Payments are in test mode — use card 4242 4242 4242 4242 to try checkout. Read more

Privacy Policy

Echelon Edge Pty Ltd | ABN 12 102 962 532 | talktrail.co Last updated: 31 May 2026

1. About This Policy and Governing Law

This Policy explains how Echelon Edge Pty Ltd ("Echelon Edge", "we") collects, uses, and protects personal information through the Talk Trail application and website (talktrail.co). It applies to all subscribers regardless of location.

Governing law: Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) are our baseline standard. We also comply with EU/UK GDPR for EU and UK subscribers; PIPEDA for Canadian subscribers; and CCPA/CPRA for California subscribers. Where your local law is stricter, we apply it.

2. What We Collect

WhatDetail
Account dataEmail address, display name, subscription status, and trial dates. Passwords stored as one-way cryptographic hashes only.
Email and calendar metadataSubject lines, sender/recipient names, event titles, timestamps, and durations — only when you connect an account (see section 3). Processed transiently; raw content never stored.
Technical dataDevice type, OS, browser version, IP address, session timestamps, and error logs. Used for security and service improvement. IP not linked to your activity history.
Payment dataTransaction confirmation and subscription status from Stripe. We never see, store, or transmit your card number, expiry, or CVV.

3. Email and Calendar Integration

3.1 What we access

When you connect a Gmail, Google Calendar, Outlook, or Exchange account, we use OAuth 2.0 (no password required). We access metadata only — never full email body text in Strict mode, never attachments, never your contacts list. We request the minimum permissions required for the feature you enable.

3.2 How it works

Our server fetches a limited window of metadata, processes it in-memory on our secure servers to compute an anonymised "derived signal" (a stress level indicator and a generic activity category such as "high-demand communication"), then immediately discards the raw metadata. The derived signal is the only thing stored — never source subjects, names, or event titles. No email or calendar content is included in any backup.

At any point in time, our database contains: your account details, your encrypted OAuth token, and your anonymised derived signals. It does not contain your email subjects, event titles, sender names, or any other raw content from your inbox or calendar.

No decisions with legal or similarly significant effects on you are made by automated means based solely on Talk Trail data.

3.3 Privacy modes

ModeWhat the AI receivesWhat is stored
Strict (default)Anonymised derived signal only — stress level and generic category. No metadata.Derived signal only. No raw content.
Enhanced (opt-in)A de-identified summary: full names become initials + role descriptors (e.g. "J.S. — direct report"); subject lines become category/sentiment descriptions; no quoted content.Derived signal only. De-identified summary processed in-memory and discarded. Same no-storage rule.

Change mode at any time from Settings > Privacy. Switching to Strict takes effect immediately and stops Enhanced processing prospectively. Previously derived signals are not deleted unless you request account deletion.

3.4 Disconnecting

Settings > Connections: immediately revokes our OAuth token and deletes it from our database. You can also revoke access directly via your Google or Microsoft account security settings.

4. How We Use Your Information

We use your information to:

  • operate and manage your account and subscription
  • compute derived signals and deliver nudges as you have configured
  • send account, subscription, and product notifications
  • respond to support requests
  • detect and prevent fraud, abuse, and security incidents
  • improve Talk Trail using aggregated, de-identified analytics
  • comply with our legal obligations

We do not: use your data for advertising; sell personal information to any party; use email or calendar content to train AI models; or share your derived signals with other subscribers.

5. Legal Bases for Processing (EU / UK GDPR)

For EU, UK, and Swiss subscribers:

BasisData and purpose
Contract performanceAccount data and OAuth tokens — necessary to deliver the Talk Trail service.
ConsentConnecting an email/calendar account; selecting Enhanced mode. Withdraw at any time by disconnecting or switching to Strict.
Legitimate interestsTechnical and usage data for security, fraud prevention, and service improvement, where not outweighed by your privacy rights.
Legal obligationRecords required by Australian corporate and tax law.
Art. 28 DPAProcessing by Lovable's infrastructure is governed by Lovable's Business plan Data Processing Agreement (lovable.dev/legal), constituting a GDPR Art. 28-compliant controller-processor arrangement.

