Privacy Policy

Version: 1.0 Effective Date: October 21, 2025 Last Updated: October 21, 2025

1. Introduction

This Privacy Policy explains how ehkootay (styled as eh•koo•tay) ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our service (the "Service").

IMPORTANT ALPHA/PRE-ALPHA NOTICE: ehkootay is currently in alpha/pre-alpha development. During this early phase, our privacy practices may evolve as we build out the service. We will update this policy to reflect any changes and notify you of material changes via email.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

We may update this Privacy Policy from time to time. For minor or clarifying changes, we will update the "Last Updated" date above. For material changes that affect how we handle your personal information, we will notify you by email at least 30 days before the changes take effect.

For questions about this Privacy Policy, contact us at [email protected].

Our Terms of Service govern your use of the Service.

2. Information We Collect

2.1 Information You Provide Directly

When you register for and use the Service, we collect:

Email Address: Used for account creation, authentication, and communication
Feed Configurations: The podcast feeds you create and customize
Episode Selections: Podcast episodes you add to your feeds or suggest to friends
Recommendations: Episodes or podcasts you suggest to other users
Account Preferences: Settings and preferences you configure

2.2 Information Collected Automatically

When you use the Service, we may automatically collect:

Usage Data: How you interact with the Service (feeds accessed, episodes added to feeds, recommendations made, features used)
Technical Data: IP address, browser type, device information, operating system
Access Logs: Timestamps of when you access the Service and which parts you use

2.3 Information We Do NOT Collect

Currently, we do not:

Use cookies for tracking purposes
Collect location data beyond what is revealed by your IP address
Use analytics or tracking services (Google Analytics, etc.)
Collect payment information (the Service is currently free)

If we begin collecting additional types of data in the future, we will update this Privacy Policy and notify you.

2.4 Information About Podcast Content

Important: We do not collect, store, or host the actual podcast audio files or artwork files. We store episode metadata (including titles, descriptions, publication dates, and links to audio files and artwork) for episodes added to your feeds as snapshots at the time they were added. The actual audio and artwork content remains hosted by third-party podcast providers.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Provision

Creating and maintaining your account
Generating your custom RSS feeds
Enabling you to share and discover podcast episodes
Processing recommendations to and from other users
Providing customer support and responding to your inquiries

3.2 Service Improvement and Debugging

Debugging technical issues and errors
Understanding how users interact with the Service
Improving features and developing new functionality
Ensuring the Service operates securely and reliably

3.3 Communication

Sending service-related emails (account notifications, security alerts)
Communicating with alpha/beta participants about the program
Notifying you of material changes to our Terms of Service or Privacy Policy

We will not send you marketing emails without your explicit consent.

3.4 Legal and Safety

Complying with legal obligations
Enforcing our Terms of Service
Protecting against fraud, abuse, and security threats
Responding to law enforcement requests as described in Section 8

4. How We Share Your Information

4.1 Third-Party Service Providers

Your email address passes through servers controlled by third-party service providers that help us operate the Service:

Fly.io: Hosting infrastructure provider (stores and processes all Service data)
Tigris (via Litestream): Backup and disaster recovery service (stores encrypted database backups)
Cloudflare: Content delivery and DDoS protection (processes requests to the Service)
Mailgun: used to send and receive transactional, service emails for ehkootay.com
Gmail: used to send and receive "human" emails on behalf of ehkootay.com
Honeycomb & Grafana Cloud: Observability and debugging services (processes logs, traces, and request data for service monitoring and debugging)

These service providers have access to your information only to perform specific tasks on our behalf and are obligated to protect your information and not use it for other purposes.

4.2 Podcast Services

When you add podcasts to your feeds, our servers make requests to third-party podcast hosting services (such as iTunes, RSS feed hosts, etc.) to retrieve episode information. These services will see requests coming from ehkootay's servers, but they will not see your personal information or identity—they only see that ehkootay's system is making a request.

4.3 Other Users

When you suggest episodes to a friend's feed, that friend will be able to see your recommendation. We do not share your email address or other personal information with other users unless you explicitly choose to do so.

