EchoDrop Privacy Policy

Effective date: October 10, 2025


Who We Are

EchoDrop is a Software-as-a-Service feedback collection platform that enables individuals and teams to create and share feedback links and receive responses in real time.

  • Data controller: EchoDrop, represented by Aykut Spohr, established in Germany
  • Registered address: Wilhelm-Busch-Straße 23, 59192 Bergkamen, Germany
  • Contact email: contact@echodrop.app

Scope

This policy applies when you:

  • Use the EchoDrop website and web app
  • Create or use an account or workspace
  • Receive emails from us
  • Interact with EchoDrop-powered feedback links

Roles and Responsibilities

EchoDrop as Controller:

EchoDrop acts as a controller for account, workspace, usage, billing metadata, and our direct communications with you.

EchoDrop as Processor:

For the content of feedback you collect via EchoDrop links (and any identifiers you choose to capture), EchoDrop acts as a processor on your documented instructions, governed by a Data Processing Agreement pursuant to GDPR Article 28 and the Commission's controller–processor standard contractual clauses where appropriate.


What Data We Collect

Account and profile:

  • Email address
  • Password (hashed)
  • Optional name
  • Team/workspace membership and roles
  • Invite status for collaboration

Authentication and security:

  • Login timestamps
  • Session identifiers
  • Security logs
  • Multi-factor indicators (if enabled)

Workspace and usage:

  • Workspace settings
  • Collaborators
  • Activity logs
  • In-app events (device/browser type) needed to operate the service

Feedback content (processor context):

  • Responses submitted via your feedback links
  • Any custom fields you configure
  • Optional respondent identifiers you enable
  • Processed under your instructions

Payments and billing:

  • Payments are handled by Dodo Payments
  • EchoDrop receives limited transaction metadata (transaction IDs, status, plan, timestamps)
  • EchoDrop does not store full card details
  • Dodo provides payment infrastructure for subscriptions and one-time purchases

Communications:

  • Support messages
  • Email preferences
  • Newsletter subscription status
  • High-level engagement metrics (opens and clicks) for consented marketing

Cookies and analytics:

  • Cookie identifiers
  • Usage metrics via Google Analytics
  • Page views and event data (subject to Google's privacy and retention controls)

Purposes and Legal Bases

Provide and operate the service:

  • Create and manage accounts and workspaces
  • Authenticate users
  • Enable real-time feedback and collaboration
  • Maintain reliability and availability
  • Legal basis: GDPR Article 6(1)(b) and 6(1)(f)

Payments and billing:

  • Process purchases or subscriptions
  • Prevent fraud
  • Maintain records
  • Legal basis: Article 6(1)(b), 6(1)(c), and 6(1)(f)

Communications:

  • Send transactional emails (sign-up confirmation, password reset)
    • Legal basis: Article 6(1)(b) and 6(1)(f)
  • Send marketing emails (monthly digest/newsletter)
    • Legal basis: Article 6(1)(a) with prior consent and applicable legitimate interest where permitted by law

Analytics and improvement:

  • Measure usage and improve features using Google Analytics
  • Non-essential analytics rely on consent under Article 6(1)(a)
  • Necessary security/operational processing under Article 6(1)(f)

Security and abuse prevention:

  • Detect, prevent, and respond to spam, fraud, and security incidents
  • Legal basis: Article 6(1)(f) and legal obligations under Article 6(1)(c)

Legal compliance:

  • Comply with applicable laws
  • Respond to lawful requests
  • Enforce our terms
  • Legal basis: Article 6(1)(c) and Article 6(1)(f)

Cookies and Analytics

Necessary Cookies:

  • Used for core operations
  • Essential for service functionality

Analytics Cookies:

  • Non-essential analytics cookies require your consent
  • You can withdraw consent at any time through:
    • In-app settings
    • Your browser controls

Google Analytics:

  • Used for usage analytics
  • Google's controls allow configuration of user and event-level data retention
  • Commonly set to 14 months for standard properties
  • Includes other privacy safeguards in GA4

Payments

Payment Infrastructure:

  • Dodo Payments provides the payment infrastructure
  • EchoDrop does not store full payment card details
  • EchoDrop receives only limited billing metadata necessary to:
    • Administer your account
    • Comply with recordkeeping obligations

Payment Methods:

  • Cards and other regionally supported methods
  • Global coverage designed for SaaS and digital products

Email Delivery

Email Service Provider:

  • Transactional and marketing emails are sent via Resend
  • See Resend's privacy policy for their handling of personal data

Email Types:

  • Transactional messages: Necessary to provide the service
    • Legal basis: Article 6(1)(b)
  • Marketing messages: Sent based on your consent
    • Legal basis: Article 6(1)(a)
    • Opt-out available at any time

Data Sharing and Processors

We share personal data with service providers under written terms requiring confidentiality and appropriate security, and we do not sell personal data.

