Privacy Policy
Effective date: March 18, 2026
1. Overview
EvalGuard™ ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the EvalGuard™ AI evaluation and governance platform (the "Service").
We designed EvalGuard with privacy as a core principle. We collect only the data necessary to provide the Service, we never sell your data, and we give you full control over your information.
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address
- Organization name (if applicable)
- Password (stored as a salted, one-way hash — we never store plaintext passwords)
- Profile information you choose to provide (e.g., role, avatar)
- Authentication tokens from SSO/SAML providers (if you use enterprise SSO)
2.2 Customer Data (Evaluation Data)
When you use the Service, you may submit:
- LLM prompts and model outputs for evaluation
- Evaluation datasets and test cases
- Model configurations and provider API keys (encrypted at rest with AES-256)
- Red teaming attack results and security scan outputs
- Prompt versions and templates
- Custom scoring configurations
Important: We do not use your evaluation data, prompts, or model outputs to train any machine learning models. Your Customer Data is processed solely to provide the Service to you.
2.3 Usage Data
We automatically collect:
- Feature usage patterns (which pages and features you use, and how often)
- API request metadata (endpoints called, response times, error rates — not request bodies)
- Browser type, operating system, and device information
- IP address (used for security, rate limiting, and approximate geolocation)
- Referring URLs and pages visited within the Service
2.4 Billing Data
Payment information (credit card numbers, bank details) is collected and processed directly by our payment processors (Stripe and/or Razorpay). We receive only non-sensitive transaction identifiers, the last four digits of your card, and billing address for invoicing purposes.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Service delivery: To provide, operate, and maintain the evaluation, security testing, monitoring, and governance features you use
- Account management: To authenticate you, manage your subscription, and provide customer support
- Product improvement: To understand how the Service is used and identify areas for improvement (using aggregated, anonymized usage data only)
- Billing: To process payments, send invoices, and manage your subscription
- Security: To detect and prevent fraud, abuse, and security threats
- Communication: To send essential service notifications, security alerts, and (with your consent) product updates
- Compliance: To fulfill legal obligations, respond to lawful requests, and enforce our Terms of Service
4. Data Storage and Security
4.1 Infrastructure
Customer Data is stored in Supabase-managed PostgreSQL databases with the following security measures:
- Encryption at rest using AES-256
- Encryption in transit using TLS 1.2+
- Row-Level Security (RLS) policies ensuring strict data isolation between organizations
- Regular automated backups with point-in-time recovery
- Network-level isolation and firewall rules
4.2 Access Controls
Access to production data is restricted to authorized personnel on a need-to-know basis. All access is logged and audited. We follow the principle of least privilege for all internal access.
4.3 SOC 2 Readiness
We are pursuing SOC 2 Type II certification. Our infrastructure and operational practices are designed to meet the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.
4.4 Self-Hosted Option
For organizations with strict data residency requirements, EvalGuard can be self-hosted using our Docker images and Helm charts. In self-hosted deployments, all data remains within your own infrastructure and is never transmitted to our servers.
5. Data Retention
- Account data: Retained for the duration of your account, plus 30 days after account deletion for data export purposes
- Evaluation results and logs: Configurable retention period (default: 90 days). Enterprise plans can configure custom retention from 30 days to indefinite
- API request logs: Retained for 90 days for debugging and monitoring purposes
- Audit logs: Retained for 1 year for compliance and security purposes
- Billing records: Retained for 7 years as required by tax and accounting regulations
- Usage analytics: Aggregated and anonymized data may be retained indefinitely
You can request deletion of your data at any time (see Section 7: Your Rights). Upon account deletion, we permanently delete all Customer Data within 30 days, except as required by law.
6. Third-Party Services
We use the following third-party services to operate the platform. Each processes data only as necessary for the stated purpose:
| Service | Purpose | Data Processed |
|---|---|---|
| Supabase | Database and authentication | Account data, Customer Data |
| Sentry | Error tracking and monitoring | Error reports, stack traces (no Customer Data) |
| Resend | Transactional email delivery | Email addresses, email content |
| Stripe | Payment processing | Billing information |
| Razorpay | Payment processing (India) | Billing information |
| Vercel | Application hosting | Request metadata, IP addresses |
All third-party processors are bound by Data Processing Agreements (DPAs) that require them to protect your data in accordance with applicable privacy laws.
7. Your Rights
7.1 GDPR (European Economic Area)
If you are in the EEA, you have the following rights under the General Data Protection Regulation:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Object: Object to processing of your data for certain purposes
Our legal basis for processing your data is: (a) performance of a contract (to provide the Service); (b) legitimate interest (to improve the Service and ensure security); and (c) your consent (for optional communications). A Data Processing Agreement (DPA) is available for enterprise customers upon request.
7.2 CCPA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information. There is nothing to opt out of
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
We do not sell, share, or use personal information for cross-context behavioral advertising.
7.3 India DPDP Act
For users in India, we comply with the Digital Personal Data Protection Act, 2023:
- Consent Management: We obtain clear, informed consent before processing personal data. You can withdraw consent at any time
- Data Localization: For Indian customers requiring data localization, we offer self-hosted deployments and Supabase regions in India (Mumbai)
- Data Principal Rights: You have the right to access, correct, and erase your personal data, and to nominate another person to exercise these rights
- Grievance Redressal: Complaints can be directed to our Data Protection Officer at dpo@evalguard.ai
7.4 Exercising Your Rights
To exercise any of the above rights, contact us at privacy@evalguard.ai. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. Data export is also available directly through the dashboard and API at any time.
9. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@evalguard.ai.
10. International Data Transfers
Your data may be processed in countries other than your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission for EEA transfers
- Data Processing Agreements with all sub-processors
- Self-hosted deployment options for organizations requiring data to remain in specific jurisdictions
11. Security Incidents
In the event of a data breach that affects your personal data, we will:
- Notify affected users within 72 hours of becoming aware of the breach (as required by GDPR)
- Notify relevant supervisory authorities as required by applicable law
- Provide details of the breach, including the nature of the data affected and the measures taken
- Take immediate steps to contain and remediate the breach
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email and/or a prominent notice on the Service. We will update the "Effective date" at the top of this page. Your continued use of the Service after the effective date of updates constitutes acceptance of the revised policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices:
- Privacy inquiries: privacy@evalguard.ai
- Data Protection Officer: dpo@evalguard.ai
- General support: support@evalguard.ai
- Website: https://evalguard.ai