Oasisecho privacy policy

Your privacy isn’t just a feature — it’s our entire business model.

This policy explains, in plain language, what we collect, how we protect it, and what never leaves your device. What do we actually see? Very little. We use zero-knowledge encryption, so message content stays private by design.

What we don’t collect

Message content, contacts, location, IP logs

What we do collect

Email for login, support requests, anonymous analytics

Last updated

14 June 2026

Minimal data GDPR aligned Ukrainian law

Oasis Echo Privacy Policy at a Glance

We built this service to carry messages, not personal data. That means we limit collection to the essentials: your email address for login, support requests when you contact us, and optional analytics that are anonymised and self-hosted. Anything else? We avoid it unless the law demands otherwise.

We don’t collect

  • Message content or attachments
  • Contacts from your address book
  • Precise location data
  • Routine IP log trails

We do collect

  • Email for account access and verification
  • Support messages you send voluntarily
  • Optional anonymous usage analytics
  • Technical logs required for delivery and abuse prevention

User data rights

Your rights under GDPR and Ukrainian data protection law

Rights sound formal until you need them. Can you access your data, correct it, or ask us to delete it? Absolutely. Here’s how we handle each request, and how quickly we respond.

Right to Access

See what we hold and why.

You can ask for a copy of the personal data we process about you, along with the purposes, categories, and retention periods. We’ll verify your identity, then respond clearly. No hidden jargon.

Right to Rectification

Fix inaccurate information.

If your account details are wrong, tell us what needs correcting. We’ll update the record without unnecessary delay and confirm once the change is complete.

Right to Erasure

Ask us to delete your data.

We’ll delete account data when there’s a lawful basis to do so, typically within 30 days. Some records may be retained if we’re required to keep them under tax, security, or legal obligations.

Right to Data Portability

Take your data with you.

You can request a portable copy of the personal data you’ve provided. We’ll return it in a structured format that another service can read, where technically feasible.

Right to Object

Stop certain processing.

Where processing is based on legitimate interests or direct marketing, you can object. We’ll review the request and stop the activity unless we have a compelling lawful reason to continue.

End-to-end encryption policy

Our end-to-end encryption, explained without the smoke and mirrors

Double Ratchet sounds technical because it is. Yet the idea is simple: each message gets a fresh key path, forward secrecy protects older conversations, and future secrecy limits the damage if a device is compromised. Would you trust a messenger that could decode your traffic? We wouldn’t either.

Forward secrecy Future secrecy Open-source libraries

Sender

Key exchange

Recipient

Ratchet step

Fresh keys

Unreadable to us

What our engineers insist on

  • Audited, open-source encryption libraries only.
  • No server-side access to decrypted message bodies.
  • Minimal delivery metadata, kept only as long as needed.
  • Regular security reviews and independent audits published annually.

The goal is simple: make interception worthless. If someone tries, they get ciphertext and nowhere useful to go.

Data protection Ukraine

Our use of cookies and analytics

Cookies aren’t the villain; careless tracking is. We keep only the scripts needed for security, login, and service reliability. Optional analytics are self-hosted, anonymised, and switched off when you say no. That’s fair, isn’t it?

Session cookie

Keeps you signed in securely.

Session

CSRF token

Stops malicious request forgery.

Short-lived

Optional analytics

Self-hosted, anonymised IP.

Up to 13 months

Prefer no analytics?

You can opt out of optional cookies without losing core app functionality. Simple.

Self-hosted by design

We avoid third-party tracking where we can. Less noise, fewer hands on your data.

Questions?

Send a note to [email protected]. We’ll answer plainly.

Trust, verified

Transparency should feel practical, not theatrical.

We publish our audit summaries annually, maintain strict retention controls, and treat deletion requests as real obligations, not support tickets that drift for weeks. What’s the point of a privacy policy if nobody can rely on it?