Eco is operated by Bos Computing LLC (“we,” “us,” or “our”), a Wyoming limited liability company. We believe that AI should respect your privacy. This policy explains what data we collect, what we don't collect, and how Eco web v1.0 keeps your conversations on your device by running the AI model in your own browser. We aim to be straightforward — no legalese where plain language will do.
1. What We Collect
- Account information: Email address and display name when you create an account
- Usage metrics: Aggregate request metrics for our account and billing API — request counts, response timing, and error rates — for reliability and security. Your chat activity (how often you chat, timing, and the model you use) is measured on your device and never sent to Eco
- Payment information: Processed by Stripe. We never see or store your full card number. We retain subscription status and billing history.
- Device information: Browser type and version for compatibility purposes (no fingerprinting)
- Server logs: IP addresses, request timestamps, and HTTP metadata for security and abuse prevention
2. What We Do Not Collect
- Your conversation content — the AI model runs in your browser, so your prompts and responses are not sent to Eco servers for inference
- Browsing history or activity outside the Eco service
- Third-party tracking data, advertising identifiers, or analytics cookies
- Biometric data or precise location data
- Social media profiles or contacts
We do not use your inputs or outputs to train AI models.
3. Legal Basis for Processing
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a legal basis for data processing, we process your personal data on the following grounds:
- Contractual necessity — Account creation, authentication, and subscription billing are necessary to provide the Service you requested (GDPR Article 6(1)(b))
- Legitimate interest — Usage metrics, device information, and server logs are processed for service improvement, security monitoring, and abuse prevention. We have balanced these interests against your rights and determined they do not override your fundamental freedoms (GDPR Article 6(1)(f))
- Legal obligation — Billing records are retained as required by tax and financial regulations (GDPR Article 6(1)(c))
- Consent — Error tracking via Sentry is opt-in only. You may withdraw consent at any time without affecting the lawfulness of prior processing (GDPR Article 6(1)(a))
4. How On-Device Chat Protects Your Privacy
Eco web v1.0 runs the AI model on your device, inside your browser. Your conversations are not sent to Eco servers for inference.
On-device inference
When you chat, your prompts and the model's responses are processed in your browser. They are not transmitted to Eco servers to generate the response, so we cannot see your conversation content.
Local storage of conversations
If you keep a conversation, it can persist in your browser storage (such as IndexedDB or the Origin Private File System) on your own device. It stays on your device, and you can clear it from your browser at any time.
Model downloads
To run a model on your device, your browser downloads the model files from Eco's same-origin proxy and upstream model hosts. These requests carry model identifiers and file paths — not your prompts, files, conversation text, or generated responses.
Web lookups (Wikipedia, Wikidata, and Open-Meteo)
To help the AI answer factual questions with real sources instead of guessing, Eco includes an optional “Look up facts from the web” feature, on by default. When it is on, your browser contacts Wikipedia and Wikidata directly to look up the search terms from your question, and — for weather questions — Open-Meteo to fetch the current conditions for the city you ask about. These requests go straight from your device to those providers — they are not routed through, seen by, or stored on Eco's servers — and only those search terms or the named city are sent, never your full conversation and never your device location. Each provider receives the request (including your IP address and the terms or city) under its own privacy policy, as it would if you visited the site yourself. You can turn this off at any time in Settings → Eco; with it off, both fact and weather lookups stop and your requests stay entirely on your device.
5. Cookies and local storage
Eco uses session cookies for authentication (powered by Better Auth), a launch-gate cookie when pre-launch access is enabled, and a small cookie notice preference stored in your browser. These are strictly necessary for the Service to function or remember your local choices. We do not use tracking cookies, advertising cookies, or any third-party cookie-based analytics.
Eco also uses local or session storage for browser-only state such as theme preference, one-time prompt handoff, guest chat context, onboarding/workspace settings, service-worker recovery metadata, and on-device model cache state. Local model files and cache records stay in your browser storage so guests can prepare local AI without an account. Clearing browser storage may reset those local preferences or require model preparation again.
Preparing a local model downloads reviewed model artifacts through Eco's same-origin local-model proxy and upstream model hosts. Those artifact requests include model identifiers and file paths, not your prompts, uploaded files, conversation text, or generated responses.
