Data Protection Notice

Last updated: December 9, 2025

Introduction

This Data Protection Notice explains how Latent Ventures LLC ("we," "us," or "our"), the operator of EvalPilot, processes and protects personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

This notice supplements our Privacy Policy with specific information about your data protection rights and our compliance measures.

Data Protection Principles

We adhere to the following data protection principles as outlined in GDPR Article 5:

  • Lawfulness, Fairness, and Transparency — We process personal data lawfully, fairly, and in a transparent manner
  • Purpose Limitation — We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes
  • Data Minimization — We collect only the personal data that is adequate, relevant, and necessary for the purposes for which it is processed
  • Accuracy — We take reasonable steps to ensure personal data is accurate and kept up to date
  • Storage Limitation — We retain personal data only for as long as necessary for the purposes for which it was collected
  • Integrity and Confidentiality — We process personal data securely, protecting against unauthorized access, loss, or damage
  • Accountability — We are responsible for and able to demonstrate compliance with these principles

Categories of Personal Data

We process the following categories of personal data:

Identity Data

Name, username, and account identifiers

Contact Data

Email address and billing address (for paid subscribers)

Technical Data

IP address (anonymized), browser type, device information, and operating system

Usage Data

Information about how you use our Service, including evaluation history, feature usage, and preferences

Content Data

Prompts, test cases, and evaluation results you create using our Service

Financial Data

Payment card details (processed by Stripe, not stored on our servers)

Legal Basis for Processing

We process your personal data on the following legal grounds:

Contract Performance (GDPR Article 6(1)(b))

Processing necessary to provide the Service, including running evaluations, generating test cases, saving suites, and managing your account.

Legitimate Interests (GDPR Article 6(1)(f))

Processing necessary for our legitimate interests, such as improving the Service, ensuring security, preventing fraud, and communicating about product updates. We balance these interests against your rights and freedoms.

Consent (GDPR Article 6(1)(a))

Where you have given explicit consent, such as for marketing communications or optional analytics. You may withdraw consent at any time.

Legal Obligation (GDPR Article 6(1)(c))

Processing necessary to comply with legal requirements, such as tax regulations, court orders, or regulatory requests.

Your Data Protection Rights

Under GDPR and other applicable laws, you have the following rights:

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

Right to Restriction of Processing (Article 18)

You have the right to request that we limit the processing of your personal data in certain circumstances.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI-powered evaluations are tools to assist you, not automated decision-making about you.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

Data Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption — Data encrypted in transit (TLS 1.3) and at rest (AES-256-GCM for sensitive data)
  • Access Controls — Role-based access controls and principle of least privilege
  • Authentication — Secure password hashing and support for secure authentication methods
  • Monitoring — Security monitoring and logging for threat detection
  • Incident Response — Documented procedures for handling security incidents and data breaches
  • Regular Reviews — Periodic security assessments and updates
  • Vendor Management — Due diligence on third-party service providers

International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. When transferring data internationally, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all service providers
  • Assessment of the legal framework in recipient countries
  • Additional technical and organizational measures where necessary

Our key service providers (Vercel, Supabase, Stripe) maintain their own GDPR compliance programs and appropriate safeguards for international transfers.

Data Retention

We retain personal data only for as long as necessary to:

  • Provide the Service and fulfill the purposes described in this notice
  • Comply with legal, accounting, or reporting requirements
  • Resolve disputes and enforce our agreements
  • Protect against fraudulent or illegal activity

Specific retention periods:

  • Free accounts: Evaluation data retained for 7 days
  • Paid accounts: Evaluation data retained for the duration of the subscription plus 30 days
  • Account data: Retained until account deletion, then deleted within 30 days
  • Payment records: Retained for 7 years for tax and legal compliance
  • Support communications: Retained for 2 years after resolution

Third-Party Processors

We use the following categories of third-party data processors:

  • Infrastructure: Vercel (hosting), Supabase (database and authentication)
  • AI Services: OpenAI, Anthropic (evaluation processing)
  • Payments: Stripe (payment processing)
  • Analytics: PostHog (product analytics, anonymized)
  • Monitoring: Sentry (error tracking)

All processors are bound by data processing agreements and are required to implement appropriate security measures.

Data Protection Contact

For any questions about this notice, to exercise your data protection rights, or to raise concerns about how we handle your data, please contact us:

Email: support@evalpilot.co

Mailing Address:
Latent Ventures LLC
2108 N ST STE N
Sacramento, CA 95816, USA

We aim to respond to all legitimate requests within one month. If your request is complex or you have made multiple requests, we may need up to three months, in which case we will notify you.

Right to Lodge a Complaint

If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. You may do this in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

We encourage you to contact us first so we can address your concerns directly. However, this does not affect your right to contact a supervisory authority.

For users in the UK, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.

Updates to This Notice

We may update this Data Protection Notice from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated notice on this page and updating the "Last updated" date.

We encourage you to review this notice periodically to stay informed about how we protect your data.