August 14, 2025

This Privacy Policy explains how Humble Echo LLC (“Company,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with this website, our checkout pages, and any features, applications, communities, and content we control (collectively, the “Services”). By using the Services, you agree to the practices described here. If you’re not comfortable with this Policy, you may choose not to use the Services.

1. Scope & Who We Are

This Policy applies to information we process about visitors and registered users of the Services. It does not cover third-party websites, apps, or services that we do not control.

Controller. For information collected through the Services, Humble Echo LLC is the data controller.

2. Information We Collect

A. Information You Provide to Us

  • Account & Profile: email, username/handle (if applicable), age-affirmation (18+), preferences. Sign-up and login are currently handled via Google; we do not collect or store passwords.
  • Inputs & User Content: prompts, messages, uploaded images, and other content you submit to use the Services.
  • Payments: name, email, billing details, purchase history (processed by our payment providers; we do not store full card numbers).
  • Support: information you include in support requests or dispute communications.
  • Consent & Preferences: opt-ins/outs, cookie preferences, marketing choices.

B. Information Collected Automatically

  • Usage & Log Data: timestamps, features used, session IDs, crash reports, diagnostic data.
  • Device/Network: IP address, device type, OS/browser, language, time zone, referrer/UTM, approximate location (derived from IP).
  • Cookies & Similar Tech: pixels, local storage, and device identifiers (see Section 7).

C. Information from Third Parties

  • Payment Processors: payment status, fraud signals, chargeback events.
  • Analytics/Anti-Abuse: aggregate usage metrics, anomaly/fraud indicators.
  • Google Sign-In: account ID, email, and authentication token (subject to Google’s terms).

3. How We Use Information (Purposes & Legal Bases)

Service Operation (Contract; Legitimate Interests)

  • Provide, maintain, and improve core features (chat, image generation, account, subscriptions).
  • Authenticate users, process payments, and deliver digital access immediately after purchase.
  • Personalize settings and remember preferences.

Safety, Moderation, and Integrity (Legitimate Interests; Legal Obligation; Vital Interests)

  • Detect, prevent, and address violations of our Terms/Policies (e.g., prohibited content, fraud, spam).
  • Operate keyword/phrase and classifier-based safety filters; conduct human moderation where necessary.
  • Log and retain limited prompts/outputs to investigate abuse or bugs; report known child-sexual-abuse material to authorities where required by law.

Communications (Contract; Legitimate Interests; Consent where required)

  • Send service/transactional emails (receipts, changes to Terms/Policies, security alerts).
  • Respond to support and dispute requests.

Analytics & Improvements (Legitimate Interests; Consent where required)

  • Measure performance, troubleshoot, and improve model quality and user experience.

Training/Improving Models (Legitimate Interests)

  • Use de-identified and aggregated User Content to improve model performance and safety systems.

Marketing (Consent where required)

  • Send optional updates or offers. You can opt out at any time.

4. Payment Processing & Security

Payments are processed by PCI-DSS compliant providers over HTTPS. We do not store full card numbers or CVV; tokenized references may be retained by our processor to manage subscriptions, refunds, or disputes.

We may receive limited payment metadata (e.g., last 4 digits, expiration month/year, status, fraud assessment) for reconciliation and fraud prevention.

5. How We Share Information

We share information only as described below:

  • Vendors/Service Providers: hosting, storage/CDN, analytics, anti-abuse, email delivery, customer support tooling, and payment processors. These providers process data under contracts that restrict use to our instructions.
  • Safety & Legal: to comply with law, lawful requests, or to protect users, our rights, or the Services; to investigate and report known CSAM as legally required.
  • Business Transfers: if we engage in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction.
  • With Your Direction: if you ask us to share or export data (e.g., data portability requests).

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined by certain privacy laws.

6. Data Retention

We keep information only as long as necessary for the purposes described or as required by law. Illustrative windows (subject to change):

  • Account data: for the life of the account; up to 24 months after closure (to prevent fraud/abuse and for recordkeeping).
  • Prompts/Outputs & moderation logs: 12–24 months for safety, abuse investigations, and product improvement (if applicable).
  • Payments/transactions: at least 7 years for tax, accounting, and regulatory reasons.
  • Support tickets: 24 months after resolution.
  • Security logs: 12 months unless extended for investigation.

7. Cookies & Similar Technologies

We use cookies and similar technologies to:

  • remember settings and session state;
  • enable secure sign-in and payment;
  • measure performance and detect fraud/abuse.

Where required by law, we will request your consent for non-essential cookies and provide controls to update your preferences.

Categories we may use: Strictly Necessary, Functional, Performance/Analytics, Anti-Abuse/Security.

8. International Data Transfers

Information may be stored and processed in the United States and other countries where we or our service providers operate. Where required, we use appropriate safeguards for transfers, such as Standard Contractual Clauses (SCCs) approved by the European Commission or other legal transfer mechanisms.

9. Your Privacy Rights

Depending on your location, you may have some or all of the following rights:

  • Access: request a copy of your personal information.
  • Correction: ask us to correct inaccurate data.
  • Deletion: request deletion, subject to legal/operational exceptions (e.g., fraud prevention, accounting).
  • Portability: obtain a machine-readable copy of certain information.
  • Restriction/Objection: object to or restrict certain processing (e.g., analytics, training).
  • Consent Withdrawal: withdraw consent where processing is based on consent (e.g., marketing emails).
  • Do Not Sell/Share (California): we do not sell or share personal information for cross-context behavioral advertising; you can still exercise CPRA rights via the methods below.

How to Exercise. Email us (see Contact section below) with “Privacy Request” in the subject and specify your request. We may need to verify your identity and account ownership.

Appeal (US States with appeal rights). If we decline your request, you may appeal by replying to our decision email.

Supervisory Authority. If you are in the EEA/UK/Switzerland, you may lodge a complaint with your data protection authority.

10. Children & 18+ Policy

Our Services are for adults (18+) only. We do not knowingly collect information from anyone under 18. If we learn that a user is under 18, we will delete the account and associated data subject to legal obligations.

We maintain a zero-tolerance approach to child sexual exploitation and will report known violations to appropriate authorities.

11. Security

We use organizational and technical measures designed to protect information, including encryption in transit (HTTPS/TLS), access controls, logging/monitoring, vulnerability management, and data minimization. No system is 100% secure; please secure your Google account (e.g., strong password, multi-factor authentication) and use available security features.

For payments, see Section 4 (PCI-DSS compliant processors; no storage of full card numbers by us).

12. Automated Decisions & AI Outputs

The Services use AI systems to generate outputs and to operate safety and anti-abuse features. We may use automated rules (e.g., keyword/classifier flags) to restrict content or features where violations are suspected. We also use de-identified and aggregated content to improve model performance and safety systems. You may contact support if you believe an automated decision was made in error.

13. Third-Party Links & Social Features

The Services may link to third-party sites or services. We are not responsible for their privacy practices. Review their policies before providing information.

14. Changes to this Policy

We may update this Policy from time to time. We will post the updated Policy and update the “Last updated” date. Material changes may be announced via in-product notice or email. Your continued use after the effective date means you accept the updated Policy.

15. Contact Us

If you have any privacy questions or concerns, contact [email protected] and we will respond promptly.
