Privacy Policy

This Privacy Policy explains how Echt ("Echt", "we", "us", or "our") collects, uses, stores, and protects personal data when you access our AI document fraud detection platform and related services (the "Service").

Echt provides business-to-business ("B2B") software to letting agencies, property managers, and other enterprise customers in the United Kingdom. We are committed to compliance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and applicable privacy laws.

In most cases, your organisation (the "Customer") is the data controller for personal data contained in tenant referencing documents and related case files. Echt acts as a data processor when we analyse documents, generate forensic outputs, and store results on your instructions.

Where Echt collects account, billing, or support information directly from authorised users at a Customer organisation, Echt may act as an independent controller for that administrative data. A Data Processing Agreement ("DPA") is available to enterprise Customers on request and forms part of our contractual relationship where applicable.

Depending on how you use the Service, we may process:

• Account and contact data — names, work email addresses, job titles, authentication credentials, and audit logs relating to authorised users.
• Tenant and applicant documents — payslips, bank statements, identity documents, references, and other files uploaded for verification. These may contain special category data and financial information.
• Derived forensic outputs — metadata extractions, integrity scores, tamper indicators, verdicts, and structured analysis reports generated from uploaded files.
• Technical and security data — IP addresses, device identifiers, session tokens, error logs, and usage telemetry necessary to operate, secure, and improve the Service.

We process personal data for the following purposes:

• To perform our contract with the Customer and deliver document verification services (lawful basis: performance of a contract; Article 6(1)(b) UK GDPR).
• To detect document fraud, forgery, and manipulation on behalf of the Customer (lawful basis: legitimate interests of the Customer and, where applicable, explicit instructions under contract).
• To maintain platform security, prevent abuse, and meet legal obligations (lawful basis: legitimate interests and legal obligation).
• Where special category data is processed within uploaded documents, processing is carried out strictly on the documented instructions of the Customer as controller, for substantial public interest in preventing fraud in housing and tenancy decisions, or other lawful basis identified in the DPA.

When you upload documents relating to prospective or existing tenants, Echt processes those files solely to provide forensic analysis and related outputs you request. We do not use tenant document content to train public-facing AI models unless explicitly agreed in writing with the Customer.

Customers are responsible for providing appropriate privacy notices to data subjects, establishing a lawful basis for referencing checks, and ensuring uploads are limited to what is necessary for tenancy decisions. Echt implements technical and organisational measures designed to protect sensitive documents, including encryption in transit, access controls, and configurable retention options where offered.

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, our agreement with the Customer, or applicable law. Document retention periods may be configured by the Customer or defined in the DPA. Upon termination of services, we will delete or return Customer data in accordance with contractual terms, subject to limited backup retention and legal hold requirements.

We do not sell personal data. We may share data with infrastructure providers, security vendors, and professional advisers who process data on our behalf under written agreements requiring UK GDPR–equivalent protections. A list of material sub-processors is available to Customers on request.

We may disclose information where required by law, court order, or to protect the rights, property, or safety of Echt, our Customers, or others.

Echt is established in the United Kingdom. If personal data is transferred outside the UK, we implement appropriate safeguards such as the UK International Data Transfer Agreement or other mechanisms approved under UK data protection law.

We maintain administrative, technical, and physical safeguards appropriate to the nature of the data processed, including role-based access, monitoring, and secure development practices. No method of transmission or storage is completely secure; Customers should also implement internal controls over user access and document handling.

Where Echt acts as processor, data subjects should direct requests to exercise UK GDPR rights (access, rectification, erasure, restriction, objection, and data portability, as applicable) to the Customer organisation that collected their information.

Where Echt is controller of account or support data, you may contact us using the details below. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

For privacy enquiries, Data Processing Agreements, or sub-processor information, contact:

Echt — Privacy
Email: privacy@echt.ai