Logiciel EvalFlow Inc., operating as EvalFlow (“EvalFlow,” “we,” “us,” or “our”), is committed to protecting privacy and safeguarding personal information.

This Privacy Policy explains how we collect, use, disclose, store, protect, and otherwise process information when you visit our website, use the EvalFlow platform, interact with our artificial intelligence features, connect integrations, contact us, or otherwise use our services (collectively referred to as the “Service”).

EvalFlow is a performance management platform that may include features for employee feedback, goals, OKRs, performance reviews, one-on-one meetings, recognition, employee profiles, pulse surveys, analytics, AI-assisted workflows, integrations, notifications, and related HR/performance-management processes.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

If you use EvalFlow on behalf of an organization, company, or employer, that organization is responsible for determining how personal information is collected and used within EvalFlow. In that context, EvalFlow generally acts as a service provider or processor on behalf of the organization.


1. Who We Are

EvalFlow is operated by:

Logiciel EvalFlow Inc.
Operating as EvalFlow
Incorporated in Quebec, Canada
Email: info@evalflow.com
Website: https://www.evalflow.com

EvalFlow is based in Canada and uses cloud infrastructure and service providers that may process and store information in Canada, the United States, and other jurisdictions.

For data submitted by customers into the EvalFlow platform, EvalFlow generally acts as a processor or service provider. The customer, such as your employer or organization, generally acts as the controller or business responsible for deciding why and how that data is processed.


2. Scope of this Privacy Policy

This Privacy Policy applies to information processed by EvalFlow when:

a. you visit our website;
b. you create or use an EvalFlow account;
c. your organization uses EvalFlow;
d. you interact with EvalFlow features, including AI features;
e. you contact us for support, sales, billing, or general inquiries;
f. you subscribe to emails or communications;
g. you connect or use integrations; or
h. you otherwise interact with EvalFlow.

This Privacy Policy does not replace the privacy notices, employee notices, HR policies, consent forms, or internal policies of the organization that uses EvalFlow.

If your employer or another organization uses EvalFlow to process your information, that organization is primarily responsible for explaining how and why your information is used. EvalFlow may redirect privacy requests relating to customer-controlled data to the relevant customer.


3. Information We Collect

We collect information in the following ways.

3.1 Information You Provide Directly

We may collect information you provide directly, including:

a. name;
b. email address;
c. job title;
d. company or organization name;
e. account registration details;
f. login and authentication information;
g. support requests and communications;
h. billing and subscription-related information;
i. demo requests and contact form submissions;
j. feedback or messages you send to us; and
k. other information you choose to provide.

3.2 Customer and Employee Data Entered into the Platform

Customers and authorized users may submit, upload, generate, or process data through EvalFlow, including:

a. employee profiles;
b. names and business contact information;
c. job titles and departments;
d. reporting relationships;
e. goals and OKRs;
f. performance feedback;
g. performance reviews and ratings;
h. recognitions;
i. pulse survey responses;
j. one-on-one meeting notes;
k. tasks, projects, and comments;
l. AI prompts and AI-generated outputs;
m. integration data enabled by the customer;
n. usage logs and audit logs; and
o. other HR or performance-management information submitted by the customer or its users.

This information is referred to as “Customer Data.”

The customer is responsible for ensuring that it has the required legal basis, notices, consents, policies, approvals, and authorizations to submit and process Customer Data through EvalFlow.

3.3 Information Collected Automatically

When you use EvalFlow, we may automatically collect:

a. IP address;
b. browser type;
c. device type;
d. operating system;
e. pages or features accessed;
f. actions taken in the platform;
g. session duration;
h. referring pages;
i. approximate location derived from IP address;
j. log data;
k. security events;
l. authentication events; and
m. performance and diagnostic data.

We use this information to operate, secure, troubleshoot, analyze, and improve the Service.

3.4 Payment Information

EvalFlow does not directly store full payment card details.

Payment card details are processed by our payment processor, such as Stripe. We may receive limited billing information, such as customer name, billing email, subscription status, invoice history, payment status, and partial payment details necessary for accounting and subscription management.

3.5 Information from Third-Party Services and Integrations

If a customer enables integrations, EvalFlow may receive information from third-party systems, such as HRIS platforms, identity providers, communication tools, productivity tools, payment providers, CRM tools, or other services connected by the customer.

The information received depends on the integration enabled and the permissions granted by the customer.

Customers are responsible for ensuring they have the right to connect third-party services and transfer data to EvalFlow.


4. Information We Do Not Intentionally Collect

EvalFlow is not designed to collect or process highly sensitive categories of personal information unless expressly agreed in writing.

Customers should not submit:

a. health or medical information;
b. biometric data;
c. government identifiers;
d. financial account numbers;
e. criminal records;
f. union membership information;
g. religious or political beliefs;
h. racial or ethnic origin;
i. sexual orientation;
j. immigration records;
k. payroll, benefits, or tax records;
l. background-check records; or
m. other sensitive personal information.

EvalFlow is designed for performance management workflows, not for medical records, payroll processing, benefits administration, background checks, or regulated health data.

If a customer submits sensitive information without written authorization from EvalFlow, the customer is responsible for all resulting legal, regulatory, contractual, and operational consequences.


5. How We Use Information

We use information to:

a. provide, operate, maintain, and secure the Service;
b. create and manage accounts;
c. authenticate users;
d. process subscriptions, invoices, and billing;
e. provide customer support;
f. send account-related and service-related communications;
g. enable performance-management workflows;
h. enable AI-assisted features;
i. provide analytics, reports, summaries, and insights;
j. enable integrations requested by customers;
k. monitor platform security and prevent unauthorized access;
l. troubleshoot errors and improve performance;
m. analyze aggregated usage patterns;
n. improve the Service;
o. enforce our Terms of Service and other agreements;
p. comply with legal obligations;
q. protect the rights, safety, and security of EvalFlow, customers, users, and others; and
r. communicate with prospects, customers, and users about EvalFlow.

We do not sell personal information.

We do not use Customer Data for third-party advertising.

We do not rent personal information to third parties.

We do not use Customer Data to train generalized AI models for other customers.


6. Customer Data and Data Protection Roles

When an organization uses EvalFlow to process employee, contractor, manager, administrator, or user information, the organization generally determines the purposes and means of processing that information.

In that situation:

a. the customer is generally the controller, business, or equivalent entity; and
b. EvalFlow is generally the processor, service provider, or equivalent entity.

EvalFlow processes Customer Data on the customer’s instructions, including instructions contained in the Terms of Service, the Data Processing Addendum, the customer’s configuration of the Service, and the customer’s use of the Service.

The customer is responsible for:

a. providing required privacy notices to employees and users;
b. obtaining required consents or approvals;
c. establishing a lawful basis for processing;
d. handling employee privacy requests;
e. complying with workplace, employment, labor, privacy, and data protection laws;
f. ensuring that only authorized users access the Service; and
g. determining whether its use of EvalFlow requires a data protection impact assessment, transfer impact assessment, works council consultation, union approval, employee monitoring assessment, or similar review.

EvalFlow’s processing of Customer Data on behalf of customers is further governed by EvalFlow’s Data Processing Addendum.


7. Artificial Intelligence

EvalFlow may use artificial intelligence features to support HR and performance-management workflows, including drafting, summarizing, analyzing, searching, organizing, recommending, or generating insights from Customer Data.

AI features may process prompts, employee-related information, feedback, goals, OKRs, reviews, recognitions, survey responses, comments, and other content submitted by customers or authorized users.

EvalFlow does not use Customer Data to train generalized AI models for other customers.

EvalFlow does not permit third-party AI providers to use Customer Data to train or improve generalized AI models, unless a customer expressly authorizes such use in writing.

EvalFlow may use third-party AI providers, including OpenAI or similar providers, as subprocessors. Depending on the provider, feature, endpoint, and configuration, AI providers may temporarily process and retain limited inputs, outputs, metadata, or logs for abuse monitoring, security, legal compliance, or service operation purposes.

For example, OpenAI states that data sent to the OpenAI API is not used to train or improve OpenAI models unless the customer explicitly opts in, and that abuse monitoring logs may contain customer content such as prompts and responses and are retained by default for up to 30 days unless longer retention is required by law or necessary to protect services or third parties.

