Privacy Policy
Last updated: February 18, 2026
This Privacy Policy explains how FirstEcho (“we,” “us,” or “our”) collects, uses, and protects your personal data when you use the FirstEcho web application and related services (the “Service”).
1. Data Controller
The data controller responsible for your personal data is:
FirstEcho
Email: contact@mail.firstecho.app
2. Information We Collect
We collect the minimum information needed to provide and improve our Service:
- Account information: Email address and password when you create an account.
- Baby profiles: Baby name, date of birth, and optional photo that you choose to provide.
- Usage data: Sign learning progress, practice sessions, and app interactions.
- Practice videos: If you use the AI practice feature, video frames are processed in real time and are not stored on our servers after analysis.
- Payment information: Billing details are collected and processed directly by Stripe. We do not store your card number or banking details.
- Device and browser data: Browser type, device type, and anonymized interaction data collected through analytics tools (see Section 7).
3. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases as defined by Article 6 of the EU General Data Protection Regulation:
- Contract performance: Processing your account data, baby profiles, and learning progress is necessary to provide the Service you signed up for.
- Consent: Analytics cookies and tracking technologies are only activated after you provide consent (see Section 7). You may withdraw consent at any time.
- Legitimate interest: We may process anonymized, aggregated data to improve our content and Service, where this does not override your rights.
- Legal obligation: We may retain certain data where required by applicable tax, accounting, or other laws.
4. How We Use Your Information
- Provide age-appropriate sign language recommendations.
- Track and display your learning progress.
- Process payments through Stripe.
- Provide AI-powered practice feedback using Google Gemini (see Section 6).
- Send transactional emails (account confirmation, password reset).
- Improve our content and user experience through anonymized analytics (with your consent).
We do not sell your personal data to third parties. We do not use your data for advertising or profiling beyond what is described in this policy.
5. Children's Data
FirstEcho is designed for use by parents and caregivers aged 18 and older. We do not knowingly collect data directly from children. Baby profile data (name, date of birth, optional photo, and learning progress) is entered by adult users about their children and is stored within the parent's account.
In compliance with the US Children's Online Privacy Protection Act (COPPA) and EU GDPR Article 8, we rely on the parent or guardian to provide and manage all data relating to their child. If you believe data about a child has been submitted without proper parental consent, contact us immediately and we will delete it.
6. AI-Powered Features
Our practice mode uses Google Gemini to analyze video frames of sign language attempts and provide real-time feedback. When you use this feature:
- Video frames are sent to Google Gemini's API for processing.
- Frames are processed in real time and are not permanently stored by us. Google temporarily retains API data (including frames) for up to 55 days for operational purposes like abuse detection, as per their Gemini API Logs Policy. Data is not retained beyond this period.
- On the free tier of the API, Google may use anonymized data to improve their models and services. We use the paid tier to prevent this.
- No automated decisions with legal or similarly significant effects are made based on AI analysis. The feedback is purely educational.
You can use FirstEcho without the AI practice feature.
7. Cookies and Tracking Technologies
We use the following technologies:
- Essential cookies: Required for authentication and session management. These cannot be disabled as they are necessary for the Service to function.
- PostHog analytics: Product analytics to understand how users interact with the Service. Uses localStorage. Only activated with your consent.
- Vercel Analytics: Privacy-focused web analytics for performance monitoring. Only activated with your consent.
You can manage your consent preferences at any time via the cookie settings accessible from the bottom of any page. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
8. Third-Party Services and Sub-Processors
We share data with the following third-party services only as necessary to operate the Service:
- Supabase (US) — Authentication and database hosting.
- Stripe (US) — Payment processing. Subject to Stripe's Privacy Policy.
- Vercel (US) — Application hosting and edge delivery.
- PostHog (US) — Product analytics (consent required).
- Google Gemini (US) — AI-powered practice feedback (only when you use the practice feature).
- Resend (US) — Transactional email delivery.
9. International Data Transfers
Your data may be transferred to and processed in the United States, where our sub-processors operate. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:
- The European Commission's Standard Contractual Clauses (SCCs) where applicable.
- Sub-processor compliance with the EU-US Data Privacy Framework where certified.
10. Data Retention
- Account data: Retained for as long as your account is active.
- Baby profiles and progress: Retained for as long as your account is active. Deleted when you delete your account.
- Payment records: Retained for 7 years after the transaction as required by tax and accounting regulations.
- Analytics data: Anonymized and retained for up to 24 months.
When you delete your account, all personal data is permanently removed within 30 days, except where retention is required by law.
11. Your Rights
Depending on your location, you may have the following rights under GDPR, UK GDPR, the California Consumer Privacy Act (CCPA), or other applicable laws:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate data.
- Erasure: Delete your account and personal data.
- Data portability: Receive your data in a structured, machine-readable format.
- Restrict processing: Request limitation of processing in certain circumstances.
- Object: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
You can exercise most of these rights directly from your account settings (profile page). For any requests, email contact@mail.firstecho.app. We respond within 30 days.
12. Right to Lodge a Complaint
If you are in the EEA or UK, you have the right to lodge a complaint with your local Data Protection Authority if you believe your data has been processed unlawfully. A list of EU DPAs is available at edpb.europa.eu.
13. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know: What personal information we collect, use, and disclose.
- Right to delete: Request deletion of your personal information.
- Right to opt-out: We do not sell personal information.
- Non-discrimination: We will not discriminate against you for exercising your rights.
14. Security
We protect your data using industry-standard measures including encryption in transit (TLS), row-level security on all database tables, and secure authentication via Supabase Auth. No system is 100% secure, and we encourage you to use a strong, unique password.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before taking effect. The “Last updated” date at the top reflects the most recent revision.
16. Contact
For privacy questions, data requests, or complaints, contact us at: contact@mail.firstecho.app