Echo Studios Master Privacy Policy

Version 1.0 | Effective Date: 15 December 2025

1. INTRODUCTION

This Privacy Policy explains how Echo Studios AU Pty Ltd ("we", "us", "our") collects, uses, discloses, and protects your personal information across all our brands and services.

This Policy Applies To:

  • Echo Studios (full-service marketing agency)
  • EchoFlow (CRM and marketing automation)
  • EchoSite (website development and hosting)
  • EchoJoy (design and branding services)
  • PhilWeb (founder's portfolio - informational only)

Our Commitment:

We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and, where applicable, the General Data Protection Regulation (GDPR) for our international customers.

2. WHO WE ARE

Data Controller:

Echo Studios AU Pty Ltd
ABN 97 683 957 888 | ACN 683 957 888
Victoria, Australia

Contact Information:

Email: info@echostudios.au
Phone: 0489 074 049

Data Protection Contact:

For privacy-related inquiries: privacy@echostudios.au

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

Account & Business Information:

  • Full name and business/trading name
  • Business registration details (ABN, ACN, EIN, etc.)
  • Business address and physical location
  • Email address and phone number
  • Job title and role
  • Industry and business type

Payment Information:

  • Credit card details (processed and stored by Stripe - we never see your full card number)
  • Billing address
  • Purchase history and transaction records
  • Tax identification information (for GST/invoicing purposes)

Service-Specific Information:

EchoFlow:
  • Customer contact lists you upload to GoHighLevel
  • Email addresses and phone numbers you store in CRM
  • Communication history (emails sent, SMS sent, call logs)
  • Appointment and calendar data
  • Website visitor behaviour and analytics
  • Form submissions from your website
EchoSite:
  • Website content (text, images, videos)
  • Domain registration details
  • Hosting preferences
  • Access credentials for third-party services
  • Design preferences and feedback
EchoJoy:
  • Brand guidelines and assets
  • Design briefs and creative requirements
  • Feedback on design iterations
  • Logo and imagery files
Echo Studios:
  • Marketing strategy documents
  • Campaign performance data
  • Advertising account access (with your permission)
  • Social media account information (with your permission)

Communications:

  • Support tickets and help requests
  • Email correspondence with our team
  • Phone call recordings (with prior notice)
  • Chat messages and feedback
  • Survey responses

3.2 Information We Collect Automatically

Website Usage Data:

  • IP address and location data
  • Browser type and version
  • Device information (desktop, mobile, tablet)
  • Operating system
  • Pages visited and time spent
  • Referral sources (where you came from)
  • Click behaviour and navigation patterns

Service Usage Data:

  • Login times and frequency
  • Features used within our platforms
  • File uploads and downloads
  • API calls and integrations
  • Error logs and technical diagnostics

Cookies & Tracking Technologies:

  • Essential cookies (required for service functionality)
  • Analytics cookies (Google Analytics, Microsoft Clarity)
  • Marketing cookies (if you consent)
  • Session cookies (temporary, deleted when you close browser)
  • Persistent cookies (remain until expiry or deletion)

3.3 Information From Third Parties

Platform Data:

  • GoHighLevel/LeadConnector: CRM data, automation logs, communication records
  • Vercel: Hosting metrics, website performance data
  • GitHub: Code repository access logs
  • Stripe: Payment confirmations and transaction status
  • Google Workspace: Email interactions if you use Gmail
  • Social media platforms: If you connect Facebook, LinkedIn, Instagram accounts

Referral Partners:

  • If someone refers you to us, we may receive your name and contact details
  • Business information from partner directories or associations

Public Sources:

  • Business registration information (ASIC, ABR in Australia)
  • LinkedIn or other public professional profiles
  • Your public website or social media presence
  • Industry directories and associations

4. HOW WE USE YOUR INFORMATION

4.1 Service Provision

To Deliver Our Services:

