Privacy Policy

Last Updated: 25 November 2025

1. Controller

Company: evaluoi.ai

Email: hello@evaluoi.ai

Data Protection Officer: kaisa@evaluoi.ai

2. Data We Collect

We collect the following categories of personal data when you use our Service:

Account Information
  • Email address

  • Display name

  • Password (hashed)

Measurement Data
  • Goals, constructs, and metrics you create

  • Responses submitted by you or participants

  • Triangulation and measurement configuration data

AI Analysis Results
  • Sentiment outputs

  • Identified themes

  • Quantified insights generated from text responses

Usage Data
  • Login timestamps

  • Device and browser metadata

  • Feature usage logs (anonymized after 90 days)

Payment Information
  • Processed securely by Stripe

  • We do not store credit card numbers or full payment details

3. Legal Bases for Processing

We process personal data under the following GDPR legal bases:

  • Consent (Article 6(1)(a))

You provide explicit consent during signup and when granting specific permissions.

  • Contract Performance (Article 6(1)(b))

Processing is necessary to provide the evaluoi.ai Service.

  • Legitimate Interest (Article 6(1)(f))

For security, fraud prevention, and improving the reliability and performance of the Service.

4. Your Rights

Under GDPR, you have the following rights:

  • Right of Access: Export all your data from Dashboard → Settings → Export Data.

  • Right to Rectification: Update your profile information at any time.

  • Right to Erasure: Delete your account, triggering a 30-day soft deletion period before permanent removal.

  • Right to Data Portability: Export data in machine-readable JSON or Excel format.

  • Right to Withdraw Consent: Modify consent settings in your account.

  • Right to Object: Object to processing based on legitimate interest.

To exercise these rights, contact: hello@evaluoi.ai

5. Security

We implement strict security standards to protect your data:

  • Encryption at rest (AES-256)

  • Encryption in transit (TLS 1.3)

  • Database Row Level Security (RLS) for tenant isolation

  • Access controls based on roles and permissions

  • Audit logs retained for 90 days

  • Passwords hashed using industry-standard algorithms

6. Third-Party Processors

We work with the following GDPR-compliant processors:

Supabase
  • Services: Database, Authentication, Storage

  • Location: EU (Frankfurt)

  • Compliance: GDPR, ISO-certified infrastructure

Google (Gemini AI)
  • Services: AI-powered analysis

  • Data Handling: Zero retention; data not used for model training

  • Compliance: Standard Contractual Clauses (SCCs)

Stripe
  • Services: Payment processing

  • Compliance: PCI DSS Level 1 certified

All processors operate under Data Processing Agreements (DPAs) compliant with GDPR Article 28.

7. Data Retention

  • Active accounts: Retained until deletion

  • Deleted accounts: 30-day soft delete, then permanent removal

  • Audit logs: 90 days

  • Admin logs: 1 year

  • Backups: Encrypted backups retained for 90 days

8. Cookies

We use only essential cookies:

  • Session authentication cookies

  • Language preference cookie (fi/en)

We do not use advertising, tracking, or analytics cookies without consent. For details, see our Cookie Policy.

9. Contact