EvoPoint

Legal

Privacy Policy

How we collect, use, and protect personal data across the EvoPoint platform.

Last updated · 19 May 2026

About this policy

This policy explains how EvoPoint Ltd, a company registered in England & Wales and registered with the Information Commissioner's Office under reference ZA123456, processes personal data in connection with the EvoPoint platform. EvoPoint is a multi-tenant incident management service used by UK event venues, festivals, stadiums, and managed facilities.

This policy applies to visitors to our marketing website, customers who hold an EvoPoint subscription, members of their teams who use the platform, contractors who receive jobs through it, and members of the public who submit a report by scanning a venue's QR code. Where we act as a processor on behalf of a customer organisation, the customer's own privacy notice will also apply to the personal data they upload to the platform.

This is a template policy and should be reviewed by your legal advisers before being relied upon. References to specific statutory provisions are illustrative and subject to change.

Information we collect

We collect information that you provide directly to us, that is generated through your use of the platform, and that is uploaded by your organisation in the course of operating its EvoPoint tenant.

  • Account information - name, work email address, role, and the organisation you belong to. For Company Admins and Super-admins, this includes a hashed password and an encrypted TOTP secret.
  • Usage data - server logs, IP addresses, device and browser identifiers, pages viewed, and timestamps recorded when you interact with the platform.
  • Tenant-uploaded content - incident reports, photographs, location data, status updates, comments, and audit log entries created within a customer's tenant.
  • Billing information - name, billing address, and limited card metadata returned to us by Stripe. Full payment card numbers are handled by Stripe and never reach our systems.
  • Support correspondence - the contents of any messages you send us when you contact customer support.

How we use your information

We use personal data to operate the platform safely and to meet our obligations to customers and to regulators. In particular, we use information to:

  • provide, maintain, and improve the EvoPoint service;
  • authenticate users and protect accounts, including through multi-factor authentication;
  • invoice customers, process subscription payments, and recognise revenue;
  • respond to support requests and communicate with you about changes to the service;
  • detect, investigate, and prevent fraudulent, abusive, or unauthorised activity;
  • monitor the performance and reliability of the platform and to improve our product;
  • comply with legal obligations and to respond to lawful requests from regulators or law enforcement.

Sharing your information

We do not sell personal data. We share it only with trusted sub-processors who help us run the platform, and only under written contracts that require them to protect your information.

  • Amazon Web Services - cloud hosting, database, and object storage in the London region.
  • Stripe - subscription billing and payment processing.
  • Resend - transactional email delivery, including magic-link authentication.
  • Sentry - error tracking and application monitoring.
  • Firebase Cloud Messaging - push notifications to the EvoPoint mobile app.

A Data Processing Agreement is available to customers on request. We may disclose personal data where compelled by law, by a court order, or by a properly authorised request from law enforcement or a regulator.

International transfers

Personal data processed through the EvoPoint platform is hosted on Amazon Web Services in the London region (eu-west-2). Some of our sub-processors operate from outside the United Kingdom. Where personal data is transferred outside the UK, we rely on appropriate safeguards including the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or an adequacy decision recognised by the UK government.

How long we retain data

We retain personal data only for as long as is necessary for the purpose for which it was collected. Specific retention periods include:

  • Active accounts - for as long as the customer organisation maintains an EvoPoint subscription.
  • Audit log entries - append-only and retained for a minimum of seven years to meet regulatory expectations for incident records.
  • Backups - encrypted backups are retained for thirty days before being securely destroyed.
  • Billing records - retained for six years to satisfy UK tax and accounting obligations.

Your rights under UK GDPR

Subject to certain conditions, you have the following rights in relation to the personal data we hold about you:

  • the right to be informed about how we use your data;
  • the right of access to a copy of your data;
  • the right to rectification of inaccurate data;
  • the right to erasure, subject to our retention obligations;
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object to processing carried out on the basis of legitimate interests;
  • the right to lodge a complaint with the Information Commissioner's Office.

To exercise any of these rights, please email us at privacy@evopoint.com. Where you are a user within a customer's tenant, we may need to direct your request to that customer, who is the controller for the data they upload to the platform.

Cookies and similar technologies

We use a small number of cookies and similar technologies to operate the platform and to measure how it is used. For full details, including the categories of cookies and how to manage them, please see our Cookie Policy.

Security

We take the security of personal data seriously and design our systems with defence in depth. Personal data is encrypted at rest using AES-256 and in transit using TLS 1.3. Tenants are isolated at the application layer, with every database query and storage path scoped to a single organisation.

Privileged accounts must enrol in time-based one-time password (TOTP) multi-factor authentication, and TOTP secrets are encrypted using a platform-level key. We carry out regular security reviews, log all privileged actions to an append-only audit trail, and follow recognised industry standards for vulnerability management and incident response.

Children's privacy

EvoPoint is a business-to-business platform and is not directed at children. We do not knowingly collect personal data from individuals under the age of 16. If you believe that a child has provided personal data to us, please contact privacy@evopoint.com so that we can take appropriate action.

Changes to this policy

We may update this policy from time to time to reflect changes in our practices, our service, or applicable law. When we do, we will post the updated policy on this page and revise the “Last updated” date at the top. For material changes, we will give customers reasonable advance notice by email or in-product notification.

Contact us

For questions about this policy or to exercise your rights, please contact us at privacy@evopoint.com or by post to EvoPoint Ltd, 1 Finsbury Avenue, London EC2M 2PF.

If you are not satisfied with how we have handled your personal data, you also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk.