Privacy Policy
Echelon Edge Pty Ltd | ABN 12 102 962 532 | talktrail.co Last updated: 31 May 2026
1. About This Policy and Governing Law
This Policy explains how Echelon Edge Pty Ltd ("Echelon Edge", "we") collects, uses, and protects personal information through the Talk Trail application and website (talktrail.co). It applies to all subscribers regardless of location.
Governing law: Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) are our baseline standard. We also comply with EU/UK GDPR for EU and UK subscribers; PIPEDA for Canadian subscribers; and CCPA/CPRA for California subscribers. Where your local law is stricter, we apply it.
2. What We Collect
| What | Detail |
|---|---|
| Account data | Email address, display name, subscription status, and trial dates. Passwords stored as one-way cryptographic hashes only. |
| Email and calendar metadata | Subject lines, sender/recipient names, event titles, timestamps, and durations — only when you connect an account (see section 3). Processed transiently; raw content never stored. |
| Technical data | Device type, OS, browser version, IP address, session timestamps, and error logs. Used for security and service improvement. IP not linked to your activity history. |
| Payment data | Transaction confirmation and subscription status from Stripe. We never see, store, or transmit your card number, expiry, or CVV. |
3. Email and Calendar Integration
3.1 What we access
When you connect a Gmail, Google Calendar, Outlook, or Exchange account, we use OAuth 2.0 (no password required). We access metadata only — never full email body text in Strict mode, never attachments, never your contacts list. We request the minimum permissions required for the feature you enable.
3.2 How it works
Our server fetches a limited window of metadata, processes it in-memory on our secure servers to compute an anonymised "derived signal" (a stress level indicator and a generic activity category such as "high-demand communication"), then immediately discards the raw metadata. The derived signal is the only thing stored — never source subjects, names, or event titles. No email or calendar content is included in any backup.
At any point in time, our database contains: your account details, your encrypted OAuth token, and your anonymised derived signals. It does not contain your email subjects, event titles, sender names, or any other raw content from your inbox or calendar.
No decisions with legal or similarly significant effects on you are made by automated means based solely on Talk Trail data.
3.3 Privacy modes
| Mode | What the AI receives | What is stored |
|---|---|---|
| Strict (default) | Anonymised derived signal only — stress level and generic category. No metadata. | Derived signal only. No raw content. |
| Enhanced (opt-in) | A de-identified summary: full names become initials + role descriptors (e.g. "J.S. — direct report"); subject lines become category/sentiment descriptions; no quoted content. | Derived signal only. De-identified summary processed in-memory and discarded. Same no-storage rule. |
Change mode at any time from Settings > Privacy. Switching to Strict takes effect immediately and stops Enhanced processing prospectively. Previously derived signals are not deleted unless you request account deletion.
3.4 Disconnecting
Settings > Connections: immediately revokes our OAuth token and deletes it from our database. You can also revoke access directly via your Google or Microsoft account security settings.
4. How We Use Your Information
We use your information to:
- operate and manage your account and subscription
- compute derived signals and deliver nudges as you have configured
- send account, subscription, and product notifications
- respond to support requests
- detect and prevent fraud, abuse, and security incidents
- improve Talk Trail using aggregated, de-identified analytics
- comply with our legal obligations
We do not: use your data for advertising; sell personal information to any party; use email or calendar content to train AI models; or share your derived signals with other subscribers.
5. Legal Bases for Processing (EU / UK GDPR)
For EU, UK, and Swiss subscribers:
| Basis | Data and purpose |
|---|---|
| Contract performance | Account data and OAuth tokens — necessary to deliver the Talk Trail service. |
| Consent | Connecting an email/calendar account; selecting Enhanced mode. Withdraw at any time by disconnecting or switching to Strict. |
| Legitimate interests | Technical and usage data for security, fraud prevention, and service improvement, where not outweighed by your privacy rights. |
| Legal obligation | Records required by Australian corporate and tax law. |
| Art. 28 DPA | Processing by Lovable's infrastructure is governed by Lovable's Business plan Data Processing Agreement (lovable.dev/legal), constituting a GDPR Art. 28-compliant controller-processor arrangement. |
6. Third-Party Services
Talk Trail is built and hosted on the Lovable platform (Lovable Labs Inc, United States). Echelon Edge holds a Business plan agreement with Lovable that includes a DPA. Lovable's own sub-processors (including Supabase for database/auth and AI providers for Enhanced mode signal processing) are managed under Lovable's contractual chain — current list at trust.lovable.dev.
