Privacy Policy

EVIDENCEE DMCC Ltd is the data controller for personal data collected through our platform at evidencee.io. We are a UK-based compliance software provider serving subscription businesses subject to the Digital Markets, Competition and Consumers Act 2024.

For data protection queries, contact us at: privacy@evidencee.io

Account and workspace data

• Name, email address, and password (hashed) for user accounts
• Workspace and brand configuration data
• Integration credentials (API keys stored encrypted at rest)
• Billing information (processed by our payment provider; we do not store card numbers)

Compliance and evidence data

• Subscriber event records ingested from Shopify, Stripe, and GoCardless webhooks
• Hashed subscriber identifiers (SHA-256; one-way hash — plain-text subscriber names or email addresses are not stored in the Evidence Vault)
• Notice delivery logs and statuses
• Cancellation journey records and cooling-off case data
• Audit bundle export logs

Usage and technical data

• IP addresses and browser/device information for authentication logs
• Activity logs within the platform (for audit trail purposes)
• Error and performance telemetry

• Platform provision: To operate the EVIDENCEE platform, including user authentication, brand management, and compliance automation.
• Legal basis — contract: Processing necessary to fulfil our contract with you (subscription agreement).
• Legal basis — legitimate interests: Security monitoring, fraud prevention, and platform improvement.
• Legal basis — legal obligation: Retaining records as required by applicable law.
• Communications: Sending service emails (account verification, billing receipts, critical alerts). We do not send marketing emails without explicit consent.

We retain personal data for as long as your account is active plus a reasonable period thereafter:

• Account data: 90 days after account closure
• Evidence vault records: Retained per the data retention settings you configure in your workspace (default: 7 years, as required for DMCC compliance purposes)
• Activity logs: 12 months
• Billing records: 7 years (legal obligation)

We implement appropriate technical and organisational measures to protect your data:

• All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Evidence events signed with SHA-256 payload hashes to ensure integrity
• Subscriber identifiers stored as SHA-256 hashes (one-way, irreversible)
• Role-based access control limiting data access within your workspace
• Regular security reviews and penetration testing
• UK/EU data processing only

We do not sell personal data. We share data only with the named sub-processors below, each operating under a data-processing agreement with us:

• Vercel Inc. — application hosting and edge delivery (UK / EU regions).
• Supabase — managed Postgres database and storage (UK / EU regions).
• Stripe Payments UK, Ltd. — subscription billing and payment processing (governed by Stripe's privacy policy).
• Resend — transactional and platform notification email delivery.
• Legal compliance: If required by applicable UK law, regulator request, or court order.

A complete, current sub-processor list and our notice mechanism for changes are set out in the Data Processing Agreement.

Under UK GDPR, you have the right to:

• Access the personal data we hold about you
• Rectification of inaccurate data
• Erasure (right to be forgotten), subject to legal retention requirements
• Portability of your account data in a machine-readable format
• Restriction of processing in certain circumstances
• Object to processing based on legitimate interests

To exercise any of these rights, contact privacy@evidencee.io. We will respond within 30 days.

We use essential cookies for authentication and security, and we offer optional analytics and marketing categories that are off by default and only set after you actively accept them. We default to denying non-essential cookies until you give consent, and we re-prompt every 12 months in line with ICO guidance.

Full per-cookie detail (name, purpose, duration, provider) and a working “manage preferences” control are on our Cookie Policy page.

We may update this privacy policy from time to time. Material changes will be communicated by email and/or a notice within the platform. Continued use of EVIDENCEE after changes are published constitutes acceptance of the updated policy.

For privacy queries: privacy@evidencee.io

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.