Privacy Policy

Last updated: 1 January 2026  ·  GDPR-compliant

This Privacy Policy explains how Evora IQ ("we", "us", or "our") collects, uses, and protects your personal data when you use the Evora IQ platform and website (the "Service"). We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and other applicable data-protection laws.

1. Data Controller

Evora IQ is the data controller for personal data processed through the Service. Contact us at: support@compliancepilot.com.

2. Data We Collect

Account data: when you register, we collect your name, email address, company name (optional), and hashed password.

Billing data: payment processing is handled by Stripe and PayPal. We do not store card numbers or full payment details. We store transaction identifiers, plan information, and billing currency.

Scan data: the URLs you submit for scanning, the HTML content retrieved from those URLs, and the resulting findings and scores.

Usage data: IP address, browser/device type, pages visited, and timestamps — collected automatically via server logs.

Communications: messages you send us via the contact form or email.

3. How We Use Your Data

  • Service delivery: to run scans, generate reports, and display your compliance score;
  • Account management: to authenticate you, send verification emails, and manage your subscription;
  • Transactional emails: scan reports, invoices, password resets;
  • Product emails: onboarding guides, feature updates, and (for freemium users) conversion emails — you may opt out at any time;
  • Security and abuse prevention: rate limiting, fraud detection, and audit logging;
  • Service improvement: aggregated, anonymised analytics to improve scan accuracy and platform performance.

4. Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you signed up for;
  • Legitimate interests (Art. 6(1)(f)): security logging, fraud prevention, and product improvement;
  • Consent (Art. 6(1)(a)): marketing emails (you may withdraw at any time);
  • Legal obligation (Art. 6(1)(c)): retaining billing records as required by law.

5. Cookies

We use a session cookie (cp_session) strictly necessary to keep you logged in. We do not use advertising or cross-site tracking cookies. If we add analytics cookies in future, we will request your consent first.

6. Data Sharing

We do not sell your personal data. We share data only with:

  • Stripe / PayPal — for payment processing (their privacy policies apply);
  • Hosting provider — server infrastructure to run the Service (EU/EEA hosted);
  • AI inference APIs (Groq, Hugging Face) — URL and page-content snippets may be sent to generate AI summaries; no personal data is intentionally included;
  • Law enforcement — if required by court order or applicable law.

7. Data Retention

  • Account data: retained for the duration of your account plus 2 years after deletion, then permanently erased;
  • Scan findings: retained for the duration of your subscription; deleted upon account deletion;
  • Billing records: retained for 7 years to satisfy tax/legal obligations;
  • System logs: retained for 30 days (configurable by admin) then auto-purged;
  • Backups: retained for 30 days then automatically overwritten.

8. Your Rights (GDPR)

Under GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you;
  • Rectification — ask us to correct inaccurate data;
  • Erasure ("right to be forgotten") — request deletion of your data (subject to legal retention requirements);
  • Restriction — ask us to limit processing in certain circumstances;
  • Portability — receive your data in a machine-readable format;
  • Objection — object to processing based on legitimate interests;
  • Withdraw consent — for marketing emails, unsubscribe at any time via the link in any email.

To exercise any right, email support@compliancepilot.com with "Data Request" in the subject. We will respond within 30 days. You also have the right to lodge a complaint with your national data-protection authority (e.g. CNPD in Portugal).

9. Security

We implement appropriate technical and organisational measures: HTTPS/TLS encryption in transit, Argon2id password hashing, CSRF protection, rate limiting on authentication, encrypted backups, and regular security scans. No system is 100% secure; in the event of a data breach we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR.

10. International Transfers

We primarily process data within the EU/EEA. Where data is transferred outside (e.g. to AI APIs in the US), we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

11. Children

The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email and/or by posting the updated policy on this page with a revised "Last updated" date. Continued use of the Service constitutes acceptance of the updated policy.

13. Contact

For privacy-related enquiries:
Evora IQ
support@compliancepilot.com