Privacy Policy

Evique — evique.io

Last updated: 22 May 2026

1. Introduction

This Privacy Policy explains how Evique ("we", "us", "our") collects, uses, stores, and shares personal data when you use our SaaS platform at https://evique.io.

Evique is operated from Poland under the trading name Evique Group. We process personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Polish Act on the Protection of Personal Data of 10 May 2018.

The supervisory authority in Poland is the Urząd Ochrony Danych Osobowych (UODO), https://uodo.gov.pl/.

By using Evique, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the service.

2. Data Controller

For data you provide as a user of Evique (account details, billing information, content you upload), Evique is the data controller.

For personal data of third-party recipients (prospects, leads) that you upload, generate, or send messages to through Evique, you are the data controller and Evique acts as your data processor. By using Evique to process such data, you confirm that you have a valid legal basis under the GDPR (such as legitimate interest under Article 6(1)(f), or consent under Article 6(1)(a)) to do so.

Contact: support@evique.io

3. What Personal Data We Collect

We collect the following categories of personal data:

a) Account data

  • Email address (from Google OAuth or manual registration)
  • Full name (from Google account or manually provided)
  • Profile picture URL (from Google account, if you sign in with Google)
  • Hashed password (if you register with email; we never store plaintext passwords)
  • Account creation date and last login timestamp

b) Technical data

  • IP address
  • Browser type and version, operating system, device type
  • Pages visited, time spent, referring URL
  • Session identifiers (cookies, tokens)

c) Billing data

  • Subscription plan and status
  • Billing email and country (for tax purposes)
  • Payment method metadata (last 4 digits of card, expiry, brand) — full payment data is processed and stored by Stripe, not by us
  • Invoice history

d) Content you create or upload

  • Contact lists, prospect data, email templates, campaign content
  • Email messages drafted, scheduled, or sent through Evique
  • Replies received from recipients (when you connect an inbox)
  • Notes, tags, and other metadata you add to records

e) Third-party connected account data

  • Gmail / Microsoft Outlook OAuth tokens (encrypted at rest), used to send emails on your behalf
  • Google Calendar OAuth tokens (encrypted at rest), used for scheduling integrations
  • Email headers and message IDs needed to track sent messages and detect replies
  • We do not read, store, or process emails in your inbox other than those related to outreach campaigns initiated through Evique

f) Prospect / lead data sourced through the platform

  • Publicly available business contact information (business name, business email, phone, address) retrieved via Google Places API, Google Maps, and similar public sources
  • Enrichment data generated by our AI (industry classification, suggested message angle)

This data concerns businesses, not consumers. Where any such data may identify a natural person (e.g. a freelancer using their personal email for business), it is treated as personal data and processed under the legal basis described in Section 5.

g) Analytics data

  • Google Analytics 4 data (page views, sessions, geographic region at country level), if Analytics cookies are accepted via our cookie banner

Analytics tracking is governed by your consent choices in the cookie banner. If you reject non-essential cookies, no Analytics data is collected.

4. How We Collect Your Data

  • Directly from you when you register, fill out forms, or upload content
  • Automatically through cookies, server logs, and analytics scripts when you use evique.io
  • From third parties when you sign in with Google (we receive profile info via OAuth)
  • From public sources (e.g. Google Places API) when you instruct the platform to find prospects
  • From Stripe when you make a payment (we receive transaction metadata, not card numbers)

5. Legal Basis for Processing (GDPR Art. 6)

We rely on the following legal bases:

Contract (Art. 6(1)(b)): to provide the service you subscribed to — account access, email sending, campaign management, billing.

Legitimate interest (Art. 6(1)(f)): to operate, secure, and improve the platform; to prevent fraud; to communicate with you about service updates; to enable B2B prospecting on publicly available business contact data, which is recognised as a legitimate business interest under Recital 47 of the GDPR provided that the fundamental rights of data subjects do not override that interest.

Consent (Art. 6(1)(a)): for non-essential cookies, marketing emails (if any), and any optional processing where consent is the appropriate basis. You can withdraw consent at any time without affecting the lawfulness of prior processing.

Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, anti-money-laundering, and other applicable Polish and EU law.

6. How We Use Your Data

We use personal data to:

  • Create and maintain your account
  • Authenticate you and secure your session
  • Provide, operate, and improve the features of Evique
  • Generate, schedule, and send emails on your behalf through your connected mail accounts
  • Process payments and issue invoices via Stripe
  • Detect, prevent, and address fraud, abuse, and security incidents
  • Comply with legal and regulatory obligations
  • Communicate with you about service updates, security alerts, and customer support
  • Aggregate usage statistics to understand product performance (subject to your cookie consent)

7. AI Processing and Sub-Processors

Evique uses third-party AI services to generate email content, classify replies, and enrich prospect data. Specifically, we send the following information to Anthropic (provider of the Claude language model) for processing:

  • Prompts containing prospect business data, campaign context, and your custom instructions
  • Inbound email content (when you use the reply classifier or draft assistant)

Anthropic processes this data under its commercial terms, which include a zero data retention option that Evique has elected to use where available. Anthropic does not use API inputs or outputs to train its models.

We do not feed your data into any AI model training pipeline. We do not sell your data to any party.

