Skip to content

Privacy Policy

Effective date: March 22, 2026

EchoThread does not sell reader data, run ads, or use cross-site tracking. We collect only the account, site, and comment data needed to operate the service, moderate discussions, prevent abuse, and support exports or deletion requests.

1. Introduction

EchoThread ("we", "us", "our") operates the echothread.io website, the EchoThread embeddable comment widget, and related services (collectively, the "Service"). This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data.

By using the Service you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Data controller

EchoThread is the data controller for the personal data processed through the Service. For questions about this policy or your data, contact us at privacy@echothread.io.

3. Data we collect

3.1 Site owners (dashboard users)

  • Account information: email address, display name, optional bio and avatar URL.
  • Site configuration: site name, domain, shortname, moderation preferences.
  • Authentication data: one-time magic link tokens (automatically deleted after use or expiry).

3.2 Commenters (embed widget users)

  • Authenticated commenters: email address, display name, and avatar (via Google or GitHub OAuth).
  • Imported or legacy guest commenters: optional guest name and email when present in migrated discussion data.
  • Comment content: comment text, uploaded images, and link preview metadata.
  • Technical data: IP address and user-agent string, collected with each comment submission.
  • Reactions: vote/reaction type associated with your user ID.

3.3 Data we do NOT collect

  • We do not use third-party cookies or cross-site tracking.
  • We do not serve advertisements or share data with ad networks.
  • We do not use third-party analytics services (e.g., Google Analytics).
  • We do not collect payment or financial information (the Service is currently free).

4. How we use your data

  • Authentication: to verify your identity via magic link email, Google OAuth, or GitHub OAuth.
  • Service delivery: to display comments, manage sites, and deliver notifications.
  • Moderation: IP addresses and user-agent strings help site owners manage spam and abuse.
  • Transactional emails: to send magic link sign-in emails. We do not send marketing emails.
  • Spam detection: comment content is analyzed using built-in keyword-based scoring. No third-party spam services are used.

5. Legal basis for processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contract performance: processing necessary to provide the Service you signed up for (e.g., account creation, comment posting).
  • Legitimate interest: spam prevention, security, and service improvement, balanced against your rights.
  • Consent: where required by law, such as for optional data collection (e.g., guest email).

6. Third-party services

We use the following third-party services to operate EchoThread:

  • Amazon Web Services (AWS): database hosting (DynamoDB), email delivery (SES), and image storage (S3). Data is stored in the US East (N. Virginia) region. AWS Privacy Policy.
  • Google OAuth: used for commenter authentication in the embed widget. When you sign in with Google, we receive your email, name, and profile picture. Google Privacy Policy.
  • GitHub OAuth: used for commenter authentication in the embed widget. When you sign in with GitHub, we receive your verified primary email, display name, username, and avatar. GitHub Privacy Statement.
  • DigitalOcean: application hosting and container registry. DigitalOcean Privacy Policy.
  • CloudFront (AWS): content delivery for static assets and the embed widget.

We do not sell, rent, or share your personal data with any other third parties.

7. International data transfers

Your data is stored and processed in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on the following safeguards:

  • AWS participates in the EU-US Data Privacy Framework.
  • Standard contractual clauses (SCCs) where applicable.

8. Data retention

  • Magic link tokens: automatically deleted after 15 minutes or upon use.
  • Account data: retained for as long as your account is active. You may request deletion at any time.
  • Comments: retained for as long as the associated site exists, unless deleted by the commenter or site owner.
  • Uploaded images: retained for as long as the associated comment exists.

9. Your rights

Depending on your location, you may have some or all of the following rights:

GDPR (EEA, UK, Switzerland)

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your personal data ("right to be forgotten").
  • Restriction: request that we limit processing of your data.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • You also have the right to lodge a complaint with your local data protection authority.

CCPA / CPRA (California)

  • Right to know: what personal information we collect, use, and disclose.
  • Right to delete: request deletion of your personal information.
  • Right to opt out: we do not sell or share personal information for cross-context behavioral advertising.
  • Non-discrimination: we will not discriminate against you for exercising your rights.

LGPD (Brazil)

  • You have rights to confirmation, access, correction, anonymization, portability, deletion, and information about sharing with third parties.

PIPEDA (Canada)

  • You have the right to access and challenge the accuracy of your personal information held by us.

To exercise any of these rights, contact us at privacy@echothread.io. We will respond within 30 days (or sooner where required by law).

10. Cookies and local storage

EchoThread does not use cookies. We store authentication tokens (JWT) in your browser's local storage to keep you signed in. These tokens are removed when you log out. No third-party cookies or tracking technologies are used.

11. Children's privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@echothread.io and we will promptly delete it.

12. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Passwordless authentication (magic links) to eliminate password-related breaches.
  • HTTPS encryption for all data in transit.
  • Encrypted storage at rest via AWS managed encryption.
  • Short-lived authentication tokens with automatic expiry.

No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please report it to security@echothread.io.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

14. Contact us

If you have any questions about this Privacy Policy or our data practices, contact us at:

privacy@echothread.io

EchoThread EchoThread

© 2026 EchoThread. Privacy-first comments for the modern web.

Updated