The short version
What we collect: Slack team and user IDs, message content from the channels you tell the bot to watch, the email of the installer (so we can email you about your subscription), and payment metadata via LemonSqueezy.
What we do with it: auto-triage IT requests (categorise, prioritise, summarise), track SLAs, render a dashboard, and DM assignees on deadlines. That's it. We don't train AI models on your data. We don't sell it.
Where it lives: AWS Ireland (eu-west-1). The default AI provider is Google Vertex AI (Belgium region). Enterprise customers can BYOM (bring their own Gemini API key) and route processing through their own GCP project instead.
How long: as long as you stay installed. Uninstall and we hard-delete every workspace record within one hour.
Age restriction. Echo-Synch is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact privacy@echo-synch.com and we'll delete it.
1. Introduction
Welcome to Echo-Synch. This Privacy Policy explains how we collect,
use, share, and protect information in relation to our Slack bot
and the companion web dashboard at app.echo-synch.com
(collectively, the "Service"). Echo-Synch is operated from Rome,
Italy.
Echo-Synch helps IT teams triage requests that arrive in Slack channels — auto-categorising, prioritising, and tracking SLAs on every request. By installing or using Echo-Synch, you agree to the collection, use, disclosure, and procedures this Privacy Policy describes, as well as our Terms of Service and Data Processing Addendum.
2. Information we collect
2.1 Information you provide directly through Slack installation (OAuth)
- Workspace information: Slack Team ID (e.g. T12345ABC) and, where applicable, Enterprise Grid ID.
- Bot authentication: a Bot User OAuth Access Token, the Bot User ID, and the Bot ID.
- Installing user information: the Slack User ID of the individual who performed the installation.
- Installing user email: obtained via the users:read.email scope, used for billing notifications and essential service emails.
Why we collect this. The OAuth scopes are essential for Echo-Synch to be installed, to authenticate with the Slack API, to read messages in monitored channels, to post triage labels and SLA alerts, and to DM assignees when deadlines approach. The full scope list is published in the install URL; every scope has a justification documented at the call site in our bot codebase.
2.2 Information collected automatically during service operation
- Triaged threads. When an IT request arrives in a monitored channel, Echo-Synch stores the thread's Slack channel ID, message timestamp, poster Slack user ID, and the AI-generated summary, category, and priority. We also store the original message text so the dashboard can show it back to you. Original message text is auto-scrubbed after each workspace's configured retention window (default 30 days; configurable per workspace).
- SLA events. When a thread's SLA deadline elapses, we record an event row with the thread ID, event type (first_response_missed or resolution_missed), and timestamp.
- Workspace users cache. We cache the Slack user roster of your workspace (Slack User ID, display name, real name, email if your Slack workspace exposes it via users:read.email, and timezone) so the dashboard's team picker can render without a Slack API round-trip on every page load.
- Subscription metadata. If you subscribe, we store your LemonSqueezy subscription ID, plan (Pro / Enterprise), seat count, period start/end, and the customer-portal URL LemonSqueezy issues us. Card details are held by LemonSqueezy and never reach our servers.
- Operational metadata. Slack channel IDs, message timestamps, label assignments, assignee IDs, and audit logs. Used to render the dashboard and chase SLAs.
- System logs. Application logs (CloudWatch + Sentry error events) auto-expire after 30 days.
AI processing. Message content from triaged threads is sent to your configured AI provider — Google Vertex AI Gemini (Belgium region) by default, or your own model if your workspace has configured Bring Your Own Model (Enterprise BYOM). The AI returns a structured triage decision (label + priority + summary) which we store on the thread row. Your data is never used to train AI models. All workspace records are deleted within one hour of uninstall.
3. Information you provide voluntarily
If you contact support@echo-synch.com, submit a feedback form on this site, or reach out via any other voluntary channel, we collect the information you provide (name, email, message body). We use it solely to respond to you and improve the Service. Legal basis: your consent.
4. How we use your information
- Provide and operate the Service: install/uninstall the bot, run AI triage, track SLAs, render the dashboard, send SLA-warning DMs and breach alerts.
- Improve and maintain the Service: aggregated usage metrics, error logs, performance traces. We never analyse a specific workspace's content to inform product decisions.
- Communicate with you: essential service emails (billing, security, breaking changes). We do not send marketing emails without explicit opt-in.
- Comply with legal obligations: retain records to the extent required by tax, billing, or applicable law.
5. Legal basis for processing (EEA / UK)
| Data category | Legal basis |
|---|---|
| OAuth installation information | Contractual necessity (Art. 6(1)(b) GDPR) |
| Installing user email | Contractual necessity — account administration & billing |
| Triaged threads + SLA events + operational metadata | Legitimate interest (Art. 6(1)(f) GDPR) — providing the triage Service to your team |
| Subscription metadata | Contractual necessity + legal obligation (tax records) |
| Voluntarily-provided feedback | Consent (Art. 6(1)(a) GDPR) |
6. Data sharing and third-party services
We do not sell your personal information. We share data only with the subprocessors below, each of which is contractually bound to process data only on our instructions.
- Slack: we operate as a Slack app and necessarily exchange data with Slack.
- Amazon Web Services (Ireland): hosts our Lambda functions, Aurora Postgres database, SQS queues, and KMS-encrypted secrets.
- Google Cloud / Vertex AI (Belgium): default AI provider for triage and summaries.
- Bring Your Own Model (Enterprise): when configured, message content is sent to your own Google Gemini API key — not ours.
- LemonSqueezy: merchant of record for subscriptions. Stores card details and invoices; we receive only subscription metadata via webhook.
- Cloudflare: DNS, CDN, and email routing for echo-synch.com.
- Resend: transactional email provider for service notifications.
- Sentry: error monitoring. We deliberately disable PII attachment; events contain stack traces and tagged metadata only.
- Legal disclosures: if required by law, court order, or to protect rights and safety.
The complete subprocessor list with locations is published on our Trust Center and in Annex 1 of the DPA.
7. International data transfers
Echo-Synch is operated from Italy (EU). Primary infrastructure runs
in AWS eu-west-1 (Dublin, Ireland) and Google Vertex
AI's Belgium region. For subprocessors located outside the EEA
(LemonSqueezy and Sentry, both US-based), transfers are governed by
the EU Standard Contractual Clauses; both providers self-certify
under the EU–US Data Privacy Framework. BYOM transfers happen
between you and your chosen AI provider; Echo-Synch is not in the
data path.
8. Data storage, security, and retention
8.1 Storage and location
All data is stored in AWS eu-west-1 (Dublin, Ireland). Slack bot tokens are encrypted with AWS KMS before being written to the database; secrets (API keys, signing secrets) are stored in AWS SSM Parameter Store with at-rest encryption.
8.2 Security
TLS 1.2+ in transit (1.3 preferred). AES-256 encryption at rest. Least-privilege IAM. MFA for all internal access. Multi-tenant data is workspace-scoped on every query — tenant data never crosses rows.
8.3 Retention
- OAuth installation information: retained while installed. Deleted within 1 hour of uninstall.
- Installing user email: same — deleted on uninstall, except where retention is required for billing, legal, or dispute resolution.
- Original IT request text: auto-scrubbed after each workspace's configured retention window (default 30 days; admin-configurable). Triage metadata (label, priority, summary) is retained.
- Triaged threads + SLA events + operational metadata: retained while installed. Deleted on uninstall.
- Subscription metadata: retained for the duration of the subscription plus the period required by tax law (typically 7 years for invoice records).
- System logs: auto-deleted after 30 days.
9. Your rights and choices
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data — uninstalling the bot triggers full erasure within 1 hour.
- Restrict processing in certain circumstances.
To exercise any of these, email privacy@echo-synch.com. We respond within 30 days.
9.1 For EEA / UK residents (GDPR)
You additionally have the right to:
- Data portability — receive your data in a machine-readable format.
- Object to processing based on legitimate interest.
- Lodge a complaint with your local Data Protection Authority. In Italy that's the Garante per la protezione dei dati personali.
10. Your California privacy rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights:
- Right to know: the categories of personal information we collect and the purposes.
- Right to delete: request deletion of personal information we hold about you.
- Right to opt out of sale: we do not sell personal information, and have not sold any in the preceding 12 months.
- Right to non-discrimination: exercising these rights doesn't change the price or quality of the Service.
10.1 Categories of personal information collected (past 12 months)
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Slack User ID, Slack Team ID, installer email | Yes |
| Internet/network activity | Message timestamps, channel IDs, label assignments | Yes |
| Professional information | Slack workspace name, IT-team roster | Yes |
| Commercial information | Subscription tier, seat count, payment history (via LemonSqueezy) | Yes |
11. Cookies and similar technologies
Echo-Synch's marketing site (echo-synch.com) uses no tracking cookies and runs no third-party analytics. The dashboard at app.echo-synch.com uses a single first-party session cookie (echo_synch_session) for authentication; it is HTTP-only, Secure, SameSite=Lax, and expires after 7 days. The Slack platform separately uses cookies as part of its OAuth flow — review Slack's Cookie Policy for details.
12. Changes to this Privacy Policy
We may update this Policy as the Service evolves. The "Effective date" at the top of the page reflects the most recent revision. For material changes, we'll notify the installer via email at the address recorded during OAuth.
13. Contact
Questions about privacy, data subject requests under GDPR or CCPA, or general inquiries:
- Email: privacy@echo-synch.com
- General support: support@echo-synch.com
14. Data controller
Echo-Synch (sole proprietor, registered in Rome, Italy) is the data controller for the personal information described above. For DPA-related matters, see our Data Processing Addendum.