6. Third-Party Services

Talk Trail is built and hosted on the Lovable platform (Lovable Labs Inc, United States). Echelon Edge holds a Business plan agreement with Lovable that includes a DPA. Lovable's own sub-processors (including Supabase for database/auth and AI providers for Enhanced mode signal processing) are managed under Lovable's contractual chain — current list at trust.lovable.dev.

PartyLocationRole
Lovable Labs IncUnited StatesApplication infrastructure, database hosting, auth, and AI processing (Enhanced mode only). DPA: lovable.dev/legal.
Stripe IncUnited StatesPayment processing. DPA available via Stripe merchant dashboard. Card data handled solely by Stripe.

Google and Microsoft: when you connect your account, you directly authorise Talk Trail to access your own data under your existing agreement with Google or Microsoft. They are not processing data on our behalf. Your use of those accounts remains subject to their own privacy policies (policies.google.com/privacy; privacy.microsoft.com).

7. International Data Transfers

Talk Trail's infrastructure is US-based (via Lovable). Personal information is stored and processed in the United States.

Australia (APP 8): We rely on the contractual protections in our Lovable Business DPA and Lovable's SOC 2 Type II certification as reasonable steps ensuring APP-consistent handling by an overseas recipient.

EU / UK (GDPR Chapter V): Transfers are governed by EU Standard Contractual Clauses (Module 2, Commission Decision 2021/914) and the UK International Data Transfer Addendum (version B1.0), incorporated into Lovable's Business plan DPA at lovable.dev/legal.

Canada (PIPEDA, Schedule 1, Principle 7): The same DPA protections constitute reasonable contractual measures for third-party transfers.

8. Your Rights

Contact privacy@talktrail.co to exercise any right. We respond within 30 days (or the period your local law requires).

RegionLawKey rights
AustraliaPrivacy Act / APPsAccess, correction, complaint to OAIC (oaic.gov.au, 1300 363 992)
EU / EEAEU GDPRAccess, erasure, portability, restriction, objection, complaint to national DPA
United KingdomUK GDPRSame as EU GDPR; complaint to ICO (ico.org.uk)
CanadaPIPEDAAccess, correction, complaint to OPC (priv.gc.ca)
CaliforniaCCPA / CPRAKnow, delete, opt-out of sale (we do not sell data)
All other regionsAustralian baseline + local lawAccess and deletion on request

All subscribers may at any time: access and update account settings; disconnect email/calendar integrations; switch privacy mode; delete their account and all data; and withdraw consent by disconnecting integrated accounts. We will not discriminate against you for exercising your rights.

9. Data Retention and Deletion

DataRetention
Account dataDuration of subscription + 90 days, then permanently deleted.
Derived signalsDuration of account. Deleted on account deletion.
OAuth tokensDeleted immediately on disconnection or account deletion.
Raw email/cal contentNever stored — discarded in-memory after signal computation.
Aggregated analyticsIndefinite (de-identified; cannot be linked to any individual).

To delete your account: Settings > Account > Delete Account, or email support@talktrail.co. Deletion completed within 30 days. Backup copies overwritten within 90 days.

10. Security

Data in transit: TLS 1.2+. Data at rest: AES-256 encryption, including OAuth tokens. Access controls: role-based permissions and MFA on production systems. Row-level security prevents cross-account data access. Lovable's hosting infrastructure holds SOC 2 Type II certification. In the event of a notifiable data breach, we will notify affected subscribers and (where required) the OAIC within the timeframes required by law. No security system is impenetrable; we cannot guarantee absolute security against all threats.

11. Children

Talk Trail is not intended for persons under 16. We do not knowingly collect personal information from under-16s. Contact privacy@talktrail.co if you believe a minor has registered and we will delete the account promptly.

12. Changes

Revised Policies will be posted at talktrail.co/privacy with an updated "Last updated" date. For material changes affecting your rights or expanding our processing purposes, we will give at least 30 days' notice by email or in-app notification. Continued use after the effective date constitutes acceptance.

13. Contact and Complaints

Email: privacy@talktrail.co
Mail: PO Box 458, West Ashgrove QLD 4060, Australia

If you are not satisfied with our response, contact your local regulator:

  • Australia — OAIC: oaic.gov.au | 1300 363 992
  • EU / EEA — your national data protection authority
  • United Kingdom — ICO: ico.org.uk
  • Canada — OPC: priv.gc.ca
  • California (US) — CPPA: cppa.ca.gov