If local AI fails, Eco can prepare a support report that stays in your browser until you copy or download it. That report may include browser class, device memory bucket, model readiness, cache status, compatibility blockers, and error codes. It is designed to exclude prompts, generated text, uploaded file contents, account content, raw URLs, and secrets.
6. Third-Party Services and Data Processors
We use the following third-party services to operate Eco. Each processes data on our behalf and is bound by its own privacy policy and, where applicable, data processing agreements:
- Stripe — Payment processing for subscriptions. Stripe processes your payment card information directly; we never see your full card number.
- Sentry — Error tracking for application stability. Opt-in only. When enabled, personally identifiable information is stripped before transmission.
- Vercel — Hosts the Eco website. May process IP addresses and request metadata for edge routing and DDoS protection.
- Fly.io — Hosts the API gateway (authentication and billing). Processes request metadata, server logs, and application data.
- Neon — Managed PostgreSQL database. Stores account information and billing records. Located in US East.
- Upstash — Managed Redis. Used only for service health checks; no personal data is stored here. Located in US East. Connections are encrypted in transit.
- Model artifact hosts — Local model preparation may retrieve reviewed model files through Eco's proxy and upstream artifact storage. These requests are for model files, not chat content.
We do not sell, rent, or share your personal data with any other third parties. We do not share data with advertisers. We may disclose data if required by law, regulation, or valid legal process.
7. International Data Transfers
Eco is operated from the United States. Our primary infrastructure (API, database, cache) is located in the US East region. If you access the Service from outside the United States, the account, billing, and operational data we process will be transferred to and processed in the United States.
Your conversation content stays on your device, because the AI model runs in your browser. It is not transferred to us or to any other country for inference.
For users in the EEA and UK, we rely on the European Commission's adequacy decisions where applicable, and Standard Contractual Clauses (SCCs) with our sub-processors that operate outside of jurisdictions with adequate data protection laws. If you have questions about specific transfer safeguards, contact us at privacy@eco.network.
8. Data Retention
- Account data: Retained while your account is active. Upon account deletion, your personal data is permanently erased within 30 days, except where retention is required by law.
- Server logs: Retained for 90 days, then automatically purged
- Billing records: Retained for 7 years as required by applicable tax and financial regulations
- Conversation content: Processed on your device in your browser; we do not receive or retain it. Any conversations you keep are stored locally in your browser and can be cleared by you at any time.
- Rate limiting data: Temporary, expires automatically (typically within minutes to hours)
9. Your Rights
Regardless of where you are located, we respect your data rights. Under GDPR, CCPA, and similar regulations, you have the right to:
- Access — Request a copy of the personal data we hold about you
- Deletion — Request that we delete your account and associated data
- Export — Receive your data in a portable, machine-readable format (data portability)
- Correction — Update or correct inaccurate personal information
- Restriction — Request that we limit how we process your data in certain circumstances
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Where processing is based on consent (e.g., Sentry error tracking), withdraw at any time
To exercise any of these rights, contact us at privacy@eco.network. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local supervisory authority.
10. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than providing the Service. No opt-out is required because we do not engage in these practices.
Categories of personal information collected: Identifiers (email, display name), commercial information (subscription status), internet activity (usage metrics, server logs), and inferences drawn from the above for service improvement.
11. Automated Decision-Making
Eco uses automated systems for rate limiting and abuse detection. These systems may affect your access to the Service (e.g., temporary rate limit enforcement). We do not use automated decision-making that produces legal effects or similarly significant effects on individuals based solely on automated processing, including profiling, as defined under GDPR Article 22.
12. Children's Privacy
Eco is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child under the applicable age has provided us with personal data, please contact us at privacy@eco.network and we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes by posting the updated policy on this page, updating the “Last updated” date, and, where feasible, notifying you by email. Your continued use of the Service after the notice period constitutes acceptance of the revised policy. If you do not agree to the updated policy, you must stop using the Service.
14. Contact and Data Protection
If you have questions about this Privacy Policy, how your data is handled, or wish to exercise your data rights, contact our data protection point of contact:
Data Protection Contact
Bos Computing LLC
Email: privacy@eco.network
For general support inquiries, contact support@eco.network.