Privacy Policy

Effective date: May 26, 2026

EchoThread does not sell reader data, run ads on the embed widget, or use cross-site tracking on commenters. We collect only the account, site, and comment data needed to operate the service, moderate discussions, prevent abuse, and support exports or deletion requests.

1. Introduction

EchoThread ("we", "us", "our") operates the echothread.io website, the EchoThread embeddable comment widget, and related services (collectively, the "Service"). This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data. Your use of the Service is also governed by our Terms of Service.

By using the Service you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Data controller

EchoThread is operated by VectraSEO LLC, a Pennsylvania limited liability company, which is the data controller for the personal data processed through the Service. For questions about this policy or your data, contact us at privacy@echothread.io.

3. Data we collect

3.1 Site owners (dashboard users)

  • Account information: email address, display name, optional bio and avatar URL.
  • Site configuration: site name, domain, shortname, moderation preferences.
  • Authentication data: one-time magic link tokens (automatically deleted after use or expiry).

3.2 Commenters (embed widget users)

  • Authenticated commenters: email address, display name, and avatar (via Google or GitHub OAuth).
  • Imported or legacy guest commenters: optional guest name and email when present in migrated discussion data.
  • Comment content: comment text, uploaded images, and link preview metadata.
  • Technical data: IP address and user-agent string, collected with each comment submission.
  • Reactions: vote/reaction type associated with your user ID.

3.3 Marketing-site attribution (echothread.io only)

To attribute later sign-ups to their source, the echothread.io public site stores:

  • First-touch attribution stored in your browser: we keep utm_source, utm_medium, utm_campaign, utm_content, utm_term, the referring URL, and the landing path in your browser's localStorage for up to 90 days, so that if you sign up later we can attribute the signup to its source. This data lives only in your browser until/unless you create an account.
  • First-party, aggregate funnel analytics: to measure how well our own marketing pages convert, echothread.io records anonymous step events (e.g. "viewed pricing", "started checkout") to our own servers — never a third-party analytics service. These events carry a random visitor id we generate in your browser (not linked to any cross-site identity, IP address, or email) plus the attribution fields above. They are used only in aggregate to compute conversion rates.

3.4 Data we do NOT collect

  • We do not load third-party cookies, analytics, or trackers on the embed widget or commenter-facing pages.
  • We do not serve advertisements or share data with ad networks.
  • We do not sell your data.

4. How we use your data

  • Authentication: to verify your identity via magic link email, Google OAuth, GitHub OAuth, or a passkey (WebAuthn). If you register a passkey, we store the resulting public-key credential and its identifier to let you sign in; we never receive your biometric data, which stays on your device.
  • Service delivery: to display comments, manage sites, and deliver notifications.
  • Moderation: IP addresses and user-agent strings help site owners manage spam and abuse.
  • Service and notification emails: to send magic link sign-in emails and account/security messages, to notify you when someone replies to your comment (on by default), and to send an optional weekly digest of your unread notifications (off by default). You can turn reply notifications and the digest on or off at any time from your notification preferences in the dashboard; every notification email also links to those settings. We do not send marketing or promotional emails.
  • Spam detection: when a new comment is submitted, its text is sent to Siftfy, our machine-learning classifier operated by EchoThread, which returns a spam probability score. Siftfy receives the comment text and minimal context; it does not receive your email, IP, or browser identifiers. See §6 for Siftfy's role as a sub-processor. We additionally apply local heuristics (keyword and pattern scoring) on the server.

5. Legal basis for processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contract performance: processing necessary to provide the Service you signed up for (e.g., account creation, comment posting).
  • Legitimate interest: spam prevention, security, and service improvement, balanced against your rights.
  • Consent: where required by law, such as for optional data collection (e.g., guest email).