4.4 Human Access by Our Team

Important Disclosure: During the alpha/pre-alpha phases and for ongoing service support and debugging, our team members (currently just the founder) may access your data, including:

Your email address
The podcasts and episodes you share
Your feed configurations and usage patterns

While we make efforts to minimize this access and will work to architect systems that separate personally identifiable information from usage data in the long term, we cannot guarantee anonymity during early operations. In the short term and during early development, a human (currently the founder) may see your data to provide and improve the Service.

We will never sell, rent, or otherwise share your data for marketing purposes.

4.5 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court, subpoena, or government agency). See Section 8 for details.

4.6 Business Transfers

If ehkootay is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

5. International Data Transfers

The Service is operated from the United States. If you are located outside the United States, please be aware that information we collect will be transferred to, processed, and stored in the United States.

5.1 European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data in accordance with the General Data Protection Regulation (GDPR). Our legal bases for processing your data include:

Contractual Necessity: Processing is necessary to provide the Service you requested
Legitimate Interests: Processing is necessary for our legitimate interests in operating and improving the Service, provided those interests are not overridden by your rights
Legal Obligation: Processing is necessary to comply with legal requirements
Consent: Where required, we will obtain your explicit consent

By using the Service, you acknowledge and consent to the transfer of your data to the United States.

5.2 Your Rights Under GDPR

If you are an EEA, UK, or Swiss resident, you have certain rights regarding your personal data. See Section 9 for details.

6. Data Security

We take the security of your personal information seriously and implement reasonable technical and organizational measures to protect it against unauthorized access, loss, destruction, or alteration.

6.1 Security Measures

Our security measures include:

Encrypted connections (HTTPS/TLS) for all data transmitted to and from the Service
Database backups transmitted securely (TLS) to Tigris and encrypted at rest by Tigris
Email-based authentication (no passwords stored)
Access controls limiting who can access production systems and data
Regular security updates and monitoring

6.2 Limitations

However, please be aware that:

No method of transmission over the Internet or electronic storage is 100% secure
We cannot guarantee absolute security of your information
You are responsible for maintaining the confidentiality of your account credentials

If you become aware of any security breach or unauthorized access to your account, please contact us immediately at [email protected].

7. Data Retention and Deletion

7.1 How Long We Keep Your Data

We retain your personal information for as long as your account is active or as needed to provide you with the Service.

7.2 Account Deletion

When you delete your account (or we terminate your account):

Production Systems: Your data will be deleted from our production systems nearly immediately, typically within 24-48 hours
Backups: Data may persist in backups for up to 90 days after deletion before being permanently removed
Debug/Support Data: Information related to debugging or security issues may be retained longer (see Section 7.3)

After the backup retention period, your data will be permanently and irrecoverably deleted.

7.3 Exceptions to Standard Retention

We may retain certain data longer than the standard retention period when:

Legal Requirements: We are required by law to retain data (e.g., tax records, legal holds)
Legal Proceedings: Data is relevant to ongoing or anticipated legal proceedings, disputes, or enforcement of our Terms
Fraud/Abuse Prevention: Data is needed to prevent fraud, abuse, or other harmful activity
Debugging/Security: Data is needed to investigate or resolve technical or security issues

When retaining data under these exceptions, we will:

Remove or anonymize personally identifiable information when reasonably possible
Limit access to only those who need it for the specific purpose
Delete the data as soon as it is no longer needed for the exception purpose

8. Government Requests and Legal Compliance

8.1 Law Enforcement Requests

We will not share your data with government entities or law enforcement without a valid warrant, subpoena, court order, or other legally binding request, except as described in Section 8.2.

When we receive a legal request for user data, we will:

Verify the request is valid and legally sufficient
Provide only the data specifically requested and legally required
Attempt to notify you of the request, except where prohibited by law or where we believe notice could create a risk of harm

8.2 Mandatory Reporting of Illegal Activity

Notwithstanding Section 8.1, we are required by law—and it is our policy—to report certain illegal activities to appropriate authorities, including but not limited to:

Child sexual abuse material (CSAM) or child exploitation
Imminent threats of violence or harm to individuals
Other activities that we are legally required to report

When we identify or become aware of such illegal activity, we will:

Report it to the appropriate authorities (e.g., National Center for Missing & Exploited Children, law enforcement)
Preserve and share relevant data without requiring a warrant or court order
Not notify the user in advance, as doing so could interfere with investigations or create additional risk

8.3 Transparency

We believe in transparency with our users. Except where prohibited by law or where we believe notice could create a risk of harm, we will make reasonable efforts to notify users when their data is requested by government entities.

