Privacy Policy

Last Updated: 14 December 2021

Our Approach to Privacy

Echobox operates a platform, which we make available through our website located at echobox.com (our "Website"), that allows users to manage and automate their social media presence, email campaigns and other forms of customer engagement (collectively, the "Echobox Service").

Before accessing or using the Echobox Service, please ensure that you have read and understood our collection, storage, use and disclosure of your personal information as described in this privacy policy.

Information about us

Echobox Limited is a company registered in England with company number 08115900 and its registered address at 9th Floor, 107 Cheapside, London EC2V 6DN ("Echobox", "we", "our" or "us").

If you would like to contact us, please write to us at privacy@echobox.com.

Whom does this Privacy Policy apply to

This privacy policy sets out how we collect, store, process, transfer, share and use data that identifies or is associated with users of our Website and the Echobox Service ("Users"). It also sets out, in paragraph 5, how we use information that identifies or is associated with other individuals whose information might be uploaded to the Echobox Service by Users, or that we might collect through websites and social media accounts that Users connect to the Echobox Service.

This information that identifies or is associated with a particular individual is referred to in this privacy policy as "personal information".

This privacy policy therefore applies to our processing of your personal information if:

  1. you are a User;
  2. your personal information is uploaded to the Echobox Service by a User or collected from websites and social media accounts that a User has connected to the Echobox Service.

Who is responsible for your personal information

Most of the processing of personal information we do when providing the Echobox Service we carry out as a processor on behalf of the relevant Customer. This means that we use this personal information on the instructions of the Customer in accordance with our DPA at echobox.com/dpa, and the Customer remains responsible for how that personal information is used.

We do, however, also process personal information as a controller, as set out in this privacy policy. This means that we determine and are responsible for how personal information is processed.

Personal Information we collect about users and visitors to our website

If you are a User, or you visit our Website, we collect personal information about you when you submit information directly to us when you access or use the Echobox Service. This can include information you provide to us when you register for an account, fill in a form, correspond with us via the Echobox Service, contact us by phone, email or otherwise, subscribe to our mailing lists, newsletters or other forms of marketing communications, respond to surveys or use some other feature of the Echobox Service as available from time to time.

We will indicate to you where the provision of personal information is mandatory or optional. If you choose not to provide personal information marked as mandatory, we may not be able to provide certain features of the Echobox Service to you or respond to your other requests.

The table at ANNEX 1 sets out the categories of personal information we collect about you and how we use that information. The table also lists the legal basis which we rely on to process the personal information.

We also automatically collect personal information about how you access and use the Echobox Service and information about the device you use to access the Echobox Service.

The table at ANNEX 2 sets out the categories of personal information we collect about you automatically and how we use that information. The table also lists the legal basis which we rely on to process the personal information.

We may link or combine the personal information we collect about you and the information we collect automatically. This allows us to provide you with a personalised experience regardless of how you interact with us.

We may anonymise and aggregate any of the personal information we collect (so that it is not possible to identify you from that information). We may use anonymised information for purposes (including commercial purposes) such as, among others, testing our IT systems, research, data analysis, improving the Echobox Service and developing new products and features. We may also make public, sell or share such anonymised information with others.

Personal Information Customers and Users upload to the Echobox Service

Your personal information may be included in the data that a Customer uploads to the Echobox Service (either directly or by connecting their website or social media pages to the Echobox Service). This may include:

  1. your email address;
  2. your communication preferences; and
  3. how you interact with the Customer online, including its website, apps or social media page (such as pages and content you view, like or share).

We will use that personal information:

  1. as a processor on behalf of the Customer; and
  2. to monitor and detect errors in the Echobox Service, and to help us improve the Echobox Service and develop new products and services. This processing is necessary for our legitimate interests, namely to inform our product development and improvement.

Disclosure of your Personal Information

As required in accordance with how we use it (as set out in the Annexes), we will share your personal information with the following categories of recipients:

  1. Service providers and advisors. Third party vendors and other service providers that perform services for us, on our behalf, which may include providing mailing or email services, tax and accounting services, payments processing, data enhancement services, fraud prevention, web hosting, or providing analytics services.
  2. Purchasers and third parties in connection with a business transaction. Personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganisation, financing, change of control or acquisition of all or a portion of our business.
  3. Law enforcement, regulators and other parties for legal reasons. Third parties as required by law or if we reasonably believe that such action is necessary to: (i) comply with the law and the reasonable requests of law enforcement; (ii) enforce our Terms of Use or to protect the security or integrity of our Website; and/or (iii) exercise or protect the rights, property, or personal safety of Echobox, our customers or others.

Marketing and Advertising

If you subscribe to receive updates from us, we will send you emails from time to time with relevant information regarding the Echobox Service. For some messages, we may use personal information we collect about you to help us determine the most relevant information to share with you.

If you no longer want to receive such messages from us, you can change your marketing preferences by clicking on the unsubscribe link at the bottom of our emails.

Storing and transferring your Personal Information

We implement appropriate technical and organisational measures to protect your personal information against accidental or unlawful destruction, loss, change or damage. All personal information we collect will be stored on secure servers.

The personal information we collect may be transferred to and stored in countries outside of the jurisdiction you are in where we and our third-party service providers have operations. If you are located in the European Economic Area ("EEA") or the United Kingdom, your personal information may be processed outside of the EEA or UK including in the United States. These international transfers of your personal information will be made pursuant to appropriate safeguards, such as standard data protection clauses adopted by the European Commission. If you wish to enquire further about these safeguards used, please contact us using the details set out at the beginning of this privacy policy.

Retaining your Information

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of our legitimate business interests and satisfying any legal or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and the applicable legal requirements.

Your Rights in respect of your Personal Information

In accordance with applicable privacy law, you have the following rights in respect of your personal information that we hold:

  1. Right of access. The right to obtain access to your personal information along with certain information.
  2. Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.
  3. Right to rectification. The right to obtain rectification of your personal information without undue delay where that personal information is inaccurate or incomplete.
  4. Right to erasure. The right to obtain the erasure of your personal information without undue delay in certain circumstances, such as where the personal information is no longer necessary in relation to the purposes for which it was collected or processed.
  5. Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal information in certain circumstances, such as where the accuracy of the personal information is contested by you, for a period enabling us to verify the accuracy of that personal information.
  6. Right to object. The right to object, on grounds relating to your particular situation, to the processing of your personal information, and to object to processing of your personal information for direct marketing purposes, to the extent it is related to such direct marketing.

If you wish to exercise one of these rights, please contact us using the contact details at the beginning of this privacy policy.

You also have the right to lodge a complaint to your local data protection authority. If you are based in the UK, your local data protection authority is the Information Commissioner's Office - please see https://ico.org.uk/make-a-complaint/ for more information. If you are based in the EEA, information about how to contact your local data protection authority is available at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.html

Links to Third Party Sites

The Echobox Service may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check the individual policies before you submit any information to those websites.

Our Policy towards children

The Echobox Service is not directed at persons under 18 and we do not knowingly collect personal information from children. If you become aware that your child has provided us with personal information, without your consent, then please contact us using the details above so that we can take steps to remove such information and terminate any account your child has created with us.

Changes to this Policy

We may update this privacy policy from time to time and so you should review this page periodically. When we change this privacy policy in a material way, we will update the "last modified" date at the end of this privacy policy. Changes to this privacy policy are effective when they are posted on this page.

Notice to you

If we need to provide you with information about something, whether for legal, marketing or other business-related purposes, we will select what we believe is the best way to get in contact with you. We will usually do this through email or by placing a notice on our Website. The fact that we may send notices to you will not stop you from being able to opt out of certain types of contact as described in this privacy policy.


