Privacy Policy
Effective Date: 12 January 2026
Last Updated: 12 January 2026
1. Introduction
Procure Ally AI Ltd (trading as "Evidary"), a company registered in England and Wales under company number 15559154 ("we", "us", or "our"), is committed to protecting your privacy and personal data.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website at www.evidary.com and use our services (collectively, the "Service"). This policy applies to all visitors, users, and customers of the Service.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Data Controller: Procure Ally AI Ltd
Company Number: 15559154
Email: [email protected]
2. Personal Data We Collect
2.1 Information You Provide
We collect personal data that you voluntarily provide when you:
- Create an account: Name, email address, organisation name, job title, password
- Subscribe to our service: Billing information, company details, VAT number (if applicable)
- Contact us: Name, email, phone number, message content
- Request a demo or pilot: Name, email, company, role, use case information
- Subscribe to communications: Email address, communication preferences
2.2 Information Collected Automatically
When you access the Service, we automatically collect:
- Device information: Browser type, operating system, device type
- Usage data: Pages visited, time spent, features used, click patterns
- Technical data: IP address (anonymised where possible), referring URL
- Cookie data: As described in our Cookie Policy
2.3 Customer Data
When you use our Service, you may submit data relating to your organisation's AI systems ("Customer Data"). This may include compliance documentation, model metadata, audit trails, and related information. We process Customer Data only as instructed by you and as necessary to provide the Service.
Important: The Evidary platform is designed with privacy by default. We actively discourage the submission of personal data within Customer Data, and our Transparency Log is designed to exclude personally identifiable information (PII). Where possible, use pseudonymised identifiers rather than direct personal data.
2.4 Special Categories of Data
We do not intentionally collect special categories of personal data (such as health data, biometric data, or data revealing racial or ethnic origin). If you believe you have inadvertently submitted such data, please contact us immediately.
3. How We Use Your Personal Data
We process your personal data for the following purposes and legal bases:
3.1 Contract Performance (Article 6(1)(b) UK GDPR)
- Providing and maintaining the Service
- Processing your subscription and payments
- Communicating about your account and service updates
- Providing customer support
3.2 Legitimate Interests (Article 6(1)(f) UK GDPR)
- Improving and developing the Service
- Analysing usage patterns to enhance user experience
- Ensuring security and preventing fraud
- Sending relevant product updates and announcements
- Administering our business operations
3.3 Legal Obligations (Article 6(1)(c) UK GDPR)
- Complying with accounting and tax obligations
- Responding to lawful requests from authorities
- Maintaining required records
3.4 Consent (Article 6(1)(a) UK GDPR)
- Sending marketing communications (where consent is required)
- Setting non-essential cookies
- Any other processing where we specifically request consent
4. How We Share Your Personal Data
4.1 Service Providers
We share personal data with trusted service providers who assist us in operating the Service:
- Cloud infrastructure: IBM Cloud (EU/UK data centres only)
- Payment processing: Stripe (PCI-DSS compliant)
- Email services: For transactional and marketing communications
- Analytics: Privacy-focused analytics (with consent)
All service providers are bound by data processing agreements and are required to process data only as instructed and in compliance with applicable law.
4.2 Legal Requirements
We may disclose personal data if required by law, court order, or government request, or to protect our rights, safety, or property.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to this Privacy Policy.
4.4 With Your Consent
We may share personal data for other purposes with your explicit consent.
4.5 No Sale of Personal Data
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
5. International Data Transfers
We are committed to keeping your data within the UK and European Economic Area (EEA). Our primary infrastructure is hosted on IBM Cloud in the London (eu-gb) region.
Where data transfers outside the UK/EEA are necessary (e.g., for certain service providers), we ensure appropriate safeguards are in place:
- UK International Data Transfer Agreement (IDTA)
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions where the destination country has been deemed adequate by UK/EU authorities
For more information about specific transfers or to request copies of safeguards, contact [email protected].
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy:
- Account data: For the duration of your account plus 7 years for legal/tax purposes
- Customer Data: As specified in your subscription agreement; typically 90 days after account termination unless you request earlier deletion
- Billing records: 7 years as required by UK tax law
- Marketing data: Until you unsubscribe or withdraw consent
- Website analytics: 26 months maximum
- Security logs: 12 months for security and fraud prevention
Transparency Log data: Due to the immutable nature of our Transparency Log (using WORM storage), data appended to the log cannot be deleted. This is essential for audit integrity. We design the log to exclude PII, using hashes and identifiers rather than personal data.
7. Data Security
We implement robust technical and organisational measures to protect your personal data:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Key management: HSM-backed cryptographic keys via IBM Key Protect
- Access controls: Role-based access, multi-factor authentication
- Infrastructure: Secure IBM Cloud data centres with physical security
- Monitoring: Continuous security monitoring and logging
- Testing: Regular security assessments and penetration testing
- Incident response: Documented procedures for security incidents
While we implement industry-standard security measures, no system is completely secure. If you become aware of any security issues, please contact [email protected] immediately.
8. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
8.1 Right of Access (Article 15)
You can request a copy of the personal data we hold about you and information about how we process it.
8.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
8.3 Right to Erasure (Article 17)
You can request deletion of your personal data in certain circumstances (e.g., when data is no longer necessary, you withdraw consent, or processing is unlawful).
8.4 Right to Restriction (Article 18)
You can request that we limit the processing of your personal data in certain circumstances.
8.5 Right to Data Portability (Article 20)
You can request a copy of your personal data in a structured, commonly used, machine-readable format.
8.6 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
8.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. We do not currently make such decisions.
8.8 Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing.
8.9 Exercising Your Rights
To exercise any of these rights, contact us at [email protected]. We will respond within one month. We may need to verify your identity before processing your request. There is no fee for most requests, but we may charge a reasonable fee for manifestly unfounded or excessive requests.
9. Cookies
We use cookies and similar technologies on our website. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
10. Marketing Communications
We may send you marketing communications about our products, services, and industry news if you have opted in or if we have a legitimate interest to do so (for existing customers).
You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Emailing [email protected]
- Updating your preferences in your account settings
Please note that opting out of marketing does not affect transactional communications about your account or service.
11. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to review the privacy policies of any third-party sites you visit.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website at least 30 days before changes take effect. The "Last Updated" date indicates when the policy was last revised.
Continued use of the Service after changes become effective constitutes acceptance of the updated policy.
14. Complaints
If you have concerns about how we handle your personal data, please contact us first at [email protected]. We will investigate and attempt to resolve any complaints.
You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
15. Contact Us
For questions about this Privacy Policy or our data practices, please contact:
Procure Ally AI Ltd (trading as Evidary)
Company Number: 15559154
Email: [email protected]
Website: www.evidary.com
16. Data Processing Addendum
For enterprise customers, we offer a Data Processing Addendum (DPA) that provides additional contractual commitments for the processing of Customer Data. The DPA includes:
- Detailed processing instructions and scope
- Security measures and audit rights
- Sub-processor management
- UK IDTA / EU Standard Contractual Clauses
- Data breach notification procedures
To request a DPA, contact [email protected].
Related policies: Terms of Service · Cookie Policy · Subprocessors
