Legal
Privacy Policy
How we collect, use, and protect personal data across the EvoPoint platform.
Last updated · 19 May 2026
About this policy
This policy explains how EvoPoint Ltd, a company registered in England & Wales and registered with the Information Commissioner's Office under reference ZA123456, processes personal data in connection with the EvoPoint platform. EvoPoint is a multi-tenant incident management service used by UK event venues, festivals, stadiums, and managed facilities.
This policy applies to visitors to our marketing website, customers who hold an EvoPoint subscription, members of their teams who use the platform, contractors who receive jobs through it, and members of the public who submit a report by scanning a venue's QR code. Where we act as a processor on behalf of a customer organisation, the customer's own privacy notice will also apply to the personal data they upload to the platform.
This is a template policy and should be reviewed by your legal advisers before being relied upon. References to specific statutory provisions are illustrative and subject to change.
Information we collect
We collect information that you provide directly to us, that is generated through your use of the platform, and that is uploaded by your organisation in the course of operating its EvoPoint tenant.
- Account information - name, work email address, role, and the organisation you belong to. For Company Admins and Super-admins, this includes a hashed password and an encrypted TOTP secret.
- Usage data - server logs, IP addresses, device and browser identifiers, pages viewed, and timestamps recorded when you interact with the platform.
- Tenant-uploaded content - incident reports, photographs, location data, status updates, comments, and audit log entries created within a customer's tenant.
- Billing information - name, billing address, and limited card metadata returned to us by Stripe. Full payment card numbers are handled by Stripe and never reach our systems.
- Support correspondence - the contents of any messages you send us when you contact customer support.
How we use your information
We use personal data to operate the platform safely and to meet our obligations to customers and to regulators. In particular, we use information to:
- provide, maintain, and improve the EvoPoint service;
- authenticate users and protect accounts, including through multi-factor authentication;
- invoice customers, process subscription payments, and recognise revenue;
- respond to support requests and communicate with you about changes to the service;
- detect, investigate, and prevent fraudulent, abusive, or unauthorised activity;
- monitor the performance and reliability of the platform and to improve our product;
- comply with legal obligations and to respond to lawful requests from regulators or law enforcement.
Legal basis for processing
Under the UK General Data Protection Regulation and the Data Protection Act 2018, we must rely on a lawful basis for each processing activity. The bases we rely on are summarised below.
- Performance of a contract (Article 6(1)(b)): where processing is necessary to provide the platform to a customer or to take steps requested before entering into a contract.
- Legitimate interests (Article 6(1)(f)): to secure our systems, prevent fraud, monitor performance, and improve our service, where these interests are not overridden by your rights.
- Legal obligation (Article 6(1)(c)): to retain records for tax, accounting, or regulatory purposes, and to respond to lawful requests.
- Consent (Article 6(1)(a)): for optional cookies and certain marketing communications, which you may withdraw at any time.
International transfers
Personal data processed through the EvoPoint platform is hosted on Amazon Web Services in the London region (eu-west-2). Some of our sub-processors operate from outside the United Kingdom. Where personal data is transferred outside the UK, we rely on appropriate safeguards including the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or an adequacy decision recognised by the UK government.
How long we retain data
We retain personal data only for as long as is necessary for the purpose for which it was collected. Specific retention periods include:
- Active accounts - for as long as the customer organisation maintains an EvoPoint subscription.
- Audit log entries - append-only and retained for a minimum of seven years to meet regulatory expectations for incident records.
- Backups - encrypted backups are retained for thirty days before being securely destroyed.
- Billing records - retained for six years to satisfy UK tax and accounting obligations.
Your rights under UK GDPR
Subject to certain conditions, you have the following rights in relation to the personal data we hold about you:
- the right to be informed about how we use your data;
- the right of access to a copy of your data;
- the right to rectification of inaccurate data;
- the right to erasure, subject to our retention obligations;
- the right to restriction of processing;
- the right to data portability;
- the right to object to processing carried out on the basis of legitimate interests;
- the right to lodge a complaint with the Information Commissioner's Office.
To exercise any of these rights, please email us at privacy@evopoint.com. Where you are a user within a customer's tenant, we may need to direct your request to that customer, who is the controller for the data they upload to the platform.
Security
We take the security of personal data seriously and design our systems with defence in depth. Personal data is encrypted at rest using AES-256 and in transit using TLS 1.3. Tenants are isolated at the application layer, with every database query and storage path scoped to a single organisation.
Privileged accounts must enrol in time-based one-time password (TOTP) multi-factor authentication, and TOTP secrets are encrypted using a platform-level key. We carry out regular security reviews, log all privileged actions to an append-only audit trail, and follow recognised industry standards for vulnerability management and incident response.
Children's privacy
EvoPoint is a business-to-business platform and is not directed at children. We do not knowingly collect personal data from individuals under the age of 16. If you believe that a child has provided personal data to us, please contact privacy@evopoint.com so that we can take appropriate action.
Changes to this policy
We may update this policy from time to time to reflect changes in our practices, our service, or applicable law. When we do, we will post the updated policy on this page and revise the “Last updated” date at the top. For material changes, we will give customers reasonable advance notice by email or in-product notification.
Contact us
For questions about this policy or to exercise your rights, please contact us at privacy@evopoint.com or by post to EvoPoint Ltd, 1 Finsbury Avenue, London EC2M 2PF.
If you are not satisfied with how we have handled your personal data, you also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk.