Privacy Policy
Last updated: May 15, 2026
Who We Are
ProofEcho is operated by M. Robi, based in Indonesia. You can reach us at [email protected].
ProofEcho is a testimonial collection and management platform. Our customers (businesses) use ProofEcho to collect, organize, and display testimonials from their own customers. This policy covers both our customers who sign up for ProofEcho accounts and the people who submit testimonials through our forms.
Our Role vs. Your Role
When you sign up for a ProofEcho account, we are the data controller for your account information, billing details, and product usage data. We decide how and why this data is processed.
When your customers submit testimonials through your forms, we act as a data processor on your behalf. You, the form owner, are the data controller for the testimonial content your customers submit. You decide what data to collect, how to use it, and whether to publish it. We store and process it according to your instructions.
Children
ProofEcho is a business tool intended for users 16 years of age or older. We do not knowingly collect personal data from anyone under 16 to create a ProofEcho account. If you become aware that a child under 16 has signed up, please contact us at [email protected] and we will close the account and delete the data. If our customers collect testimonials from children under 16 through their forms, those customers are responsible for obtaining verifiable parental consent under COPPA (US), the UK Children's Code, and equivalent laws.
Data We Collect
Account holders
When you create a ProofEcho account, we store:
- Name, email address, and profile image
- Password (hashed) if using email/password sign-up. If you sign in with Google, we receive your name, email, and profile picture from your Google account; we do not store your Google password or access token after the login session is established.
- Organization name and settings
- Subscription and billing status (managed by Polar)
- Optional feedback you choose to provide, such as a cancellation survey answer and comment, or a feature access request and its reason. We use this to improve the service and to respond to your request; it is never shared with advertisers.
Testimonial submitters
When someone submits a testimonial through a ProofEcho form, we may collect on behalf of the form owner:
- Name, email, job title, and company
- Testimonial content (text, video, or audio recordings, images)
- Rating, consent preferences, and optional social links
- Custom form responses as configured by the form owner
Automatically collected
- IP address and browser user agent (for session security and submission rate limiting)
- Basic usage events such as form views and widget impressions (stored in our own database, not sent to third-party analytics)
How We Use Your Data
- To provide and operate the ProofEcho service
- To send transactional emails: account verification, password resets, team invitations, testimonial requests, and subscription notifications
- To generate sample testimonials using AI when a new account is created (to help users explore the product)
- To provide optional AI-powered analysis of your testimonials when you choose to use the Analyze feature (Pro plan)
- To process payments and manage subscriptions
- To enforce rate limits and prevent abuse (using IP addresses stored temporarily in memory)
- To display testimonials through widgets and embeds as configured by our customers
Transactional emails only. ProofEcho currently sends only transactional and account-related emails (verification, password reset, team invitations, testimonial requests you initiate, billing receipts, lifecycle notices, and security alerts). We do not run a marketing newsletter and do not add you to one when you sign up. If we add marketing or promotional emails in the future, we will ask for separate opt-in consent before sending, and every marketing email will include a one-click unsubscribe link as required by CAN-SPAM and GDPR.
Lawful Basis for Processing
Depending on your location, we process your data under the following legal bases:
- Contract: to provide the service you signed up for (account management, billing, testimonial collection and display)
- Legitimate interest: to prevent abuse, maintain security, improve the service, and send transactional communications
- Consent: where required by local law, such as for testimonial submitters who choose their sharing preferences before submitting
Third-Party Services (Sub-processors)
We use the following sub-processors to operate ProofEcho. Each has its own privacy policy. We do not sell or share your personal data with advertisers. If we add or remove a sub-processor, we will update this list and notify active customers by email at least 30 days in advance for material changes.
