Data Policy & Security

1. Data Handling

1.1 Data Collection

ECHO collects only the data necessary to provide our services:

Account information (email, name, student ID)
Profile data (location, schedule, preferences)
Usage data (travel history, connections)
Device information (push notification tokens)

1.2 Data Processing

We process your data to:

Match you with potential travel companions
Send notifications about nudge requests
Maintain your travel history and contacts
Improve app functionality and user experience

1.3 Data Storage

Your data is stored securely on Supabase infrastructure, which complies with industry-standard security practices. Data is encrypted both in transit and at rest.

2. Security Measures

2.1 Technical Security

Encryption: All data is encrypted using TLS 1.3 for data in transit and AES-256 for data at rest
Authentication: Secure password hashing and email verification required for all accounts
Access Control: Row-level security policies ensure users can only access their own data
API Security: All API requests are authenticated and rate-limited

2.2 Operational Security

Regular security audits and updates
Monitoring for suspicious activities
Secure backup procedures
Limited access to production data

2.3 Privacy Protection

EWU email verification ensures only legitimate students can join
Gender preferences allow users to control who can match with them
Contact information is only shared after mutual acceptance
Users can delete their account and all associated data at any time

3. Data Sharing

We are committed to protecting your privacy:

No Third-Party Sales: We never sell your personal data
Limited Sharing: Information is only shared with matched travel companions after mutual acceptance
Service Providers: We use trusted third-party services (Supabase, Expo) that are bound by strict privacy agreements
Legal Compliance: We may disclose data if required by law or to protect user safety

4. User Controls

You have full control over your data:

View and edit your profile information
Control schedule visibility and gender preferences
Manage your travel history and contacts
Delete your account and all associated data
Export your data if needed

5. Data Retention

We retain your data only as long as necessary:

Active accounts: Data is retained while your account is active
Deleted accounts: Most personal data is removed immediately upon account deletion
Safety data retention: Minimal safety information is retained even after account deletion (see below)
Legal requirements: Some data may be retained longer if required by law

Data Retained After Account Deletion

For student safety and accountability purposes, we retain minimal information even after account deletion:

Student ID: For accountability and safety reporting
Account deletion timestamp: Record of when the account was deleted
Minimal travel connection records: Basic information about travel companions for incident reporting

Purpose: This information is retained to ensure student safety and accountability. If an incident occurs during travel, we need to be able to identify who was involved for safety reporting and legal compliance purposes. This prevents misuse of the platform and protects all students.

Access: This information is only accessed in case of safety incidents, legal requirements, or official investigations. It is not used for any other purpose.

6. Breach Notification

In the unlikely event of a data breach, we will:

Notify affected users within 72 hours
Provide details about what data was compromised
Recommend steps to protect your account
Work immediately to resolve the issue

7. Compliance

We are committed to complying with applicable data protection laws and regulations. While we are currently focused on EWU students, we maintain high standards for data protection.

8. Contact Us

For questions about data handling, security, or to report a security concern:

Email: support.echo@akhlak.dev