Privacy & Trust
Proof of control without invading privacy. Workers get private coaching; management sees anonymised cohorts. You choose the privacy profile.
- Documentation: PIA summary
- Fairness: Fairness review available on request
- Compliance: ISO program overview available on request
Two streams, zero snooping
Echo separates private coaching for workers from cohort-level analytics for management. Supervisors never receive raw conversations. Actionable trends go up; personal coaching stays with the individual.
Private to worker
- Personal coaching and nudges
- Opt-in, mute or reschedule anytime
- Self-service export/delete
- Clear privacy contact
Visible to management
- Team/site cohorts and trends
- Time-to-intervention and control coverage
- ISO 45003 readiness indicators
- Never raw voice or coaching content
Who sees what
Access boundaries by role. Cohorts first, individuals kept private except for predefined urgent safety exceptions.
- Can see: their own insights, coaching, participation history, “What Echo stores about me.”
- Controls: mute/reschedule, export/delete, channel preference.
- Cannot see: teammates’ data.
- Can see: cohort heatmaps, leading indicators, time-to-intervention, playbooks, exception alerts.
- Controls: escalation policy, retention, privacy profile selection.
- Cannot see: raw voice, personal coaching, personality labels.
- Can see: ISO 45003 readiness, participation coverage, control evidence, trendlines vs baseline.
- Cannot see: any individual-level data.
- Output: quarterly evidence pack.
- Can see: aggregated control evidence released by employer.
- Default: data sharing off; enable per profile.
- Cannot see: person-level data.
Deep link: #tab=roles:board opens the Board view.
Privacy dials for your context
Start strict, standard, or high-hazard. Every setting is transparent and auditable. Tighten or relax controls to fit workforce, regulation, and risk appetite.
Settings
- Identity visibility: anonymous cohorts only
- Granularity: crew/site aggregates
- Escalation: named only on predefined urgent-safety exceptions
- Participation: opt-in; easy opt-out
- Cadence: monthly
- Retention: 6 months
- Insurer sharing: off
- Audit: all exceptions logged
Preview
Supervisors see cohort heatmaps and intervention timers. Individuals receive private coaching. No named data by default.
{
"profile_name":"Union‑strict",
"identity_visibility":"anonymous",
"granularity":"crew_site",
"escalation_rules":["urgent_safety_exception_only"],
"participation_mode":"opt_in",
"cadence":"monthly",
"retention_months":6,
"insurer_sharing":"off",
"audit_logging":true
}
Settings
- Identity visibility: named to privacy admins; managers see cohorts
- Granularity: team/site with thresholding
- Escalation: named with worker confirmation; urgent-safety auto-escalation
- Participation: opt-in with reminders
- Cadence: fortnightly
- Retention: 12 months
- Insurer sharing: aggregates only, employer-controlled
- Audit: exception catalog versioned
Preview
Cohorts first; named follow-up by consent. Supervisors act on hotspots; individuals get private nudges.
{
"profile_name":"Standard",
"identity_visibility":"privacy_admin_named",
"granularity":"team_site_thresholded",
"escalation_rules":["worker_confirmed","urgent_safety_auto"],
"participation_mode":"opt_in",
"cadence":"fortnightly",
"retention_months":12,
"insurer_sharing":"aggregates",
"audit_logging":true
}
Settings
- Identity visibility: named with explicit consent for safety coaching
- Granularity: team/site and shift-time windows
- Escalation: imminent-harm auto-escalation; full audit trail
- Participation: opt-in with higher-frequency prompts
- Cadence: weekly or shift-based
- Retention: 24 months
- Insurer sharing: aggregates + control coverage, employer-controlled
- Audit: admin access logs enforced
Preview
Faster cadence for hazardous tasks. Escalations are narrow, predefined, and fully auditable.
{
"profile_name":"High‑hazard",
"identity_visibility":"named_with_consent",
"granularity":"team_site_shift",
"escalation_rules":["imminent_harm_auto","audit_full"],
"participation_mode":"opt_in",
"cadence":"weekly_or_shift",
"retention_months":24,
"insurer_sharing":"aggregates_plus_controls",
"audit_logging":true
}
Predefined urgent safety exceptions: threats of self-harm, violence, intoxication at work, imminent critical fatigue. All exceptions are predeclared, narrowly scoped, and audited.
Deep link: #tab=privacy:highhazard opens the High-hazard profile.
Risk stratification, not surveillance
Echo converts weak signals into low/medium/high risk cohorts. Supervisors fix hotspots at the cohort level first. Individuals receive private coaching. Only urgent, predefined safety exceptions trigger a named escalation with an audit trail.
- Buckets before identities
- Exceptions are predefined and narrow
- Every escalation is logged and reviewable
Consent & control
- Opt-in on first contact, plain-language summary
- Mute or reschedule any check-in
- Choose channel: phone, SMS, WhatsApp
- Self-service export/delete request
- Privacy contact for questions or disputes
“What Echo stores about me”
A simple page for workers to review participation, change preferences, and request data export or deletion.
We never share your personal coaching with your manager.
Security & governance
- Encryption in transit and at rest
- Regional data residency available
- Admin console with auditable access logs
- Annual pen test and red-team exercises
- ISO 27001 program in progress; policy set published
- Responsible disclosure program
We’re building to SOC 2, aligning our controls to the AICPA Trust Services Criteria (Security baseline) and preparing for an independent audit.
Request docs
Need the PIA summary, fairness review, or pen test letter for your assessment?
Three real-world setups
Union-heavy city works
Anonymous cohorts, clear exceptions, short retention, zero insurer sharing.
Mixed industrial sites
Cohort-first with named follow-up by consent, reasonable cadence, limited sharing.
High-hazard operations
Faster cadence, explicit consent for named safety coaching, auditable urgent-risk escalations.
Bottom line
Echo gives you actionable cohort insights and a quarterly evidence pack while workers keep privacy and agency. Start strict, adapt as trust grows. Every change is transparent and auditable.
FAQ
Will supervisors hear raw conversations?
No. Supervisors see cohort trends and alerts. Personal coaching stays private to the worker.
Can we prevent named data entirely?
Yes. Choose the Union-strict profile and keep the default exceptions only.
When can an individual be named?
Only for predefined urgent safety exceptions or with explicit consent in high-hazard contexts. Every case is logged and reviewable.
Do workers control their data?
Yes. Opt-in, mute/reschedule, and export/delete are built in. A dedicated privacy contact handles disputes.
How do we prove control to the board or insurer?
Quarterly ISO 45003 readiness, participation coverage, time-to-intervention, and trendlines with an audit trail.
Where is data stored and how is it protected?
Encrypted at rest and in transit, regional residency on request, admin access logs, annual pen test, and an ISO 27001 program.
Does Echo profile personalities for managers?
No. Managers get cohort risk signals and control coverage, not personality labels or private coaching content.
What about unions?
Start with Union-strict. Cohort-only, short retention, and zero insurer sharing by default.
Will this create more admin work?
No. Privacy profiles and escalation rules are predefined. You pick, we enforce, you audit.
Can we test this before rollout?
Yes. The 90-day pilot ships with strict defaults and a ready-to-share evidence pack.
Note: “Exceptions” are narrow, predefined cases tied to clear imminent safety risk. They are disclosed to workers, versioned, and auditable.