
Security & Compliance · Version 1.1

your thoughts deserve
harder walls than this.

Here is exactly how we protect them. Not a summary. The full account.

Before You Read

Security pages are usually written to reassure auditors.

This one is written to help you decide whether to trust us.

We have tried to be complete, not comfortable.

If something here raises a question, it should. Email us: support@echosofmind.com

1. What We Protect

Echos of Mind holds your emotional patterns.

Your journal entries. Your mood drift across weeks. The quiet signals your behavior sends before your conscious mind catches up.

This is not usage data. This is not preferences or browsing history.

This is the interior record of a human life.

We take that seriously in a way that goes beyond compliance requirements.

2. Encryption

We cannot read what you write.

All sensitive personal content — journal entries, mood check-ins, reflections, and behavioral data — is protected with end-to-end encryption (E2EE).

This is not a metaphor for “we use HTTPS.” It means your data is encrypted on your device before it leaves your hands. By the time it reaches our infrastructure, it is already unreadable to us.

What this means technically

  • Encryption happens on-device before transmission
  • Keys are derived from your credentials and controlled by your device
  • Our servers store ciphertext — not readable content
  • HTTPS (TLS 1.2+) encrypts all data in transit
  • Data at rest is encrypted at the storage layer
  • No Echos of Mind employee can read your journal in normal operation

What this means for you

  • Your words are private even from us
  • If your encryption keys are lost and account recovery is not enabled, encrypted data cannot be restored — this is deliberate
  • We would rather lose your data than betray your privacy

No system is completely immune to all threats. Our architecture is designed to minimise access risk, not to claim impossibility. We will tell you plainly if that ever changes.

3. Infrastructure

We use a minimal, deliberate infrastructure stack. Not because we are small. Because a smaller attack surface means less risk.

We disclose only what serves your ability to make a trust decision — not our full technical inventory.

Where your data lives

Your personal data — journal entries, mood check-ins, behavioral history, account information — is stored on our own encrypted infrastructure. It is not shared with any third-party analytics or advertising service.

Authentication and push notifications are handled by a third-party infrastructure provider operating under enterprise-grade security standards (ISO 27001, SOC 2 Type II). This provider does not store your personal app data.

Access controls

  • Database access is restricted to minimum-required permissions
  • No broad admin access to user data exists in day-to-day operations
  • Service credentials are stored in secure vaults, never in code
  • Backend access is logged and auditable

What we do not use

  • No advertising SDKs
  • No third-party analytics that receive personal content
  • No cross-app tracking
  • No data brokers or data-sharing arrangements

Data residency

Your personal app data is stored on our own infrastructure. We are actively evaluating options to bring data residency closer to our primary user base in India, and will update this page and notify users when that changes.

Authentication and notification services are processed by a third-party provider with infrastructure in the United States.

4. Data Handling

Your data has one job. Serving you.

We collect the minimum data required to run the product. We use it only to generate the insights that go back to you. Nothing else.

What we collect

  • Account information (name, email — for authentication only)
  • Content you create (journal entries, mood check-ins, reflections)
  • Technical data (device info, crash reports — for app stability only)
  • IP address (collected temporarily on form submission for spam prevention only — not stored with your personal profile)

What we do not collect

  • Location data
  • Contacts
  • Browsing history
  • Biometric data
  • Any data unrelated to your self-awareness practice

How insights are generated

All pattern detection compares your current data against your own historical data only. No population comparison. No benchmarking against other users. No external models trained on your content.

A pattern is only shown to you when multiple signals align across a sustained period. If certainty is low, we say nothing. We would rather stay silent than mislead.

How pattern models work

Behavioural pattern detection runs on our internal models. We do not send your journal content to third-party AI services for inference. Your words remain encrypted and within our system.

Inner Circle — the only data-sharing feature

The only way personal behavioural signals leave your account is through Inner Circle, which you must explicitly configure. Inner Circle shares a notification trigger — not your content — with up to 3 nominated contacts. Your journal entries remain encrypted throughout. This feature is off by default. Nothing is shared until you activate it.

Retention

Your data is retained for as long as your account is active. You may delete your account and all associated data at any time from within the app settings.

Upon deletion:

  • All personal data is permanently removed
  • Deletion propagates through backup cycles within 30 days
  • No shadow copies are retained for profiling or future use

5. Legal Compliance

Echos of Mind is operated from India and complies with Indian data protection law as a baseline — not as a ceiling.

Digital Personal Data Protection Act (DPDP), 2023

India's primary data protection framework. We comply with all applicable provisions:

  • Lawful basis for processing — explicit consent obtained at account creation
  • Purpose limitation — data used only for the purpose it was collected
  • Data minimisation — we collect only what is necessary
  • Storage limitation — data retained only as long as needed
  • Security safeguards — technical and organisational measures commensurate with the nature of data held
  • Grievance redressal — designated Grievance Officer with defined response SLA
  • Data breach notification — mandatory reporting to the Data Protection Board of India and affected users
  • Right to nominate — users may register a nominee to exercise rights on their behalf

Information Technology Act, 2000

We comply with the IT Act 2000 and its associated rules, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules).

Play Store — Data Safety Declaration

Our Play Store Data Safety section exactly mirrors what is written here and in our Privacy Policy. No data type is collected or shared beyond what is disclosed. No advertising use of data.

Grievance Officer

Abhishek Garg, Founder — Echos of Mind

Contact

support@echosofmind.com

Response time

Within 72 hours of receipt

6. Your Rights

Under India's Digital Personal Data Protection Act, 2023, you are a Data Principal with the following rights:

Right to Information

Know what personal data we hold about you, how it is processed, and for what purpose.

Email support@echosofmind.com

Right to Correction and Erasure

Correct inaccurate or incomplete data, or request that your data be deleted entirely.

Delete account from within the app, or email support@echosofmind.com

Right to Grievance Redressal

Raise a concern about how your data is handled and receive a response within 72 hours. If unresolved, escalate to the Data Protection Board of India.

Email support@echosofmind.com

Right to Withdraw Consent

Withdraw your consent to data processing at any time. Withdrawal does not affect the lawfulness of prior processing.

Delete account, or contact us directly

Right to Nominate

Nominate another person to exercise your data rights in the event of your death or incapacity.

Email support@echosofmind.com with subject: "Nominate a Data Representative" — we confirm within 7 days

7. What We Don't Do

Some commitments matter more as negatives.

  • We will not sell your data
  • We will not use your data for advertising
  • We will not share your content with third parties for any commercial purpose
  • We will not build a profile of you to compare against others
  • We will not use push notifications to drive engagement loops
  • We will not quietly expand what we collect or share
  • We will not train AI models on your personal content
  • We will not claim impossibility when we mean improbability

These are not marketing promises. They are architecture decisions, legal commitments, and the reason this product exists the way it does.

If we ever need to change any of these, we will tell you directly, before the change takes effect, with the option to leave cleanly.

8. Incident Response

If something breaks — and we cannot promise it never will — here is exactly what happens, and in what order.

In the event of a breach

First 24 hours: we confirm what happened and how far it reached.

Then: we notify the Data Protection Board of India as required by the DPDP Act, 2023.

Then: we tell you. Directly. By email. Not a vague notification. A plain account of:

  • What happened
  • What data was affected
  • What we have done or are doing
  • What you can do

We do not delay notification to manage reputation.

If you believe your data has been compromised

Contact us immediately:

support@echosofmind.com

We will respond within 24 hours and tell you what we know, when we know it.

9. Responsible Disclosure

If you discover a security vulnerability in our app or website, we want to know. We are building carefully, and good-faith researchers make that easier.

We commit to

  • Acknowledge your report within 48 hours
  • Investigate and respond with our findings within 14 days
  • Fix confirmed vulnerabilities before public disclosure, in alignment with coordinated disclosure best practices
  • Never pursue legal action against good-faith security researchers
  • Credit researchers publicly if they wish to be credited

We ask that you

  • Report directly to us before disclosing publicly
  • Avoid accessing, modifying, or deleting user data in your research
  • Give us reasonable time to resolve before disclosure

Report to

support@echosofmind.com

Subject line

Security Disclosure

10. Security Changelog

A record of meaningful security and compliance updates. Not every patch — only what affects how your data is handled.

June 2026 · Version 1.0

  • End-to-end encryption implemented for all journal and mood data
  • DPDP Act 2023 compliance framework established
  • Grievance Officer designated
  • Data breach notification procedures defined
  • Database access controls tightened to minimum-permission per function
  • CMS admin panel restricted from public-facing production access
  • Content Security Policy hardened for production environment
  • Security & Compliance page published

Future entries will appear here as they occur.

11. Contact

Security questions, compliance requests, vulnerability reports, data rights, or anything else — one address handles all of it.

Email

support@echosofmind.com

General inquiries

Within 72 hours

Security concerns

Within 24 hours

Nomination requests

Within 7 days

Grievance Officer

Abhishek Garg, Founder — Echos of Mind

your data is not our product.

it is a record of your patterns.

we are here to protect it.

Effective date: June 2026. Version 1.1.