  • Create and manage your account
  • Process payments and invoices
  • Build and host your website (EchoSite)
  • Set up and manage your CRM (EchoFlow)
  • Create designs and brand assets (EchoJoy)
  • Execute marketing campaigns (Echo Studios)
  • Provide customer support and troubleshooting
  • Send service-related notifications

4.2 Communication

To Keep You Informed:

  • Send account updates and service announcements
  • Notify you of price changes or terms updates
  • Respond to your inquiries and support requests
  • Send invoices and payment reminders
  • Provide onboarding and training resources
  • Share tips for using our services effectively

Marketing Communications (with your consent):

  • Send newsletters and product updates
  • Promote new features or services
  • Invite you to webinars or events
  • Share case studies and success stories
  • Request testimonials and feedback

You can opt out of marketing emails at any time using the unsubscribe link.

4.3 Service Improvement

To Make Our Services Better:

  • Analyse usage patterns and trends
  • Identify and fix bugs or issues
  • Test new features and improvements
  • Conduct customer satisfaction surveys
  • Measure service performance and uptime
  • Optimise website speed and user experience

4.4 Legal & Compliance

To Meet Our Legal Obligations:

  • Comply with Australian tax laws (GST, income tax)
  • Respond to legal requests and court orders
  • Prevent fraud and abuse
  • Enforce our terms and conditions
  • Protect our rights and property
  • Resolve disputes and claims

4.5 Business Operations

To Run Our Business:

  • Financial reporting and accounting
  • Business planning and strategy
  • Risk management and insurance
  • Mergers, acquisitions, or asset sales
  • Internal audits and compliance reviews

5. HOW WE SHARE YOUR INFORMATION

5.1 Service Providers (Data Processors)

We share your information with trusted third-party providers who help us deliver our services:

Essential Service Providers:

Provider | Purpose | Data Shared | Location
GoHighLevel/LeadConnector | CRM platform | Business info, customer contacts, communications | United States
Vercel | Website hosting | Website files, visitor data | Global CDN
GitHub | Code repository | Source code, development logs | United States
Stripe | Payment processing | Payment details, billing info | United States
Twilio | SMS & phone services | Phone numbers, message content | United States
Google Workspace | Email & productivity | Email correspondence | United States
N8N / Zapier | Automation workflows | Integration data | United States

Analytics & Monitoring:

  • Google Analytics (website behaviour)
  • Microsoft Clarity (user experience analysis)
  • Sentry (error tracking and debugging)

All service providers are contractually obligated to:

  • Use your data only for providing services to us
  • Implement appropriate security measures
  • Not disclose your data to others
  • Delete or return data when services end

5.2 Legal Requirements

We may disclose your information if required by law:

  • Court orders or subpoenas
  • Government investigations
  • Law enforcement requests
  • Tax authorities (ATO, IRS)
  • Regulatory bodies (ACCC, FTC)
  • Legal disputes involving our services

We will notify you of legal requests unless prohibited by law.

5.3 Business Transfers

If Echo Studios is involved in a merger, acquisition, asset sale, or bankruptcy:

  • Your information may be transferred to the successor entity
  • You will be notified via email and/or website notice
  • The new entity must honour this privacy policy
  • You may request account deletion before transfer

5.4 With Your Consent

We may share your information with others when you explicitly consent:

  • Integration with your other business tools
  • Access by your team members or contractors
  • Case studies or testimonials (with approval)
  • Partner collaborations on your project
  • Public listings or directories (if you agree)

5.5 Aggregated & De-Identified Data

We may share anonymised, aggregated data that cannot identify you:

  • Industry benchmarks and statistics
  • Usage trends and insights
  • Research and development
  • Public reports and presentations

Example: "EchoFlow customers see an average 3x increase in lead response time" (without identifying any specific customer).