AI outputs may be inaccurate, incomplete, biased, outdated, or unsuitable for a particular purpose. Customers and users must review AI outputs before relying on them.

AI outputs are not legal, HR, employment, compliance, medical, financial, or professional advice.

Customers are responsible for ensuring that AI features are used lawfully, fairly, transparently, and with appropriate human review, especially where outputs may relate to employment, performance, compensation, discipline, promotion, termination, or similar decisions.

Customers must not use AI features as the sole basis for decisions that produce legal or similarly significant effects on individuals.


8. Subprocessors and Service Providers

EvalFlow uses trusted third-party service providers and subprocessors to operate, secure, support, and improve the Service.

Current subprocessors may include:

Supabase
Purpose: Database, authentication, backend infrastructure, storage, and application services used to operate EvalFlow.
Data Location / Notes: United States / AWS-based infrastructure and other Supabase processing locations.

AWS / Cloud Infrastructure Providers
Purpose: Underlying cloud hosting, infrastructure, compute, storage, backups, networking, and security services used directly or through infrastructure providers.
Data Location / Notes: United States, Canada, and other provider processing locations.

Stripe
Purpose: Payment processing, subscription billing, invoices, receipts, payment status, and limited billing records.
Data Location / Notes: United States and other Stripe processing locations. EvalFlow does not store full payment card details.

SendGrid / Twilio
Purpose: Transactional email delivery, account notifications, password reset emails, product notifications, and service communications.
Data Location / Notes: United States and other provider processing locations.

OpenAI
Purpose: AI Copilot, AI-assisted drafting, summarization, analysis, insights, search, and performance-management support features.
Data Location / Notes: United States and other provider processing locations. EvalFlow does not permit OpenAI to use Customer Data to train generalized AI models.

Merge.dev
Purpose: Unified API provider for HRIS and third-party workplace system integrations, including employee profile and organization data synchronization when enabled by Customer.
Data Location / Notes: United States and other provider processing locations. Data is processed only when Customer enables or authorizes an integration.

HubSpot
Purpose: Customer relationship management, sales operations, support, marketing communications, customer records, and business communications.
Data Location / Notes: United States and other HubSpot processing locations.

Slack
Purpose: Customer-enabled Slack notifications, recognition alerts, workflow updates, and communication integrations.
Data Location / Notes: United States and other Slack processing locations. Used only where Customer enables the Slack integration.

Microsoft Teams / Microsoft 365
Purpose: Customer-enabled Microsoft Teams notifications, communication workflows, calendar or productivity integrations where applicable.
Data Location / Notes: United States, Canada, and other Microsoft processing locations. Used only where Customer enables the integration.

Google Workspace / Google APIs
Purpose: Customer-enabled Google integrations, email/calendar/productivity workflows, or authentication-related services where applicable.
Data Location / Notes: United States and other Google processing locations. Used only where Customer enables the integration.

Analytics and Monitoring Providers
Purpose: Product analytics, performance monitoring, error tracking, diagnostics, logging, reliability, and service improvement.
Data Location / Notes: United States and other provider processing locations. Used to operate, secure, troubleshoot, and improve the Service.

Customer Support and Communication Tools
Purpose: Support requests, help desk workflows, customer communications, troubleshooting, and account assistance.
Data Location / Notes: United States, Canada, and other provider processing locations.

File Storage and Backup Providers
Purpose: Secure file storage, backups, recovery, export support, and operational continuity where applicable.
Data Location / Notes: United States, Canada, and other provider processing locations.

Integration and Automation Providers
Purpose: Customer-authorized integrations, workflow automations, API connections, and data synchronization with third-party systems.
Data Location / Notes: Processing locations depend on the provider and integration enabled by Customer.

Depending on enabled features and integrations, EvalFlow may also use additional providers for hosting, logging, monitoring, analytics, customer support, CRM, file storage, HRIS integrations, Slack, Microsoft Teams, Google Workspace, Merge.dev, automation, security, and other customer-enabled integrations. EvalFlow updates its subprocessors from time to time as the Service evolves. EvalFlow does not authorize subprocessors to sell Customer Data or use Customer Data for their own advertising purposes.

EvalFlow requires subprocessors to protect personal information using contractual confidentiality and data protection obligations.

