Privacy Policy

Echo Impact Agency
Effective Date: 19 September 2025

Who We Are

Echo Impact Agency (“we,” “us,” “our”) provides AI automations for lead generation and workflows. We operate globally and align with UK GDPR/EU GDPR and provide CCPA/CPRA disclosures for US residents.

Legal name / Controller: Echo Impact Agency

Registered address: 8 Blackheath, Colchester, CO2 0AA, England

Website: www.echoimpactagency.com

Privacy contact: [email protected]

Scope & Roles

We act as:

Controller for personal data we collect via our website, prospecting, and our own business operations.

Processor when we handle personal data on behalf of our business clients (e.g., AI automations that interact with clients’ end-customers). In those cases, we process only under our client’s instructions and our agreement with them.

ICO registration: Not currently registered (per your input). We review this regularly and will register/pay the fee if required.

Information We Collect

Depending on how you interact with us, we may process:

Contact details: name, email, phone, address/postcode.

Communications: emails, messages, and call recordings/transcripts (if you call or are called by systems we operate).

Billing data via payment processor: limited payment metadata (we do not store full card numbers).

Operational/technical logs (minimal): basic logs necessary to run and secure the service.

Client-provided data (Processor role): any personal data a client lawfully supplies for us to process in automations/workflows.

We do not intentionally collect special category data. Please avoid submitting sensitive data unless requested and covered by appropriate safeguards.

Cookies & Tracking

We use strictly necessary cookies only to operate our site and services.

We do not use analytics or marketing cookies. If we add them in future, we will update this notice and obtain consent where required.

How We Use Your Data (Purposes & Legal Bases)

We use personal data to:

Provide and operate our services (set up/run AI automations, respond to enquiries, manage accounts) — Contract.

Customer support and operations (communicating with you, troubleshooting) — Contract.

Service improvement, including model tuning (see “AI-Specific Disclosures”) — Legitimate interests with the right to object.

Legal/compliance (records, tax, fraud prevention, enforcing terms) — Legal obligation.

AI-Specific Disclosures

Use for improvement/training: We may use data to improve our services and tune models. Where feasible we anonymise/de-identify data. If personal data is used, we rely on legitimate interests and you may object/opt out at any time by emailing [email protected].

Vendor training: We disable vendor retention for training where controls exist (per your instruction).

Automated decision-making: We do not carry out automated decisions producing legal or similarly significant effects.

Human QA: We do not conduct human review of calls/transcripts by default.

Sharing & Disclosures

We share personal data only as needed to operate our services, including with:

AI model/API providers: OpenAI, Google (for model inference).

Telephony/communications: LeadConnector/LC Phone (and underlying carriers).

CRM/automation: GoHighLevel.

Payments: Stripe.

Scheduling: Calendly.

Cloud/communications providers as required to deliver notifications/hosting.

We require appropriate safeguards and limit processing to our instructions or the provider’s lawful purposes. We do not “sell” or “share” personal information as defined by CCPA/CPRA.

International Data Transfers

Our aim is to process within the UK/EEA where practical. Some providers operate globally. If personal data is transferred outside the UK/EEA, we will implement appropriate safeguards such as the UK IDTA and/or EU Standard Contractual Clauses with UK Addendum, and conduct transfer risk assessments where applicable.

Data Retention

We retain data only as long as necessary for the purposes above or as required by law:

CRM / contact & lead data: 3 years after last activity.

Call recordings & transcripts: 90 days (unless a longer period is required by you as a client or for legal reasons).

Aggregated/cookieless analytics or operational metrics (if generated): 3 years.

Contracts & invoices: 5 years (or longer if legally required).

Backups: rolling 60 days.
When retention expires, data is securely deleted or anonymised.

Security

We apply appropriate technical and organisational measures, including:

Encryption in transit,

Network/IP restrictions, and

access controls/least-privilege appropriate to our systems and vendors, plus incident-response procedures and vendor due diligence.

Your Rights (UK/EU GDPR)

Subject to conditions/exemptions, you may:

Access your data; Rectify inaccuracies; Erase data; Restrict processing;

Port your data; Object to processing (including service-improvement/model tuning);

Withdraw consent where processing relies on consent (without affecting prior processing).

How to Exercise Your Rights

Email: [email protected] with subject “Data Rights Request”.

ID verification: we may ask you to verify identity (e.g., confirm control of your email/phone and limited additional proof if needed).

Response time: we aim to respond within one month (extendable for complex requests; we will notify you).

When we process data for clients (Processor role), please direct your request to the relevant client (Controller). We will assist them as required.

US State Privacy (CCPA/CPRA)

For California residents:

We do not “sell” or “share” personal information as defined by CPRA.

You may request access, deletion, correction, and to limit use of sensitive information (if collected). Submit requests to [email protected].

We will not discriminate against you for exercising your rights.

Children

Our services are not intended for individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will delete it where required.

Contact Us

Questions, requests, or complaints about privacy:
Email: [email protected]
Postal: Echo Impact Agency, 8 Blackheath, Colchester, CO2 0AA, England

You may also lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO).

Changes to This Policy

We may update this policy from time to time. We will post updates on our website and revise the Effective Date above.