Privacy Policy
How Echo handles your data
Last updated: 19 May 2026
Echo ("we", "the app") is operated by Lumarion Technologies Sdn. Bhd. (Malaysia company registration 202601001066). This policy explains, in plain terms, what data Echo collects, how it is collected, every use of that data, and the third parties it is shared with — including a third-party AI service (Google Gemini).
1. Data Echo collects, how, and why
The table below lists every category of data Echo handles, how it is collected, what it is used for, and which third parties (if any) receive it.
| Data | How it is collected | How it is used | Shared with |
|---|---|---|---|
| Business card image | You capture it with the in-app camera, or pick a photo from your photo library | (a) On-device OCR using Apple Vision to extract text; (b) Sent to Google Gemini to parse contact fields and draft a follow-up message; (c) Stored locally on your device (Apple SwiftData) and, if you are signed in, synced to your private iCloud database | Google Gemini (third-party AI) — see §2 |
| OCR text extracted on-device | Generated locally by Apple Vision from the card image | Sent to Google Gemini together with the card image to improve parsing accuracy | Google Gemini (third-party AI) — see §2 |
| Parsed contact fields (name, title, company, phone, email, website) | Returned by Google Gemini from the card image and OCR text | Displayed to you, stored locally, optionally written to iOS Contacts if you tap “Save to Contacts” | None (stays on your device / your iCloud) |
| AI-drafted follow-up message | Returned by Google Gemini, personalised with your profile and event | Displayed to you for editing and sending via your own WhatsApp/email — Echo never sends messages on your behalf | None (stays on your device / your iCloud) |
| Your profile (name, role, company) and the event name | You enter it in Settings / onboarding | Sent to Google Gemini alongside each scan so the follow-up message is personalised in your voice and context | Google Gemini (third-party AI) — see §2 |
| Apple user identifier + email (Sign in with Apple) | Provided by Apple if you sign in with Apple | Associates your subscription entitlement with your account so it works across your devices | Apple (provides the identifier); not sold or shared with anyone else |
| Subscription receipt | Apple StoreKit when you subscribe | Verify an active Echo Pro entitlement | Apple StoreKit — Echo never sees your payment method, card number, or billing address |
| Anonymous crash reports & performance metrics | Auto-collected by Apple if you opted in at iOS setup | Diagnose crashes and improve stability — no card content, messages, or profile data is included | Apple (per your iOS Analytics setting) |
2. Third-party AI service — Google Gemini
Echo uses Google Gemini, an AI service operated by Google LLC, to parse business cards and to draft follow-up messages. The following data is transmitted to Google Gemini on every scan:
- The scanned business card image
- The OCR text Apple Vision extracted from that image on-device
- Your profile (name, role, company) and the current event name, so the drafted message is personalised
Requests are routed through Lumarion's Cloud Run proxy (echo-api-300830381418.asia-southeast1.run.app) so that Google API keys are never shipped inside the app. The proxy does not retain request bodies; it forwards each request to Gemini and returns the response.
Google's handling of this data — including any retention by Google — is governed by the Gemini API Terms and Google's Privacy Policy. Echo does not use this data to train any model, and Lumarion does not retain copies of the requests on its own servers.
3. Where the rest of your data lives
Everything that is not sent to Google Gemini (scans, parsed contacts, drafted messages, your profile and event) is stored locally on your iPhone using Apple SwiftData. If you are signed into iCloud, Echo also syncs this data to your private iCloud database (the iCloud.co.lumarion.cardconnect container) so it is available across your iPhone, iPad, and Mac, and so a phone replacement does not lose your contacts. iCloud data is end-to-end encrypted by Apple — Lumarion cannot read it; only the user with their Apple ID can. If you sign out of iCloud or never sign in, Echo falls back to local-only storage automatically.
This data never reaches Lumarion-controlled servers. It does not leave Apple's ecosystem unless you explicitly send it somewhere — for example, via WhatsApp, email, or by saving a contact to your iOS Contacts.
4. Permissions Echo requests
- Camera — to scan business cards
- Photo library — to import a card photo you have already taken
- Contacts — only if you tap “Save to iOS Contacts”
Each permission is requested only when needed and can be revoked at any time in iOS Settings.
5. Your rights and how to delete your data
You can delete all your data at any time:
- Delete a single scanned card by swiping it on the home screen
- Tap Settings → Delete Account to remove your profile, all scans, and reset the app to first-launch state
- Uninstalling the app removes all locally stored data
For account-related questions or to exercise rights under PDPA 2010 (Malaysia) or GDPR, email support@lumarion.co. We respond within 30 days.
6. Children
Echo is not directed at children under 13 and we do not knowingly collect data from them.
7. Changes to this policy
We may update this policy as the app evolves. Material changes will be announced in-app before they take effect.
8. Contact
Lumarion Technologies Sdn. Bhd. (202601001066)
Email: support@lumarion.co