Privacy Policy
Last updated: 27 May 2026
This Privacy Policy explains how Evaluat Digital Limited collects, uses, and protects personal data across our website (www.evaluat.com) and our application (app.evaluat.com). Please read it alongside our Terms & Conditions and, for customers, our Data Processing Agreement.
1. Who we are
Evaluat Digital Limited (“Evaluat”, “we”, “us”, “our”) is the company behind the Evaluat platform and this website. We are registered in England and Wales under company number 14150225, with our registered office at 128 City Road, London, EC1V 2NX, United Kingdom.
We are the data controller for the personal data described in this policy, except where we act as a processor on behalf of our customers (see section 2).
We are registered with the UK Information Commissioner’s Office (ICO) under registration number ZC158246.
For any privacy question, or to exercise your rights, contact us at [email protected].
2. Scope and our two roles
Evaluat is a business-to-business performance testing platform. Depending on the data, we act in one of two roles under data protection law:
- Controller. For personal data about website visitors, people who contact us, account holders, and billing contacts, we decide why and how the data is processed. We are the controller, and this policy governs that processing.
- Processor. When a customer runs tests on our platform, the customer may include personal data in their test configuration and results (for example, the data of their own users). We process that “customer content” only on the customer’s instructions. The customer is the controller for it. That relationship is governed by our Data Processing Agreement, not by this policy. See section 5.
3. Information we collect from website visitors (www.evaluat.com)
When you use our marketing website we collect:
- Demo requests. When you submit the demo form we collect your name, work email, company, role, any message you write, and the topic or page that led you to request a demo. We pass this to our CRM (HubSpot) to follow up. We also record your IP address and, if present, a HubSpot attribution cookie so we can link your request to the pages you viewed.
- Contact messages. When you submit the contact form we collect your name, email, the reason for contact, your message, and your IP address.
- Analytics. We use Microsoft Clarity to understand how visitors use the site. Clarity collects interaction data (such as clicks and scrolling) in pseudonymised form.
- Attribution. When enabled, HubSpot sets a cookie (hubspotutk) so we can attribute a later enquiry to earlier visits.
- Anti-abuse. Cloudflare Turnstile runs on our forms to block automated submissions. It processes technical signals, including your IP address.
The website also loads some third-party content that, by the nature of the web, reveals your IP address to the provider: an OpenStreetMap map on our contact page, the Font Awesome icon kit on every page, and, if you choose to book a meeting from our demo page, a HubSpot scheduling page.
4. Information we collect from account holders (app.evaluat.com)
When you create and use an Evaluat account we collect:
- Account and profile. Your first and last name, email address, password (stored only as a secure hash), and your time zone (which we estimate from your IP address using IPInfo at sign-up). The app generates a default avatar from your initials.
- Team and organisation. Your team’s name and logo, who belongs to it and their roles, and the email addresses used to invite new members.
- Billing. If your team subscribes, we hold your billing address, VAT identification number, the email addresses for invoices, and limited payment-method details (card type, last four digits, and expiry) together with a Stripe customer reference. Full card numbers are handled by Stripe and are never stored on our systems.
- Technical and usage data. Your IP address, browser user agent, session information, and an audit log of significant actions in your account (such as creating a test or changing a setting), which records the action, who took it, the time, the IP address, and the user agent.
- Verification and communications. One-time email verification codes, and the transactional emails we send you (such as verification, invoices, billing notices, and team invitations).
5. Customer content we process on your behalf
When you run tests, the platform stores the material you configure and the results it produces: test scenarios, the target domains you test (including any HTTP authentication credentials you supply), datasets, executions, console and network logs, session recordings, screenshots, and performance metrics. This is held in a third-party data warehouse and object storage, both in the EU (see our Sub-processors list).
This content can contain personal data, for example if your test journeys involve your own users or realistic test data. For that data we act as a processor on your instructions, and you remain the controller. Our handling of it is governed by our Data Processing Agreement. If you are an individual whose data appears in a customer’s test content and you want to exercise your rights, please contact that customer (the controller); we will support them in responding.
6. How we use your information and our legal bases
Under the UK GDPR and EU GDPR we rely on the following legal bases:
- To provide the service to account holders (creating accounts, running tests, support): performance of a contract.
- To respond to demo and contact requests: your consent, given when you submit the form. That consent is limited to contacting you about your specific request. We do not add you to marketing without a separate, additional opt-in.
- To keep the service and site secure, prevent abuse, measure and improve how they are used, and respond to general enquiries: our legitimate interests, balanced against your rights.
- To meet legal and regulatory duties, such as keeping accounting and tax records and responding to lawful requests: compliance with a legal obligation.
You can withdraw consent at any time (see section 11). Withdrawing consent does not affect processing that already took place.
