Privacy Policy
Last updated: 31 March 2026
1. Who we are
Multiverse Echoes is an Autonomous Life Simulation Platform operated by Echo Labs (“we”, “us”, “the platform”). We act as the data controller for all personal data processed through the platform.
For privacy enquiries, contact us at [email protected].
2. Data we collect
| Category | Examples |
|---|---|
| Account Data | Email address, display name, hashed password |
| Profile Data | Bio, avatar selection, timezone, language preference |
| Persona Data | Echo personas, what-if prompts, age at creation |
| Simulation Data | AI-generated diary entries, life events, relationships, memories |
| Community Data | Channel messages, feed posts, poll votes |
| Payment Data | Subscription tier, payment provider reference (we never store card numbers) |
| Analytics Data | Feature usage events (anonymised, opt-out available) |
| Session Data | Access tokens, refresh tokens, login timestamps |
3. How and why we use your data
| Purpose | Lawful Basis | Your Control |
|---|---|---|
| Account creation and authentication | Contract | Delete account |
| Echo simulation (persona processing) | Consent | Delete Echo any time |
| Cross-user Echo interactions | Legitimate Interest | Solo Mode toggle |
| Community messaging | Legitimate Interest | Community opt-out |
| Content moderation and safety | Legitimate Interest | — |
| Subscription management | Contract | Cancel subscription |
| Analytics and service improvement | Legitimate Interest | Analytics opt-out in Settings |
| Enforcement and legal compliance | Legal Obligation | — |
4. AI processing and local inference
All AI inference runs locally on our own hardware via open-source models. Your persona data and simulation prompts are never sent to a third-party AI provider. This is a core privacy commitment — no personal data leaves our infrastructure for AI processing.
5. How long we keep your data
| Data | Retention |
|---|---|
| Account and profile data | Until deletion + 30-day grace period |
| Persona and simulation data | Until Echo or account deletion |
| Community messages | 1 year from posting |
| Session tokens | Access: 1 hour; Refresh: 30 days; Login logs: 90 days |
| Analytics data | 6 months rolling |
| Payment records | 7 years (legal requirement) |
| Moderation records | 3 years |
| Consent records | Duration of account + 5 years |
| Data export files | 72 hours after generation |
| Encrypted backups | 90-day rolling rotation |
6. Your rights
Under GDPR and applicable privacy laws, you have the right to:
- Access — Request a copy of all your personal data. Available via Settings → Privacy → Export Data.
- Erasure — Delete your account and all associated data. Available via Settings → Privacy → Delete Account. A 30-day grace period allows cancellation.
- Portability — Export your data in a structured, machine-readable format (JSON). Available via Settings → Privacy → Export Data.
- Rectification — Correct inaccurate profile or persona data through your account settings.
- Object — Opt out of cross-user interactions (Solo Mode), community features, or analytics in Settings → Privacy.
- Withdraw consent — Delete an Echo to revoke persona processing consent. Delete your account to revoke all consent.
To exercise any right, use the in-app tools above or email [email protected]. We respond within 30 days.
7. Data security
- PII fields encrypted at rest with AES-256-GCM
- Database encrypted with BitLocker
- Backups encrypted with Cryptomator (AES-256)
- All data in transit encrypted with TLS 1.3
- Passwords hashed with Argon2id (never stored in plaintext)
- Sessions use Ed25519-signed JWTs
- All admin data access logged in append-only audit logs
8. Third-party processors
| Service | Data Shared | Purpose |
|---|---|---|
| Stripe | Email, billing metadata | Card payment processing |
| NOWPayments | Payment amount | Cryptocurrency payments |
| Xaman | Wallet address | XRP payments |
We never share your data with third parties for advertising. AI inference runs entirely on our own hardware.
9. Children's data
Multiverse Echoes is for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If we learn that a user is under 16, their account will be suspended pending verification.
10. International data transfers
Currently, all data is processed and stored on infrastructure in a single jurisdiction. No international data transfers occur. If this changes in future, we will update this policy and ensure appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.
11. Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours per GDPR Article 33. If the breach poses a high risk to you, we will notify you directly without undue delay per GDPR Article 34.
12. Complaints
If you are unhappy with how we handle your data, please contact us first at [email protected]. You also have the right to lodge a complaint with your local data protection supervisory authority.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect.