DSGVO · Art. 13/14 EU 2016/679

Privacy Policy

As of: November 24, 2025 · Version 1.0

1. Controller and Contact

Data Controller

EchoCall LLC
5830 E 2nd St Ste 7000, Casper, WY 82609, USA
E-Mail: team@echocall.de

For EchoCall LLC (US-LLC), a Data Protection Officer is not required according to GDPR Art. 37.

For data protection inquiries, please contact: team@echocall.de

Legal basis: Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)

3. Processing of Customer Data

3.1 Purpose of Processing

We process your data for:

Registration in our system (EchoCall Hub) - Art. 6 para. 1 lit. b GDPR
Contract processing (billing, communication) - Art. 6 para. 1 lit. b GDPR
Provision of our SaaS platform - Art. 6 para. 1 lit. b GDPR
Customer support and technical operations - Art. 6 para. 1 lit. b GDPR
Security and fraud prevention - Art. 6 para. 1 lit. f GDPR
Legal compliance (GDPR, taxes) - Art. 6 para. 1 lit. c GDPR

3.2 Categories of Personal Data

We process the following data:

Name and contact details: First and last name, email, phone
Billing data: Billing address, VAT ID if applicable, bank details
Agent recordings: Conversation content, audio recordings, IP addresses (if activated)
System data: User activities, logins, technical error logs
Uploaded customer data: PDFs, knowledge bases, texts, logos

3.3 Legal Basis

Art. 6 para. 1 lit. b GDPR: Contract fulfillment
Art. 6 para. 1 lit. c GDPR: Legal obligation
Art. 6 para. 1 lit. f GDPR: Legitimate interests (security, operations)

3.4 Retention Period

Customer account: As long as the contract is active + 3 years
Invoices: 10 years (statutory retention requirement)
Agent recordings: According to your configuration (default: 30 days)
Uploaded content: Until deletion or 90 days after contract termination

4. Processing of End-Customer Data by Agents

When processing data through your agents (Voice or Chat), you are the controller (Art. 4 No. 7 GDPR) and we are the processor according to Art. 28 GDPR.

You are responsible for:

The lawfulness of data processing
Obtaining consents (e.g., for call recording)
Providing data protection information to your end customers
Compliance with all GDPR requirements

Important Note:

You can obtain consents through a notice/automatic announcement before the conversation begins. You configure this yourself in the agent prompt.

5. Processing by Sub-processors

We use the following sub-processors (according to Art. 28 para. 4 GDPR):

EchoHubTTS-eu

Purpose: Text-to-Speech, Voice Cloning, AI Model Hosting

Location: EU Servers

EchoCall controls

Ionos

Purpose: Server Hosting

Location: Germany, France

EchoCall has COMPLETE control

N8N (Self-hosted)

Purpose: Workflow automation

Location: Germany (Ionos servers)

EchoCall controls

Google Analytics

Purpose: Website analytics

Location: EU and USA

EchoCall controls

Stripe

Purpose: Payment Processing (Credit Card, SEPA)

Location: USA/EU

Stripe processes payment data per PCI-DSS standard

PayPal (optional)

Purpose: Alternative Payment Method

Location: USA/EU

PayPal processes payment data when selected by user

Important:

EchoCall LLC maintains COMPLETE control over all customer data on Ionos servers (Germany/France). Customer data is NOT transferred to the USA.

Payment Processing:

Payment data (credit card, SEPA, PayPal) is processed exclusively by our certified payment service providers Stripe and PayPal. EchoCall does not store complete credit card data. Processing is based on Art. 6 para. 1 lit. b GDPR (contract fulfillment) and Standard Contractual Clauses (SCCs) according to Art. 46 GDPR.

6. Specifics for Phone Call Recording

6.1 Consent

Recording of telephone conversations is only permissible with prior consent under German law (§ 86 StGB) and EU law. You are responsible for obtaining this consent in accordance with Art. 7 GDPR. We provide the technical means (automatic announcement in the agent prompt).

6.2 Required Announcement

You should configure the following or similar announcement before the conversation begins:

"This conversation is being recorded and transcribed. By participating in this conversation, you consent to the recording."

You are solely responsible for the choice and legality of the wording.

6.3 Retention Period and Deletion

You determine the retention period in the dashboard. After this period expires, recordings are automatically deleted (Art. 5 para. 1 lit. e GDPR - storage limitation). You can manually delete recordings at any time.

7. Cookies and Tracking

7.1 Magic Link Authentication

We use Magic Links instead of passwords. This is not a cookie in the traditional sense. A token is generated and sent via email; after clicking, the session is authenticated.

7.2 Website Analytics (Google Analytics)

We collect anonymous usage data on the website https://echocall.de such as:

Page views
Dwell times
Click behavior
Browser and device information

This data is anonymized (Art. 4 No. 1 GDPR) and used to improve our website. It is NOT linked to customer data from the platform.

7.3 Logging and Technical Data

We collect technical data such as:

IP addresses (for security and error analysis - Art. 6 para. 1 lit. f GDPR)
Login times and locations
Error logs
Platform usage (anonymized where possible)

This data is not shared with third parties except for security analysis or when legally required (Art. 6 para. 1 lit. c GDPR).

8. Your Rights as Data Subject

According to GDPR Chapter III (Art. 12-23), you have the following rights:

Right of access (Art. 15 GDPR): You can learn what data we process about you at any time.
Right to rectification (Art. 16 GDPR): You can have incorrect data corrected.
Right to erasure (Art. 17 GDPR): You can have your data deleted, unless we still need to store it.
Right to restriction (Art. 18 GDPR): You can limit the processing of your data.
Right to data portability (Art. 20 GDPR): You can receive your data in structured form.
Right to object (Art. 21 GDPR): You can object to processing for certain purposes.
Complaint to supervisory authority (Art. 77 GDPR): You can complain to a data protection authority.

Contact for exercising your rights:

team@echocall.de

Subject: "GDPR Access Request" or "GDPR Deletion Request"

We will respond to you within 30 days (Art. 12 para. 3 GDPR).

9. Data Security

We implement comprehensive protective measures (Art. 32 GDPR):

Encryption: TLS/SSL for all transmissions (HTTPS)
Authentication: Magic-link-based (no password storage)
Access control: Role-based Access Control (RBAC)
Regular audits: Penetration tests and security reviews
Incident response: Emergency plan for security breaches
Storage location: All data on German/French servers

Google API Services

Gmail, Google Drive, Google Calendar, Google Sheets

EchoCall uses Google API Services. Access to Google user data is used exclusively for the automation features configured by the user (e.g. sending emails, saving files, creating calendar events, filling spreadsheets). Google user data is not shared with third parties or used for advertising purposes. Access can be revoked at any time via Google Account Settings. Our use complies with the Google API Services User Data Policy, including the Limited Use restrictions.

Revoke access: Google Account Settings

Policy: Google API Services User Data Policy

12. Support and Contact

12.1 Request Data Access

To exercise your rights or obtain information about your stored data, send a request to:

Email: team@echocall.de

Subject: "GDPR Access Request" or "GDPR Deletion Request"

We will respond to you within 30 days (see Art. 12 para. 3 GDPR).

12.2 Complaint to Supervisory Authority

Berlin Commissioner for Data Protection and Freedom of Information (BfDI)

Phone: +49 (0)30 13889-0

Email: info@datenschutz-berlin.de

Website: https://www.datenschutz-berlin.de

13. Changes to This Privacy Policy

We may update this privacy policy at any time to reflect changes in our practices or laws. Major changes will be communicated to you by email.

Valid from: November 2025 · Version 1.0