8. Who We Share Your Data With

We share personal data only with sub-processors that are necessary to operate the service. Our current sub-processors are:

Infrastructure and hosting

  • Railway Corp. (United States) — backend and frontend hosting plus database storage, deployed in EU West region
  • Cloudflare Inc. (United States) — DNS and DDoS protection

Authentication and email delivery

  • Google LLC (United States) — Google OAuth, Gmail API, Google Calendar API
  • Microsoft Corporation (United States) — Microsoft Entra OAuth, Outlook / Microsoft Graph API

Business search and enrichment data

  • Google LLC (United States) — Google Places API (business search) and Google Maps (geocoding)
  • Foursquare Inc. (United States) — business search data for US/CA queries (Places v3 API)
  • OpenStreetMap Foundation (United Kingdom) — open business data via Overpass community instance (ODbL license)

Payments

  • Stripe, Inc. (United States) — subscription and payment processing

AI processing

  • Anthropic PBC (United States) — large language model API for email generation, classification, and enrichment

Analytics

  • Google LLC — Google Analytics 4 (only if you accept analytics cookies)

Error monitoring

  • Functional Software, Inc. (d/b/a Sentry) (United States) — error monitoring and performance tracing. Processes application error data and stack traces. Personal data (email addresses, IP addresses) is masked via a before_send filter before transmission. Data processed in the United States. We rely on Sentry's published Data Processing Addendum.

We do not sell or rent personal data to advertisers or data brokers. We will disclose data to law enforcement or other authorities only when legally required and only to the extent necessary.

9. International Data Transfers

Several of our sub-processors are located in the United States. We rely on the following transfer mechanisms under GDPR Articles 44–46:

  • EU–U.S. Data Privacy Framework certification (for sub-processors that participate)
  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Additional technical and organisational safeguards, including encryption in transit (TLS) and encryption at rest for sensitive credentials

Where data is transferred outside the EEA, we ensure equivalent protection in line with applicable GDPR requirements.

10. Data Retention

We retain personal data only for as long as needed:

  • Account data: while your account is active, plus 30 days after deletion request (to allow recovery in case of accidental deletion)
  • Billing records: 5 years from the end of the relevant fiscal year, as required by Polish accounting law
  • Campaign content and prospect data: while your account is active; deleted within 30 days of account closure
  • OAuth tokens for connected mail accounts: until you disconnect the account or close your account
  • Server logs: 90 days, then deleted or aggregated
  • Backups: rolling 30-day window; data in backups is overwritten on the same retention schedule

11. Your Rights Under GDPR

If you are in the EEA, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest, including for direct marketing
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent
  • Right to lodge a complaint with a supervisory authority (Art. 77) — in Poland, the UODO

To exercise any of these rights, email us at support@evique.io. We will respond within 30 days as required by Art. 12(3) GDPR.

12. Rights of Prospect / Lead Data Subjects

If you are a prospect or recipient of a message sent through Evique by one of our users, and you wish to exercise your data subject rights regarding data that user holds about you:

  • Your primary point of contact is the Evique user who contacted you — they are the data controller for your data and are responsible for fulfilling your request
  • If you cannot reach them or believe they have not honoured your request, you may contact us at support@evique.io and we will, where technically possible and lawful, assist you and facilitate communication with the controller
  • You always retain the right to lodge a complaint with the UODO or your local supervisory authority

13. Cookies and Tracking

Evique uses cookies and similar technologies. Categories include:

  • Strictly necessary cookies — required for authentication, security, and basic functionality. Cannot be disabled.
  • Functional cookies — remember your preferences (e.g. language, display settings)
  • Analytics cookies — Google Analytics 4, used only if you accept it via the cookie banner
  • No advertising or third-party advertising cookies are set by Evique

You can manage your cookie preferences at any time through the cookie banner accessible from the footer of every page. You can also manage cookies through your browser settings.

14. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • TLS encryption for all data in transit (HTTPS only)
  • Encryption at rest for sensitive credentials (OAuth tokens, API keys) using Fernet symmetric encryption
  • Hashed passwords using industry-standard algorithms (bcrypt or argon2)
  • Principle of least privilege for internal access to production systems
  • Regular security reviews of code and infrastructure
  • Sub-processors are selected based on their security posture and contractual commitments

No system is 100% secure. If a personal data breach affects you, we will notify you and the UODO without undue delay, and within 72 hours where required by Art. 33 GDPR.

15. Children's Data

Evique is a business service and is not directed to children. We do not knowingly collect personal data from individuals under 18 years of age. If you believe a child has provided us with personal data, please contact us at support@evique.io and we will delete it.

16. Automated Decision-Making

Evique uses AI to generate suggested email content, classify replies, and score leads. However, no decisions producing legal or similarly significant effects on you are made solely by automated means. All AI outputs are advisory and can be reviewed, modified, or rejected by the human user before any action (such as sending an email) is taken.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last updated" date and notify users by email at least 14 days before the changes take effect. Continued use of Evique after that date constitutes acceptance of the updated Policy.

18. Contact

For any questions, requests, or concerns about this Privacy Policy or how we handle your data:

Email: support@evique.io Operated from: Poland Website: https://evique.io

Evique currently operates as an online-only business without a physical office. All data protection inquiries, including requests to exercise your GDPR rights, should be directed to the email address above. We respond to GDPR requests within 30 days as required by Art. 12(3) GDPR.

Supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland — https://uodo.gov.pl/