Privacy Policy
How Echo collects, uses, and protects information. Echo is part of Ethica Compliance LLP.
1. Overview
Echo is a secure whistleblowing platform that helps individuals report concerns and helps organizations manage cases. This Privacy Policy explains how we process Personal Data when you use Echo.
2. Roles and Responsibility
Echo usually acts as a processor on behalf of customer organizations that are controllers of report content and case files. In some situations Echo acts as a controller, for example for platform telemetry, security monitoring, service announcements, and billing contacts. When we act as controller we do so in accordance with this Policy.
3. Data We Process
- Report data such as narrative text, categories, attachments, timestamps, and case identifiers.
- Account and access data for authorized staff such as names, emails, roles, and audit logs.
- Technical and usage data such as IP addresses for security, device and browser information, language settings, and essential cookies to maintain sessions.
- Support data you share through the Contact page including name, email, company, category, subject, and message.
4. Lawful Bases
We process data based on one or more of these bases: performance of a contract to deliver the service, legitimate interests in maintaining a secure reporting channel, compliance with legal obligations, and consent where required by law.
5. Security
We apply administrative, technical, and physical safeguards including TLS in transit, encryption at rest where configured, role-based access control, least privilege, audit logging, credential hashing, and regular backups.
6. Retention
Customer organizations set retention for case data. We retain logs and backups consistent with security and compliance needs. When retention ends, we delete or anonymize data where feasible, subject to legal obligations.
7. Subprocessors
We use vetted service providers, for example cloud hosting and email delivery. Each provider is bound by written terms and security requirements that are appropriate for the data they process.
8. International Data Transfers
Where cross-border transfers occur, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms and implement additional technical and organizational measures.
9. Your Rights
Depending on jurisdiction you may have rights to access, rectify, delete, restrict processing, object, or request portability. If your report was submitted to a customer organization, contact that organization as the controller. You can also contact us through the Contact page and we will coordinate with the controller where applicable.
10. Children
Echo is intended for use by adults in a workplace context. We do not knowingly process data of children under 16 without appropriate authorization.
11. Kenya and African Frameworks
We operate with regard to the Kenya Data Protection Act 2019 and its Regulations. We also consider applicable African Union frameworks and local country laws where our customers operate. Where European data protection laws apply we align with GDPR principles.
12. Contact
For privacy questions or to exercise your rights, use Contact Support. If you contact us about a report managed by a customer organization, we may refer your request to the controller.
13. Changes
We may update this Policy and will post the revised date below. If changes are material, we will notify you through the platform.
Last updated: November 8, 2025