EVA-I EN / FR

Privacy policy.

Notice: This English version is an unofficial translation provided for the convenience of international readers. Only the French version is legally binding. Read the French version →

Applicable to the eva-i.ai site and to the products published by EVA-I. Compliant with the General Data Protection Regulation (GDPR, EU Regulation 2016/679), the French Data Protection Act ("Loi Informatique et Libertés"), and the Digital Services Act (EU 2022/2065).

1. Scope

This policy covers two distinct scopes:

  • The eva-i.ai site: data processed when browsing the site and through correspondence addressed to EVA-I via the channels indicated on it.
  • The products published by EVA-I: data processed by the applications during their use. When inference or personalization is performed locally, EVA-I does not process such data.

2. Non-negotiable commitments

The following principles are permanent and cannot be reversed without prior public modification of this policy.

  • Zero data resale. EVA-I undertakes never to sell, lease, exchange or commercially exploit its users' data, in any format, for any purpose, or to any recipient.
  • Zero promotional email. EVA-I undertakes never to send promotional, commercial or marketing emails to its users and customers. The only electronic communications issued concern transactions (Stripe payment receipt), licence expiration (EVA-ID), or security alerts.
  • Zero third-party tracking. EVA-I does not use any tracking tool, explicitly including Google Analytics, Google Tag Manager, Meta Pixel (Facebook), TikTok Pixel, LinkedIn Insight Tag, Hotjar, Mixpanel and their equivalents.
  • Zero automated profiling. No decision producing legal effects or significantly affecting the user is taken on the basis of automated processing (GDPR art. 22).
  • Privacy by Design. Minimization and data protection are embedded in the architecture (GDPR art. 25), not added afterwards.

3. Data collected

On the eva-i.ai site

The site is served as static pages. No cookie banner is displayed because no cookie is set: no audience measurement cookie, no advertising cookie, no personalization cookie.

The hosting provider Cloudflare collects technical logs (IP address, user agent, request timestamps) exclusively for security and attack protection purposes. These logs are not exploited by EVA-I.

If you write to support@eva-i.ai, your contact details and the content of your message are received in a mailbox operated by EVA-I.

In the products published by EVA-I

The products published by EVA-I are designed to perform inference, personalization and memory locally on the user's device. As a result, EVA-I collects and receives neither the content of conversations, nor processed documents, nor preferences, nor user memory, nor any application usage data.

The only data received by EVA-I in connection with a paid product are: (i) the transaction metadata transmitted by Stripe (amount, currency, date, transaction identifier, status), and (ii) the EVA-ID activation key associated with the subscription, used solely to verify the licence's validity.

4. Legal bases (GDPR art. 5 and 6)

  • Emails received: performance of a pre-contractual or contractual measure at your request (art. 6.1.b).
  • Technical hosting logs: legitimate interest in ensuring site security and availability (art. 6.1.f).
  • Payment metadata: performance of the sales contract and legal accounting and tax obligations (art. 6.1.b and 6.1.c).
  • EVA-ID validation: performance of the licence contract (art. 6.1.b).

The principles of processing (lawfulness, fairness, transparency, purpose limitation, minimization, accuracy, storage limitation, integrity, confidentiality, accountability) defined in Article 5 of the GDPR are observed.

EVA-I is not required to designate a data protection officer (DPO) within the meaning of GDPR Article 37, as its size and activity do not reach the mandatory designation thresholds. GDPR requests are handled by the company's management, reachable at support@eva-i.ai.

5. Sub-processors and third parties

Payment — Stripe, Inc.

Payment processing is operated by Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, United States). Stripe directly collects the email address, payment instrument and billing address. This data does not transit through EVA-I's servers.

EVA-I receives only the transaction metadata necessary for its accounting. Stripe adheres to the EU-US Data Privacy Framework. Stripe policy: stripe.com/privacy.

Hosting — Cloudflare, Inc.

The eva-i.ai site is served via Cloudflare, Inc.'s infrastructure, which also adheres to the EU-US Data Privacy Framework.

No other sub-processor

No other external service provider processes data on behalf of EVA-I. In particular, no analytics, marketing automation, externalized CRM, automated prospecting or retargeting tool is used.

6. Retention periods

  • Email correspondence: time necessary for processing, extended to comply with legal obligations (up to five years for accounting and tax obligations).
  • Technical hosting logs: per Cloudflare's terms (typically, maximum twelve months).
  • Payment metadata: legal retention period for accounting records (ten years, Article L123-22 of the French Commercial Code).
  • Data associated with the EVA-ID: duration of the licence's validity, plus a technical period for managing renewals and billing.

7. Ownership and withdrawal of user content

The user retains full and exclusive intellectual and material ownership of any content they provide to the applications. EVA-I holds no right of use, transformation, reproduction or reuse over this content.

The user may, at any time, delete, export or withdraw any content they have submitted to the applications. The operation is performed locally, from the application, without intervention by EVA-I, which holds no copy on its servers.

8. Your rights

In accordance with the GDPR, you have the following rights: access, rectification, erasure, restriction of processing, portability, objection.

To exercise these rights, write to support@eva-i.ai. A response will be provided within the one-month period prescribed by the GDPR.

You also have the right to lodge a complaint with the French Data Protection Authority (CNIL), 3 place de Fontenoy — TSA 80715 — 75334 PARIS CEDEX 07, France, or via www.cnil.fr.

9. Transfers outside the European Union

Technical hosting logs and payment metadata may transit through servers located in the United States (Cloudflare and Stripe). Both providers adhere to the EU-US Data Privacy Framework, ensuring an adequate level of protection under the European Commission's adequacy decision of 10 July 2023.

No other transfer outside the EU is performed by EVA-I.

10. Updates

This policy may evolve. The latest update date appears below. Any substantial modification is notified visibly on the home page of the site before taking effect.

Last updated: 18 May 2026.