Privacy Policy

EchoTags (“we”, “us”) provides an NFC-based security patrol logging service for business customers (“Customers”). This Privacy Policy explains how we process personal data in connection with our website and services.

1. Data Controller

EchoTags acts as:

• Controller for data on our own website, billing, and account management.
• Processor when we process scan-related data on behalf of our Customers. In that case, processing is governed by a Data Processing Agreement (DPA) incorporated into our Terms.

2. Personal Data We Process

• Account & billing data (B2B): company name, contact person name, role, email, phone (optional), invoice details.
• Service data: scan records (timestamp, tag ID, assigned location name, user ID or email if your company configures user accounts, and technical logs).
• Technical data: IP address, device/browser information necessary to provide the service securely.

3. Legal Bases (GDPR)

• Contract (Art. 6(1)(b)): to create and manage your business account and deliver the service.
• Legitimate interests (Art. 6(1)(f)): securing the service, preventing abuse, and improving reliability.
• Legal obligation (Art. 6(1)(c)): for tax and accounting requirements.

4. Cookies

We use only essential cookies necessary for core functionality (e.g., authentication session). Analytics cookies are disabled by default and will only be used if you explicitly enable them in the future. See our Cookie Policy.

5. Data Retention

• Billing/account data: retained for up to 7 years to comply with tax law.
• Scan data: retained for the period your company configures or until your subscription ends, after which it is deleted or anonymized within 90 days unless longer retention is requested by law enforcement or your company.
• Technical logs: typically retained up to 180 days for security and troubleshooting.

6. Sharing

• Service providers (e.g., hosting, payment, email) under data processing agreements.
• Authorities when required by law.
• No sale of personal data. No marketing lists are created from service data.

7. International Transfers

Where data is processed outside the EEA, we rely on appropriate safeguards (e.g., Standard Contractual Clauses) and technical measures.

8. Your Rights

Under GDPR you (or your company’s users) may have rights of access, rectification, erasure, restriction, objection, and data portability. For service data where we act as processor, please contact your employer (the Customer). For website/account/billing inquiries, contact contact@echotags.nl.

9. Security

We apply administrative, technical, and physical measures to protect data, including role-based access, encryption in transit, and logging.

10. Contact

For privacy questions or to exercise rights, email contact@echotags.nl. No public office address is listed; business details are available on invoices.

Last updated: 2025-08-12