Privacy Policy

Last Updated: April 2026

Introduction

Welcome to Echo ("we," "our," or "us"), a product of Splocket. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our review management platform.

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, company name, phone number
• Billing Information: Credit card details (processed securely through Stripe)
• Profile Data: User preferences, settings, profile pictures
• Business Information: Company details, locations, products

1.2 Information We Collect Automatically

• Usage Data: How you interact with our platform, features used, time spent
• Device Information: IP address, browser type, operating system
• Cookies: We use cookies to enhance your experience

1.3 Information from Third Parties

• Review Data: Reviews from Google, Facebook, Trustpilot, Shopify, App Store, Play Store
• CRM Data: Customer information from your connected CRM
• OAuth Data: Basic profile information when you connect integrations

2. How We Use Your Information

We use your information to:

• Provide and improve our review management services
• Aggregate and display reviews from connected platforms
• Generate AI-powered response suggestions
• Send email notifications and campaigns
• Process payments and prevent fraud
• Provide customer support
• Comply with legal obligations

3. Data Sharing

3.1 We Share Data With:

• Supabase: Database and infrastructure provider for secure data storage
• Stripe: Payment processing
• Resend: Transactional email delivery
• OpenAI: AI-powered response generation and sentiment analysis
• Review Platforms: When you respond to reviews through our platform
• Your CRM: When you enable CRM sync features

3.2 We Do NOT:

• Sell your personal data to third parties
• Share your data for advertising purposes
• Use your review data to train AI models for other customers
• Transfer Platform Data received from Meta beyond what is necessary to provide our services

4. Google API Disclosure

5. Data Security

We implement industry-standard security measures:

• Encryption: All data is encrypted in transit (TLS) and at rest (AES-256)
• Access Controls: Role-based permissions limit data access
• Authentication: Secure OAuth 2.0 for third-party integrations
• Infrastructure: Hosted on secure, SOC 2 compliant servers (Supabase)

6. OAuth Token Management

6.1 How We Handle Access Tokens

• Storage: Encrypted at rest using AES-256 encryption in secure database
• Access: Only used by our backend servers, never exposed to browsers
• Refresh: Tokens automatically refreshed before expiration to maintain connection
• Revocation: Immediately revoked and deleted when you disconnect an integration
• Scope Limitation: We only request minimum permissions needed for review management

6.2 Token Permissions by Platform

We only request the minimum permissions needed for review management:

• Google Business Profile: Read business information and reviews (business.manage scope required by Google API)
• Facebook Pages: Read page reviews and recommendations (pages_show_list, pages_read_user_content)
• Shopify: Read product reviews and order data
• CRM Platforms: Read/write CRM contacts and cases for review sync

6.3 You Control Access

You can revoke Echo's access to your accounts at any time:

• Within Echo: Dashboard → Integrations → Disconnect button
• In Google: myaccount.google.com/permissions → Remove Echo access
• In Facebook: facebook.com/settings → Apps and Websites → Remove Echo

When you revoke access, all tokens are immediately deleted from our servers.

7. Data Retention

• Account Data: Retained while your account is active
• Review Data: Retained indefinitely — there is no storage cap on reviews
• OAuth Tokens: Retained only while integration is active, deleted immediately upon disconnection
• Deleted Accounts: Personal data deleted within 30 days of account closure
• Backups: Retained for 90 days for disaster recovery, then permanently deleted

8. Data Deletion Process

8.1 User-Initiated Deletion

You can delete your data at any time through multiple methods:

• Within Echo: Dashboard → Settings → Account → Delete Account button
• By Email: Request deletion by emailing support@splocket.com
• Processing Time: Deletion completed within 30 days of request
• Confirmation: You will receive email confirmation when deletion is complete

8.2 What Gets Deleted

When you delete your account, we permanently delete:

• Your account credentials, password, and authentication data
• Profile information (name, email, phone, company details)
• All review data synced from connected platforms
• CRM integration data and mappings
• Email campaign history and templates
• All OAuth access tokens and refresh tokens (immediately revoked)
• Usage analytics tied to your account
• QR codes and marketing materials

8.3 What We Retain (Legally Required)

For legal and regulatory compliance, we retain:

• Billing Records: Transaction history for 7 years (required for tax compliance)
• Anonymized Analytics: Aggregate usage statistics with no personal identifiers
• Security Logs: Audit logs for fraud prevention and security incidents (90 days)

9. Your Rights

You have the right to:

• Access: Request a copy of your personal data in machine-readable format
• Correction: Update inaccurate or incomplete data at any time
• Deletion: Request deletion of your data ("right to be forgotten" under GDPR)
• Portability: Export your data in CSV or JSON format
• Opt-Out: Unsubscribe from marketing emails (compliance emails still sent)
• Object: Object to processing of your data for certain purposes
• Restrict: Request limitation of how we process your data

To exercise these rights, use the form below or contact us at support@splocket.com. We will respond within 30 days.

10. Cookies

We use cookies for:

• Essential: Authentication, security, session management (cannot be disabled)
• Analytics: Understanding how you use our platform (Google Analytics)
• Functionality: Remembering your preferences and settings

11. International Data Transfers

Your data may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission and other relevant data protection authorities.

12. Children's Privacy

Our services are not intended for individuals under 18. We do not knowingly collect data from children. If we discover we have collected data from a child, we will delete it immediately.

13. Changes to This Policy

We may update this policy periodically to reflect changes in our practices or legal requirements. We'll notify you of significant changes via email or platform notification at least 30 days before changes take effect.

14. Contact Us

For all privacy questions, requests, and concerns:

• Email: support@splocket.com
• Website: splocket.com

15. GDPR Compliance (EU Users)

Legal Basis for Processing

• Contract: To provide our services as agreed in Terms of Service
• Consent: For marketing communications (can be withdrawn anytime)
• Legitimate Interest: To improve our platform, prevent fraud, and ensure security

EU users have additional rights under GDPR including data portability and the right to lodge a complaint with your local supervisory authority.

16. CCPA Compliance (California Users)

California residents have additional rights under the California Consumer Privacy Act. Use the form below to submit a request:

Effective Date: April 2026
Company: Splocket
Product: Echo by Splocket
Version: 3.0