NightEchoesAI — Privacy Policy

Contents

Data Controller
Scope of This Policy
Data We Collect & Why
Legal Basis for Processing (GDPR Art. 6)
Data Processors & Third Parties
International Data Transfers
Anonymous Analytics & Usage Statistics
Conversation Data
Cookies & Local Storage
Data Retention
Data Security
Children & Minors
Your Rights Under GDPR
Exercising Your Rights
Complaints
Changes to This Policy
Contact

01 Data Controller

The data controller responsible for your personal data is:

Manfred Uschan
Unterneuberg 136
8225 Pöllau
Austria (Österreich)

Email: unifiedbizdesk@gmail.com
Tel: +43 699 12342155

This is a private, non-commercial project. The Operator is not a registered business and does not hold a UID or Gewerbeschein in connection with this Platform.

02 Scope of This Policy

This Privacy Policy applies to all personal data collected through:

The NightEchoesAI website at nightechoesai.mirrorsoulai.com;
The beta application form on the website;
The bug report form on the website;
The contact / impressum form on the website;
Any AI companion bot operated via Telegram as part of the NightEchoesAI platform.

This policy does not apply to third-party services you may use to access or interact with the Platform (such as Telegram), which are governed by their own privacy policies.

03 Data We Collect & Why

We collect only the data necessary to operate the Platform and process beta applications. The table below details each category.

Data Category	Specific Data	Source	Purpose
Application data	Telegram Client ID, email address, age, gender (optional), companion preferences, referral source, motivation text	Beta application form	Evaluating and managing beta tester selection; contacting selected applicants
Bug report data	Companion name, conversation excerpts (user input & bot output), expected behaviour description, screenshot (optional), Telegram ID (optional)	Bug report form	Identifying, reproducing, and resolving platform defects
Contact data	Name, email address, subject, message content	Contact / impressum form	Responding to enquiries, legal notices, and data subject requests
Conversation data	Messages sent to AI companions, timestamps, session identifiers	Telegram bot interactions	Enabling AI companion functionality; generating memory summaries; improving the platform
Anonymous analytics	Message frequency, session length, response timings, feature interaction counts	Platform systems (automated)	Platform development and quality improvement
Technical data	IP address (rate limiting only, not stored long-term), submission timestamps	Web forms	Spam prevention and rate limiting

We do not collect payment information. We do not build advertising profiles. We do not sell your data to any third party under any circumstances.

04 Legal Basis for Processing (GDPR Art. 6)

All processing of personal data is grounded in one or more of the following lawful bases under Article 6 of the General Data Protection Regulation (EU) 2016/679:

Art. 6(1)(b) — Contract performance: Processing necessary to evaluate and fulfil the beta participation agreement (application data, contact data).
Art. 6(1)(a) — Consent: Processing based on your freely given, specific, and informed consent provided when submitting forms or accepting the age/consent gate. You may withdraw consent at any time — see Section 13.
Art. 6(1)(f) — Legitimate interests: Processing of anonymous usage analytics and technical data for platform development and spam prevention, where these interests are not overridden by your rights.
Art. 6(1)(c) — Legal obligation: Processing required to comply with applicable Austrian law, including responding to verified legal requests.

For any sensitive data (e.g. content of adult conversations), processing is additionally grounded in Art. 9(2)(a) GDPR — your explicit consent, given by voluntarily initiating and continuing interaction with adult-oriented Companions.

05 Data Processors & Third Parties

We use the following third-party processors. Each processes your data only as necessary to provide their service and is subject to their own privacy policy and, where applicable, EU data protection law.

PHP mail() / Hosting Provider
Form submissions are processed server-side via the hosting provider's mail infrastructure. Data is transmitted over HTTPS and delivered directly to the Operator's inbox. No third-party form service is used. Your data passes only through the hosting server and Gmail.

Google LLC (Gmail)
Form submission data is received into a Gmail inbox operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google processes this data as part of its Gmail service and may store it on servers outside the European Economic Area. Google participates in the EU-U.S. Data Privacy Framework (DPF). Google's Privacy Policy: policies.google.com/privacy.

Telegram Messenger Inc.
AI companion conversations take place within the Telegram platform. Telegram processes message data in accordance with its own Privacy Policy (telegram.org/privacy). The Operator has access to messages sent to its bots for the purpose of generating AI responses and maintaining conversation memory.

Hosting Provider (A2 Hosting / shared webhost)
Website files and form-processing scripts are hosted on a shared web server. The hosting provider may have access to server logs including IP addresses and request metadata in the ordinary course of providing hosting services.

We do not use advertising networks, social media trackers, Google Analytics, or any other analytics or marketing platform.

06 International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically the United States, via Google's Gmail service.

Such transfers are carried out on the basis of:

Google's participation in the EU-U.S. Data Privacy Framework, which provides an adequate level of protection as recognised by the European Commission;
Standard Contractual Clauses (SCCs) adopted by the European Commission, where applicable.

Conversation data processed via Telegram may also be stored outside the EEA. Telegram's international transfer mechanisms are governed by Telegram's Privacy Policy.

07 Anonymous Analytics & Usage Statistics

The Platform collects anonymous usage statistics to understand how Companions are used and to guide development priorities. This data includes:

Message frequency and session duration;
Response time and system performance metrics;
Feature interaction counts (e.g. how often proactive messaging triggers);
Intimacy level progression patterns (aggregated, not per-user).

