
Privacy Policy

Effective: 15 March 2026 · Version: 1.0 Beta

This Privacy Policy explains how evidion ("we", "us", "our") collects, uses, stores, and shares personal data when you use the evidion beta platform ("Service"). We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR).

Data Controller
evidion, Munich, Germany
contact@evidion.dev · evidion.dev

Data Protection Officer
No DPO has been appointed. evidion currently qualifies as a small entity under GDPR Art. 37(1) and is not required to designate a DPO. For all data protection matters, contact contact@evidion.dev.

1. Data We Collect

1.1 Account Data

When access is provisioned for you, we collect and store the following:
  • Name and email address
  • Hashed password (never stored in plain text)
  • Access request date and account creation date

1.2 Uploaded Documents & Inputs

Any documents, text, or other content you upload or submit for processing ("User Data"), including technical documentation, system descriptions, and engineering data.

1.3 Usage & Analytics Data

We collect anonymized usage data to understand how the Service is used and to improve it, including:
  • Feature usage patterns (modules used, session duration)
  • Error logs and performance metrics
  • Browser type, device type, and approximate geographic region

1.4 Support & Communications

When you contact us via email or in-app feedback, we collect your message content and contact details to respond to your inquiry and improve the Service.

1.5 Session & Local Storage

The Service uses technically necessary browser session storage and local storage mechanisms to maintain your authenticated session and preserve in-progress work. These are not used for tracking or advertising purposes.

2. Legal Basis for Processing

  • Contractual necessity (Art. 6(1)(b)): Account data is processed to provide you access to the Service.
  • Legitimate interests (Art. 6(1)(f)): Usage analytics and service communications (onboarding, product updates) are processed to improve the Service and keep you informed. These interests are balanced against your privacy rights.
  • Consent (Art. 6(1)(a)): Where you have explicitly agreed via the in-app consent screen, User Data may be used for model quality assurance during the Beta Period. You may withdraw this consent at any time.

3. Where Your Data Is Processed

3.1 Infrastructure Overview

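| Processor           | Purpose                 | Location         | Transfer Mechanism                   |
|---------------------|-------------------------|------------------|--------------------------------------|
| Microsoft Azure     | App hosting, containers | EU (West Europe) | Data stays in EU                     |
| Supabase (via AWS)  | Database & storage      | EU region        | Data stays in EU                     |
| Google LLC (Gemini) | AI safety assessment    | United States    | Standard Contractual Clauses (SCCs)  |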

3.2 Primary Storage – EU

Account data and User Data are stored in Supabase, operating on EU-region infrastructure (via AWS EU). Frontend and backend application containers run on Microsoft Azure in the EU (West Europe). Data stored in these systems does not leave the EU.

3.3 AI Processing – United States

Text inputs you submit for safety assessment generation are transmitted to Google LLC's Gemini AI Studio, operating in the United States. This constitutes a transfer of personal data to a third country under GDPR Chapter V.

Legal transfer mechanism: This transfer is covered by Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46(2)(c), as provided under Google LLC's Data Processing Terms. No profiling or automated decision-making under GDPR Art. 22 occurs. AI outputs are used solely to assist human reviewers.

4. Data Retention

We retain your personal data for the duration of the Beta Period and up to 90 days thereafter, unless you request earlier deletion. At the end of this period, all personal data and User Data are permanently deleted from our systems.

Anonymized and aggregated analytics data, which can no longer identify individuals, may be retained for longer periods for product improvement purposes.

5. Data Sharing

We do not sell your personal data. We share data only with the sub-processors listed in Section 3 and only to the extent necessary to provide the Service. No other third parties receive your personal data.

6. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction of processing (Art. 18): Request that we limit how we process your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at contact@evidion.dev. We will respond within 30 days. You also have the right to lodge a complaint with your supervisory authority. In Germany: the relevant Landesbeauftragter für Datenschutz (for Bavaria: BayLDA, www.lda.bayern.de).

7. Technical & Organisational Measures (TOMs)

We implement the following measures to protect your data:

  • Encryption in transit: TLS 1.2+ on all connections
  • Encryption at rest: AES-256 across all storage layers
  • Access control: Role-based access, provisioned accounts only
  • Authentication: Secure password hashing (bcrypt)
  • Infrastructure: ISO 27001 / SOC 2 Data Centers
  • Data minimisation: Only necessary data collected
  • Incident response: 72-hour notification (Art. 33)

8. Cookies & Browser Storage

The Service uses only technically necessary cookies for authentication and session management. No tracking, advertising, or analytics cookies are used. No cookie consent banner is required for technically necessary cookies under GDPR Recital 47.

In addition to cookies, the Service uses session storage and local storage in your browser to maintain your authenticated session and preserve in-progress work. These mechanisms are technically necessary and do not contain personal data beyond your session token.

9. Beta Communications

During the Beta Period, we may send you onboarding emails and product update communications. These are processed under legitimate interests (GDPR Art. 6(1)(f)) as necessary service communications, not marketing. You may opt out at any time by contacting contact@evidion.dev.

10. Changes to This Policy

We may update this Privacy Policy as the Service evolves. Material updates will be communicated before they take effect, via email or an in-app notice. Continued use of the Service after notification constitutes acceptance of the updated policy. The current version and effective date are always shown at the top of this document.

11. Contact

For privacy-related questions or to exercise your rights:

evidion
Munich, Germany

© 2026 evidion. All rights reserved.
