Privacy Policy


Our Approach to Privacy

Echobox operates a platform, which we make available through our website located at echobox.com (our "Website"), that allows users to manage and automate their social media presence, email campaigns and other forms of customer engagement (collectively, the "Echobox Service").

Before accessing or using the Echobox Service, please ensure that you have read and understood our collection, storage, use and disclosure of your personal information as described in this privacy policy.

Information about us

Echobox Limited is a company registered in England with company number 08115900 and its registered address at 9th Floor, 107 Cheapside, London EC2V 6DN ("Echobox", "we", "our" or "us").

If you would like to contact us, please write to us at privacy@echobox.com.

Whom does this Privacy Policy apply to

This privacy policy sets out how we collect, store, process, transfer, share and use data that identifies or is associated with users of our Website and the Echobox Service ("Users").

It also sets out, in paragraph 6, how we use information that identifies or is associated with other individuals whose information might be shared with the Echobox Service by business customers that have signed up to use the Echobox Service (our "Customers"), or that we might collect through websites and social media accounts that Customers connect to the Echobox Service.

This information that identifies or is associated with a particular individual is referred to in this privacy policy as "personal information".

This privacy policy therefore applies to our processing of your personal information if:

  1. you are a User;
  2. your personal information is shared with the Echobox Service by a Customer or collected from websites and social media accounts that a Customer has connected to the Echobox Service.

Who is responsible for your personal information

Most of the processing of personal information we do when providing the Echobox Service we carry out as a processor on behalf of the relevant Customer. This means that we use this personal information on the instructions of the Customer in accordance with our DPA at echobox.com/dpa, and the Customer remains responsible for how that personal information is used.

We do, however, also process personal information as a controller, as set out in this privacy policy. This means that we determine and are responsible for how personal information is processed.

Personal Information we collect about users and visitors to our website

If you are a User, or you visit our Website, we collect personal information about you when you submit information directly to us when you access or use the Echobox Service. This can include information you provide to us when you register for an account, fill in a form, correspond with us via the Echobox Service, contact us by phone, email or otherwise, subscribe to our mailing lists, newsletters or other forms of marketing communications, respond to surveys or use some other feature of the Echobox Service as available from time to time.

We will indicate to you where the provision of personal information is mandatory or optional. If you choose not to provide personal information marked as mandatory, we may not be able to provide certain features of the Echobox Service to you or respond to your other requests.

The table at ANNEX 1 sets out the categories of personal information we collect about you and how we use that information. The table also lists the legal basis which we rely on to process the personal information.

We also automatically collect personal information about how you access and use the Echobox Service and information about the device you use to access the Echobox Service.

The table at ANNEX 2 sets out the categories of personal information we collect about you automatically and how we use that information. The table also lists the legal basis which we rely on to process the personal information.

We may link or combine the personal information we collect about you and the information we collect automatically. This allows us to provide you with a personalised experience regardless of how you interact with us.

We may anonymise and aggregate any of the personal information we collect (so that it is not possible to identify you from that information). We may use anonymised information for purposes (including commercial purposes) such as, among others, testing our IT systems, research, data analysis, improving the Echobox Service and developing new products and features. We may also make public, sell or share such anonymised information with others.

Personal Information Customers and Users share with the Echobox Service

Your personal information may be included in the data that a Customer uploads directly to the Echobox Service. This may include:

  1. your email address; and
  2. your communication preferences.

We may also collect certain information about how you interact with Customers' websites, email campaigns and newsletters. We collect this information through web tags, cookies and similar technologies that our Customers integrate with their website and include in their emails.

We use that personal information as a processor on behalf of the Customer. However, we also use that personal information in aggregated form to monitor the performance of, and detect errors in, the Echobox Service, to help us improve the Echobox Service and develop new products and services.

Disclosure of your Personal Information

As required in accordance with how we use it (as set out in the Annexes), we will share your personal information with the following categories of recipients:

