Privacy Policy
Evalyze Inc. ("Evalyze," "we," "us," or "our")
Website & Services: Evalyze.ai and all related sites, apps, dashboards, APIs, extensions, and services (collectively, the "Service")
Effective date: September 2025
Last updated: September 2025
Address: 3230 Yonge Street, Toronto, ON M4N 3P6, Canada
Single contact for all matters: [email protected]
This Privacy Policy is a single, comprehensive statement for Evalyze Inc. It explains how we collect, use, disclose, transfer, secure, and retain personal information and professional data in connection with the Service. It is designed to (i) preserve Evalyze’s rights and operational flexibility, (ii) maximize transparency for users and data subjects, and (iii) minimize litigation risk by aligning with key privacy regimes (PIPEDA and provincial laws in Canada; EU/UK GDPR; U.S. CCPA/CPRA and state laws; Brazil LGPD; CASL/CAN‑SPAM; and e‑privacy principles). Where local law grants stronger rights, we honor those to the extent required.
Table of Contents
- Acceptance, Scope & Interpretation
- Roles & Responsibilities (Controller / Processor)
- Information We Collect (Categories & Examples)
- Sources of Information (Including Public Sources)
- Purposes of Processing & Legal Bases
- Use of AI/LLMs, Automation & Profiling
- Public‑Source Dataset Policy & Professional Outreach
- Marketing & Communications
- Sharing & Disclosures (How We Share and Why)
- International Transfers & Data Residency
- Retention & Deletion
- Security (Administrative, Technical, Organizational)
- Cookies & Similar Technologies
- Your Rights (By Region)
- Your Choices & Controls (Opt‑Outs; GPC; DNT; Model Improvement)
- Children’s Privacy
- Third‑Party Links & Integrations
- Payments, Currency & Financial Data (USD)
- Accuracy, Data Minimization & Sensitive Data
- Incident Response & Breach Notification
- Accountability, DPIAs & Records of Processing
- California “Notice at Collection” (CPRA)
- Disclaimers; Limitation of Liability (Privacy‑Related)
- Dispute Resolution, Governing Law & Precedence
- Changes to this Policy
- Contact (Single Point)
- Summary of Key Commitments
- Glossary
1) Acceptance, Scope & Interpretation
Acceptance. By creating an account or using the Service, you acknowledge and agree that your information will be collected and processed as described in this Policy. If you do not agree, do not use the Service. Where required by law (e.g., certain cookies, marketing in specific jurisdictions), we will also seek express consent.
Scope. This Policy covers personal information processed by Evalyze in connection with: (a) the Service (websites, apps, dashboards, APIs, extensions), and (b) our business operations (support, billing, compliance, security, and product improvement). It also covers professional data in our investor/founder datasets assembled from public sources and reputable third parties.
Interpretation. Headings are for convenience only. “Including” means “including without limitation.” Any ambiguity is construed neutrally and not against either party. For cross‑reference, capitalized terms used here but defined in our Master Terms of Service (the “ToS”) have the meanings given there.
2) Roles & Responsibility (Controller / Processor)
- Controller. For the data we collect to operate, secure, and improve the Service (e.g., accounts, analytics, public‑source datasets, and marketing), Evalyze Inc. is the controller.
- Processor. For enterprise/portfolio customers, when we process data under their instructions (e.g., within their Evalyze environment), we act as a processor under a separate Data Processing Addendum (DPA).
Unless expressly agreed in writing, Evalyze and any enterprise customer or partner are not joint controllers.
3) Information We Collect (Categories & Examples)
We collect the following categories of information; specific items vary by user, feature, and jurisdiction.
3.1 Information You Provide
- Account & Profile: name, email, password, role/title, organization, country, preferences.
- Billing: payment method and transaction details (processed by third‑party payment processors; we do not store full card numbers).
- Content: pitch decks, business plans, fundraising materials, investor lists/notes, data room links, messages, attachments, comments, and meeting notes.
- Communications: emails/chats with support/success teams; survey responses; webinar and event interactions.