6. DATA SECURITY

6.1 Security Measures

Technical Safeguards:

  • SSL/TLS encryption for data in transit (https://)
  • AES-256 encryption for sensitive data at rest
  • Secure password hashing (bcrypt)
  • Regular security audits and vulnerability testing
  • Firewall and intrusion detection systems
  • Access controls and authentication (2FA where available)
  • Regular software updates and patches

Organisational Safeguards:

  • Employee background checks
  • Confidentiality agreements with all staff
  • Need-to-know access principles
  • Security awareness training
  • Incident response procedures
  • Regular backup and disaster recovery testing

6.2 Platform Security

Third-Party Platform Security:

Since we use enterprise platforms like GoHighLevel, Vercel, and GitHub:

  • These platforms maintain SOC 2 and ISO 27001 certifications
  • They implement industry-standard security practices
  • They conduct regular third-party security audits
  • We are not responsible for security breaches at the platform level

Your Responsibilities:

  • Use strong, unique passwords
  • Enable two-factor authentication where available
  • Keep your login credentials confidential
  • Report suspicious activity immediately
  • Regularly review your account for unauthorised access

6.3 Data Breach Response

If a data breach occurs:

  • Investigation: Assess scope, cause, and impact within 72 hours
  • Notification: Notify affected individuals and relevant authorities as required by law
  • Remediation: Take immediate steps to secure systems and prevent further breach
  • Support: Provide guidance on protecting yourself
  • Review: Conduct post-incident review and implement improvements

Australian customers: Breaches affecting personal information are reported to the Office of the Australian Information Commissioner (OAIC) as required.

GDPR customers: Breaches are reported to relevant EU supervisory authorities within 72 hours.

7. DATA RETENTION

7.1 How Long We Keep Your Data

During Active Service:

  • All data retained for service provision
  • Regular backups maintained

After Service Cancellation:

Data Type | Retention Period | Reason
Account information | 30 days | Allow for reactivation
CRM data | 30 days | Data export period
Website files | 30 days | Purchase option window
Payment records | 7 years | Australian tax law requirement
Invoices | 7 years | Australian tax law requirement
Support tickets | 2 years | Service improvement
Marketing data | Until opt-out | Consent-based

7.2 Data Deletion

You can request data deletion at any time by contacting privacy@echostudios.au

We will delete:

  • Data no longer needed for service provision
  • Data you request to be deleted (subject to legal obligations)

We must retain:

  • Financial records (7 years - tax law)
  • Data subject to legal holds or disputes
  • Aggregated/anonymised data that doesn't identify you

7.3 Backup Data

Data in backups may persist until backups are cycled (typically 90 days). We cannot selectively delete data from automated backups but will ensure it's not restored to active systems.

8. YOUR PRIVACY RIGHTS

8.1 Rights for All Customers

  • Access: Request a copy of your personal information
  • Correction: Request corrections to inaccurate information
  • Deletion: Request deletion (subject to legal obligations)
  • Portability: Export your data in machine-readable format
  • Objection: Object to certain processing activities
  • Opt-Out: Unsubscribe from marketing communications

8.2 Additional Rights for Australian Customers

Under the Australian Privacy Principles (APPs):

  • Right to Know: We must tell you how we collect and use your information
  • Anonymity: You may interact anonymously where practicable (not possible for paid services)
  • Cross-Border Disclosure: We tell you when data goes overseas
  • Complaint Rights: Complain to OAIC if you're unsatisfied

To make a complaint:

  • Contact privacy@echostudios.au
  • We will respond within 30 days
  • If unresolved, contact OAIC: oaic.gov.au | 1300 363 992

8.3 Additional Rights for GDPR Customers (EU/UK)

If you're in the European Economic Area or UK:

Additional Rights:

  • Data Portability: Receive data in structured, commonly used format
  • Restriction of Processing: Request temporary halt to processing
  • Automated Decision-Making: Not subject to automated decisions with legal effect

Legal Basis for Processing:

  • Contract Performance: To provide services you've purchased
  • Legitimate Interests: To improve services and prevent fraud
  • Legal Obligation: To comply with tax and legal requirements
  • Consent: For marketing communications (can be withdrawn anytime)

To exercise GDPR rights, contact: privacy@echostudios.au

8.4 How to Exercise Your Rights

Email: privacy@echostudios.au

Subject Line: "Privacy Request - [Your Request Type]"

Include:

  • Your full name and account email
  • Specific request (access, deletion, correction, etc.)
  • Verification of identity (last 4 digits of payment method or account details)

Response Time:

  • Australian customers: 30 days
  • GDPR customers: 30 days (extension to 60 days if complex)

No Fee: We don't charge for reasonable requests (excessive/repeated requests may incur administrative fees)

9. INTERNATIONAL DATA TRANSFERS

9.1 Where Your Data Goes

Primary Data Locations:

  • Australia: Echo Studios servers and operations
  • United States: GoHighLevel, Vercel, Stripe, Twilio, GitHub, AWS
  • Global: Vercel CDN (distributed worldwide for fast website delivery)

9.2 Cross-Border Transfer Safeguards

When we transfer data internationally, we ensure protection through:

For US Transfers:

  • Standard Contractual Clauses (SCCs) with processors
  • Vendor contracts requiring equivalent protection
  • Regular vendor security audits

For EU/UK Customers:

  • GDPR-compliant transfer mechanisms
  • Standard Contractual Clauses (Article 46 GDPR)
  • Adequacy decisions where applicable

9.3 Your Consent

By using our services, you consent to data transfers as described in this policy. If you're uncomfortable with international transfers, you may not be able to use certain features that rely on these platforms.

10. COOKIES & TRACKING

10.1 Types of Cookies We Use

Essential Cookies (Always Active):

  • Session management and authentication
  • Shopping cart and checkout functionality
  • Security and fraud prevention
  • Load balancing and performance

Analytics Cookies (Can Be Disabled):

  • Google Analytics: Website traffic and behaviour
  • Microsoft Clarity: User experience and heatmaps
  • Hotjar: Session recordings (if implemented)

Marketing Cookies (Requires Consent):

  • Facebook Pixel: Ad retargeting
  • Google Ads: Conversion tracking
  • LinkedIn Insight: B2B marketing

10.2 Cookie Management

Browser Controls:

  • All browsers allow you to block or delete cookies
  • Settings vary by browser (Chrome, Firefox, Safari, Edge)
  • Blocking cookies may limit website functionality

Third-Party Opt-Outs:

  • Google Analytics: tools.google.com/dlpage/gaoptout
  • Google Ads: adssettings.google.com
  • Facebook: www.facebook.com/settings?tab=ads

Our Cookie Consent Tool:

We provide a cookie consent banner on first visit where you can:

  • Accept all cookies
  • Reject non-essential cookies
  • Customise your preferences

10.3 Do Not Track

We currently do not respond to "Do Not Track" browser signals as there is no industry standard for compliance. Instead, use our cookie consent tools or browser settings.

11. CHILDREN'S PRIVACY

11.1 Age Restriction

Our services are not intended for individuals under 18 years of age. We do not knowingly collect information from children.

If we discover we've collected data from a child:

  • We will delete it immediately
  • We will notify parents/guardians if possible
  • We will prevent future collection

If you believe we've collected a child's information: Contact privacy@echostudios.au immediately.

11.2 Business Contacts

If your business serves minors (e.g., youth services, education):

  • You are responsible for complying with children's privacy laws
  • You must obtain parental consent where required
  • You must not input children's data into our systems without proper consent

12. MARKETING COMMUNICATIONS

12.1 What We Send

Service Emails (Cannot Opt Out):

  • Account creation and setup
  • Payment confirmations and invoices
  • Service updates and critical notices
  • Security alerts
  • Password resets

Marketing Emails (Can Opt Out):

  • Product updates and new features
  • Tips and best practices
  • Case studies and success stories
  • Webinar invitations
  • Special offers and promotions

