Privacy policy
Last updated: May 2, 2026
The short version
Echo is a Chromium browser extension that captures the audio of the tab you're watching, transcribes it, and translates it into a language of your choice. To do this we send audio to a speech-to-text provider and the transcript to a translation model. That's it. We don't sell user data, we don't profile you for ads, and we don't share anything with third parties beyond the providers strictly required to make the captions work.
If you bring your own API keys (BYOK plan), we store them only on your devices and your audio + transcripts go directly from your browser to the provider you chose. Nothing transits our servers.
What we collect
From the extension itself
- Audio from the active video tab — only after you explicitly enable live captioning by clicking the Echo button on YouTube, Twitch, or Kick. Audio is streamed in short chunks (1–8 seconds) to the speech-to-text provider you selected (AssemblyAI, Groq, or DeepInfra) and is not stored on any server we control. The provider returns text, and the audio is discarded.
- YouTube caption track data — when a video has its own captions, we read them via YouTube's public player API to display and translate without re-transcribing. This data is fetched from YouTube directly with your existing YouTube session.
- User preferences (target language, subtitle style, prompt templates, theme) — stored locally via chrome.storage.sync. If you're signed into Chrome, Google may sync this between your own devices. We never read this from our servers.
- BYOK API keys (OpenRouter, AssemblyAI, Groq, DeepInfra) — stored locally via chrome.storage.sync. They never leave your browser except in direct requests to the corresponding provider, which you have a contract with.
From the website (echolocalize.xyz) when you sign in
- Email address — for Google or email/password sign-in, stored by our auth provider Supabase.
- Authentication tokens — short-lived JWT and a refresh token in HTTP-only cookies, used to identify you on subsequent requests.
- Plan and subscription state — which tier you're on, when it renews, and whether your trial has ended.
Usage metrics (managed plans only)
On Pro / Pro Plus / Pro Max plans, when you use the managed translation backend we record per-request metadata for billing and anti-abuse:
- Request timestamp, plan tier, target language
- Token counts (input + output) — not the text itself
- Source platform (youtube / twitch / kick) and content type (vod / live)
We do not store the source transcript, the translated text, or any video identifiers (no record of which videos you watch). BYOK plans skip this entirely — your requests don't pass through our servers.
Third parties that receive data
Each of these is a separate company we contract with. We've picked them because they're necessary to make the product work; we don't share data with anyone else.
- Supabase (auth + database) — receives your email address and stores your subscription state. Used because it provides hosted PostgreSQL and authentication that we manage on your behalf. Supabase privacy policy.
- AssemblyAI (speech-to-text) — receives audio chunks when you use AssemblyAI Universal-Streaming for live transcription. Audio is processed in real time and not retained for training under their data-protection commitments. AssemblyAI privacy policy.
- OpenRouter (translation routing) — receives your transcripts and translation prompts when you use the managed translation backend. OpenRouter routes to the underlying model provider; we configure the route to disable provider-side training on your data where supported. OpenRouter privacy policy.
- Groq and DeepInfra — only used if you choose them as your speech-to-text provider with your own API key (BYOK). We never see those requests.
- Google — only if you sign in with Google OAuth. We receive your email + name as you authorize. The use of information received from Google APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.
- Lemon Squeezy (payments, when paid plans go live) — handles checkout and subscription billing. We receive billing status, never raw payment instruments. Lemon Squeezy privacy policy.
What we don't do
- We don't sell or rent user data to anyone.
- We don't use your data to train models.
- We don't use any data we receive from Google APIs, or from the Echo extension, for personalized advertising, ad targeting, or building a profile of you.
- We don't use any user data to determine creditworthiness or for lending decisions.
- We don't allow humans on our team to read your transcripts. The only exceptions are: (a) you explicitly send us a snippet for a support ticket, (b) we're investigating a security incident, or (c) we're legally compelled.
- We don't track which videos or streams you watch. The extension fetches caption tracks from the page you're on, but no video URL or identifier is sent to our servers.
- We don't inject ads, affiliate links, or content modifications into the pages you visit.
How long we keep data, and how to delete it
- Audio chunks — never persisted. Transit-only.
- Transcripts and translations — never persisted on our servers. They live in your browser tab until you close it.
- Account data (email, subscription state) — kept for as long as your account exists. You can delete your account at any time from echolocalize.xyz/account using the “Delete my account” button. Deletion cascades to usage logs, anomaly events, and beta records. Audit-trail rows we're legally required to keep are anonymized (your user ID is set to NULL) within 24 hours.
- Usage metrics — daily aggregates kept for 90 days for billing reconciliation, then deleted.
- Local extension storage — wiped when you uninstall the extension. To clear it manually without uninstalling: right-click the Echo icon → Manage extension → Clear data, or clear it from inside the popup's Reset button.
Security
- All network traffic uses HTTPS or WSS (encrypted in transit).
- Authentication tokens are stored in HTTP-only, Secure, SameSite=Lax cookies — they're not accessible to JavaScript and don't travel cross-site.
- Account data at rest is encrypted by Supabase (managed Postgres with disk-level AES encryption).
- BYOK API keys never transit our servers; they're used only in direct browser-to-provider requests.
Children
Echo is not directed at children under 13 and we don't knowingly collect data from them. If you believe we have, contact us and we'll delete it.
International users
Echo is operated from outside the EU. If you're in the EU/EEA, UK, or California, you have the right to access, correct, export, and delete your data. Account deletion (above) covers all of this for the data we hold; for third-party providers, follow the privacy policy links above.
Changes to this policy
If we change anything material, we'll update the “last updated” date at the top of this page and, for significant changes, notify signed-in users by email before the change takes effect.
Contact
Questions, deletion requests, or anything else: hello@echolocalize.xyz.
This privacy policy is provided as required by the Chrome Web Store User Data Policy.