2026 Global Compliance Deep-Enhancement Edition — Effective Date: June 1, 2026. This document has been comprehensively upgraded to cover EU Digital Services Act (DSA) transparency requirements, all 50 US state privacy laws, AI content disclosure, and 2026 global data sovereignty changes.
ECHODATAGRIDAPEX ("we," "us," "our," or the "Company") is a UK-registered research and development studio headquartered at St John's Innovation Centre, Cambridge, United Kingdom. This Privacy Policy applies to all our mobile applications published on the Apple App Store and Google Play Store (collectively, the "Apps"), our website at echodatagridapex.com (the "Site"), and any related services we offer (collectively, the "Services").
Our products include but are not limited to: Pet Health Archive, Renovation Cost Engine, Language Memory Tool, Wardrobe Inventory, Sheet Music Archive, and Monthly Expense Suite, plus all current and future apps in our ecosystem.
Core Principle: We adhere to a "minimum necessary" data collection philosophy and a "local-first" data processing architecture. Wherever technically feasible, your data is processed and stored exclusively on your device, encrypted at rest, and never uploaded to our servers.
This policy is drafted in compliance with: EU GDPR (Regulation 2016/679), UK-GDPR, EU Digital Services Act (DSA, Regulation 2022/2065), EU AI Act (Regulation 2024/1689), California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas Data Privacy and Security Act, Florida Digital Bill of Rights, Oregon Consumer Privacy Act, Tennessee TIPA, Montana MCDPA, Iowa SF 262, Indiana CDPA, Brazil LGPD (Law 13.709/2018), China PIPL/CSL/DSL, India DPDP Act 2023, Saudi Arabia PDPL, Canada PIPEDA/Quebec Law 25, Japan APPI, South Korea PIPA, Singapore PDPA, Australia Privacy Act 1988, and other applicable regional regulations effective as of 2026.
We strictly adhere to the "minimum necessary" principle. Through compliant technical means, we collect only the following information, used exclusively to maintain IAA (in-app advertising) and IAP (in-app purchase) systems, optimize user experience, and prevent fraud. All collection complies with global privacy regulations, and we never collect information unrelated to our services.
We do not collect specific user-entered content, private messages, or personal data through these instruments.
Used for order verification, refund processing, financial reconciliation, and payment fraud prevention.
Supplementary Note: All collected data is encrypted at rest and in transit using industry-standard AES-256 and TLS 1.3. Data is stored on compliant servers with strictly controlled access — every access is logged for audit purposes.
To achieve lawful monetization, service optimization, and anti-fraud purposes, we share necessary data only with the following compliant third-party ecosystems. The sharing process strictly follows the "minimum necessary, encrypted transmission, fully controllable" principle. We do not share any sensitive personal information. You may view the privacy policies of these partners via their respective websites.
Function: Real-Time Bidding (RTB), ad fill rate optimization, monetization efficiency. Shared data includes only anonymized device information and ad display/click data, never associated with real user identity.
Function: Track advertising installation effectiveness, identify fraudulent installs, prevent ad fee theft. Shared data includes only anonymized device information and installation attribution data, used for anti-fraud validation. No private user information is collected.
Function: Process in-app purchase transactions and verify order validity. Shared data includes only order-related information (excluding sensitive payment information), used for transaction reconciliation and order verification. Strictly follows Apple and Google's official data processing standards.
Through our mediation platforms, additional demand partners may serve ads within our applications. These partners include (but are not limited to):
Each demand source is integrated through our mediation layer with consent signals (TCF v2.2, GPP) passed through. Users in applicable regions can opt out of personalized advertising through the in-app privacy settings without losing access to non-personalized ad experiences.
Supplementary Note: We sign strict confidentiality agreements and Data Processing Agreements (DPAs) with all third-party partners, clearly defining data usage scope, retention period, and security responsibilities. We regularly audit third-party compliance. If any third party engages in improper data handling, we will immediately terminate the partnership and pursue appropriate remedies. Users can review the third-party sharing list and scope via in-app settings, and may withdraw authorization (withdrawal may affect advertising revenue and partial service availability).
We strictly adapt to the privacy regulations of all countries and regions worldwide. Combined with the latest policy changes in 2026, we have formulated differentiated compliance provisions for key regions to ensure end-to-end service compliance.
The legal grounds under which we process user data include: performance of the service agreement with the user, obtaining the user's explicit consent, and pursuing our legitimate interests (such as fraud prevention and service optimization). All data processing activities comply with Article 6 of the GDPR / UK-GDPR.
In accordance with Article 27 GDPR, our appointed EU and UK representatives will be made available for contact via contact@echodatagridapex.com. Response time: no more than 7 business days.
We strictly follow the latest transparency requirements of the EU Digital Services Act (DSA). We publicly disclose advertising placement rules, algorithmic recommendation logic, and content moderation standards. We publish regular transparency reports, clearly specifying data processing workflows and third-party partnership details, and accept supervision by EU regulatory authorities. If our applications involve user-generated content (UGC), we will publicly disclose content moderation mechanisms, complaint handling procedures, and violation handling standards to ensure users' right to information.
EU / UK users have the right to access, correct, and delete personal data at any time, to withdraw data processing consent, to request a copy of their personal data (data portability), and to lodge complaints with the European Data Protection Board (EDPB) or the UK Information Commissioner's Office (ICO).
We expressly commit that we will not sell users' personal information to any third party (including advertisers and data brokers). However, according to the legal definitions of California CPRA and Virginia VCDPA, sharing device IDs and other non-sensitive information with third parties to achieve advertising personalization may be considered "data sharing." We will clearly inform users of such sharing in-app. Users have the right to opt out of such sharing at any time.
We fully respect the "Do Not Track" setting in the device system. If a user enables this setting, we will stop collecting user behavioural trajectory data and will no longer use it for personalised advertising or recommendations. We will retain only the minimum data necessary to maintain service operation.
We strictly follow the Brazilian General Data Protection Law (LGPD). Explicit user authorization must be obtained before collecting personal information, with clear notification of purpose, scope, and method. We protect Brazilian users' rights to access, correct, delete, and withdraw consent. A dedicated compliance officer handles Brazilian user data requests. User data is stored on servers within Brazil and is not transferred abroad without approval from the Brazilian National Data Protection Authority (ANPD).
We follow the Personal Information Protection Law (PIPL), Data Security Law (DSL), and the Provisions on Promoting and Regulating Cross-border Data Flows. Explicit consent must be obtained before collecting personal information. Local data storage requirements are fulfilled — user data of users in China is stored on servers within mainland China. We do not improperly collect sensitive personal information and cooperate with the Cyberspace Administration of China (CAC) for regulatory inspections.
We follow the Digital Personal Data Protection Act (DPDP Act 2023). Data collection boundaries are clearly defined. Data is collected only after obtaining the user's written consent. A Data Protection Officer (DPO) has been appointed. Users may request deletion of personal data. Cross-border data transfer requires approval from the Ministry of Electronics and Information Technology (MeitY).
We follow the Personal Data Protection Law (PDPL). Local data storage requirements are fulfilled. User data is stored on servers within Saudi Arabia. No unauthorized cross-border transfer occurs. We accept supervision by the Saudi Data and AI Authority (SDAIA) / National Data Management Office (NDMO).
We adapt to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25. Data processing standards are clearly defined. User data rights are protected. We cooperate with local regulatory authority audits and respond to the 2026 global data sovereignty upgrade requirements.
We adapt to the Act on the Protection of Personal Information (APPI). Cross-border transfer rules are followed. We cooperate with audits by the Personal Information Protection Commission (PPC).
We adapt to the Personal Information Protection Act (PIPA). Data subject rights are respected and overseas transfer documentation is maintained per Korea Internet & Security Agency (KISA) standards.
We adapt to the Singapore Personal Data Protection Act 2012 (PDPA), Australia's Privacy Act 1988, and New Zealand's Privacy Act 2020. Cross-border transfer documentation and breach notification protocols are maintained in line with local statutory requirements.
If an application contains auto-renewing subscription services, we strictly follow the rules of the Apple App Store and Google Play Store, as well as global regional compliance requirements. The following disclosures are made to protect user rights to information and choice:
We collect only subscription-related necessary information, including:
Used for subscription management and service provision. No unrelated information is collected.
We clearly inform the user of subscription period (weekly/monthly/yearly), subscription price, trial period duration (if any), renewal rules, and subscription cancellation method. There are no hidden clauses.
24 hours before each auto-renewal charge, we send a charge reminder to the user via in-app pop-up, system push, etc., clearly stating the charge amount and charge time and providing direct access to cancel the subscription.
Users can cancel auto-renewal at any time via in-app "Settings → Subscription Management" or the App Store/Google Play subscription management page. After cancellation, no further charges will occur. Cancelling a subscription during the trial period incurs no fees.
If a free trial is provided, the subscription will automatically renew and be charged after the trial period ends. Users may cancel the subscription at any time during the trial period to avoid charges. If the user has used subscription-exclusive features during the trial period and then cancels, those features will immediately become unavailable.
If an application contains AI-generated content (including but not limited to text, audio, images, interactive scenes, etc.), we strictly follow global AI compliance requirements and make the following disclosures to protect user rights to information and legal interests:
All AI-generated content is clearly labeled as "AI-Generated" to distinguish it from human-created content and avoid misleading users. This complies with the EU AI Act and US state AI transparency requirements.
AI-generated content strictly follows global content moderation standards. Generating content that is violent, pornographic, vulgar, politically sensitive, racially discriminatory, or otherwise prohibited, or that contains false information, is not permitted. We implement a dual "AI-generation + human review" mechanism to ensure content compliance.
AI-generated content serves only as an auxiliary function and does not constitute any advice, commitment, or guarantee. We bear no responsibility for any loss incurred by the user based on AI-generated content. If AI-generated content infringes the intellectual property rights or reputation rights of others, we bear corresponding responsibility and promptly delete the non-compliant content.
Data used to train AI models is either compliantly collected or authorised non-sensitive data. User personal information or private data is never used to train AI models. User data security is rigorously protected.
Where our products meet the EU AI Act's high-risk system criteria, we maintain a complete risk management system, data governance framework, technical documentation, transparency disclosures, human oversight mechanisms, and accuracy/robustness/cybersecurity measures as required by Articles 9-15 of the AI Act.
We do not knowingly collect personal information from children under 13 (or under the applicable age of digital consent in the relevant jurisdiction: 13 in the US under COPPA, 13 in the UK under the Age-Appropriate Design Code, 16 in Spain and Portugal, 14 in China under PIPL, etc.).
Our applications implement age-screening mechanisms. Where users are identified as under the age of digital consent, we either disable account creation and certain data collection, or require verifiable parental consent before any personal data is processed.
We never use behavioural or targeted advertising for users identified as minors. All advertising served to minors is contextual and age-appropriate.
Parents and guardians may review, request deletion of, or restrict further collection of their child's personal information by contacting us at contact@echodatagridapex.com. Response time: within 7 business days.
As global data sovereignty awareness strengthens in 2026, multiple countries/regions have introduced stricter data localisation requirements. We strictly follow the rules below to avoid violations:
Our website uses only strictly necessary cookies for session management, language preferences, and security purposes. We do not use marketing or third-party tracking cookies on our corporate website.
Cookie categories in use on echodatagridapex.com:
Our mobile applications do not use cookies. They rely on device-level identifiers (IDFA, GAID, OAID) that are subject to the consent flows described in this policy. Users can revoke consent at any time via in-app privacy settings or via their device's privacy controls.
We fully respect the "Do Not Track" browser setting. When DNT is enabled, we disable all non-essential tracking technologies on our website.
We honour the Global Privacy Control (GPC) signal as a valid opt-out preference for US state privacy law compliance (CCPA/CPRA, VCDPA, CPA, CTDPA, etc.).
Depending on your jurisdiction, you may have some or all of the following rights:
To exercise any of these rights, contact us at contact@echodatagridapex.com. We respond to all verified requests within the timeframes required by applicable law (typically 30 calendar days for GDPR, 45 days for CCPA).
For business customers and partners who process personal data through our Services, we provide a Data Processing Addendum (DPA) that includes the European Commission's Standard Contractual Clauses (SCCs) approved by Decision (EU) 2021/914, the UK International Data Transfer Addendum to the EU SCCs, and supplementary measures consistent with the Schrems II decision.
The DPA forms part of your agreement with us upon signature. It addresses: subject matter and duration of processing, nature and purpose, type of personal data, categories of data subjects, processor obligations, sub-processor management, international data transfers, security measures, audit rights, breach notification, and return or deletion of data at end of services.
To request a copy of our DPA, contact contact@echodatagridapex.com.
We employ industry-leading technical and organisational measures to protect personal data, including but not limited to:
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
When we transfer personal data out of the country/region where it was collected, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws. These safeguards may include:
Under our local-first architecture, the majority of user content never leaves the user's device. Cross-border transfers are limited to: encrypted device identifiers (for ad serving), anonymized aggregated metrics (for product improvement), and legally required billing information.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, and other factors. When we make material changes, we will:
We recommend that you review this policy periodically to stay informed about how we protect your personal data.
If you have any questions, comments, or complaints regarding this Privacy Policy or our data handling practices, please contact us via any of the following channels:
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority:
Document Version: 2026.1 — Global Compliance Deep-Enhancement Edition
Effective Date: June 1, 2026
Last Reviewed: June 2026
Next Scheduled Review: December 2026
Document Owner: ECHODATAGRIDAPEX Privacy Engineering Team