EKKO Ltd
How EKKO Handles Data
Last updated: June 2026
This page is maintained by EKKO Ltd to answer common questions about how we look after the data flowing through our websites, CRMs and AI systems for clients in the United Kingdom, Australia, New Zealand and Singapore. It supplements, and does not replace, our Privacy Policy.
Where data lives
Client systems we build are hosted on reputable cloud providers, with hosting region confirmed per project. UK and EU clients are hosted in the UK or EEA by default. For clients in Australia, New Zealand or Singapore we can host in the closest available regional data centre where the underlying provider offers one; otherwise data is hosted in the UK/EEA under appropriate transfer safeguards.
Cross-border transfers
Because EKKO is UK-based, personal data may be transferred to the United Kingdom for support, development and administration. Where applicable, transfers rely on the UK IDTA, the UK Addendum to the EU Standard Contractual Clauses, or equivalent contractual protections. Clients in Australia (Privacy Act 1988 / APPs), New Zealand (Privacy Act 2020) and Singapore (PDPA) are informed of the overseas handling of personal information as required by their local law.
Access control
Production access is limited to named EKKO engineers. Credentials are stored in a managed secret store, not in code, and rotated when team members change.
Encryption
Data is encrypted in transit (TLS) and at rest using the provider's standard encryption. Sensitive secrets are stored separately from application data.
AI systems
Where we use AI features (e.g. WhatsApp receptionists, the website assistant, EKKO Loop®), prompts and responses may be processed by third-party model providers under their data-processing terms, which may involve processing outside your country. We do not use client data to train third-party models.
Backups & retention
Live systems are backed up on a rolling schedule appropriate to the project. Client data is retained for the duration of the engagement plus any statutory requirements, then deleted on request.
Incidents
If we become aware of a security incident affecting your data, we'll notify you without undue delay and work with you to investigate and remediate, following notification duties in your jurisdiction (UK GDPR, Australia's Notifiable Data Breaches scheme, New Zealand's Privacy Act 2020 notification duty, and Singapore's PDPA data-breach notification obligation).