- Railway: application hosting in Singapore. Runs our web server, background workers, and managed PostgreSQL database
- Cloudflare: CDN, DNS, and R2 media storage (served from media.proofecho.com) for videos, audio, and images
- Resend: transactional email delivery; we track delivery status, bounces, and complaints to maintain email health
- Polar: subscription billing and payments; payment details are handled entirely by Polar and we do not store credit card numbers
- Google: OAuth sign-in; we receive your name, email, and profile picture from your Google account to create your ProofEcho profile. We do not request access to your Gmail, Google Drive, Google Calendar, or any other Google services
- OpenAI: powers the optional AI analysis feature and, for new accounts, generates sample seed testimonials so you can explore the dashboard before collecting real ones. When you run AI analysis, we send testimonial text, ratings, and tags to OpenAI's API. We do not send submitter email addresses, IP addresses, account passwords, billing details, or media files. Under OpenAI's current API data usage policy, API inputs are not used to train OpenAI models and are retained by OpenAI for up to 30 days for abuse monitoring before deletion
- Sentry: error monitoring. When the application throws an unhandled error, Sentry receives a stack trace and a limited request context. Stack traces can occasionally contain personal data (such as your user id or an email address present in a request body). We sample traces at 5% in production and use Sentry only for diagnostic purposes
- Slack and Discord: optional outbound integrations. When you enable a Slack or Discord integration on your organization, ProofEcho posts new testimonial notifications to the channel you connect. The notification includes the author name, testimonial text preview, rating, and a link back to ProofEcho — the same information visible inside the dashboard. You can disconnect at any time and we keep the last 10 delivery attempts per automation for debugging
Data Processing Agreement (DPA)
When you collect testimonials through ProofEcho, we process those submitters' personal data on your behalf as a data processor (you are the data controller). Business customers, including those subject to GDPR, may request our Data Processing Agreement by emailing [email protected]. The DPA covers our processor obligations, sub-processor list, security measures, breach notification, and international transfer mechanisms.
Media and File Storage
Uploaded and recorded media (videos, audio, images) are stored on Cloudflare R2 servers. Files are organized by organization and are not publicly accessible unless explicitly published through a widget, embed, or testimonial page by the account owner.
Cookies and Sessions
We use only cookies that are strictly necessary to operate the service. We do not use analytics cookies, advertising cookies, or session-recording tools, and we do not need a cookie consent banner for these essential cookies under GDPR/ePrivacy.
- Session cookies (first-party, essential) set by better-auth on the ProofEcho domain. HTTP-only, Secure, SameSite=Lax. Used to keep you signed in and to protect against CSRF. Cleared when you sign out or when the session expires.
- OAuth state cookies (first-party, essential) short-lived cookies used during Google, Slack, or Discord sign-in/connect flows to prevent CSRF on the redirect callback. Deleted immediately after the callback completes.
- Polar checkout cookies (third-party, essential) set by Polar.sh on its own domain only when you start a Pro checkout. Used by Polar to complete the payment session. ProofEcho cannot read these cookies. See Polar's privacy policy for details.
Session records store your IP address and browser user agent so we can detect suspicious sign-in activity. We do not load Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, FullStory, or any similar tracker on the ProofEcho dashboard or marketing site.
Data Retention and Deletion
- Account deletion. You can delete your account at any time from your account settings. We send a verification email first to confirm the request. Once confirmed, your user record, sessions, and personal profile data are removed from our database immediately. Organization data you own follows the "Organization deletion" rules below.
- Organization deletion. Organization owners can delete their organization and all associated data (testimonials, forms, media files in R2, widgets, automations, settings) from organization settings. Deletion is immediate and cascades to all org-scoped tables.
- Inactive organizations. If your organization becomes inactive (no Pro subscription and no activity), it follows our organization-lifecycle policy: after a grace period it is archived (read-only), and after a longer period it is soft-deleted. We send email notifications at each stage so you can re-activate or export your data before deletion.
- Pro downgrade. If you downgrade from Pro, your account reverts to free-tier limits at the end of your current billing period. Every testimonial's text, rating, author, and tags are kept indefinitely. For 90 days after downgrade you can resubscribe and nothing is touched. After 90 days, a one-time media cleanup removes image files on testimonials beyond your latest 100, video files beyond your latest 10 video testimonials, and audio files beyond your latest 20 audio testimonials. Text and rating data are unaffected. You can download all testimonials and media at any time during the countdown.