6. Third-party services and sub-processors

We use the following services to operate EchoThread:

  • Amazon Web Services (AWS): database hosting (DynamoDB), email delivery (SES), and image storage (S3). Data is stored in the US East (N. Virginia) region. AWS Privacy Policy.
  • DigitalOcean: application hosting and container registry. DigitalOcean Privacy Policy.
  • CloudFront (AWS): content delivery for static assets and the embed widget.
  • Siftfy (operated by EchoThread): machine-learning spam classifier that receives the text of each newly-submitted comment and returns a spam probability. Hosted in the same AWS region; does not receive email, IP, or browser identifiers.
  • Stripe: subscription billing for paid plans. Stripe receives the data needed to process payments (name, billing address, card details handled directly by Stripe). Stripe Privacy Policy.
  • Google OAuth: used for commenter authentication in the embed widget and for site-owner sign-in to the dashboard. When you sign in with Google we receive your email, name, and profile picture.
  • GitHub OAuth: used for commenter authentication in the embed widget. When you sign in with GitHub, we receive your verified primary email, display name, username, and avatar. GitHub Privacy Statement.

We do not sell, rent, or share your personal data with any other third parties.

7. International data transfers

Your data is stored and processed in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on the following safeguards:

  • AWS participates in the EU-US Data Privacy Framework.
  • Standard contractual clauses (SCCs) where applicable.

8. Data retention

  • Magic link tokens: automatically deleted after 15 minutes or upon use.
  • Account data: retained for as long as your account is active. You may request deletion at any time.
  • Comments: retained for as long as the associated site exists, unless deleted by the commenter or site owner.
  • Uploaded images: retained for as long as the associated comment exists.

9. Your rights

Depending on your location, you may have some or all of the following rights:

GDPR (EEA, UK, Switzerland)

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your personal data ("right to be forgotten").
  • Restriction: request that we limit processing of your data.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • You also have the right to lodge a complaint with your local data protection authority.

CCPA / CPRA (California)

  • Right to know: what personal information we collect, use, and disclose.
  • Right to delete: request deletion of your personal information.
  • Right to opt out: we do not sell or share personal information for cross-context behavioral advertising.
  • Non-discrimination: we will not discriminate against you for exercising your rights.

LGPD (Brazil)

  • You have rights to confirmation, access, correction, anonymization, portability, deletion, and information about sharing with third parties.

PIPEDA (Canada)

  • You have the right to access and challenge the accuracy of your personal information held by us.

To exercise any of these rights, contact us at privacy@echothread.io. We will respond within 30 days (or sooner where required by law).

10. Cookies and local storage

EchoThread does not set first-party cookies. We use your browser's local storage for:

  • Authentication tokens (JWT) to keep you signed in. Removed when you log out.
  • Marketing attribution on echothread.io: utm_source, utm_medium, utm_campaign, utm_content, utm_term, referrer, and landing path, kept for up to 90 days and used only to attribute a later sign-up. Stays in your browser until/unless you create an account.
  • Anonymous funnel-analytics id on echothread.io: a random identifier used to stitch your own marketing-page steps into an aggregate conversion funnel. It is first-party (sent only to our servers, never a third-party tracker) and is not tied to any cross-site identity.

The authentication token is strictly necessary to provide the Service. The marketing-attribution and funnel-analytics items are not strictly necessary; they are set only on the echothread.io marketing site and are never loaded on the embed widget or commenter-facing pages. We do not use them for advertising or cross-site tracking. You can remove all of these items at any time by clearing local storage in your browser settings, and the Service remains usable without the non-essential items.

11. Children's privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@echothread.io and we will promptly delete it.

12. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Passwordless authentication (magic links, OAuth, and passkeys) to eliminate password-related breaches.
  • HTTPS encryption for all data in transit.
  • Encrypted storage at rest via AWS managed encryption.
  • Short-lived authentication tokens with automatic expiry.

No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please report it to security@echothread.io.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised effective date, and for material changes we will provide reasonable advance notice — for example, by email to the address on your account or by a notice on the Service — before the change takes effect. Where the law requires your consent for a new or changed use of your personal data, we will obtain that consent rather than rely on your continued use.

14. Contact us

If you have any questions about this Privacy Policy or our data practices, contact us at:

privacy@echothread.io

© 2026 EchoThread. Privacy-first comments for the modern web.