Etho

Privacy-first by design

We built Etho because we believe you shouldn't have to compromise user privacy to build great features. Privacy isn't an afterthought—it's our foundation.

Our privacy principles

Events only, never email bodies

We extract structured data objects and discard the raw email content. We never store, read, or retain full email bodies.

Never sold for ads or marketing

Your users' data is never monetized through advertising, data brokerage, or any form of third-party sale. Ever.

User-controlled deletion

Users can disconnect their inbox and request full data deletion at any time. We honor deletion requests within 24 hours.

Encryption at rest and in transit

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Access is strictly controlled and audited.

How we handle email data

What we DO extract

  • Structured transaction data (merchant, amount, date, items)
  • Travel itineraries (flights, hotels, reservations)
  • Subscription and billing information
  • Event tickets and calendar-relevant data

What we NEVER store

  • Full email body content or HTML
  • Email attachments
  • Personal correspondence or non-transactional emails
  • User credentials or OAuth tokens after processing

Compliance & certifications

SOC 2 Type II

Audited annually for security, availability, and confidentiality controls.

GDPR Compliant

Full compliance with EU data protection regulations including right to erasure.

CCPA Compliant

California Consumer Privacy Act compliance for US users.

For integrators

We provide all the tools you need to maintain user trust and meet your own compliance requirements.

Tenant Dashboard

Full visibility into connected users, data access, and deletion requests.

Data Processing Agreement

Standard DPA available for enterprise customers with custom terms.

Audit Logs

Complete audit trail of all API access and data operations.

Sub-processor List

Transparent list of all sub-processors with update notifications.

Questions about privacy?

We are happy to discuss our privacy practices, provide additional documentation, or complete your security questionnaire.