EvoExtract

Privacy Policy

Last updated: 2 July 2026

This policy explains how Evologics AI Ltd (“EvoExtract”, “we”) processes personal data in the EvoExtract service. It covers both data about you as an account holder (where we are the controller) and personal data contained in the documents your workspace processes (where your organisation is the controller and we are the processor). We process personal data in accordance with the Mauritius Data Protection Act 2017 and, where it applies, the EU GDPR.

1. Data we process

  • Account data — name, email address, hashed credentials (authentication is operated by Supabase), workspace membership and role.
  • Customer documents — the files you upload or connect (invoices, receipts and similar), the data extracted from them, and your corrections.
  • Usage and audit data — API activity, page counts for billing, and an audit log of security-relevant actions (sign-ins, key creation, exports) including IP address and user agent.
  • Support communications — messages you send us.

2. Why we process it

To provide and secure the Service (contract performance); to meter usage and issue statements (contract performance); to maintain audit trails and prevent abuse (legitimate interest / legal obligation); and to send transactional email such as verification, password reset and invitations (contract performance). We do not use your documents to train machine-learning models, and we do not sell personal data.

3. Where data lives and who touches it

Documents, extracted data and account records are stored in Supabase (PostgreSQL and object storage, EU region). The web application runs on Vercel. During extraction, document contents are transmitted to Anthropic (US) — a third-party LLM API — for the duration of the API call. Residency disclosure: this means document contents leave Mauritius/EU while the cloud extraction provider is active. Conditional subprocessors (email delivery, queue hosting, error monitoring, ingestion connectors) are engaged only when the corresponding feature is enabled; the full register is available in our subprocessors documentation and on request.

4. Retention and deletion

  • Customer documents and extracted data are retained while your workspace is active.
  • A workspace admin can permanently delete the workspace (Settings → Workspace). This erases the workspace’s documents from object storage, its database records (including extracted data, API keys and audit history) and its member accounts.
  • Residual copies in encrypted backups expire on the backup retention schedule (up to 30 days).
  • Billing statements may be retained longer where required for tax and accounting.

5. Security

Data is encrypted in transit (TLS) and at rest by the storage provider. Workspaces are strictly isolated; passwords are hashed; API keys and session tokens are stored only as cryptographic hashes; connector credentials are additionally encrypted with AES-256-GCM at the application layer. Access to production systems is restricted and audited.

6. Your rights

Subject to applicable law, you may request access to, correction of, or deletion of your personal data, object to or restrict certain processing, and request portability. For personal data contained in a customer workspace’s documents, we will refer the request to that workspace’s controller. You may also lodge a complaint with the Mauritius Data Protection Office or your local supervisory authority.

7. Cookies

The Service uses only strictly necessary cookies: the authentication session cookie and security-related state (such as OAuth state during connector authorisation). There are no advertising or cross-site tracking cookies.

8. Changes and contact

We will notify workspaces of material changes to this policy in the app or by email. Privacy questions and rights requests: contact Evologics AI Ltd via your workspace support channel.