Legal
Last updated: 14 April 2026
EverEcho Ltd is the data controller for the personal information processed through this platform. We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
To contact us about data protection matters: privacy@everecho.co.uk
| Account data | Name, email address, password (hashed) | When you register |
| Payment data | Name, billing address, last 4 digits of card (via Stripe) | When you purchase |
| Memorial content | Photographs, written text, video, life dates | When you build a memorial |
| Usage data | IP address, browser type, pages visited | Automatically via our servers |
| Communications | Emails you send us, support requests | When you contact us |
We do not sell personal data to third parties. We do not use your data for advertising.
| Providing the Service | Performance of contract (Art. 6(1)(b) UK GDPR) |
| Processing payment | Performance of contract; Legal obligation |
| Sending service emails | Legitimate interests (service communication) |
| Marketing emails | Consent (you may withdraw at any time) |
| Security and fraud prevention | Legitimate interests |
We use the following trusted third-party providers to operate the Service:
| Supabase (US) | Database and authentication | DPA in place; EU/UK SCCs |
| Stripe (US) | Payment processing | PCI-DSS compliant; EU/UK SCCs |
| Cloudflare R2 (EU) | Media storage (photos, video) | GDPR-compliant infrastructure |
| Resend (US) | Transactional email delivery | DPA in place; EU/UK SCCs |
Each provider is bound by contractual safeguards (Standard Contractual Clauses) where data transfers outside the UK occur.
We retain your personal data for as long as your account is active, plus a further 6 years for legal and financial record-keeping obligations. Memorial content (photographs, text) is retained permanently as part of the Service unless you request deletion.
If you close your account, we will delete your personal profile data within 90 days. Published memorials will be taken offline unless a family member assumes ownership.
| Right of access | Request a copy of the data we hold about you |
| Right to rectification | Correct inaccurate or incomplete data |
| Right to erasure | Request deletion of your personal data ("right to be forgotten") |
| Right to restriction | Ask us to limit how we process your data |
| Right to portability | Receive your data in a machine-readable format |
| Right to object | Object to processing based on legitimate interests |
| Right to withdraw consent | Withdraw marketing consent at any time |
To exercise any of these rights, email privacy@everecho.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
We use strictly necessary cookies to maintain your login session. We do not use advertising or tracking cookies. A session cookie is set when you log in and is deleted when you close your browser or log out.
All data is transmitted over HTTPS. Passwords are hashed using bcrypt and never stored in plain text. Access to production data is restricted to authorised personnel. We conduct regular security reviews.
We will notify you by email of any material changes to this Privacy Policy at least 30 days before they take effect. The current version will always be available at everecho.co.uk/privacy.