3.2 Information We Generate
- Scores & Insights: Investor Readiness Score™, benchmarking, investor matches, recommendations, entity/industry tags.
- CRM/Workflow Data: outreach logs, follow‑ups, meeting notes, status changes, scheduling cues, and derived analytics.
3.3 Information Collected Automatically
- Usage & Device: IP address, device IDs, browser/OS type, settings, time zone, language, referral URLs, pages viewed, clickstream, session duration, crash/performance logs, and coarse location from IP.
- Cookies & Similar Technologies: first‑party/third‑party cookies, local storage, pixels, and SDKs for authentication, analytics, A/B testing, personalization, security/fraud prevention, and marketing. See Section 13.
3.4 Information from Public/Third‑Party Sources
- Publicly Available Professional Data (Investors & Founders): firm and portfolio websites, thesis pages, conference agendas, news and regulatory filings, professional directories, and public social/professional profiles.
- Licensed Data & Enrichment: reputable partners and enrichment providers that supply professional or firm‑level data consistent with law and their terms.
4) Sources of Information (Including Public Sources)
We use lawful sources appropriate to B2B professional data. We do not knowingly bypass paywalls or technical restrictions without permission. If you believe a public‑source record about you is inaccurate or out‑of‑date, see Section 14 (rights) and Section 7 (opt‑out/suppression within 7 days).
5) Purposes of Processing & Legal Bases
Where the GDPR/UK GDPR applies, our legal bases are indicated in italics:
- Provide & Operate the Service (authentication, core features, customer success/support). Contractual necessity; Legitimate interests.
- Fundraising Automation (investor matching, scoring, application auto‑fill, CRM, reminders, and analytics). Contractual necessity; Legitimate interests.
- Improve & Secure the Service (quality, debugging, security monitoring, fraud/abuse prevention, feature testing). Legitimate interests; Legal obligations (security).
- Model & Product Improvement (using de‑identified/aggregated data derived from your content/usage to improve models/heuristics). Legitimate interests; Consent where required.
- Personalization (tailored matches, recommendations, user experience). Legitimate interests; Consent for certain cookies/trackers.
- Marketing & Communications (product updates, offers where permitted). Legitimate interests; Consent where required by CASL/e‑privacy.
- Payments & Billing (processing USD pricing, invoices, refunds, chargebacks). Contractual necessity; Legitimate interests; Legal obligations.
- Compliance & Protection (record‑keeping, lawful requests, enforcing ToS, protecting rights/safety). Legal obligations; Legitimate interests.
We do not rely solely on automated decisions that produce legal or similarly significant effects without appropriate safeguards and avenues for human review. See Section 6.
6) Use of AI/LLMs, Automation & Profiling
We use multiple AI/ML services (including large language models), automation platforms, analytics, and enrichment tools as processors under contract to perform: text analysis, summarization, classification, entity extraction, deduplication, scoring, personalization, and application auto‑fill. We implement role‑based access controls, logging, and other safeguards when transferring data to such providers.
- Third‑party model training. We do not permit third‑party foundation model providers to train their models on your personal information except as allowed by law and contract.
- Internal model improvement. We may use de‑identified/aggregated data derived from your use of the Service to improve our models and features. You may opt out of internal model‑improvement use at any time by emailing [email protected].
- Automated decision‑making/profiling. Our scoring, investor fit, and workflow automation involve algorithmic processing and profiling to generate recommendations and prioritizations. You can request human review, an explanation, or to contest a significant outcome. See Section 14 and Section 15.
7) Public‑Source Dataset Policy & Professional Outreach
- Public‑source focus. We assemble professional investor/founder datasets from public sources and reputable partners for B2B uses compatible with the context of publication.
- Legitimate‑interest outreach. Where permitted, we may contact professionals whose public theses or profiles indicate a legitimate interest in our offerings.
- Opt‑out & 7‑day suppression. Email [email protected] to opt out. We will remove or irreversibly suppress your record within 7 days of verification and maintain a suppression list to prevent further contact.
- Accuracy & no duty to monitor. We strive for accuracy but do not guarantee completeness or timeliness, and have no ongoing duty to monitor every source.
- Not a consumer reporting agency. We are not a CRA, and our outputs must not be used for FCRA‑regulated purposes (employment, credit, housing, insurance).
- Source disclosure on request. Where feasible, we will disclose the type of public source(s) used for your profile upon a verified request.
8) Marketing & Communications
- Transactional emails (non‑marketing). By signing up, you acknowledge that we send necessary account/service emails (e.g., verification, security alerts, essential product/feature notices, billing/receipts). These are not marketing and are not subject to opt‑out, except by closing your account (subject to legal/operational notices).
- Newsletter & opportunities (default enrollment). By creating an account, you authorize us to add your account email to our newsletter and opportunities/updates list by default. You can opt out at any time using the unsubscribe link or by emailing [email protected]; removals are processed within 7 days.
- Your outreach compliance. If you export contacts or use templates, you are responsible for your compliance with anti‑spam/privacy laws (CASL, CAN‑SPAM, e‑privacy). We disclaim liability for your independent outreach.
- Suppression records. We retain minimal suppression data to honor your marketing preferences and demonstrate compliance.
9) Sharing & Disclosures (How We Share and Why)
We share personal information only as necessary and in line with this Policy:
- Service providers/processors. Hosting, storage, AI/LLM providers, analytics, security, email/SMS, support, and payment processors under confidentiality and data‑protection terms.
- Enterprise/portfolio customers. If your account is under an organization’s license, authorized administrators may access certain information consistent with that organization’s policies.
- Legal/compliance. To comply with law, regulation, subpoena, or court order, or to protect rights, safety, and property. We may challenge overbroad requests at our discretion, but are not obligated to do so.
- Business transactions. In connection with mergers, financings, acquisitions, bankruptcy, or dissolution, subject to appropriate safeguards, successors will be bound by this Policy or a policy with materially similar protections.
- At your direction. When you connect integrations or instruct us to share data with third‑party tools.
We do not sell personal information as “sell” is defined by CCPA/CPRA. We may engage in cross‑context behavioral advertising (targeted advertising); see Section 15 for opt‑out controls.
10) International Transfers & Data Residency
We operate globally and may transfer data across borders (including to the U.S., Canada, and the EU/UK). Where required, we rely on Standard Contractual Clauses (SCCs), UK addenda, adequacy decisions, or other lawful transfer mechanisms, and implement additional safeguards (encryption, access controls). On request, we can provide an overview of transfer mechanisms relevant to your data flows.
11) Retention & Deletion
We retain data only as long as necessary for the purposes described or as required by law.
Typical retention periods:
- Account & Billing: up to 7 years after account closure (tax/audit/legal).
- User‑Uploaded Content: up to 3 years after last access or until you delete or request deletion.
- Public‑Source Profiles (Investors/Founders): retained while relevant and accurate; upon verified opt‑out, removed or irreversibly suppressed within 7 days.
- Usage/Analytics Logs: typically 2 years from collection.
- Legal Holds: specific records retained beyond normal periods where required.
Minimal suppression/audit records may be retained to honor opt‑outs and demonstrate compliance. Deletion from backups occurs in the ordinary course of our backup cycles.
12) Security (Administrative, Technical, Organizational)
We employ layered safeguards designed to protect data, including: encryption in transit and at rest; role‑based and least‑privilege access; logging and monitoring; network segmentation; vulnerability management; and vendor diligence. No method is 100% secure; you must safeguard credentials, configure available security features, and notify us promptly of suspected compromise.
We may throttle, rate‑limit, or otherwise control access to protect the Service and comply with the law. We reserve the right to geo‑block or suspend accounts where risk is detected.
13) Cookies & Similar Technologies
We use cookies, pixels, and local storage to authenticate sessions, remember preferences, analyze usage, measure campaigns, and personalize features. Where required, we present a consent banner allowing you to accept, reject, or customize non‑essential cookies. You can also control cookies via browser settings; blocking cookies may limit functionality.
Cookie categories:
- Strictly necessary (authentication, security, load balancing);
- Functional (preferences, improvements);
- Analytics (usage metrics, performance, A/B testing);
- Marketing/advertising (campaign measurement, retargeting where permitted).
14) Your Rights (By Region)
Your rights depend on your jurisdiction and may include: access/portability, correction, deletion, restriction/objection (including to marketing/profiling), withdrawal of consent, opt‑out of targeted advertising, human review of significant automated outcomes, and appeals. We respond within statutory timeframes (typically 30–45 days). We do not discriminate for exercising rights.
- Canada (PIPEDA/provincial laws): access, correction, withdrawal of consent.
- EU/EEA & UK (GDPR/UK GDPR): access/portability, rectification/erasure, restriction/objection (including to profiling for direct marketing), human review of significant automated outcomes, lodge a complaint with your DPA/ICO.
- California (CCPA/CPRA): know/access, correction, deletion, opt‑out of sharing for cross‑context behavioral advertising; we do not use sensitive PI beyond permitted purposes; non‑discrimination.
- Other U.S. States (e.g., VA, CO, CT, UT): similar rights, including opt‑out of targeted advertising/profiling; appeal rights.
- Brazil (LGPD) & other regions: rights as applicable under local law.
How to submit requests. Email [email protected] from your account email with your request and sufficient details to identify you and the data at issue. We may require reasonable verification (email confirmation, login, or ID attestation). Authorized agents (e.g., California) must provide proof of authority and identity.
If we deny your request, you may appeal by replying to our decision. If unresolved, contact your supervisory authority or Attorney General.
15) Your Choices & Controls (Opt‑Outs; GPC; DNT; Model Improvement)
- Email preferences. Unsubscribe from marketing using the link in our emails or by emailing [email protected]; we process removals within 7 days.
- Targeted advertising. Use browser signals such as the Global Privacy Control (GPC) where supported; we honor GPC where required by law.
- Do Not Track (DNT). We do not currently respond to all DNT signals due to limited industry consensus; we honor legally required signals.
- Model‑improvement opt‑out. Email [email protected] to opt out of internal model‑improvement use of your data.
- Profiling choices. You may object to certain profiling or request human review of significant automated outcomes as described above.
16) Children’s Privacy
The Service is not intended for children under 16 (or a higher age threshold where required). We do not knowingly collect children’s data. If you believe a child provided personal information, contact [email protected]; we will delete it promptly and take steps to prevent further collection.
17) Third‑Party Links & Integrations
The Service may link to or integrate with third‑party tools (e.g., email, calendar, storage, analytics). Their privacy practices are their own; review their policies before use. We are not responsible for third‑party content, security, or practices.
18) Payments, Currency & Financial Data (USD)
We display pricing in USD and process payments through third‑party processors (e.g., card networks/Stripe‑like providers). We receive limited billing details and rely on processors for secure payment handling. Currency conversion or bank charges may apply. Refunds/chargebacks follow our ToS and processor rules.
19) Accuracy, Data Minimization & Sensitive Data
We strive for accuracy—particularly for public‑source professional datasets—and collect only what is reasonably necessary for the purposes described. The Service is not designed for special categories of data (e.g., health, biometric, precise geolocation, racial/ethnic origin, religious or union membership) or children’s data—do not upload such information. If uploaded inadvertently, email [email protected] for assistance with removal.
20) Incident Response & Breach Notification
We maintain procedures for detecting, investigating, and responding to security incidents. If a breach occurs that is likely to create a risk to your rights and freedoms, we will: (i) investigate and mitigate; (ii) notify relevant authorities within required timelines (e.g., 72 hours under GDPR where applicable); (iii) inform affected users without undue delay where required; and (iv) provide details on the nature of the breach, likely consequences, measures taken, and a contact point for more information.
21) Accountability, DPIAs & Records of Processing
We maintain internal policies and records of processing activities commensurate with our obligations. Where required, we conduct Data Protection Impact Assessments (DPIAs) and implement privacy‑by‑design measures. We vet subprocessors and maintain contractual safeguards, including data‑transfer mechanisms.