Recipient | Why we share personal information with that recipient | Legal basis
Service providers and advisors. | Third party vendors and other service providers that perform services for us, on our behalf, which may include providing mailing or email services, payments processing, data enhancement services, fraud prevention, web hosting, or providing analytics services. These third party vendors and other service providers perform services for us or on our behalf. | These service providers will use your personal data as processors on our instructions.
 | Advisors, such as legal advisors or accountants. Our advisors may need to access personal data in order to develop and provide their advice to us or otherwise perform their services. | These recipients will use your personal data in accordance with their own privacy policies, but in a manner consistent with this privacy notice. The lawful basis we rely on for sharing personal data in this way is that it is necessary for our legitimate interests, namely receiving professional legal, financial and accountancy advice.
Purchasers and third parties in connection with a business transaction. | Your personal data may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganisation, financing, change of control or acquisition of all or a portion of our business. | These recipients will use your personal data to assess the potential transaction with us, and otherwise only as disclosed in this privacy notice. The lawful basis we rely on for transferring this personal data is that the processing is necessary for our and the third party's legitimate interests, namely assessing and executing a potential transaction with us.
Law enforcement, regulators and other parties for legal reasons. | We may share your personal information with third parties as required by law or if we reasonably believe that such action is necessary to (i) comply with the law and the reasonable requests of law enforcement; (ii) detect and investigate illegal activities and breaches of agreements; and/or (iii) exercise or protect the rights, property, or personal safety of Echobox, its users or others. | These recipients will use your personal data in the performance of their regulatory or law enforcement role, or to advise us in connection with a potential claim or regulatory enforcement action. The lawful basis we rely on for sharing personal data with these recipients is that the processing is either necessary to comply with a legal obligation to which we are subject or is necessary for our legitimate interests, namely enforcing our rights or complying with requests from regulatory authorities.

Marketing

If you subscribe to receive updates from us, we will send you emails from time to time with relevant information regarding the Echobox Service. For some messages, we may use personal information we collect about you to help us determine the most relevant information to share with you.

If you no longer want to receive such messages from us, you can change your marketing preferences by clicking on the unsubscribe link at the bottom of our emails.

Storing and transferring your Personal Information

We implement appropriate technical and organisational measures to protect your personal information against accidental or unlawful destruction, loss, change or damage. All personal information we collect will be stored on secure servers.

The personal information we collect may be transferred to and stored in countries outside of the jurisdiction you are in where we and our third-party service providers have operations. If you are located in the European Economic Area ("EEA") or the United Kingdom, your personal information may be processed in the USA. These international transfers of your personal information will be made pursuant to appropriate safeguards, namely agreements incorporating standard data protection clauses adopted by the European Commission and approved under the UK Data Protection Act 2018.

If you wish to enquire further about the safeguards used, please contact us using the details set out at the beginning of this privacy policy.

Retaining your Information

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of our legitimate business interests and satisfying any legal or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and the applicable legal requirements.

Your Rights in respect of your Personal Information

In accordance with applicable privacy law, you have the following rights in respect of your personal information that we hold:

  1. Right of access. The right to obtain access to your personal information along with certain information about the personal information we hold about you and how we use it.
  2. Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.
  3. Right to rectification. The right to obtain rectification of your personal information without undue delay where that personal information is inaccurate or incomplete.
  4. Right to erasure. The right to obtain the erasure of your personal information without undue delay in certain circumstances, such as where the personal information is no longer necessary in relation to the purposes for which it was collected or processed.
  5. Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal information in certain circumstances, such as where the accuracy of the personal information is contested by you, for a period enabling us to verify the accuracy of that personal information.

You also have the right to object, on grounds relating to your particular situation, to the processing of your personal information. You can also object to processing of your personal information for direct marketing purposes, to the extent it is related to such direct marketing.

If you wish to exercise one of these rights, please contact us using the contact details at the beginning of this privacy policy.

You also have the right to lodge a complaint with your local data protection authority. If you are based in the UK, your local data protection authority is the Information Commissioner's Office - please see https://ico.org.uk/make-a-complaint/ for more information. If you are based in the EEA, information about how to contact your local data protection authority is available at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.html

Links to Third Party Sites

The Echobox Service may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check the individual policies before you submit any information to those websites.

Our Policy towards children

The Echobox Service is not directed at persons under 18 and we do not knowingly collect personal information from children. If you become aware that your child has provided us with personal information, without your consent, then please contact us using the details above so that we can take steps to remove such information and terminate any account your child has created with us.

Changes to this Policy

We may update this privacy policy from time to time and so you should review this page periodically. When we change this privacy policy in a material way, we will update the "last modified" date at the end of this privacy policy. Changes to this privacy policy are effective when they are posted on this page.

Notice to you

If we need to provide you with information about something, whether for legal, marketing or other business-related purposes, we will select what we believe is the best way to get in contact with you. We will usually do this through email or by placing a notice on our Website. The fact that we may send notices to you will not stop you from being able to opt out of certain types of contact as described in this privacy policy.