Annex 1: Personal Information we collect about users and website visitors

Category of personal information How we use it Legal basis for the processing
Contact information and account profile. Such as your name, phone number, location (country), work email, profile photos, company name, the name of the Customer that granted you access, your role at the Customer. We use this information to authenticate you and give you access to the Customer's account on the Echobox Service. The processing is necessary for the performance of a contract and to take steps prior to entering into a contract (namely our Terms of Service).
We use this information to send you service-related communications about your account and the Echobox Service. The processing is necessary for the performance of a contract with you (namely our Terms of Service).
We use this information to deal with enquiries and other requests made by or about you, including customer service issues, relating to the Echobox Service. The processing is necessary for our legitimate interests, namely for communicating with you effectively and responding to your queries.
Correspondence and comments. When you contact us directly, e.g. by email, phone, mail, or when you interact with customer service, we will record your comments and opinions. To address your questions, issues and concerns and resolve your customer service issues. The processing is necessary for our legitimate interests, namely communicating with you effectively for the purposes of resolving your issues.
Payment information. If you use a personal payment method to pay for a Customer's access to the Echobox Service, we will collect your payment details such as your credit or debit card number. We use this information to facilitate payment for use of the Echobox Service. If you are the Customer, the processing is necessary for the performance of our contract with you (namely our Terms of Service).

If you make payments on behalf of the Customer, the processing is necessary for our legitimate interests, namely processing payments for the Customer's use of the Echobox Service.
We use this information to detect and prevent fraud. The processing is necessary for our legitimate interests, namely the detection and prevention of fraud.
Marketing and communications preferences, such as your preferences in receiving marketing from us and your communication preferences, such as the language in which you choose to communicate with us. We use this information to provide notifications, send news, alerts and marketing communications and we do this in accordance with your choices. The processing is necessary for our legitimate interest, namely ensuring the User receives the correct marketing and other communications in accordance with the User's preferences.
We use this information to ensure that we comply with our legal obligation to send only those marketing communications to which you have consented. The processing is necessary for compliance with a legal obligation to which we are subject.
Location information. Other than information you choose to provide to us, we do not collect information about your precise location. Your device's IP address (which we collect automatically; see ANNEX 2 below) may help us determine an approximate location. We may use an approximate location to ensure content on the Echobox Service is relevant to the city or country you are using your device in. The processing is necessary for our legitimate interests, namely to tailor the Echobox Service to you and to improve the Echobox Service generally.
All personal information set out above. We will use all the personal information we collect to operate, maintain and provide to you the features and functionality of the Echobox Service, to monitor and improve the Echobox Service, our Website and business, and to help us develop new products and services. The processing is necessary for our legitimate interests, namely to administer and improve the Echobox Service, our business and develop new services.

Annex 2: Personal Information collected automatically about users and website visitors

Category of personal information How we use it Legal basis for the processing
IP address, activity log and related information. We collect IP addresses and we log and store actions you have taken on the Echobox Service (for example where you edit a media item). We use this information for security and verification purposes. The processing is necessary for our legitimate interests, namely verifying your identity and for the purposes of accountability with respect to the Customer.
We use this information to resolve issues with the Echobox Service. The processing is necessary for our legitimate interests, namely to monitor and resolve issues and to improve the Echobox Service generally.
We use this information to determine appropriate scheduled messages as part of the Echobox Service. The processing is necessary for the performance of our contract with you (namely our Terms of Service).
Information about how you access and use the Echobox Service. For example, the website from which you came and the website to which you are going when you leave our Website, how frequently you access the Echobox Service, the time you access the Echobox Service and how long you use it for, whether you open emails or click the links contained in emails, whether you access the Echobox Service from multiple devices, and other actions you take on the Echobox Service. We use this information to present our Website and the Echobox Service to you on your device. The processing is necessary for our legitimate interests, namely to tailor the Echobox Service to the user.
We use this information to determine products and services that may be of interest to you for marketing purposes. The processing is necessary for our legitimate interests, namely to inform our direct marketing.
We use this information to monitor and improve our Website and the Echobox Service and business, and to help us develop new products and services. The processing is necessary for our legitimate interests, namely to inform our product development and improvement.
Log files and information about your device. We also collect information about the computer, tablet, smartphone or other electronic device you use to connect to the Echobox Service. This information can include details about the type of device, unique device identifying numbers, operating systems, browsers and applications connected to the Echobox Service through the device, information about the server upon which the Echobox Service operates, your Internet service provider or mobile network. We use this information to:
• enable the Echobox Service to be presented to you on your device; and
• operate, maintain and provide to you the features and functionality of the Echobox Service.
The processing is necessary for the performance of a contract and (namely our Terms of Service).
We use this information to monitor and improve the Echobox Service and business, and to help us develop new products and services. The processing is necessary for our legitimate interests, namely to inform our product development and improvement.