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
7. Cookies and similar technologies
We keep cookies to a minimum and do not use advertising or cross-site tracking cookies.
| Cookie or technology | Purpose | Provider | Type | Duration |
|---|---|---|---|---|
| Session and CSRF cookies | Keep you signed in and protect forms on the app | Evaluat (app.evaluat.com) | Essential | Session |
| Cloudflare Turnstile | Block automated form submissions | Cloudflare | Essential | Session |
| hubspotutk | Attribute a later enquiry to earlier visits | HubSpot | Analytics and attribution | Up to 13 months |
| Microsoft Clarity cookies | Measure how visitors use the site (pseudonymised) | Microsoft | Analytics | Up to 1 year |
You can clear cookies in your browser at any time. You can also opt out of the analytics tools directly: Microsoft Clarity at [Microsoft Clarity opt-out URL], and HubSpot’s cookie controls at [HubSpot cookie policy URL]. We are working to add a consent banner for non-essential cookies; until it is live, please use the browser and vendor opt-outs above to decline analytics.
8. Who we share your data with
We do not sell your personal data. We share it only with service providers (“sub-processors”) who help us run Evaluat, and only as needed for them to provide their service to us. They fall into these categories:
- cloud hosting, storage, and content-delivery providers;
- a payment processor (for subscription billing);
- a CRM and customer-communications provider (for demo and contact enquiries);
- website and product analytics providers;
- security, anti-abuse, and error-monitoring providers;
- an IP geolocation provider.
For the current named list of our sub-processors, including where each one processes data, see our Sub-processors list.
We may also disclose personal data where the law requires it, to protect our rights or safety, or in connection with a merger, acquisition, or sale of assets (in which case we will tell you).
9. International data transfers
Some of our sub-processors are based in, or transfer data to, countries outside the UK and EEA (notably the United States). When we transfer personal data outside the UK or EEA, we rely on a lawful transfer mechanism: an adequacy decision where one exists, or the UK International Data Transfer Agreement (IDTA) or addendum and the EU Standard Contractual Clauses where it does not, together with additional safeguards as needed. Our application hosting and data-warehouse processing are located in EU regions (London and Frankfurt).
10. How long we keep your data
We keep personal data only as long as we need it:
- Demo and contact enquiries: for as long as we are in contact about your request and for a reasonable follow-up period afterwards [retention period to confirm].
- Account data: for the life of your account, and for a limited period after closure [retention period to confirm] to handle wind-down and disputes.
- Audit logs: 180 days, then deleted automatically.
- Test and execution data: according to the data retention allowance of your plan.
- Billing and invoice records: for 6 years, to meet UK tax and accounting requirements.
- Website analytics: in line with Microsoft Clarity’s retention period.
11. Your rights
If you are in the UK or EEA, you have the right to:
- access a copy of your personal data;
- have inaccurate data corrected;
- have your data erased in certain circumstances;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent where we rely on it.
To exercise any of these, email [email protected]. We will respond within the time the law allows (usually one month).
If you are unhappy with how we handle your data, you can complain to the UK Information Commissioner’s Office at ico.org.uk. If you are in the EEA, you can also complain to your local data protection authority.
For customer content where we act as a processor, please direct requests to the customer who controls that data (see section 5).
12. Your US privacy rights (California and other states)
This section applies if you are a US resident. We collect, and in the preceding 12 months have collected, the following categories of personal information as defined by the California Consumer Privacy Act as amended (CCPA/CPRA):
- identifiers (such as name, email, and IP address);
- commercial information (such as subscription and billing details);
- internet or network activity (such as analytics and usage data);
- geolocation data (approximate, derived from IP address);
- professional information (such as your company and role).
We also collect account log-in credentials, which are “Sensitive Personal Information” under the CPRA. We use them only as necessary to provide and secure the service, and not to infer characteristics about you. California residents have the right to limit our use of Sensitive Personal Information; to exercise that right, contact [email protected].
We disclose this information only to the providers listed in section 8. They act as our “service providers” or “contractors” under the CPRA and may use the information only to perform services for us. We do not “sell” personal information, and we do not “share” it for cross-context behavioural advertising, as those terms are defined under the CPRA.
California residents have the right to know, access, correct, and delete their personal information, the right to opt out of the sale or sharing of personal information (which we do not do), and the right not to be discriminated against for exercising these rights. To exercise them, contact [email protected]. Residents of other US states with comparable privacy laws have similar rights, which we honour on the same basis.
13. How we protect your data
We use technical and organisational measures appropriate to the risk, including encryption of data in transit (TLS), encryption at rest where applicable, secure password hashing (bcrypt), role-based access controls, audit logging, and contracts with our sub-processors that require appropriate security. No system is perfectly secure, but we work to protect your data and to respond quickly if something goes wrong.
14. Children’s data
Evaluat is a business tool and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.
15. Changes to this policy
We may update this policy from time to time. When we do, we change the “last updated” date at the top. If a change is significant, we will take reasonable steps to tell you, for example by email or a notice on the site or in the app.
16. Contact us
Evaluat Digital Limited
128 City Road, London, EC1V 2NX, United Kingdom
Company number 14150225
ICO registration number ZC158246
Email: [email protected]
For complaints, the UK Information Commissioner’s Office: ico.org.uk.