This data is fully anonymised before storage — it cannot be linked back to any individual user, Telegram account, or conversation. It is used solely for internal development purposes and is never shared with third parties.

By accepting the Platform's age/consent gate or submitting a beta application, you consent to this anonymous data collection.

08 Conversation Data

Messages sent to AI Companions and the AI-generated responses are processed by the Platform's local AI inference system (Ollama, running on the Operator's own hardware). This means conversation data is not transmitted to third-party AI providers such as OpenAI, Anthropic, or Google AI.

Conversation data is stored locally to enable:

Persistent memory across sessions (conversation history window);
Cross-session narrative summaries;
Entity memory (names, preferences, topics mentioned);
Intimacy and mood tracking.

Conversation data is retained for as long as you remain an active user of the Platform. Inactive accounts (no messages for 12 months) may have their stored conversation data purged.

Important: Do not share sensitive personal information (such as your full name, address, financial details, or identifying information about third parties) in conversations with AI Companions. Such information is not necessary for the Platform to function and its inclusion in conversation data creates unnecessary privacy risk.

09 Cookies & Local Storage

The NightEchoesAI website uses minimal browser storage:

Age verification (sessionStorage): A flag indicating that you have passed the age gate, stored for the duration of your browser session. Cleared when you close the tab.
Theme preference (localStorage): Your chosen light/dark theme setting. Stored indefinitely until cleared by you. Contains no personal data.
Cookie consent decision (localStorage): Whether you accepted or declined cookies. Stored indefinitely until cleared by you. Contains no personal data.

We do not use advertising cookies, tracking pixels, Google Analytics, or any third-party cookies of any kind. No cookie consent is required under ePrivacy Directive for strictly functional storage of this nature, but we inform you of it for full transparency.

10 Data Retention

Data Category	Retention Period
Beta application data	Duration of beta program + 12 months, or until deletion requested
Bug report data	Until issue resolved + 6 months, then deleted
Contact form data	Duration of correspondence + 12 months
Conversation data (bot memory)	While account is active; purged after 12 months of inactivity
Anonymous analytics	Aggregated indefinitely (no personal data retained)
IP addresses (rate limiting)	Maximum 1 hour in temporary cache; not stored permanently

Upon project discontinuation, all personal data will be deleted within 30 days of the Platform ceasing operation.

11 Data Security

The Operator implements reasonable technical and organisational measures to protect your personal data, including:

HTTPS encryption for all website and form transmissions;
Local AI inference ensuring conversation data does not leave the Operator's own infrastructure to third-party AI services;
Access controls on the web dashboard and bot administration interface;
No storage of payment information (none is collected).

However, no method of transmission over the internet or method of electronic storage is 100% secure. The Operator cannot guarantee absolute security and excludes liability for security breaches to the fullest extent permitted by law.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, the Operator will notify affected individuals without undue delay as required by GDPR Art. 34.

12 Children & Minors

The Platform is strictly restricted to persons aged 21 years or older. We do not knowingly collect personal data from anyone under the age of 21.

If the Operator becomes aware that personal data has been collected from a person under 21 without valid parental consent, that data will be deleted immediately. If you believe a minor has provided personal data to the Platform, please contact us at unifiedbizdesk@gmail.com immediately.

13 Your Rights Under GDPR

As a data subject under the General Data Protection Regulation (EU) 2016/679, you have the following rights with respect to your personal data:

Right of Access (Art. 15)

Request a copy of the personal data we hold about you and information about how it is processed.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure (Art. 17)

Request deletion of your personal data, subject to legal retention obligations.

Right to Restriction (Art. 18)

Request that we restrict processing of your data in certain circumstances.

Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format and transfer it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right Not to Be Profiled

We do not carry out automated decision-making or profiling with legal or similarly significant effects. This right is not currently applicable.

14 Exercising Your Rights

To exercise any of your rights, contact the Operator at:

Email: unifiedbizdesk@gmail.com
Subject line: GDPR Data Request — [Right you are exercising]
Include: Your Telegram ID or email address used in any form submission, and a description of your request.

We will respond to verified requests within 30 days of receipt. Where requests are complex or numerous, this period may be extended by a further 60 days — we will notify you if this is the case.

We may ask you to verify your identity before processing your request. We will not charge a fee for reasonable requests. Manifestly unfounded or excessive requests may be refused or charged a reasonable administrative fee.

15 Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority. In Austria, this is:

Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40–42, 1030 Wien, Austria
dsb.gv.at
+43 1 52 152-0

We encourage you to contact us first so we can address your concern directly before escalating to the supervisory authority.

16 Changes to This Policy

This Privacy Policy may be updated from time to time to reflect changes in our data practices, applicable law, or platform features. The effective date at the bottom of this page will be updated accordingly.

Where changes are material, we will notify active beta users via Telegram. Your continued use of the Platform after any update constitutes acceptance of the revised policy. If you do not accept the revised policy, you must discontinue use of the Platform and request deletion of your data.

17 Contact

For any privacy-related questions, data subject requests, or concerns:

Manfred Uschan — Data Controller
Unterneuberg 136, 8225 Pöllau, Austria
Email: unifiedbizdesk@gmail.com
Tel: +43 699 12342155

NightEchoesAI Privacy Policy · Version 1.0 · Effective date: 1 August 2026 · Governing law: Republic of Austria · GDPR (EU) 2016/679