1. Introduction

Evoluna ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use the Evoluna service ("Service").

This policy applies to all users of our website and application. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).

2. Data Controller

Evoluna is the data controller responsible for your personal data. If you have any questions about this policy or wish to exercise your rights, you can contact us at:

3. Data We Collect

3.1 Data You Provide Directly

• Account information: Name, email address, and password when you register
• Profile information: Any additional profile details you choose to provide
• Planning content: Tasks, goals, gratitude journal entries, and checklist items you create
• Social Path data: Social activities you log within the platform
• Payment information: Billing details processed securely by our payment provider (Stripe); we do not store raw card details

3.2 Data Collected Automatically

• Usage data: Pages visited, features used, and interaction timestamps
• Technical data: IP address, browser type and version, device type, operating system
• Cookie data: Session identifiers and preference cookies (see our Cookie Policy)
• Error and performance data: Application errors and performance metrics to help us improve the Service

3.3 Data from Third Parties

If you choose to register or log in using a social authentication provider (e.g., Facebook), we receive basic profile information (name, email address, profile picture) from that provider in accordance with your privacy settings on that platform.

3.4 Backup and Recovery Copies

As part of operating the Service, we may create backup and recovery copies of our databases and related records for disaster recovery, business continuity, security monitoring, incident investigation, and service restoration. These copies may contain account information and content you have submitted to the Service.

4. How We Use Your Personal Data

We use your data for the following purposes:

• To create and manage your account
• To provide, operate, and improve the Service
• To process payments and manage your subscription
• To send transactional emails (account verification, password resets, subscription receipts)
• To send service-related notifications and important updates
• To maintain backup, disaster recovery, business continuity, and service restoration processes
• To personalise your experience within the Service
• To analyse usage patterns and improve product features
• To detect, prevent, and address security issues or abuse
• To comply with our legal obligations

We do not sell your personal data to third parties. We do not use your personal planning content (tasks, journal entries, goals) for advertising or profiling purposes.

5. Legal Basis for Processing (UK & EU GDPR)

We process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide the Service you have signed up for
• Legitimate interests: Improving the Service, detecting fraud, and maintaining security
• Legal obligation: Complying with applicable laws and regulations
• Consent: Where we have asked for and received your consent (e.g., marketing communications)

6. Data Sharing & Disclosure

We may share your data with:

• Stripe: Our payment processor, for handling subscription billing. Stripe's privacy policy applies to payment data
• Email service providers: To send transactional, service, and backup-related emails on our behalf
• Infrastructure providers: Cloud hosting, storage, and server infrastructure that processes live data and backup data on our behalf under appropriate data processing agreements
• Analytics tools: Aggregated, anonymised usage analytics to understand how the Service is used

All third-party processors are contractually required to handle your data in accordance with applicable data protection law and only process your data as we instruct. We may also disclose your data if required by law, court order, or to protect the rights, property, or safety of Evoluna, our users, or the public.

7. International Data Transfers

Some of our service providers are located outside the UK and European Economic Area (EEA). Where we transfer your data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO) or the European Commission, or transfers to countries with an adequacy decision.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it longer by law (for example, financial records may be retained for up to 7 years for tax purposes).

Live service data and backup data may follow different retention schedules. We aim to keep backup copies only for a limited rolling period, review them regularly, and delete, rotate, or overwrite them when they are no longer needed for disaster recovery, security, legal, or operational purposes. As a result, deleted data may remain in secure backup media for a limited period before it is overwritten, deleted, or otherwise put beyond use.

If we deliver a backup archive or other export to an authorised recipient, that copy is outside our direct control once delivered. The recipient is responsible for storing it securely and deleting it when it is no longer needed.

Anonymised or aggregated data that cannot identify you may be retained indefinitely for analytical purposes.

9. Security

We implement appropriate technical and organisational security measures to protect your personal data, including:

• Encrypted data transmission via HTTPS/TLS
• Securely hashed passwords (never stored in plain text)
• Two-factor authentication (2FA) available for your account
• Regular security assessments of our application and infrastructure
• Access controls limiting who can access personal data
• Restricted access to backup archives together with secure transfer, monitoring, and deletion or rotation processes

Despite these measures, no method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately.

10. Your Rights

Under UK and EU GDPR, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): Request deletion of your personal data in certain circumstances
• Right to restrict processing: Ask us to limit how we use your data in certain circumstances
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interests or for direct marketing
• Rights related to automated decision-making: We do not make automated decisions with legal or similarly significant effects based solely on your data

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. If you are unhappy with how we handle your request, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local supervisory authority.

11. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child, please contact us immediately and we will take steps to delete it.

12. Cookies

We use cookies and similar tracking technologies to operate the Service and remember your preferences. For full details on the cookies we use and how to manage them, please see our Cookie Policy.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a prominent notice within the Service. We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes your acknowledgement of the revised policy.

14. Contact Us

For any privacy-related queries, requests, or complaints, please contact our privacy team: