Privacy Policy

Last updated: May 2025

1. Data controller

EchoPass is published by SWEBETECH, a simplified joint-stock company (SAS) with a share capital of €25,000, SIRET 920 980 307 00010, registered at 248 rue de l'Est, 69290 CRAPONNE (France). Contact: privacy@echopass.app.

2. Data collected

We collect only the data strictly necessary for the operation of the service:

  • Account data: email address, password (stored as a Bcrypt hash), registration date.
  • Check-in data: phone number (optional, if SMS check-in is enabled), check-in timestamps.
  • Messages and files: stored encrypted. We cannot read the content.
  • Technical logs: IP address (server access), error logs retained for 30 days.

3. Purposes of processing

  • Providing and improving the EchoPass service
  • Sending check-in notifications and messages upon trigger
  • Customer relationship management and support
  • Compliance with legal obligations

4. Legal basis

Processing is based on the performance of the contract (Terms of Service) for data necessary to the service, and on your consent for optional marketing communications.

5. Data retention

Your data is retained for the lifetime of your account. Upon account deletion, all your data is erased within 30 days. Accounting data is retained for 10 years as required by law.

6. Data sharing

We never sell your data. We may use sub-processors (hosting provider, SMS provider) bound by GDPR-compliant data processing agreements. All data is hosted in Switzerland.

7. Your rights

Under the GDPR, you have the following rights:

  • Right of access to your personal data
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to data portability
  • Right to object and restriction of processing

To exercise these rights, contact us at privacy@echopass.app. You may also lodge a complaint with your national data protection authority.

8. Cookies

EchoPass uses only a secure session cookie (HttpOnly, SameSite=Strict) required for authentication. No third-party cookies, no advertising trackers, no external analytics.

9. Security

Your messages are end-to-end encrypted with XChaCha20-Poly1305. Your password is never stored in plaintext. See our security page for technical details.

10. Changes

Any significant change to this policy will be notified by email with 30 days' notice.