9. Your Privacy Rights

9.1 Rights Available to All Users

Regardless of where you are located, you have the following rights:

Access: You may request a copy of the personal information we hold about you
Correction: You may request that we correct inaccurate or incomplete information
Deletion: You may request that we delete your account and personal information (subject to exceptions in Section 7.3)
Opt-Out of Communications: You may opt out of non-essential emails by following the unsubscribe instructions in those emails

To exercise these rights, contact us at [email protected].

9.2 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You can request details about the personal information we collect, use, disclose, and sell (we do not sell personal information)
Right to Delete: You can request deletion of your personal information, subject to certain exceptions
Right to Opt-Out: You have the right to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information for these purposes)
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at [email protected]. We will respond to your request within 45 days.

9.3 Additional Rights for European Users (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the GDPR:

Right of Access: You can request access to your personal data
Right to Rectification: You can request correction of inaccurate data
Right to Erasure ("Right to be Forgotten"): You can request deletion of your data in certain circumstances
Right to Restriction of Processing: You can request that we limit how we use your data
Right to Data Portability: You can request a copy of your data in a structured, machine-readable format
Right to Object: You can object to our processing of your data in certain circumstances
Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time
Right to Lodge a Complaint: You can file a complaint with your local data protection authority

To exercise these rights, contact us at [email protected]. We will respond to your request within 30 days.

10. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at [email protected]. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to delete that information.

11. Cookies and Tracking Technologies

11.1 Current Use

We do not use cookies for tracking or analytics purposes. We use essential cookies necessary for the operation of the Service (e.g., to keep you logged in).

11.2 Cookies

We use the following cookies to operate the Service:

wwwIdentity: Authentication - keeps you logged in to your account

11.3 Future Use

If we begin using additional cookies or other tracking technologies in the future (for analytics, advertising, or other purposes), we will:

Update this Privacy Policy with details about what cookies we use and why
Notify you of the change via email if the change is material
Where required by law (e.g., GDPR), obtain your consent before placing non-essential cookies

12. Third-Party Links

The Service may contain links to third-party websites or services (such as podcast hosting platforms, episode pages, etc.). We are not responsible for the privacy practices of these third parties.

We encourage you to read the privacy policies of any third-party websites or services you visit. This Privacy Policy applies only to information collected by ehkootay.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

13.1 Notice of Changes

Minor Changes: For clarifications or non-material changes, we will update the "Last Updated" date at the top of this policy
Material Changes: For changes that materially affect how we collect, use, or share your personal information, we will notify you by email at least 30 days before the changes take effect

13.2 Effective Date of Changes

Material changes will include an "Effective Date" that is at least 30 days after we notify you. Your continued use of the Service after the Effective Date constitutes acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Email: [email protected]

For questions about our Terms of Service, contact us at [email protected].

For questions about the alpha program, see Alpha Program Information.

14.1 Data Protection Officer

For GDPR-related inquiries, you may contact our Data Protection Officer (currently the founder) at [email protected].

14.2 EU Representative

We do not currently have an EU representative. If required in the future, we will update this section with contact information.

15. Summary of Key Privacy Practices

For your convenience, here is a summary of our key privacy practices:

What we collect: Email, feed configurations, usage data
Why we collect it: To provide and improve the Service
Who sees it: Our hosting providers (Fly.io, Tigris, Cloudflare, Gmail) and our team for debugging/support
How long we keep it: While your account is active, plus up to 90 days in backups after deletion (longer if legally required)
Your rights: Access, correction, deletion, and portability of your data
Your control: You can delete your account at any time
Security: We use encryption and access controls to protect your data
We don't: Sell your data, use analytics/tracking, or share your identity with podcast services

By using ehkootay, you acknowledge that you have read, understood, and agree to this Privacy Policy.