Privacy & Trust
Proof of control without invading privacy. Workers get private coaching; management sees anonymised cohorts. You choose the privacy profile.
- Documentation: PIA summary
- Fairness: Fairness review available on request
- Compliance: ISO program overview available on request
Two streams, zero snooping
Echo separates private coaching for workers from cohort-level analytics for management. Supervisors never receive raw conversations. Actionable trends go up; personal coaching stays with the individual.
Private to worker
- Personal coaching and nudges
- Opt-in, mute or reschedule anytime
- Self-service export/delete
- Clear privacy contact
Visible to management
- Team/site cohorts and trends
- Time-to-intervention and control coverage
- ISO 45003 readiness indicators
- Never raw voice or coaching content
Who sees what
Access boundaries by role. Cohorts first, individuals kept private except for predefined urgent safety exceptions.
Worker
- Can see: their own insights, coaching, participation history, “What Echo stores about me.”
- Controls: mute/reschedule, export/delete, channel preference.
- Cannot see: teammates’ data.
Manager
- Can see: cohort heatmaps, leading indicators, time-to-intervention, playbooks, exception alerts.
- Controls: escalation policy, retention, privacy profile selection.
- Cannot see: raw voice, personal coaching, personality labels.
Board
- Can see: ISO 45003 readiness, participation coverage, control evidence, trendlines vs baseline.
- Cannot see: any individual-level data.
- Output: quarterly evidence pack.
Broker/insurer
- Can see: aggregated control evidence released by employer.
- Default: data sharing off; enable per profile.
- Cannot see: person-level data.
Privacy dials
Three predefined profiles; you pick, we enforce, you audit.
- Identity visibility: Worker-only
- Aggregation: Cohort-level
- Escalation: Pre-agreed safety exceptions
- Retention: Minimal, time-bound
- Insurer sharing: Aggregate evidence only
- Identity visibility: Role-based
- Aggregation: Team/site
- Escalation: Defined critical alerts
- Retention: Policy-aligned
- Insurer sharing: Opt-in aggregates
- Identity visibility: Narrowly expanded for critical ops
- Aggregation: Team/site with finer granularity
- Escalation: Rapid, per safety case
- Retention: Hazard-profile driven
- Insurer sharing: Controlled aggregates
We’re building to SOC 2, aligning our controls to the AICPA Trust Services Criteria (Security baseline) and preparing for an independent audit.
Guardrails for workers and managers
Worker guardrails
- Clear opt-in and re-consent
- Mute/reschedule anytime
- Export/delete on request
- Agent tone-matching; no HR-speak
- Escalations only on predefined safety exceptions
Manager guardrails
- No raw voice; no personality labels
- Cohort-only analytics by default
- Audit trail of escalations and actions
- Retention per profile; short by default
- Insurer sharing off unless you enable
Controls & preferences
Worker controls
- Channel choice (phone/WhatsApp/SMS)
- Opt-in/out; mute/reschedule
- Export/delete request
- Privacy contact
Manager controls
- Privacy profile selection
- Escalation policy & routing
- Retention & data residency
- Reporting cadence
Broker/insurer controls
- Sharing off by default
- Aggregate evidence only
- Profile-based access
- Auditable releases
FAQ
Will supervisors hear raw conversations?
No. Supervisors see cohort trends and alerts. Personal coaching stays private to the worker.
Can we prevent named data entirely?
Yes. Choose the Union-strict profile and keep the default exceptions only.
When can an individual be named?
Only for predefined urgent safety exceptions or with explicit consent in high-hazard contexts. Every case is logged and reviewable.
Where can workers read the full Echo terms and rules?
Workers can read the full Echo Pilot Participant Information & Privacy Notice, the Echo Safety & Escalation Rules, and the Echo Worker Terms of Use.
Do workers control their data?
Yes. Opt-in, mute/reschedule, and export/delete are built in. A dedicated privacy contact handles disputes.
How do we prove control to the board or insurer?
Quarterly ISO 45003 readiness, participation coverage, time-to-intervention, and trendlines with an audit trail.
Where is data stored and how is it protected?
Encrypted at rest and in transit, regional residency on request, admin access logs, annual pen test, and an ISO 27001 program.
Does Echo profile personalities for managers?
No. Managers get cohort risk signals and control coverage, not personality labels or private coaching content.
What about unions?
Start with Union-strict. Cohort-only, short retention, and zero insurer sharing by default.
Will this create more admin work?
No. Privacy profiles and escalation rules are predefined. You pick, we enforce, you audit.
Can we test this before rollout?
Yes. The 90-day pilot ships with strict defaults and a ready-to-share evidence pack.
Note: “Exceptions” are narrow, predefined cases tied to clear imminent safety risk. They are disclosed to workers, versioned, and auditable.