Mother's Day SaleSave 30% on every plan with code MOTHER26
EchoWish

Privacy Policy

Last updated: April 2026

EchoWish (“we,” “us,” or “our”), a company registered in Finland, operates the echowish.ai website and related services. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable Finnish and EU data protection laws.

1. Data Controller

EchoWish is the data controller for the personal data processed through our Service. For any data protection inquiries, contact us at: privacy@echowish.ai

2. Personal Data We Collect

We collect the following categories of personal data:

a) Account Information

  • Email address
  • Full name
  • Phone number (optional)
  • Account password (encrypted)

b) Order Information

  • Recipient name and your relationship to them
  • Occasion, personality traits, and special memories you share for song creation
  • Photos you upload for slideshows or keepsake magnets
  • Blessing/greeting card messages
  • Shipping address (for physical products)

c) Payment Information

  • Payment is processed by Stripe. We do not store your credit card details.
  • We retain transaction IDs, amounts, and payment status for order fulfillment and accounting.

d) Technical Data

  • IP address, browser type, device information
  • Pages visited, time spent, and referral sources (only with your cookie consent)

3. How We Use Your Data

We process your personal data for the following purposes and legal bases:

  • Contract performance: Creating your custom song, processing your order, shipping physical products, handling revisions
  • Legitimate interest: Improving our Service, preventing fraud, providing customer support
  • Consent: Sending marketing emails (you can opt out anytime), analytics tracking via cookies
  • Legal obligation: Tax reporting, responding to legal requests

4. Cookies and Analytics

We use the following types of cookies:

  • Essential cookies: Required for authentication and core functionality. These are always active and do not require consent.
  • Analytics cookies: We use Meta Pixel to understand how visitors interact with our site. These are only activated after you provide consent via our cookie banner.

You can change your cookie preferences at any time by clearing your browser's local storage and refreshing the page. The consent banner will reappear.

5. Data Sharing and Third Parties

We share your data with the following third-party processors, solely for the purpose of providing our Service:

  • Supabase - Database and authentication (data stored in EU region)
  • Vercel - Website hosting
  • Stripe - Payment processing
  • Resend - Transactional email delivery
  • Printful - QR greeting card printing and shipping
  • AI music generation provider - Song creation (we share only the song prompt, not your full personal details)
  • Meta (Facebook) - Analytics via Meta Pixel (only with your consent)

We do not sell your personal data to any third party. We do not use your personal stories or memories for AI model training.

6. International Data Transfers

Some of our service providers are based outside the EU/EEA. Where data is transferred outside the EU, we ensure adequate protection through Standard Contractual Clauses (SCCs) or the service provider's compliance with equivalent data protection frameworks.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
  • Order data and songs: Retained for the lifetime of your account to allow access to your songs and revision history.
  • Payment records: Retained for 7 years as required by Finnish accounting law.
  • Analytics data: Retained by Meta according to their data retention policies.

8. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Correct inaccurate personal data (you can update your profile at any time)
  • Right to erasure: Request deletion of your account and all associated data via your account settings or by contacting us
  • Right to restriction: Request that we limit how we process your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interest or for direct marketing
  • Right to withdraw consent: Withdraw your consent for analytics cookies or marketing at any time

To exercise any of these rights, contact us at privacy@echowish.ai. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS/SSL), secure authentication, and access controls. Payment data is handled entirely by Stripe and never touches our servers.

10. Children's Privacy

Our Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.

11. Supervisory Authority

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto):

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice on our website. The “Last updated” date at the top reflects the most recent revision.

13. Contact Us

For any questions about this Privacy Policy or your personal data, contact us at: privacy@echowish.ai