Privacy Policy

EchoDeck is operated at echodeck.avianage.in. You can contact us at [email protected].

We collect the information needed to provide, secure, and maintain EchoDeck.

• Account data: email address and username, which are required to use the service.
• Authentication data: magic link tokens via Resend, not stored after use, and NextAuth session tokens stored as httpOnly cookies.
• Spotify OAuth tokens: stored encrypted and used solely to access your Spotify library on your behalf. We do not access your Spotify account beyond what you explicitly authorize during the OAuth flow.
• Queue data: YouTube video IDs and metadata such as title and thumbnail URL queued by users are stored to maintain stream queues. This data is not shared with YouTube or third parties.
• Usage data: stream activity, votes, and listening history associated with your account.

EchoDeck limits collection to data needed for the service.

• We do not collect payment card data. Payment data is handled entirely by Razorpay if billing is active.
• We do not store YouTube audio or video content.
• We do not store Spotify audio content.
• We do not sell your data to third parties.

We use your data only for operating EchoDeck and related account features.

• To provide and maintain the service.
• To authenticate you, including magic link email delivery via Resend.
• To associate your queued content and stream history with your account.
• To enforce usage quotas and RBAC roles.

The following third parties may process your data as part of delivering EchoDeck. Your data is only shared with these services to the extent necessary to deliver their specific function.

• YouTube / Google LLC: video playback via IFrame API. Google's Privacy Policy: policies.google.com/privacy.
• Spotify AB: library access via OAuth if connected. Spotify's Privacy Policy: spotify.com/legal/privacy-policy.
• Resend: transactional email for magic link delivery only. Resend's Privacy Policy: resend.com/legal/privacy-policy.
• Razorpay: payment processing if billing is active. Razorpay's Privacy Policy: razorpay.com/privacy.

We retain data only as long as needed for the service or your account.

• Account data is retained until you delete your account.
• Session tokens expire per NextAuth configuration.
• Spotify OAuth tokens are deleted when you disconnect Spotify or delete your account.

If you are in the EU/EEA, you have the rights listed below. To exercise these rights, email [email protected] or use the account deletion feature in Settings.

• Access your personal data.
• Correct inaccurate data.
• Request deletion of your data, also known as the right to erasure.
• Data portability.
• Withdraw consent at any time.

EchoDeck uses limited cookies required for authentication and optional analytics.

• Strictly necessary: NextAuth session cookie, httpOnly and secure, which cannot be disabled.
• Analytics: used only if you consented via the cookie banner.
• We do not use third party advertising cookies.

We use HTTPS, httpOnly cookies, and encrypted token storage. However, no system is 100% secure and we cannot guarantee absolute security.

We will notify you of material changes via email. Continued use after changes constitutes acceptance.

Privacy questions and requests may be sent to [email protected].