12.2 How to Opt Out

Email Marketing:

  • Click "Unsubscribe" link at bottom of any marketing email
  • Email info@echostudios.au with "UNSUBSCRIBE"
  • Update preferences in your account settings

SMS Marketing:

  • Reply "STOP" to any marketing text message
  • Email hello@echoflow.au with "SMS UNSUBSCRIBE"
  • Opt-out processed within 5 business days

12.3 Your Customer Communications

If you use EchoFlow to send marketing to your customers:

You must comply with:

  • Australian Spam Act 2003 (Australian businesses)
  • CAN-SPAM Act (US businesses)
  • TCPA regulations (SMS/phone - US)
  • CASL (Canadian businesses)
  • GDPR (EU businesses)

Your responsibilities:

  • Obtain consent before sending marketing
  • Include unsubscribe mechanisms
  • Honour opt-out requests promptly
  • Maintain consent records
  • Include your business identity in messages

We may suspend your account for spam violations.

13. CALIFORNIA PRIVACY RIGHTS (CCPA)

13.1 For California Residents

If you're a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Categories of personal information collected, sources, business purposes, and third parties we share with
  • Right to Delete: Request deletion of personal information (subject to exceptions)
  • Right to Opt-Out: Opt out of "sale" of personal information (we do not sell personal information)
  • Right to Non-Discrimination: We won't discriminate against you for exercising CCPA rights

13.2 How to Exercise CCPA Rights

Contact: privacy@echostudios.au

Subject: "CCPA Request - [Your Request Type]"

Verification: We'll verify your identity before processing requests

Response Time: 45 days (may extend to 90 days if complex)

13.3 California "Shine the Light" Law

California residents may request information about disclosures to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing.

14. CHANGES TO THIS POLICY

14.1 How We Update This Policy

We may update this Privacy Policy to reflect:

  • Changes in our services or business practices
  • New legal or regulatory requirements
  • Feedback from customers or regulators
  • Improvements to privacy protection

14.2 Notice of Changes

For Material Changes:

  • Email notification to your account email
  • Prominent notice on our website for 30 days
  • Opportunity to review before effective date

For Minor Changes:

  • Updated "Last Modified" date at top of policy
  • Available at all times on our website

14.3 Your Continued Use

Your continued use of our services after changes take effect constitutes acceptance of the updated policy. If you don't agree with changes, you may cancel your account.

15. CONTACT US

15.1 General Privacy Inquiries

Email: privacy@echostudios.au

Phone: 0489 074 049

Hours: Monday-Friday, 9am-5pm AEST/AEDT

15.2 Brand-Specific Inquiries

  • Echo Studios: info@echostudios.au
  • EchoFlow: hello@echoflow.au
  • EchoSite: hello@echosite.au
  • EchoJoy: hello@echojoy.au

15.3 Data Protection Officer

For complex privacy matters or formal complaints:

Email: dpo@echostudios.au

15.4 Regulatory Authorities

Australia:

Office of the Australian Information Commissioner (OAIC)
Website: oaic.gov.au
Phone: 1300 363 992

European Union:

Your local Data Protection Authority
List: edpb.europa.eu/about-edpb/board/members_en

United Kingdom:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113

16. DEFINITIONS

Personal Information:
Information that identifies or can reasonably identify an individual.
Processing:
Any operation performed on personal data (collection, storage, use, disclosure, deletion).
Data Controller:
Entity that determines purposes and means of processing (Echo Studios).
Data Processor:
Entity that processes data on behalf of controller (GoHighLevel, Vercel, etc.).
Consent:
Freely given, specific, informed, and unambiguous agreement to processing.
Legitimate Interest:
Lawful basis for processing when it's necessary for our business and doesn't override your rights.

Last Updated: 15 December 2025

Version: 1.0

Policy Owner: Echo Studios AU Pty Ltd

By using any Echo Studios services, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy.