Evidri beta

Evidri Privacy Policy

Version 2 · effective May 25, 2026

Evidri Privacy Policy

This Privacy Policy describes how Nils Wloka, the operator of Evidri, processes your personal data when you use the Service. It is provided in fulfilment of Articles 13 and 14 of the General Data Protection Regulation (GDPR).

1. Controller

The controller responsible for processing your personal data is:

  • Nils Wloka
  • Niederzielenbach 9, 51597 Morsbach, Germany
  • contact@evidri.com

The Provider operates the Service as a private individual; no data protection officer is required at this scale (Art. 37 GDPR).

2. Personal data we process

We process the following categories of your personal data:

  • Account data received from our identity provider (Zitadel Cloud): your email address, display name, and OIDC subject identifier.
  • Product activity captured by our analytics provider (PostHog): the pages and features you use, anonymised event metadata, and a session identifier.
  • Support communications handled by our customer-support provider (Crisp IM SARL) when you contact us through the in-app chat: your email address, the organisation you belong to, the messages you send us, and basic technical metadata (such as browser and the page you were on) that helps us assist you.
  • Technical logs: your IP address, browser user agent, and timestamps of requests, kept in access logs for security and abuse-prevention purposes.

This Privacy Policy covers the data we process about you as the user. The personal data of third parties contained in content you upload (for example, interview participants in transcripts you import) is processed under the separate Data Processing Agreement, where you are the controller and we are the processor.

3. Purposes and legal bases

Purpose Legal basis
Operating your account, authenticating you, and providing the Service Art. 6(1)(b) GDPR — performance of a contract
Understanding how the Service is used so we can improve it (PostHog analytics) Art. 6(1)(f) GDPR — legitimate interest. You may object at any time (Art. 21 GDPR) by contacting us.
Responding to you when you contact us through the in-app support chat (Crisp) Art. 6(1)(b) GDPR — performance of a contract; and Art. 6(1)(f) GDPR — our legitimate interest in supporting users. You may object at any time (Art. 21 GDPR).
Maintaining technical logs for security and operations Art. 6(1)(f) GDPR — legitimate interest in service security

4. Recipients (sub-processors)

We use the following sub-processors. Each is contractually bound to process your data only on our instructions and to maintain a level of security required by Art. 28 GDPR.

Sub-processor Purpose Country
Hetzner Online GmbH Hosting (servers and storage volumes) Germany
Backblaze, Inc. Encrypted off-site database backups EU (Frankfurt region)
Zitadel GmbH Identity provider (authentication) Germany / Switzerland
PostHog, Inc. Product analytics EU (Frankfurt region)
Crisp IM SARL In-app customer support chat France; data stored in the EU (Netherlands and Germany)
OpenRouter, Inc. LLM gateway — routes inference requests to one of its model-provider partners United States
Anthropic PBC LLM provider (used directly and via OpenRouter) United States
OpenAI, OpCo, LLC Embedding model provider (via OpenRouter) United States

OpenRouter sub-providers: When OpenRouter receives an inference request for a non-Anthropic, non-OpenAI model, it forwards the request to one of several provider partners. Today, the Service uses OpenRouter for Qwen-family models (used for classification, extraction, suggestion, naming, and chat). Qwen requests are typically routed to one of: DeepInfra, NovitaAI, Together AI, Fireworks, or Hyperbolic — each an independent processor in the United States. The live list of provider partners for any given model is published at openrouter.ai/<model>/providers. We update this section and notify you under our Data Processing Agreement when the set of provider partners changes materially.

A current list of sub-processors is also available in Annex 2 of the Data Processing Agreement.

5. International transfers

Some sub-processors are established in the United States. Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and on additional safeguards where appropriate. Please note: when content you upload contains personal data and is processed by an LLM sub-processor, that content is sent to a US-based provider for the duration of the request.

6. Retention

We retain your personal data for as long as you have an account. When you delete your account or we terminate it, we delete your data within 30 days. Encrypted backups containing your data may persist for up to a further 30 days, after which they are pruned automatically.

7. Your rights

You have the following rights with respect to your personal data:

  • Access (Art. 15) — you may request a copy of your data.
  • Rectification (Art. 16) — you may request correction of inaccurate data.
  • Erasure (Art. 17) — you may request deletion. The simplest way is to delete your account in the Service.
  • Restriction (Art. 18) — you may request that we restrict processing.
  • Portability (Art. 20) — you may request a machine-readable export.
  • Objection (Art. 21) — you may object to processing based on legitimate interest.
  • Withdrawal of consent — to the extent processing is based on your consent, you may withdraw it at any time, with effect for the future.
  • Complaint to a supervisory authority (Art. 77) — you may complain to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) or the data protection authority of your habitual residence.

To exercise these rights, contact us at contact@evidri.com.

8. Cookies and local storage

The Service uses:

  • A session cookie to keep you logged in. Strictly necessary; no consent required (§ 25(2)(2) TTDSG).
  • Local storage for your in-app preferences (e.g. last-selected workspace). Strictly necessary; no consent required.
  • PostHog analytics, which sets a first-party cookie to identify your session for product analytics. Processed under our legitimate interest in improving the Service; you may object as described above.
  • Crisp support chat, which sets cookies in your browser to maintain your support-chat session and recognise you across visits. Loaded only when you are signed in. Processed under our legitimate interest in providing support; you may object as described above.

9. Automated processing

The Service uses large language models (LLMs) to classify, extract, and suggest based on the content you upload. These automated steps suggest edits to evidence and clusters; they do not produce decisions that have legal effects on you or significantly affect you within the meaning of Art. 22 GDPR. Every classification can be reviewed and overridden by you.

10. Security

We use TLS for all network traffic, encrypt data at rest in the database and in backups, restrict access to operational systems, and maintain a sub-processor list. Detailed technical and organisational measures are described in Annex 1 of the Data Processing Agreement.

11. Changes

When we publish a new version of this Privacy Policy, you will be presented with the updated text on your next login and asked to accept it. You may decline; in that case your account will be terminated and your data deleted as described in our Terms of Service.

12. Contact

For all privacy-related questions and requests:

  • Nils Wloka
  • Niederzielenbach 9, 51597 Morsbach, Germany
  • contact@evidri.com