Key processors include:

  • Vercel for hosting in Washington, D.C., USA (iad1, us-east-1)
  • Supabase for database hosting with regions including East US (Ohio, us-east-2)
  • Google Analytics for usage analytics
  • Dodo Payments for payment processing
  • Resend for email delivery

International Transfers

Transfers Outside the EEA:

Given the hosting and selected vendors, personal data may be transferred to countries outside the EEA (e.g., United States).

Safeguards:

  • European Commission's Standard Contractual Clauses for international transfers where required
  • Controller-processor standard contractual clauses or equivalent Article 28 terms for relationships within the EEA

Storage Location

Primary Infrastructure:

  • Application hosting: Vercel's Washington, D.C., USA region (iad1, us-east-1)
  • Database: Supabase's East US (Ohio, us-east-2) region
  • Subject to the safeguards described above

Other Processing:

Some processing activities may occur in other jurisdictions depending on:

  • Your configuration
  • Location of sub-processors
  • Appropriate safeguards applied for each transfer scenario

Retention

General Retention:

  • Personal data is retained only for as long as necessary for the purposes described, or to comply with legal obligations
  • After that period it is deleted or anonymized
  • This is consistent with the GDPR principles of storage limitation and data minimization

Analytics Retention:

  • User and event-level data retention is configurable in Google Analytics
  • Standard options include:
    • 2 months
    • 14 months for GA4 properties

Security

Security Measures:

EchoDrop implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit
  • Access controls
  • Least-privilege practices
  • Consistent with GDPR Article 32 principles

Our Commitment:

No system can be absolutely secure, but EchoDrop works to protect personal data against:

  • Unauthorized access
  • Disclosure
  • Alteration
  • Loss

We regularly review controls for effectiveness.


Your GDPR Rights

Subject to conditions and exceptions, you have the following rights:

  • Right of Access - Request a copy of your personal data
  • Right to Rectification - Correct inaccurate or incomplete data
  • Right to Erasure - Request deletion of your personal data
  • Right to Restriction - Restrict processing of your data
  • Right to Portability - Receive your data in a structured, commonly used format
  • Right to Object - Object to processing of your data
  • Right to Withdraw Consent - Withdraw consent without affecting prior processing
  • Right to Complaint - Lodge a complaint with a supervisory authority

How to Exercise Your Rights:

Contact us at contact@echodrop.app

For data processed as a processor on your behalf (feedback content), EchoDrop will refer relevant requests to the appropriate controller consistent with Article 28.


Children's Privacy

Age Requirement:

  • EchoDrop is not directed to children under 16
  • Personal data from children is not knowingly collected

If Child Data is Identified:

  • Steps will be taken to delete it
  • Or obtain appropriate authorization
  • Consistent with GDPR Article 8 requirements

Controller–Processor Notice for EchoDrop Customers

Your Responsibilities as Controller:

When you use EchoDrop to collect feedback from respondents, you are responsible for:

  • Providing a lawful basis for processing
  • Providing transparent notices to respondents
  • Configuring fields to minimize data collection
  • Honoring data subject rights

EchoDrop's Role as Processor:

EchoDrop processes such data:

  • Under your documented instructions
  • Under Article 28 terms maintained with you
  • Under controller-processor SCCs where applicable

Our Assistance:

EchoDrop will assist with appropriate technical and organizational measures for responding to requests under Articles 12–23 to the extent feasible for processor-handled data.


Changes to This Policy

EchoDrop may update this policy to reflect:

  • Operational changes
  • Legal changes
  • Regulatory changes

Notice of Changes:

  • Updated version will be posted with a new effective date
  • Notice will be provided where required by law

Contact and Supervisory Authority

Contact EchoDrop:

  • Email: contact@echodrop.app

Competent Supervisory Authority (NRW):

  • Name: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
  • Address: Kavalleriestr. 2–4, 40213 Düsseldorf, Germany
  • Email: poststelle@ldi.nrw.de
  • Phone: +49 211 38424-0

Alternative Complaint Options:

You may also lodge a complaint with the supervisory authority in your habitual residence or place of work within the EEA as permitted by GDPR Article 77.


Service Infrastructure References

  • Hosting and edge: Vercel region iad1 (us-east-1, Washington, D.C., USA)
  • Database: Supabase region us-east-2 (East US, Ohio)
  • Analytics: Google Analytics GA4 privacy and retention controls
  • Email provider: Resend (Plus Five Five, Inc.)
  • Payments: Dodo Payments (payments and billing platform)