- Operational retention windows. We prune high-volume audit tables on a daily worker:
- Email delivery logs (bounces, complaints): 90 days
- Usage analytics events (form views, widget impressions): 90 days
- Media compression metrics: 90 days
- Polar webhook events: 30 days
- In-memory data. IP addresses used for rate limiting and login-attempt tracking are held in application memory only (no database row). They are cleared on each deploy, and entries that fall outside the sliding window expire within hours.
- Backups. Managed PostgreSQL backups (via Railway) may retain deleted data for the backup-retention period of our hosting provider as a disaster recovery safety net. Backups are encrypted at rest and automatically rotated; older copies are permanently deleted by the provider.
- Unpublished testimonials. Testimonials that are never approved (or are rejected) remain in the dashboard until you delete them or delete the organization.
- To request manual data deletion or export, email us at [email protected]. We respond within 30 days.
Security
We take reasonable measures to protect your data, including:
- Passwords are hashed (never stored in plain text) and managed by the better-auth library
- All data in transit is encrypted via HTTPS/TLS, including media served from Cloudflare R2
- Database connections require SSL in production
- Login sessions use HTTP-only cookies; OAuth state is HMAC-signed to prevent CSRF
- Outbound webhook integrations pass through an SSRF guard that blocks private and reserved IP ranges
- Media files are stored in private R2 buckets and only served through explicitly published widget / Wall of Love paths
- Sentry monitors application errors so we can detect and patch security regressions quickly
No system is 100% secure. If you discover a security vulnerability, please report it to [email protected] and we will respond as soon as we can.
Data Breach Notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected account holders and (where required) the relevant supervisory authority without undue delay, and in any event within 72 hours of becoming aware. Notifications will describe the nature of the breach, the data categories affected, the likely consequences, and the steps we are taking to mitigate it.
Rate Limiting and Abuse Prevention
To prevent abuse, ProofEcho enforces multiple rate-limit layers, all using sliding-window counters held in application memory (no database row, no cross-deploy persistence):
- Public testimonial form submission: 5 per IP per hour, plus 1 per email per 24 hours per form
- Public form media upload: 30 per (IP, form) per hour, 60 per IP per hour
- Per-organization free-tier submission ceiling: 60 per minute and 600 per hour
- Sign-up and sign-in attempts: 5 per minute
- Password reset and email-verification requests: 3 per 5 minutes
- Anonymous analytics event ingestion: 120 per IP per minute, 6000 per org per minute
Public forms also use a hidden honeypot field to deflect bots, and integration webhooks pass through an SSRF guard that blocks private and reserved network ranges. We do not retain blocked-request data beyond the rolling sliding-window itself.
International Data
ProofEcho is operated from Indonesia with infrastructure hosted in Singapore (Railway) and globally distributed via Cloudflare. By using ProofEcho, you acknowledge that your data may be processed and stored in these locations.
Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (the "right to be forgotten")
- Export your data in a structured, commonly used format
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- California residents (CCPA / CPRA): the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of any sale or sharing for cross-context behavioral advertising. ProofEcho does not sell personal information and does not engage in cross-context behavioral advertising. We will not discriminate against you for exercising these rights.
- EU / UK residents (GDPR): the rights above plus the right to lodge a complaint with your local supervisory authority. Our lawful bases are listed in the "Lawful Basis for Processing" section above.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
Complaints
If you have a concern about how we handle your data, please email [email protected] first so we can try to resolve it. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.
Changes to This Policy
We may update this policy from time to time. If we make significant changes, we will notify you through the application or by email. The date at the top of this page indicates when it was last updated.
Contact
ProofEcho is operated by M. Robi. For privacy-related questions or requests, email us at [email protected].