Privacy Policy
Last updated: March 20, 2026
1. Who We Are
evalfa.st is operated from within the European Union and is the data controller for your personal data. If you have questions about how we handle your data, contact us at hello@evalfa.st.
2. What We Collect and Why
We collect the minimum data necessary to provide the Service. The table below describes what we collect, why, and the legal basis for each category of processing, as required by GDPR Art. 13(1)(c).
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account, sending reports | Contract performance |
| API endpoint URL | Running security scans | Contract performance |
| Auth headers | Authenticating scan requests (transient) | Contract performance |
| Test prompts & AI responses | Generating reports | Contract performance |
| System prompt (optional) | Improved analysis | Consent |
| Usage analytics | Improving the service | Legitimate interest |
3. What We Don't Store
- API keys or authentication tokens (used once, then discarded)
- Your application's source code
- Your users' data
4. Third-Party Processors
We use the following third-party processors to operate the Service:
- Supabase — Database hosting and authentication (EU region)
- Vercel — Application hosting and analytics
- Hetzner — Scan processing infrastructure (EU)
5. International Data Transfers
Primary processing takes place within the European Union (Hetzner, Supabase). Vercel may process limited data outside the EEA for application hosting. Where transfers occur outside the EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as appropriate.
6. Data Retention
| Data | Retention |
|---|---|
| Account data (email) | Until you delete your account |
| Scan results & reports | 90 days, then auto-deleted |
| API keys/tokens | Never stored |
| Analytics | Aggregated and anonymized |
You can request deletion of your data at any time by contacting us.
7. Data Security
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). We use industry-standard security practices to protect your information.
8. Cookies and Analytics
We use Vercel Analytics to collect anonymized usage data. Vercel Analytics does not use tracking cookies and does not collect personally identifiable information. We do not use advertising cookies or third-party tracking.
9. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time where processing is based on consent (Art. 7(3))
- Lodge a complaint with your local supervisory authority
To exercise any of these rights, contact us at hello@evalfa.st. We will respond within 30 days.
10. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
11. Contact
For privacy questions, contact us at hello@evalfa.st.