Privacy Policy
Last updated: April 19, 2026
This policy explains what Evelmo collects, why, and what happens with it. Two contexts matter — they're governed by different rules:
- Customer data — the audit events you send us through the API. We process this as a processor on your behalf; you hold the "data controller" role under GDPR. You control it; we store, chain, and return it.
- Account data — the information we collect about you directly when you sign up, use the dashboard, or visit evelmo.com. We are the controller for this data.
Customer data (audit events)
Whatever your application sends to POST /v1/logs is stored verbatim, hashed into the chain, and returned to you on query. Fields include:
- Event descriptors: action, actionType, eventName, occurredAt.
- Actor and target descriptors you attach — these may include user IDs, names, and emails.
- Optional context (IP, user-agent) and metadata (a free-form JSON object).
- Optional groupId for multi-tenant segmentation.
We don't inspect event payloads for content. You decide what to put in them. The docs recommend keeping payloads to audit metadata — no secrets, no payment details, no sensitive categories unless you've disclosed and justified them under the applicable law.
Retention on customer data follows your plan — 7 days on Hacker, 1 year on Startup, 7 years on Pro and Business, with custom windows available to Business-plan customers. Retention is implemented by time-based pruning of events older than the window, not by tampering with the chain.
Subject rights (access, deletion, correction): for customer data we process on your behalf, your end users should contact you. You're the controller. We support you in fulfilling those requests — export endpoints are the tool you use to serve access and portability requests; for erasure, email privacy@evelmo.com and we will action it within 30 days as part of our processor assistance obligations. Our standard Data Processing Agreement covers these obligations formally; a counter-signed copy is available on request.
Account data
When you sign up and use the dashboard, we collect:
- Identity and account data — name, email, organization name. This is managed on our behalf by Clerk (see subprocessors).
- Session data — authentication tokens, session cookies, IP address and user-agent for the dashboard session, managed by Clerk.
- API-key hashes — we store only a hash of each API key, not the key itself.
- Billing data — when paid plans are wired in, payment details will be processed by a PCI-compliant billing provider and listed on the subprocessors page. We never see your card number.
- Service logs — request IDs, endpoints called, response codes, rough timing. Used for operating and debugging the service. Retained for a rolling 90 days.
Website analytics: we use privacy-respecting, cookie-light analytics for evelmo.com to understand which pages prospects visit. No cross-site tracking, no advertising pixels, no selling browsing data.
How we use it
Strictly to operate, secure, and improve the service:
- Provide the service you signed up for.
- Authenticate you and authorize API requests.
- Send transactional email (sign-up confirmation, security alerts, billing notices, subprocessor changes).
- Detect and prevent abuse or misuse.
- Comply with legal obligations we're subject to.
We don't sell your data. We don't share it with advertisers. We don't train machine-learning models on your audit events or account data. We don't repurpose it for any third-party use.
Who we share it with
The service is built on four subprocessors — Google Cloud, MongoDB Atlas, Vercel, and Clerk. Each has access only to the infrastructure-level data necessary for their role. Full details, processing purpose, region, and DPA links are on the subprocessors page. We notify customers at least 30 days in advance of any change.
We may disclose data if legally required — valid subpoena, court order, or binding regulatory demand. Where legally permitted, we'll notify affected customers before complying. We've never received a government data request.
International transfers
Production data is currently stored in Google Cloud's us-central1 region (Iowa, USA). If you're located in the EU, UK, or Switzerland, your data crosses borders when it reaches us. We rely on the EU-US Data Privacy Framework (where applicable) and on the Standard Contractual Clauses as the transfer mechanism — included in our DPA.
EU data residency is under evaluation for Business-plan customers who need it as a hard requirement; get in touch if that's you.
Security
How we protect your data — encryption, access controls, integrity model, incident response — is documented on the security page. In short: encrypted at rest, TLS in transit, hash-chained for tamper evidence, written access limited to the founder, every request traceable.
Cookies
The marketing site uses essential cookies only. The dashboard sets a session cookie (managed by Clerk) so you stay signed in. We don't set advertising cookies, we don't embed third-party tracking pixels, and we don't participate in any ad network.
Your rights
For account data we control, you can:
- Access and export your account and audit data at any time.
- Correct inaccurate information directly in the dashboard, or by emailing us.
- Delete your account — 30-day export window, then deletion within 30 days of written request except where retention is required by law.
- Object to or restrict processing, where the law provides that right (GDPR Articles 18 and 21).
- Lodge a complaint with your local data-protection authority. In the EU, you can find yours at edpb.europa.eu.
To exercise any of these rights, email privacy@evelmo.com. We respond within 30 days.
Children
Evelmo is a B2B tool for developers. It's not directed at anyone under 18, and we don't knowingly collect data from anyone under 18. If you believe we have, email privacy@evelmo.com and we'll delete it.
Changes
If we change how we handle data in a way that affects customers, we'll update this page and notify the admin contact on your account at least 30 days before the change takes effect. The date at the top always reflects the current version.
Contact
Privacy questions, data-subject requests, or DPA requests: privacy@evelmo.com. Security reports: security@evelmo.com. General: hello@evelmo.com.