Privacy Policy

1. Introduction

Ekhos ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Unified Cross-Platform Broadcast Center service ("the Service").

By using Ekhos, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. Information We Collect

2.1 OAuth Tokens and Authentication Data

When you connect your Slack, Microsoft Teams, or Google Chat accounts to Ekhos, we collect and store:

• OAuth Access Tokens: Used to send messages on your behalf
• OAuth Refresh Tokens: Used to maintain continuous access without requiring re-authentication
• Token Expiration Metadata: To proactively refresh tokens before they expire
• Workspace/Tenant Information: Names and IDs of connected Slack workspaces, Teams tenants, and Google Chat accounts

Security: All OAuth tokens are encrypted at rest using AES-256 encryption. We implement strict access controls and never log raw tokens to files or console outputs.

2.2 Message Content and Metadata

We process the following information related to your broadcasts:

• Message Text: The content you compose in the rich text editor
• Formatting Data: Bold, italics, lists, blockquotes, hyperlinks, code blocks
• Emojis: Unicode emoji characters you include in messages
• Media Attachments: Images, PDFs, and other files you upload (temporarily stored during delivery)
• Destination Channels: Lists of channels, workspaces, and platforms you select for broadcasting

Retention: Message content is retained temporarily during the delivery process and then deleted. We do not permanently store the content of your messages unless required for troubleshooting with your explicit consent.

2.3 Channel and Workspace Data

To provide channel selection functionality, we collect:

• Names and IDs of channels you have access to
• Channel types (public, private, direct message)
• Workspace/tenant names and identifiers
• Your membership status in each channel

This data is refreshed periodically to ensure accuracy and is stored only for the duration of your account.

2.4 Audit Logs and Delivery Records

For accountability and compliance, we maintain comprehensive audit logs containing:

• Broadcast ID (unique identifier for each broadcast)
• User identity (who initiated the broadcast)
• Destination channels and platforms
• Scheduled vs. actual send timestamps
• Delivery status (Sent, Failed, Pending)
• Error messages for failed deliveries
• Retry attempts and outcomes

Retention: Audit logs are retained for compliance and troubleshooting purposes. You may request deletion of audit logs upon account termination, subject to legal retention requirements.

2.5 Account Information

We collect basic account information from your connected platforms:

• Email address
• Full name
• Profile picture (optional)
• User ID from connected platforms

2.6 Usage Data and Analytics

We automatically collect certain information about your use of the Service:

• Login timestamps and frequency
• Number of broadcasts sent
• Number of channels selected
• Feature usage patterns (e.g., scheduling, channel groups)
• Error rates and performance metrics
• Browser type, device type, and operating system
• IP address (for security and fraud prevention)

3. How We Use Your Information

3.1 To Provide the Service

• Authenticate you with Slack, Microsoft Teams, and Google Chat
• Retrieve lists of channels you have access to
• Translate your message into platform-specific formats
• Send messages to your selected channels on your behalf
• Upload media attachments to destination platforms
• Schedule messages for future delivery
• Implement rate limiting to comply with platform quotas
• Retry failed message deliveries

3.2 To Maintain Audit Logs

• Track delivery status for accountability
• Provide you with delivery confirmation and error reports
• Enable compliance with organizational policies
• Support troubleshooting and customer support

3.3 To Improve the Service

• Analyze usage patterns to identify popular features
• Monitor performance and identify bottlenecks
• Detect and fix bugs
• Develop new features based on user needs

3.4 To Communicate With You

• Send service announcements and updates
• Respond to your inquiries and support requests
• Notify you of changes to Terms or Privacy Policy
• Send security alerts (e.g., unusual login activity)

3.5 For Security and Fraud Prevention

• Detect and prevent unauthorized access
• Identify and block abusive or malicious activity
• Comply with legal obligations and law enforcement requests

4. Data Sharing and Disclosure

4.1 Third-Party Platform APIs

To deliver your messages, we share data with third-party platforms:

• Slack: Message content, channel IDs, OAuth tokens
• Microsoft Teams: Message content, channel IDs, OAuth tokens
• Google Chat: Message content, channel IDs, OAuth tokens

These platforms have their own privacy policies governing how they handle your data. We recommend reviewing:

• Slack Privacy Policy: https://slack.com/privacy-policy
• Microsoft Privacy Statement: https://privacy.microsoft.com/en-us/privacystatement
• Google Privacy Policy: https://policies.google.com/privacy

4.2 Service Providers

We may share data with trusted service providers who assist in operating the Service:

• Cloud Hosting Providers: For infrastructure and data storage
• Analytics Services: For usage analytics and performance monitoring
• Email Services: For transactional emails and notifications

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal processes (e.g., subpoenas, court orders)
• Law enforcement requests
• National security requirements
• Protection of our rights, property, or safety
• Prevention of fraud or illegal activity

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and provide options regarding your data.

4.5 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Data Storage and Security

5.1 Encryption

• At Rest: All OAuth tokens are encrypted using AES-256 encryption
• In Transit: All data transmission uses TLS 1.2 or higher
• Database Encryption: Sensitive fields are encrypted at the database level

5.2 Access Controls

• Role-based access control (RBAC) for internal systems
• Multi-factor authentication (MFA) for administrative access
• Regular access audits and principle of least privilege
• Secure credential management for service accounts

5.3 Token Lifecycle Management

• Proactive Refresh: Tokens are refreshed before expiration to maintain service continuity
• Secure Storage: Tokens are never logged or exposed in error messages
• Immediate Revocation: Tokens are deleted immediately upon account disconnection or termination

5.4 Security Monitoring

• Real-time monitoring for suspicious activity
• Automated alerts for security incidents
• Regular security audits and penetration testing
• Incident response plan for data breaches

5.5 Data Location

Your data is stored in secure data centers. We may transfer data across borders to provide the Service. By using Ekhos, you consent to such transfers in accordance with this Privacy Policy.

6. Data Retention

6.1 OAuth Tokens

Stored for the duration of your account and deleted immediately upon disconnection or account termination.

6.2 Message Content

Retained temporarily during the delivery process (typically minutes to hours) and then deleted. Message content is not permanently stored unless you explicitly request retention for troubleshooting.

6.3 Media Attachments

Uploaded media is stored temporarily in encrypted cloud storage with a short TTL (Time-to-Live), typically 24-48 hours, and then automatically deleted.

6.4 Audit Logs

Retained for compliance and troubleshooting purposes. Default retention period is 12 months, after which logs are archived or deleted. You may request deletion upon account termination, subject to legal requirements.

6.5 Account Information

Retained for the duration of your account. Upon account termination, personal information is deleted within 30 days, except as required for legal compliance.

7. Your Rights and Choices

7.1 Access and Portability

You have the right to access your personal data and request a copy in a portable format. Contact us at privacy@ekhos.io to request your data.

7.2 Correction

You may update your account information at any time through the Service settings. For assistance, contact support@ekhos.io.

7.3 Deletion

You may request deletion of your account and personal data by contacting privacy@ekhos.io. We will delete your data within 30 days, except as required for legal compliance or legitimate business purposes.

7.4 Disconnect Platforms

You may disconnect any or all connected platforms (Slack, Teams, Google Chat) at any time through the Service settings. OAuth tokens for disconnected platforms are immediately deleted.

7.5 Opt-Out of Communications

You may opt out of non-essential communications by clicking "unsubscribe" in emails or updating your notification preferences in the Service settings. You cannot opt out of essential service communications (e.g., security alerts, Terms updates).

7.6 Do Not Track

We do not currently respond to "Do Not Track" browser signals. We use analytics only for service improvement and do not engage in behavioral advertising.

8. Cookies and Tracking Technologies

8.1 Essential Cookies

We use essential cookies to maintain your session, authenticate you, and provide core functionality. These cookies are necessary for the Service to function and cannot be disabled.

8.2 Analytics Cookies

We use analytics cookies to understand how users interact with the Service. This helps us improve performance and user experience. You may disable analytics cookies through your browser settings.

8.3 Third-Party Cookies

OAuth authentication flows may set cookies from Slack, Microsoft, and Google. These are governed by the respective platforms' privacy policies.

9. International Data Transfers

Ekhos may transfer your data to countries outside your country of residence. We ensure appropriate safeguards are in place, including:

• Standard contractual clauses approved by regulatory authorities
• Adequacy decisions by relevant data protection authorities
• Compliance with applicable data protection frameworks

10. Children's Privacy

Ekhos is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it immediately. If you believe we have collected data from a child, please contact us at privacy@ekhos.io.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information we collect, use, and share
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of the sale of personal information (Note: We do not sell personal information)
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, contact us at privacy@ekhos.io with "CCPA Request" in the subject line.

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

• Right of Access: Obtain confirmation of data processing and access to your data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restriction: Limit how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for data processing at any time

To exercise these rights or file a complaint with a supervisory authority, contact us at privacy@ekhos.io.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours of discovery
• Provide details about the nature of the breach
• Explain the potential impact and steps we are taking
• Recommend actions you can take to protect yourself
• Notify relevant regulatory authorities as required by law

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated Privacy Policy on our website
• Sending email notifications to registered users
• Displaying in-app notifications

The "Last Updated" date at the top of this Privacy Policy indicates when it was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy Inquiries: privacy@ekhos.io
• Data Protection Officer: dpo@ekhos.io
• General Support: support@ekhos.io
• General Inquiries: hello@ekhos.io

Effective Date: January 19, 2026
Version: 1.0