Legal

Privacy Policy

Effective May 17, 2026 · Elite Capital Inc. · Toronto, Ontario

Elite Capital Inc. operates the Echo Agents product and the echoagents.io site. We are based in Toronto, Ontario.

This page covers two things. The data we collect from visitors and demo requests on echoagents.io. The data Echo touches inside your tenant once you become a customer.

We keep it short and specific. The full Master Services Agreement you sign at purchase covers production use of Echo in detail.

When you book a call, we collect what the form asks for.

Your name and work email.
Your company and your role.
Your team size.
The workflows you flagged.
Any optional notes you add.

Vercel logs standard server data when you visit the site: IP address, user agent, and the page paths you load.

The site runs without analytics, advertising trackers, or session replay tools.

Echo connects to systems you already run. The exact set depends on your vertical and which agents you deploy. Common connections include Microsoft Outlook or Gmail shared mailboxes, Microsoft Teams, your TMS (Trimble TruckMate, McLeod), your ERP (Oracle Fusion, NetSuite), your EHR (athenahealth, Epic), your dock scheduler (OpenDock), and your ELD provider (Samsara, Motive).

Echo reads only the scopes you grant. Microsoft Graph scopes are limited to the shared mailboxes and Teams channels you assign to each agent. Vendor API scopes are limited to the records and actions each agent needs.

Echo writes back through the same connection: posting a draft to Outlook, filing a ticket in Teams, posting a POD record in TruckMate, posting an invoice in Oracle, updating a chart note in the EHR. Every write respects the autonomy level your team sets per agent and per workflow.

The data Echo reads stays in your tenant. Echo's service runs inside your Microsoft Azure tenant or an equivalent buyer-approved environment.

Postgres stores case state, idempotency keys, extracted fields, audit records, and metrics inside your tenant. It does not store full email bodies, attachments, or PHI unless your contract explicitly approves longer retention for a specific workflow.

Secrets live in Azure Key Vault or your equivalent secret store. Secrets are never in source code or Postgres.

The architecture is the same across verticals. The source systems and the data categories differ.

Carriers. Outlook and Teams for customer service and dispatch. Trimble TruckMate for POD, BOL, detention, and AR. OpenDock for appointments. Samsara or Motive for ELD context.
Oracle ERP. Outlook and Teams for finance team communication. Oracle Fusion or NetSuite for invoices, vendor records, AR, AP, and the GRC audit trail. Documents flow through email and shared drives into the ERP.
Freight & Logistics. Outlook and Teams for shipper and carrier communication. McLeod for tenders, BOLs, settlement, and collections. DAT and Greenscreens.ai for spot-market rate intelligence. EDI 204, 210, and 214 messages where shippers require them.
Regenerative Health. Outlook and Teams for patient communication and intake. EHR (athenahealth, Epic) for chart notes, scheduling, intake forms, consent forms, and claims. HL7 or FHIR connectors where the EHR supports them.

Per-agent scopes and a deeper data-flow walkthrough live on the Security page.

Marketing site form data: to respond to your call request within 24 hours and tailor the demo to your stack.
Server logs: 30 days for security and abuse prevention.
Customer operational data: to perform the work each agent is assigned (classify an email, post a POD, file a detention claim, reconcile a remittance).

We do not sell, rent, or trade your data. We do not use customer data to train third-party foundation models.

Marketing site (echoagents.io)

Vercel, United States. Hosting and edge delivery.
Formspree, United States. Form intake for book-a-call requests.
Google Workspace, United States. Echo team inbox and scheduling.

Live product

Anthropic, United States. Claude Sonnet 4.6 inference for classification and structured extraction. Anthropic does not train on customer inputs.
Microsoft Azure, your tenant in your region. Runtime, Key Vault, Postgres.
Microsoft Graph, your tenant. Mailbox and Teams access where applicable.

Your source systems (Trimble TruckMate, McLeod, Oracle Fusion, NetSuite, athenahealth, Epic, OpenDock, Samsara, Motive, DAT, Greenscreens.ai) stay on your side. Echo connects with customer-scoped credentials and does not host them.

If we add or change a sub-processor that handles your data, we update this page and email active customers.

Marketing site form data: 24 months from your last interaction, then deleted.
Server logs: 30 days.
Customer operational data: handled per your Master Services Agreement. Default retention is short. Auditable case records are retained for the audit window your compliance team requests.
Email bodies: not retained in our Postgres unless your contract explicitly grants longer retention.

You can access, correct, or delete your data. Email jay@echoagents.io and we will process the request within 30 days. We may need to verify your identity first.

Canada (PIPEDA): right to access and correct your information, file a complaint with the Office of the Privacy Commissioner of Canada.
EU and UK (GDPR, UK GDPR): right to access, correction, deletion, portability, restriction, and objection.
California (CCPA, CPRA): right to know, delete, correct, and opt out of sale or sharing. We do not sell or share personal information.

For health vertical customers, Echo Agents operates as a Business Associate under HIPAA. A Business Associate Agreement is signed before any PHI is processed.

Where the EHR supports it, Echo connects through HL7 or FHIR endpoints scoped to the patient records and clinical workflows your team assigns.

PHI fields are redacted from operational logs and case state by default. Echo stores the minimum information needed to continue a workflow. Retention for clinical data is customer-controlled and set in the BAA.

Email jay@echoagents.io to request a BAA. The dedicated security inbox security@echoagents.io is also available.

Marketing data collected through echoagents.io is not PHI and is not subject to a BAA.

For ERP customers operating under SOX, the Audit and Ledger agents write a tamper-evident audit record for every action that affects a financial control: invoice posted, journal created, reconciliation cleared, access change requested.

Segregation of duties is enforced at the scope level. Each agent receives only the read or write scopes its job requires. The Audit agent runs read-only against Oracle GRC and never posts financial transactions.

Audit records are retained for the window your compliance team specifies in the Master Services Agreement.

SOC 2 Type I achieved (August 2025). Type II in progress.
TLS 1.2 or higher for every external connection.
Customer data at rest is encrypted within your Azure tenant.
Vulnerability reports: security@echoagents.io.

The full security write-up lives at /security.

The site and product are built for business buyers. We do not direct them at children under 13 and do not knowingly collect personal data from minors. If you believe a minor submitted information, email jay@echoagents.io and we will delete it.

We post updates here and bump the effective date at the top. Material changes are emailed to active customers and noted at the top of the page. Past versions are available on request.

Elite Capital Inc.
Toronto, Ontario, Canada
jay@echoagents.io for privacy and data requests
security@echoagents.io for security issues

{title}

Privacy Policy