A dedicated Subprocessor List may be published and updated from time to time.


9. How We Share Information

We may share information in the following circumstances:

9.1 With Subprocessors

We share information with subprocessors and service providers that help us provide, secure, support, maintain, and improve the Service.

9.2 With Customer Administrators

If you use EvalFlow through an organization, your information may be visible to that organization’s administrators, managers, HR users, executives, or other authorized users depending on the customer’s configuration and permissions.

9.3 With Integrations Enabled by Customers

If a customer enables integrations, information may be shared with connected third-party services according to the customer’s configuration and permissions.

9.4 For Legal Requirements

We may disclose information where required by law, court order, subpoena, legal process, regulator request, government authority, or law enforcement request.

9.5 To Protect Rights and Security

We may disclose information where necessary to enforce our Terms of Service, protect the Service, prevent fraud or abuse, respond to security incidents, protect users, or defend legal claims.

9.6 Business Transfers

We may disclose or transfer information in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction. Where required, we will provide notice or require appropriate safeguards.

9.7 With Consent or Instruction

We may share information when a customer or user directs us to do so or provides consent.

We do not share Customer Data with advertisers or data brokers.


10. International Transfers and Data Location

EvalFlow is based in Canada and uses service providers located in Canada, the United States, and other jurisdictions.

This means personal information may be transferred to, stored in, accessed from, or processed in jurisdictions outside your province, state, country, or region. These jurisdictions may have privacy and data protection laws that differ from those where you are located.

Customer Data may be stored and processed using cloud infrastructure and service providers located primarily in the United States, Canada, and other provider locations necessary to deliver the Service.

Where personal data is transferred from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with data-transfer restrictions to a jurisdiction that does not provide an adequate level of protection, EvalFlow relies on appropriate safeguards where required, such as the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms described in the Data Processing Addendum.

Customers are responsible for determining whether their use of EvalFlow requires employee notices, transfer impact assessments, works council consultation, union consultation, or other transfer-related compliance steps.


11. Data Security

EvalFlow implements administrative, technical, and organizational safeguards designed to protect the confidentiality, integrity, and availability of information.

These safeguards may include:

a. encryption in transit;
b. encryption at rest;
c. role-based access controls;
d. tenant isolation;
e. database-level row-level security;
f. authentication controls;
g. access restrictions for personnel;
h. logging and monitoring;
i. secure secret management;
j. backup and recovery controls;
k. infrastructure security controls;
l. security review of critical systems; and
m. incident response procedures.

EvalFlow’s architecture is designed to prevent cross-tenant data access through tenant scoping, database-level row-level security, role-based permissions, and server-side authorization checks.

No method of transmission over the Internet and no method of electronic storage is completely secure. EvalFlow cannot guarantee absolute security.

Customers are responsible for managing their own users, permissions, passwords, devices, networks, integrations, and account configurations.


12. Security Incidents

If EvalFlow becomes aware of a confirmed security incident affecting Customer Data, we will notify the affected customer without undue delay and in accordance with applicable law and the Data Processing Addendum.

The notice may include, where available and legally permitted:

a. a description of the incident;
b. the categories of information affected;
c. the likely consequences;
d. measures taken or proposed to address the incident; and
e. recommended steps for the customer.

Customers are responsible for determining whether they must notify employees, users, regulators, unions, works councils, customers, or other third parties.

EvalFlow’s notification of a security incident is not an admission of fault or liability.


13. Data Retention and Deletion

We retain information for as long as necessary to provide the Service, maintain accounts, comply with legal obligations, resolve disputes, enforce agreements, maintain security, prevent fraud, and support legitimate business purposes.

For Customer Data:

a. Customer Data is retained for the duration of the active subscription or customer relationship;
b. upon contract termination, cancellation, or verified written deletion request, organization data is deleted or anonymized from active systems and backups within ninety (90) days, unless longer retention is required or permitted by law;
c. deletion confirmation may be provided in writing upon request; and
d. customers are responsible for exporting Customer Data before termination or cancellation.

EvalFlow may retain limited information where necessary for billing records, tax records, legal compliance, dispute resolution, security, fraud prevention, backup integrity, or the establishment, exercise, or defense of legal claims.

EvalFlow may retain aggregated, anonymized, or de-identified information that does not identify customers, users, employees, or other individuals.

Data exported by customers, sent to third-party integrations, stored outside EvalFlow, or retained by customer-controlled systems is not controlled by EvalFlow.


14. Your Privacy Rights

Depending on your location and applicable law, you may have rights regarding your personal information, including the right to:

a. access your personal information;
b. correct inaccurate personal information;
c. request deletion of personal information;
d. restrict processing;
e. object to certain processing;
f. receive a copy of personal information in a portable format;
g. withdraw consent where processing is based on consent;
h. opt out of marketing communications; and
i. lodge a complaint with a privacy regulator or supervisory authority.

To exercise rights, contact info@evalflow.com.

If your information is processed by EvalFlow on behalf of your employer or another customer, we may redirect your request to that customer. The customer is generally responsible for responding to requests relating to Customer Data.

We may need to verify your identity before responding to a request.

We will respond to verified privacy requests within the timeframe required by applicable law. Where no specific timeframe applies, we aim to respond within thirty (30) days.


15. Canadian and Quebec Privacy Rights

EvalFlow is incorporated in Quebec, Canada.

Canadian users may have rights under Canada’s Personal Information Protection and Electronic Documents Act, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, and other applicable provincial privacy laws.

These rights may include access, correction, withdrawal of consent where applicable, information about processing, and complaint rights.

To submit a privacy request, contact info@evalflow.com.


16. EEA, UK, and Swiss Privacy Rights

If you are located in the European Economic Area, United Kingdom, or Switzerland, you may have rights under applicable data protection laws, including the right to request access, correction, deletion, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.

Where EvalFlow processes your personal data on behalf of your employer or another customer, EvalFlow acts as a processor and may redirect your request to that customer.

Where EvalFlow processes information as an independent controller, you may contact EvalFlow directly at info@evalflow.com.

EvalFlow does not intentionally make solely automated decisions that produce legal or similarly significant effects on individuals. Customers are responsible for how they use EvalFlow outputs, including AI outputs, in workplace decisions.


17. California and U.S. State Privacy Rights

Depending on your state of residence, you may have rights under U.S. state privacy laws, including the right to know, access, correct, delete, or receive a copy of personal information, and to opt out of certain processing.

EvalFlow does not sell personal information.

EvalFlow does not share Customer Data for cross-context behavioral advertising.

To exercise rights, contact info@evalflow.com.

If your information is processed through an employer or other customer account, we may redirect your request to that customer.


18. Marketing Communications

We may send marketing communications to prospects, customers, or users where permitted by law.

You may opt out of marketing emails by using the unsubscribe link in the email or by contacting info@evalflow.com.

Even if you opt out of marketing communications, we may still send service-related, transactional, security, billing, legal, or account-related communications.


19. Cookies and Tracking Technologies

We use cookies and similar technologies to:

a. maintain authenticated sessions;
b. remember preferences;
c. secure the Service;
d. analyze platform and website usage;
e. improve the Service; and
f. understand how visitors interact with our website.

You can control cookies through your browser settings. Disabling certain cookies may affect website or platform functionality.

EvalFlow does not use Customer Data for third-party advertising.


20. Children’s Privacy

The Service is not directed to individuals under the age of 18.

We do not knowingly collect personal information from minors under 18.

If we learn that we have collected personal information from a minor in violation of applicable law, we will take appropriate steps to delete it.

Customers must not invite minors to use the Service unless they have all legally required authority and EvalFlow has expressly agreed in writing.


21. Links to Third-Party Websites

Our website or Service may contain links to third-party websites, applications, or services.

EvalFlow is not responsible for the privacy, security, or data practices of third parties.

You should review the privacy policies of third-party services before using them.


22. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

When we make material changes, we may notify users or customers by email, in-app notice, website posting, or another reasonable method.

The updated Privacy Policy will be effective as of the “Last Updated” date shown above, unless otherwise stated.

Continued use of the Service after the updated Privacy Policy becomes effective means you acknowledge the updated policy.


23. Contact Us

For privacy-related questions, requests, or concerns, contact:

Logiciel EvalFlow Inc.
Operating as EvalFlow
Email: info@evalflow.com
Website: https://www.evalflow.com/privacy