22) California “Notice at Collection” (CPRA)
Categories of personal information collected: identifiers (name, email, device IDs, IP), commercial information (billing/transactions), internet/electronic activity (usage logs), professional information (role/title, public‑source profiles), inferences (scores/recommendations). We do not collect precise geolocation or sensitive personal information for purposes beyond those permitted by CPRA.
Purposes: see Section 5 (provide Service, security, analytics, personalization, marketing where permitted, payments, compliance).
Retention: see Section 11.
Sources: see Section 4.
Disclosure: to service providers, processors, enterprise admins, and as legally required (see Section 9).
Sale/Sharing: we do not sell personal information; we may engage in cross‑context behavioral advertising (you may opt out—see Section 15).
Rights: access, correction, deletion, opt‑out of sharing, and non‑discrimination (see Section 14). Requests to [email protected].
23) Disclaimers; Limitation of Liability (Privacy‑Related)
To the maximum extent permitted by law, the Service, datasets, and outputs are provided “as is” and “as available.” We disclaim all warranties not required by law. Evalyze and its affiliates, officers, employees, and agents are not liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, revenues, goodwill, or data arising from this Policy or our processing activities. In all cases, our aggregate liability for privacy‑related claims is limited to the greater of (a) US $100 or (b) the amounts you paid to Evalyze in the 12 months before the event—unless a different cap is set in our ToS, in which case the ToS cap controls. Some jurisdictions do not allow certain limitations; we apply the maximum allowed by law.
24) Dispute Resolution, Governing Law & Precedence
Unless prohibited by local law, this Policy and any dispute arising from it are governed by the laws of Ontario, Canada, and the federal laws of Canada applicable therein, with exclusive jurisdiction in Toronto, Ontario.
Precedence. If this Policy conflicts with our Master Terms of Service (including arbitration/class‑action waiver, remedies, and liability limits), the ToS controls. Before initiating proceedings, email [email protected] a Notice of Dispute and allow 30 days for good‑faith resolution.
25) Changes to this Policy
We may update this Policy periodically. We will post the updated version with a revised "Last updated" date. Material changes will be notified in‑product or by email where appropriate. Continued use after the effective date constitutes acceptance of the updated Policy. We archive prior versions and will provide a summary of changes on request.
26) Contact (Single Point)
All notices, requests, takedowns, opt‑outs (including marketing and public‑dataset suppression), privacy rights requests, DMCA/copyright notices, billing issues, legal notices, and general inquiries must be sent to [email protected]. We may route or tag messages internally for faster handling.
Postal: Evalyze Inc., 3230 Yonge Street, Toronto, ON M4N 3P6, Canada.
27) Summary of Key Commitments
- Acceptance occurs by creating an account or using the Service.
- We collect investor and founder data from public sources; professionals may receive legitimate‑interest outreach with a 7‑day opt‑out/suppression.
- We use LLMs/AI/automation providers under processor terms; we do not permit third‑party model training on your PI; internal model‑improvement uses de‑identified/aggregated data and is opt‑out.
- Transactional emails are necessary for account operation (no opt‑out). New signups are added to the newsletter/opportunities list by default with easy opt‑out.
- USD pricing; payments handled by third‑party processors; we do not store full card numbers.
- We implement industry‑standard security, maintain records of processing, and conduct DPIAs where required.
- Single contact address: [email protected].
- ToS precedence: Liability limits, arbitration, and remedies are governed by the ToS.
28) Glossary (Selected)
- Controller / Processor: Roles under GDPR defining who decides the purposes/means of processing (controller) versus who processes on another’s behalf (processor).
- Personal Information (PI): Any information about an identifiable person, including professional data tied to a person.
- Public‑Source Data: Information publicly available via firm websites, filings, directories, conference agendas, or public profiles.
- Targeted Advertising / Cross‑Context Behavioral Advertising: Ads based on PI collected across different businesses, websites, apps, or services.
- SCCs: Standard Contractual Clauses used for international data transfers.
- Suppression: Maintaining minimal records to ensure opted‑out addresses are not contacted again.
- DPIA: Data Protection Impact Assessment used to evaluate and mitigate privacy risks of processing.
- ROPA: Records of Processing Activities maintained to document data flows and obligations.