← Back to home

Legal

Privacy Policy

Effective Date: 1 September 2024  · Last Updated: 24 February 2026

1. About This Policy

This Privacy Policy explains how Spacecubed Foundation Ltd (ABN 58 149 449 972), operating the Echo platform (“Echo”, “we”, “us”, or “our”), collects, holds, uses, and discloses personal information. Echo is an online impact measurement platform that helps organisations measure, map, and analyse the long-term impact of their grants, programs, people, and investments.

This policy applies to all users of the Echo platform, including organisation administrators (“Customer Users”), grant recipients and program participants who submit data via Echo forms (“Form Respondents”), and any other individuals who interact with the platform or our website.

We are bound by the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) (“Privacy Act”). We may update this policy from time to time to reflect changes in our practices or applicable law. Material changes will be posted on our website.

2. Personal Information We Collect

The types of personal information we collect depend on how you interact with Echo.

Customer Users (Foundation and Organisation Staff)

We may collect your name, email address, job title, organisation name, phone number, and account login credentials. We also collect information about your use of the platform, including login activity and actions taken within the platform.

Form Respondents (Grant Recipients, Program Participants, and Stakeholders)

When you complete a form, survey, application, update request, or impact report through Echo at the request of an Echo customer, we may collect the information you provide. This may include your name, contact details, role or position, organisation name, and responses to questions relating to impact, program outcomes, business operations, or financial performance. The specific information collected will depend on the form designed by the customer organisation.

Website Visitors

We may collect your IP address, browser type, device information, and browsing behaviour on our website through cookies and similar technologies.

Information We Do Not Collect

We do not intentionally collect sensitive information (as defined in the Privacy Act) unless it is directly relevant to the services we provide and you have consented to its collection. We do not collect financial information such as credit card or bank account numbers through the platform.

3. How We Collect Personal Information

We collect personal information directly from you when you create an account on Echo, complete a form, survey, or impact report through Echo, communicate with us via email or other channels, or visit our website.

We may also collect personal information indirectly from our customers (the organisations that use Echo) when they provide data for the purpose of setting up their account and portfolio, and from publicly available sources where necessary for the services we provide.

4. Our Role in Handling Your Data

Echo handles personal information in two distinct capacities:

As a service provider on behalf of our customers: When we collect, store, and process data that customers or their Form Respondents enter into the platform, we do so under the customer's instructions and for the purpose of providing the Echo platform services. The customer organisation directs how this data is used, and we process it only as necessary to deliver the services they have engaged us to provide.

For our own operational purposes: We independently collect and use certain information for our own purposes, including website visitor data (analytics, cookies), account administration data (login credentials, support correspondence), and platform usage data to maintain security and improve the service.

5. Why We Collect Personal Information

We collect and use personal information for the following purposes: to provide, operate, and improve the Echo platform and our services; to facilitate the collection and analysis of impact data on behalf of our customers; to generate impact reports and dashboards for our customers; to communicate with you about your account, forms you have been asked to complete, or support requests; to comply with our legal obligations; and to protect the security and integrity of the platform.

We do not use personal information for direct marketing unless you have specifically opted in to receive marketing communications from us.

6. Data Ownership

Customer data belongs to the customer. All data entered into Echo by or on behalf of a customer organisation — including data submitted by Form Respondents in response to customer-initiated forms — is owned by and vested in the customer organisation. Echo does not claim any ownership rights over customer data.

Your data is isolated to your account. Each customer's data is logically separated within the Echo platform. Customer data is never shared with, visible to, or accessible by other Echo customers. Impact data, financial data, business information, form responses, and all other data within a customer's account are isolated to that customer's tenant and cannot be accessed by any other organisation using the platform.

Customers may request a full export of their data at any time. Upon termination of a customer's agreement, we will return or destroy customer data on request in accordance with the terms of our Platform Services Agreement.

7. How We Use Artificial Intelligence

Echo offers optional artificial intelligence (“AI”) features within the platform. Customer organisations may choose to enable AI functions for purposes such as generating summaries, automating reporting workflows, analysing trends, and producing insights from the data within their account. The use of AI features is entirely at the customer's discretion — they are not enabled by default and customers are not required to use them.

If a customer chooses to use AI features, data within their account may be processed by third-party AI providers, which may include Anthropic, OpenAI, Google, and other providers as our technology evolves. When AI features are used, customer data may be transmitted to these providers' infrastructure, which is located outside Australia (primarily in the United States), for processing. Data is transmitted securely and is not retained by AI providers beyond the immediate processing request.

Important commitments regarding AI:

  • Customer data is never used to train third-party AI models or any general-purpose machine learning models.
  • We contractually require all AI providers to refrain from using customer data for any purpose other than providing the processing service to Echo, including model training, benchmarking, or product improvement.
  • Customer data is never shared with AI providers for their own purposes.
  • AI features operate only on data within a customer's own account and at the direction of the customer.
  • AI-generated outputs (such as summaries, reports, and analysis) are treated as customer data and are subject to the same ownership, confidentiality, and privacy protections as all other customer data.
  • Customers can disable AI features for their account at any time.
  • Form Respondents should be aware that if a customer has enabled AI features, data submitted through Echo forms (including application data, survey responses, financial information, and impact reports) may be analysed using AI tools at the customer's direction.

We regularly review our AI practices and our AI provider agreements to ensure they align with this policy and applicable law.

8. Disclosure of Personal Information

We may disclose personal information to:

  • The customer organisation that requested the collection (for example, when a Form Respondent submits an impact report, that data is made available to the relevant customer);
  • Our employees, officers, and contractors who need access to provide and support the platform;
  • Third-party service providers who assist us with hosting, data storage, software development, and platform maintenance; and
  • Government or regulatory authorities where required by law.

We do not sell personal information. We do not share personal information with third parties for their marketing purposes.

Where we disclose personal information to third-party service providers, we require them to handle that information in accordance with the Australian Privacy Principles and this policy.

9. Overseas Disclosure

Some of our third-party service providers may store or process data outside of Australia, including in the United States. This includes AI providers used to power platform features (see Section 7) and infrastructure providers used for hosting and data storage. Where personal information is disclosed overseas, we take reasonable steps to ensure that the overseas recipient handles the information in accordance with the Australian Privacy Principles.

10. Data Security

We take the security of personal information seriously. We implement appropriate physical, electronic, and organisational measures to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These measures include encryption of data in transit and at rest, access controls and authentication requirements, regular backups, and monitoring of platform activity for security incidents.

If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner in accordance with the Notifiable Data Breaches scheme under the Privacy Act.

11. Cookies and Tracking

Our website uses cookies and similar technologies to improve your browsing experience, gather usage statistics, and enable platform functionality. When you first visit the Echo website, you will be presented with a cookie consent notice that allows you to accept or decline non-essential cookies. You can also configure your browser to reject cookies at any time, though this may limit your ability to use certain features of the platform or website. Essential cookies required for the platform to function cannot be disabled.

12. Form Respondents — Your Rights

If you have been asked to fill in a form, survey, application, or update request through Echo by a customer organisation (such as a foundation, investor, or grant-maker), the data you provide is collected by Echo on behalf of that organisation. That organisation is responsible for informing you about why your data is being collected and how it will be used.

All Echo forms include a link to this Privacy Policy at the point of data entry, so that you are informed about how Echo handles your information before you submit it. By submitting a form through Echo, you acknowledge that your data will be collected and processed by Echo on behalf of the customer organisation in accordance with this policy, and that your data may be analysed using AI tools at the customer's direction (see Section 7).

You have the right to ask what personal information is held about you, to request correction of inaccurate information, and to contact the customer organisation directly about how your data is being used. You may also contact us using the details in Section 16 below.

If you believe that providing information through an Echo form is inappropriate or that you have not been properly informed about its use, please contact the organisation that sent you the form, or contact us directly.

13. Retention and Deletion

We retain personal information for as long as necessary to provide our services and to comply with our legal obligations. The following indicative retention periods apply:

Customer data (including Form Respondent submissions) is retained for the duration of the customer's agreement with us. Upon termination or expiry of a customer agreement, the customer may request the return or destruction of their data. Data destruction requests will be completed within 90 days of the request, subject to any legal obligations requiring longer retention. Backups containing customer data are retained for a maximum of 90 days and are then automatically overwritten.

Account and login data for Customer Users is retained for the duration of the customer agreement and deleted within 90 days of account deactivation.

Website analytics data (cookies, browsing behaviour, IP addresses) is retained for a maximum of 26 months.

Once data has been destroyed, it cannot be recovered.

Form Respondents may request deletion of their personal information by contacting us or the relevant customer organisation. Such requests will be handled in consultation with the customer, as the data is owned by them.

14. Rescinding Consent

Customers may rescind their consent for us to hold their data at any time by providing written notice. Upon receiving such notice, we will work with the customer to return or destroy their data in accordance with our Platform Services Agreement.

Form Respondents may withdraw their consent by contacting the customer organisation or by contacting us directly. We will take reasonable steps to action such requests, noting that some data may need to be retained where required by law.

15. Data Processing Agreements

For customers who require a formal Data Processing Agreement (DPA) — for example, organisations subject to the General Data Protection Regulation (GDPR) or other international privacy frameworks — we can provide a DPA addendum to the Platform Services Agreement on request. Please contact us using the details below.

16. Contact Us

If you have any questions about this Privacy Policy, wish to access or correct your personal information, or have a privacy complaint, please contact us:

Echo by Spacecubed Foundation Ltd

Email: hello@echoimpact.io

Address: 45 St Georges Terrace, Perth, Western Australia, 6000

We will respond to your query or complaint within a reasonable time. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au.