Privacy Policy

What data we collect, why we collect it, how we use it, and the rights you have over your information.

Last updated:

XECHO ("we," "us," or "our"), operated by XDRIP Digital Management LLC, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

By using XECHO, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our services.

1. Information We Collect

Information You Provide

  • Account Information: Email address, username, password, date of birth, profile picture
  • Profile Information: Display name, bio, social links, artist/creator details
  • Payment Information: Billing address, payment method details (processed by Stripe)
  • Identity Verification: For creators - name, address, tax ID, government ID (KYC)
  • Content: Music, podcasts, audiobooks, and other audio you upload
  • Communications: Messages, support requests, feedback

Information Collected Automatically

  • Usage Data: Streaming history, listening preferences, search queries, playlists
  • Device Information: Device type, OS, browser type, unique identifiers
  • Location Data: Country and region based on IP address
  • Log Data: IP address, access times, pages viewed, referring URLs

Blockchain & Wallet Data

  • Wallet Address: Public wallet addresses you connect to XECHO
  • Transaction Data: Blockchain transactions related to your activity
  • Note: We never have access to your private keys or wallet passwords

2. How We Use Your Information

To Provide Our Services

  • Create and manage your account
  • Process streaming, purchases, and subscriptions
  • Distribute creator content and process payouts
  • Personalize your listening experience and recommendations
  • Enable social features (following, playlists, sharing)

To Improve Our Platform

  • Analyze usage patterns and trends
  • Develop new features and services
  • Fix bugs and optimize performance

To Protect Our Platform

  • Detect, prevent, and address fraud and abuse
  • Enforce our Terms of Service
  • Verify identity for KYC/AML compliance

3. Information Sharing

We may share your information with:

  • Service Providers: Payment processors (Stripe), cloud hosting, analytics, email services
  • Creators: Aggregated listener analytics, subscriber info for fan subscriptions
  • Legal & Safety: In response to valid legal requests, to protect rights and safety
  • Business Transfers: In connection with mergers, acquisitions, or asset sales

We Do NOT:

  • Sell your personal information to third parties
  • Share your listening history publicly without consent
  • Provide individual user data to advertisers

4. Cookies & Tracking

Types of Cookies

  • Essential: Required for basic functionality, authentication, security
  • Functional: Remember preferences (volume, language, theme)
  • Analytics: Understand usage, measure performance, identify issues

Managing Cookies

Most browsers allow you to refuse or delete cookies. Disabling cookies may affect platform functionality. You can adjust preferences in your browser settings.

5. Data Storage & Security

Where We Store Data

  • User account data on secure servers in the United States
  • Content on IPFS decentralized storage
  • Payment data processed and stored by Stripe (PCI-DSS compliant)

Security Measures

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Secure authentication with hashed passwords
  • Regular security audits and monitoring
  • Access controls limiting employee access

No method of transmission over the internet is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security.

6. Your Rights & Choices

  • Access: Request a copy of personal data we hold about you
  • Correct: Update your account information at any time
  • Delete: Delete your account through settings or by contacting support
  • Control Marketing: Opt out via unsubscribe link or notification settings
  • Data Portability: Request your data in a machine-readable format

To exercise these rights, contact us at privacy@xecho.pro.

7. International Data Transfers

XECHO is based in the United States. If you access our platform from outside the US, your information will be transferred to, stored, and processed in the United States.

  • EU/EEA Users: We rely on Standard Contractual Clauses for data transfers
  • UK Users: We comply with UK GDPR requirements

8. Children's Privacy

  • XECHO is not intended for children under 13
  • Users aged 13-17 may use XECHO with parental consent
  • Users must be 18+ to make purchases, connect wallets, or receive payouts
  • We do not knowingly collect personal information from children under 13

Contact us at privacy@xecho.pro if you have concerns about a child's data.

9. Third-Party Services

XECHO uses the following third-party services:

  • Stripe: Payment processing
  • Google: Authentication (if you use Google Sign-In)
  • IPFS: Decentralized content storage
  • Supabase: Database and authentication

Our platform may contain links to external websites. We are not responsible for the privacy practices of other sites.

10. Data Retention

  • Account Data: Retained while active, plus 30 days after deletion
  • Transaction Records: Retained for 7 years for tax/legal compliance
  • Usage Logs: Retained for up to 2 years
  • Creator Content: Retained until removed by creator
  • Support Communications: Retained for 3 years

11. California Privacy Rights (CCPA)

California residents have specific rights under CCPA:

  • Right to Know: Request what personal information we collect and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of sales (we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate for exercising rights

Submit requests to privacy@xecho.pro. We respond within 45 days.

12. European Privacy Rights (GDPR / UK GDPR / Switzerland)

Legal Bases for Processing (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): To provide our services to you
  • Consent (Art. 6(1)(a)): For marketing and optional features; you can withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7(3))
  • Legitimate Interests (Art. 6(1)(f)): For security, fraud prevention, AI-detection on uploaded content, and improvement of the Platform
  • Legal Obligation (Art. 6(1)(c)): Tax reporting, anti-money-laundering, lawful requests

Your Rights under GDPR / UK GDPR / revFADP

The Regulation (EU) 2016/679 (GDPR), the UK General Data Protection Regulation as incorporated into UK law, the UK Data Protection Act 2018, and the Swiss Federal Act on Data Protection (revFADP, in force 2023-09-01) grant you the following rights:

  • Access (Art. 15): Obtain a copy of your data
  • Rectification (Art. 16): Correct inaccurate data
  • Erasure (Art. 17): Request deletion ("right to be forgotten")
  • Restriction (Art. 18): Limit processing of your data
  • Portability (Art. 20): Receive data in a portable format
  • Object (Art. 21): Object to processing based on legitimate interests, including direct marketing
  • No solely-automated decisions (Art. 22): Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not engage in such automated decision-making)
  • Complaint (Art. 77): Lodge a complaint with your supervisory authority. EU residents may contact their member-state Data Protection Authority. UK residents may contact the Information Commissioner’s Office (ico.org.uk). Swiss residents may contact the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

Cross-border data transfers

When we transfer personal information from the EEA, the United Kingdom, or Switzerland to the United States or other jurisdictions not deemed adequate by the European Commission or the UK Government, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Agreement (or its Addendum to the EU SCCs), and the Swiss-adapted SCCs as approved by the Federal Data Protection and Information Commissioner. We complement the SCCs with supplementary measures (encryption in transit and at rest, key-management separation, access controls, audit logging).

EU Article 27 representative

As a controller offering services to data subjects in the EU without an establishment in the EU, we are appointing an Article 27 representative. Until that appointment is in place, EU data subjects may contact our Privacy Office at privacy@xecho.pro. UK users: our UK team constitutes a UK establishment for purposes of UK GDPR Art. 3, so a separate Art. 27 representative is not required.

Data Controller: XDRIP Digital Management LLC, Colorado Springs, CO, USA

13. United States — state privacy laws

In addition to the rights described in Section 11 (CCPA / CPRA), residents of the following U.S. states have rights under their state’s privacy law, subject to its specific requirements and exceptions:

  • California: California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act
  • Colorado: Colorado Privacy Act, C.R.S. § 6-1-1301 et seq., and Rules at 4 CCR 904-3
  • Virginia: Consumer Data Protection Act, Va. Code § 59.1-575 et seq.
  • Connecticut: Connecticut Data Privacy Act, Conn. Gen. Stat. § 42-515 et seq.
  • Utah: Utah Consumer Privacy Act, Utah Code § 13-61-101 et seq.
  • Florida: Florida Digital Bill of Rights, Fla. Stat. § 501.701 et seq.
  • Texas: Texas Data Privacy and Security Act, Tex. Bus. & Com. Code § 541.001 et seq.
  • Oregon: Oregon Consumer Privacy Act, ORS 646A.570 et seq.
  • Montana: Montana Consumer Data Privacy Act
  • Iowa: Iowa Consumer Data Protection Act
  • Delaware: Delaware Personal Data Privacy Act
  • Tennessee: Tennessee Information Protection Act (and the Tennessee ELVIS Act, Tenn. Code § 47-25-1101 et seq., for voice / likeness)
  • New Hampshire: New Hampshire Privacy Act
  • New Jersey: New Jersey Data Privacy Act
  • Minnesota: Minnesota Consumer Data Privacy Act
  • Washington: My Health My Data Act, RCW 19.373 (see Section 13.1)

Common rights across these statutes include the right to confirm whether we process your personal data, access it, correct inaccuracies, delete it, obtain a portable copy, opt out of sale, opt out of targeted advertising, opt out of profiling that produces legal or similarly significant effects (we do not engage in such profiling), and appeal a privacy-rights decision. To exercise any right, contact privacy@xecho.pro. To appeal a decision, contact legal@xecho.pro.

13.1 Washington — Consumer Health Data (My Health My Data Act, RCW 19.373)

For Washington residents, mood-state inferences, therapeutic-listening context inferences, and similar derived signals from your listening behavior may constitute “consumer health data” under RCW 19.373.020(8). We treat such inferences with the heightened protections that act requires: we obtain consent for collection, sharing, or sale of consumer-health data; we do not sell consumer-health data; and we honor your right to access, deletion, and revocation of consent.

13.2 Colorado — universal opt-out signal (Global Privacy Control)

For Colorado residents (and for any other resident whose state law recognizes the signal), we honor the Global Privacy Control (GPC) as a valid universal opt-out of the “sale” or “sharing” of personal information for cross-context behavioral advertising under 4 CCR 904-3, Rule 5.07. Because we do not currently engage in such practices, GPC is honored as a no-op confirmation; if our practices change, GPC will continue to suppress any new in-scope processing for your browser.

Contact Us

XDRIP Digital Management LLC
Colorado Springs, CO, USA

  • Privacy: privacy@xecho.pro
  • General: support@xecho.pro

We aim to respond to all privacy-related inquiries within 30 days.