| Party | Location | Role |
|---|---|---|
| Lovable Labs Inc | United States | Application infrastructure, database hosting, auth, and AI processing (Enhanced mode only). DPA: lovable.dev/legal. |
| Stripe Inc | United States | Payment processing. DPA available via Stripe merchant dashboard. Card data handled solely by Stripe. |
Google and Microsoft: when you connect your account, you directly authorise Talk Trail to access your own data under your existing agreement with Google or Microsoft. They are not processing data on our behalf. Your use of those accounts remains subject to their own privacy policies (policies.google.com/privacy; privacy.microsoft.com).
7. International Data Transfers
Talk Trail's infrastructure is US-based (via Lovable). Personal information is stored and processed in the United States.
Australia (APP 8): We rely on the contractual protections in our Lovable Business DPA and Lovable's SOC 2 Type II certification as reasonable steps ensuring APP-consistent handling by an overseas recipient.
EU / UK (GDPR Chapter V): Transfers are governed by EU Standard Contractual Clauses (Module 2, Commission Decision 2021/914) and the UK International Data Transfer Addendum (version B1.0), incorporated into Lovable's Business plan DPA at lovable.dev/legal.
Canada (PIPEDA, Schedule 1, Principle 7): The same DPA protections constitute reasonable contractual measures for third-party transfers.
8. Your Rights
Contact privacy@talktrail.co to exercise any right. We respond within 30 days (or the period your local law requires).
| Region | Law | Key rights |
|---|---|---|
| Australia | Privacy Act / APPs | Access, correction, complaint to OAIC (oaic.gov.au, 1300 363 992) |
| EU / EEA | EU GDPR | Access, erasure, portability, restriction, objection, complaint to national DPA |
| United Kingdom | UK GDPR | Same as EU GDPR; complaint to ICO (ico.org.uk) |
| Canada | PIPEDA | Access, correction, complaint to OPC (priv.gc.ca) |
| California | CCPA / CPRA | Know, delete, opt-out of sale (we do not sell data) |
| All other regions | Australian baseline + local law | Access and deletion on request |
All subscribers may at any time: access and update account settings; disconnect email/calendar integrations; switch privacy mode; delete their account and all data; and withdraw consent by disconnecting integrated accounts. We will not discriminate against you for exercising your rights.
9. Data Retention and Deletion
| Data | Retention |
|---|---|
| Account data | Duration of subscription + 90 days, then permanently deleted. |
| Derived signals | Duration of account. Deleted on account deletion. |
| OAuth tokens | Deleted immediately on disconnection or account deletion. |
| Raw email/cal content | Never stored — discarded in-memory after signal computation. |
| Aggregated analytics | Indefinite (de-identified; cannot be linked to any individual). |
To delete your account: Settings > Account > Delete Account, or email support@talktrail.co. Deletion completed within 30 days. Backup copies overwritten within 90 days.
10. Security
Data in transit: TLS 1.2+. Data at rest: AES-256 encryption, including OAuth tokens. Access controls: role-based permissions and MFA on production systems. Row-level security prevents cross-account data access. Lovable's hosting infrastructure holds SOC 2 Type II certification. In the event of a notifiable data breach, we will notify affected subscribers and (where required) the OAIC within the timeframes required by law. No security system is impenetrable; we cannot guarantee absolute security against all threats.
11. Children
Talk Trail is not intended for persons under 16. We do not knowingly collect personal information from under-16s. Contact privacy@talktrail.co if you believe a minor has registered and we will delete the account promptly.
12. Changes
Revised Policies will be posted at talktrail.co/privacy with an updated "Last updated" date. For material changes affecting your rights or expanding our processing purposes, we will give at least 30 days' notice by email or in-app notification. Continued use after the effective date constitutes acceptance.
13. Contact and Complaints
Email: privacy@talktrail.co
Mail: PO Box 458, West Ashgrove QLD 4060, Australia
If you are not satisfied with our response, contact your local regulator:
- Australia — OAIC: oaic.gov.au | 1300 363 992
- EU / EEA — your national data protection authority
- United Kingdom — ICO: ico.org.uk
- Canada — OPC: priv.gc.ca
- California (US) — CPPA: cppa.ca.gov