Annex 1: Personal Information we collect about users and website visitors

Category of personal information | How we use it | Legal basis for the processing
Contact information and account profile. Such as your name, phone number, location (country), work email, profile photos, company name, the name of the Customer that granted you access, your role at the Customer. | We use this information to deal with enquiries and other requests made by or about you, including customer service issues, relating to the Echobox Service. | The processing is necessary for our legitimate interests, namely for communicating with you effectively and responding to your queries.
 | If you have subscribed to our newsletter, we use this information to send you updates and information about the Echobox Service. | The processing is necessary for our legitimate interests, namely communicating with users and prospective users and promoting the Echobox Service.
Correspondence and comments. When you contact us directly, e.g. by email, phone, mail, or when you interact with customer service, we will record your comments and opinions. | To address your questions, issues and concerns and resolve your customer service issues. | The processing is necessary for our legitimate interests, namely communicating with you effectively for the purposes of resolving your issues.
Payment information. If you use a personal payment method to pay for a Customer's access to the Echobox Service, we will collect your payment details such as your credit or debit card number. | We use this information to facilitate payment for use of the Echobox Service. | If you are the Customer, the processing is necessary for the performance of our contract with you (namely our Terms of Service). If you make payments on behalf of the Customer, the processing is necessary for our legitimate interests, namely processing payments for the Customer's use of the Echobox Service.
 | We use this information to detect and prevent fraud. | The processing is necessary for our legitimate interests, namely the detection and prevention of fraud.
Newsletter and communications preferences, such as whether you have subscribed to our newsletter and your communication preferences, such as the language in which you choose to communicate with us. | We use this information to provide notifications, send news, alerts and marketing communications and we do this in accordance with your choices. | The processing is necessary for our legitimate interest, namely ensuring the User receives the correct marketing and other communications in accordance with the User's preferences.
Location information. Other than information you choose to provide to us, we do not collect information about your precise location. Your device's IP address (which we collect automatically; see ANNEX 2 below) may help us determine an approximate location. | We may use an approximate location to ensure content on the Echobox Service is relevant to the city or country you are using your device in. | We will only process your personal information in this way to the extent you have given us your consent to do so.

Annex 2: Personal Information collected automatically about users and website visitors

Category of personal information | How we use it | Legal basis for the processing
IP address, activity log and related information. We collect IP addresses and we log and store actions you have taken on the Echobox Service (for example when you log in or where you edit a media item). | We use this information to present our Website and the Echobox Service to you on your device. | The processing is necessary for the performance of a contract and (namely our Terms of Service). If you access the Echobox Service as an authorised user on behalf of a Customer, the processing is necessary for our legitimate interests, namely providing the Website and Echobox Service to users.
 | We use this information for security and verification purposes. | The processing is necessary for our legitimate interests, namely verifying your identity and for the purposes of accountability with respect to the Customer.
 | We use this information to resolve issues with the Echobox Service. | We will only process your personal information in this way to the extent you have given us your consent to do so.
 | We use this information to determine appropriate scheduled messages as part of the Echobox Service. | We will only process your personal information in this way to the extent you have given us your consent to do so.
Information about how you access and use the Echobox Service. For example, the website from which you came, how frequently you access the Echobox Service, the time you access the Echobox Service and how long you use it for, whether you open emails or click the links contained in emails, whether you access the Echobox Service from multiple devices, and other actions you take on the Echobox Service. | We use this information to tailor how the Echobox Service is presented. | We will only process your personal information in this way to the extent you have given us your consent to do so.
 | We use this information to inform our online marketing strategy. | We will only process your personal information in this way to the extent you have given us your consent to do so.
 | We use this information to monitor and improve our Website and the Echobox Service and business, and to help us develop new products and services. | We will only process your personal information in this way to the extent you have given us your consent to do so.
Log files and information about your device. We also collect information about the computer, tablet, smartphone or other electronic device you use to connect to the Echobox Service. This information can include details about the type of device, unique device identifying numbers, operating systems, browsers and applications connected to the Echobox Service through the device, information about the server upon which the Echobox Service operates, your Internet service provider or mobile network. | We use this information to: • enable the Echobox Service to be presented to you on your device; and • operate, maintain and provide to you the features and functionality of the Echobox Service. | The processing is necessary for the performance of a contract and (namely our Terms of Service). If you access the Echobox Service as an authorised user on behalf of a Customer, the processing is necessary for our legitimate interests, namely providing the Website and Echobox Service to users.
 | We use this information to monitor and improve the Echobox Service and business, and to help us develop new products and services. | We will only process your personal information in this way to the extent you have given us your consent to do so.