EvalFlow Inc. ("EvalFlow", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our performance management platform and related services (the "Service"). By using EvalFlow, you agree to this Privacy Policy.

1. Who We Are

EvalFlow Inc. is incorporated in Quebec, Canada. Our Service is delivered through US-based cloud infrastructure. For all practical purposes, your data is stored and processed in the United States.

Contact: info@evalflow.com

2. Information We Collect

Information you provide directly:

• Account registration details (name, email address, job title, company name)
• Employee and organizational data you import or enter into the platform (performance reviews, feedback, goals, pulse survey responses, recognition)
• Communications sent to us via support, contact forms, or email

Information collected automatically:

• Usage data (features accessed, actions taken, session duration)
• Technical data (IP address, browser type, device type, operating system)
• Log data for security monitoring and performance optimization

We do not collect:

• Payment card details (processed directly by Stripe)
• Sensitive personal categories (health, biometric, or financial data)

3. How We Use Your Information

We use your information to:

• Provide, operate, and maintain the Service
• Process transactions and manage your subscription
• Send account-related communications (onboarding, support, product updates)
• Monitor platform security and prevent unauthorized access
• Analyze aggregated usage patterns to improve the Service
• Comply with applicable legal obligations

We do not use your data for advertising purposes. We do not sell or rent your personal information to any third party.

4. Subprocessors

EvalFlow uses the following trusted third-party service providers ("Subprocessors") to operate the Service. Each is bound by confidentiality and data protection obligations:

Your data is processed by these subprocessors solely to deliver the Service. We do not authorize subprocessors to use your data for their own purposes.

5. Artificial Intelligence

EvalFlow uses OpenAI to power AI features including the HR Copilot, review suggestions, and performance insights.

• Your data is never used to train or fine-tune any AI model — ours or any third party's
• OpenAI's model training on API inputs is disabled for all EvalFlow data
• AI features process your data in real time to generate responses and are not retained by OpenAI beyond the API call
• If we add or change AI providers in the future, the same protections apply and this policy will be updated

6. Data Security

EvalFlow implements the following security controls:

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Row-Level Security (RLS) enforced at the database level — no cross-tenant data access is possible
• JWT-based authentication with short-lived tokens
• Multi-factor authentication available for all accounts
• Access to production data by EvalFlow personnel is restricted and logged
• Our infrastructure runs on Supabase, which is built on AWS and holds SOC 2 Type 2 certification

No security system is impenetrable. In the event of a data breach affecting your organization, we will notify you without undue delay and in accordance with applicable law.

7. Data Retention and Deletion

• Your data is retained for the duration of your active subscription
• Upon contract termination or written request, all organization data — including backups — is permanently deleted within 90 days
• Deletion confirmation is provided in writing upon request
• You may request deletion of your personal account data at any time by emailing info@evalflow.com

8. Sharing Your Information

We share your information only in the following circumstances:

• Subprocessors: As listed in Section 4, solely to operate the Service
• Legal requirements: When required by law, court order, or government authority
• Business transfers: In connection with a merger, acquisition, or sale of assets, with advance notice to you
• Protection of rights: To enforce our Terms of Service or protect the safety of users

We do not share your data with advertisers, data brokers, or marketing platforms.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

All users:

• Access and review your personal data
• Correct inaccurate data
• Request deletion of your account and associated data
• Receive a copy of your data in a portable format
• Opt out of marketing communications at any time

California residents (CCPA): You have the right to know what personal information we collect, request deletion of your personal information, and opt out of the sale of personal information (we do not sell personal information). To exercise your rights, contact info@evalflow.com.

Canadian users: Your rights are governed by Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25) and Canada's PIPEDA.

We will respond to all verified data rights requests within 30 days.

10. Cookies and Tracking

We use cookies and similar technologies for:

• Maintaining authenticated sessions
• Analyzing platform usage to improve the Service

You can control cookie preferences through your browser settings. Disabling certain cookies may affect platform functionality.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last Updated" date above. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact Us

For privacy-related questions, requests, or concerns:

EvalFlow Inc. Email: info@evalflow.com Website: evalflow.com/privacy

By using EvalFlow, you acknowledge that you have read and understood this Privacy Policy.