Echo
A Splocket product

Privacy Policy

Last Updated: February 20, 2026

Introduction

Welcome to Echo ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our review management platform.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, company name, phone number
  • Billing Information: Credit card details (processed securely through our payment processor)
  • Profile Data: User preferences, settings, profile pictures
  • Business Information: Company details, locations, products

1.2 Information We Collect Automatically

  • Usage Data: How you interact with our platform, features used, time spent
  • Device Information: IP address, browser type, operating system
  • Cookies: We use cookies to enhance your experience

1.3 Information from Third Parties

  • Review Data: Reviews from Google, Facebook, Trustpilot, Shopify, App Store, Play Store
  • CRM Data: Customer information from your connected CRM
  • OAuth Data: Basic profile information when you connect integrations

2. How We Use Your Information

We use your information to:

  • Provide and improve our review management services
  • Aggregate and display reviews from connected platforms
  • Generate AI-powered response suggestions
  • Send email notifications and campaigns
  • Process payments and prevent fraud
  • Provide customer support
  • Comply with legal obligations

3. Data Sharing

3.1 We Share Data With:

  • Service Providers: Payment processors (Stripe), email service (Resend), AI providers (OpenAI)
  • Review Platforms: When you respond to reviews through our platform
  • Your CRM: When you enable CRM sync features

3.2 We Do NOT:

  • Sell your personal data to third parties
  • Share your data for advertising purposes
  • Use your review data to train AI models for other customers

4. Data Security

We implement industry-standard security measures:

  • Encryption: All data is encrypted in transit (TLS) and at rest
  • Access Controls: Role-based permissions limit data access
  • Authentication: Secure OAuth 2.0 for third-party integrations
  • Infrastructure: Hosted on secure, SOC 2 compliant servers (Supabase)

5. OAuth Token Management

5.1 How We Handle Access Tokens

  • Storage: Encrypted at rest using AES-256 encryption in a secure database
  • Access: Only used by our backend servers, never exposed to browsers
  • Refresh: Tokens automatically refreshed before expiration to maintain connection
  • Revocation: Immediately revoked and deleted when you disconnect an integration
  • Scope Limitation: We only request the minimum permissions needed for review management

5.2 Token Permissions by Platform

We only request the minimum permissions needed for review management:

  • Google Business Profile: Read business information and reviews (business.manage scope required by Google API)
  • Facebook Pages: Read page reviews and engagement metrics (pages_read_engagement)
  • Salesforce/Zoho CRM: Read/write CRM contacts and cases for review sync
  • Shopify: Read product reviews and order data

5.3 You Control Access

You can revoke Echo's access to your accounts at any time:

  • Within Echo: Dashboard → Integrations → Disconnect button
  • In Google: myaccount.google.com/permissions → Remove Echo access
  • In Facebook: facebook.com/settings → Business Integrations → Remove Echo
  • In Salesforce/Zoho: Remove Echo from Connected Apps in your admin settings

When you revoke access, all tokens are immediately deleted from our servers.

6. Data Retention

  • Account Data: Retained while your account is active
  • Review Data: Retained per your subscription plan limits
  • OAuth Tokens: Retained only while the integration is active, deleted immediately upon disconnection
  • Deleted Accounts: Personal data deleted within 30 days of account closure
  • Backups: Retained for 90 days for disaster recovery, then permanently deleted

7. Data Deletion Process

7.1 User-Initiated Deletion

You can delete your data at any time through multiple methods:

  • Within Echo: Dashboard → Settings → Account → Delete Account button
  • By Email: Request deletion by emailing privacy@splocket.com
  • Processing Time: Deletion completed within 30 days of request
  • Confirmation: You will receive email confirmation when deletion is complete

7.2 What Gets Deleted

When you delete your account, we permanently delete:

  • Your account credentials, password, and authentication data
  • Profile information (name, email, phone, company details)
  • All review data synced from connected platforms
  • CRM integration data and mappings
  • Email campaign history and templates
  • All OAuth access tokens and refresh tokens (immediately revoked)
  • Usage analytics tied to your account
  • QR codes and marketing materials

7.3 What We Retain (Legally Required)

For legal and regulatory compliance, we retain:

  • Billing Records: Transaction history for 7 years (required for tax compliance)
  • Anonymized Analytics: Aggregate usage statistics with no personal identifiers
  • Security Logs: Audit logs for fraud prevention and security incidents (90 days)

7.4 Third-Party Data

Important: Deleting your Echo account does NOT delete:

  • Your original reviews on Google, Facebook, Trustpilot, etc. (these remain on their platforms - contact them directly to delete)
  • Data in your connected CRM systems (Echo only disconnects and stops syncing; it does not delete CRM records)
  • Data in your Shopify, Salesforce, or other integrated platforms

To delete data from these platforms, you must contact each platform directly and follow their deletion procedures.

8. Your Rights

You have the right to:

  • Access: Request a copy of your personal data in machine-readable format
  • Correction: Update inaccurate or incomplete data at any time
  • Deletion: Request deletion of your data ("right to be forgotten" under GDPR)
  • Portability: Export your data in CSV or JSON format
  • Opt-Out: Unsubscribe from marketing emails (compliance emails still sent)
  • Object: Object to processing of your data for certain purposes
  • Restrict: Request limitation of how we process your data

To exercise these rights, contact us at privacy@splocket.com. We will respond within 30 days.

9. Cookies

We use cookies for:

  • Essential: Authentication, security, session management (cannot be disabled)
  • Analytics: Understanding how you use our platform (Google Analytics)
  • Functionality: Remembering your preferences and settings

You can disable non-essential cookies in your browser settings, but this may affect functionality. Essential cookies are required for the platform to work.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission and other relevant data protection authorities.

11. Children's Privacy

Our services are not intended for individuals under 18. We do not knowingly collect data from children. If we discover we have collected data from a child, we will delete it immediately.

12. Changes to This Policy

We may update this policy periodically to reflect changes in our practices or legal requirements. We'll notify you of significant changes via email or platform notification at least 30 days before changes take effect. Continued use of Echo after changes constitutes acceptance of the updated policy.

13. Contact Us

For privacy questions or concerns:

  • Email: privacy@splocket.com
  • Support: https://echo.splocket.com/support
  • Data Protection Officer: dpo@splocket.com

14. GDPR Compliance (EU Users)

Legal Basis for Processing

  • Contract: To provide our services as agreed in Terms of Service
  • Consent: For marketing communications (can be withdrawn anytime)
  • Legitimate Interest: To improve our platform, prevent fraud, and ensure security

EU Data Subject Rights

EU users have additional rights under GDPR including data portability and the right to lodge a complaint with your local supervisory authority.

15. CCPA Compliance (California Users)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to Know: What personal information is collected, used, shared, or sold
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt-out of sale of personal information (we don't sell your data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices

To exercise CCPA rights, email ccpa@splocket.com or use our data request form at echo.splocket.com/privacy-request.


Effective Date: February 20, 2026
Company: Splocket, Inc.
Product: Echo by Splocket
Version: 2.0