Legal

Evoro Privacy Policy

Effective date: 16/06/2026Last updated: 27/06/2026

This Privacy Policy explains how EVORO INT LTD trading as Evoro ("Evoro", "we", "us" or "our") processes personal data.

EVORO INT LTD is a company registered in England and Wales under company number 13376248, with its registered office at 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF.

Evoro provides an AI platform that helps business customers analyse customer conversations, identify important moments, support coaching and follow-up, and improve customer operations.

You can contact us about privacy matters at privacy@evoro.io

1. Who this policy is for

This policy is for:

  • our business customers;
  • users who access the Evoro platform;
  • people whose calls or communications may be processed through Evoro because one of our business customers uses the Service;
  • visitors to our website;
  • suppliers, partners and other business contacts.

For most personal data processed through the Evoro platform, our business customer is the controller and Evoro acts as a processor under that customer's instructions and our Data Processing Addendum.

This means our customers are responsible for deciding why and how call data is collected, recorded and analysed. Our customers are also responsible for giving appropriate privacy notices and call-recording notices to their staff, callers, customers, prospects and other data subjects.

Where Evoro processes personal data for its own business purposes, such as website enquiries, sales communications, billing administration and account management, Evoro acts as a controller.

2. Personal data we process

The personal data we process depends on how you interact with us and how our customers use the Service.

2.1 Data processed through the Evoro platform

For our customers' use of the Service, we may process:

  • call recordings;
  • call transcripts;
  • call metadata, such as phone numbers, times, durations, call direction and agent identity;
  • connected CRM data, such as accounts, contacts, opportunities, deals, cases, notes and follow-up activity;
  • telephony and communications data from connected systems;
  • user account data, such as name, work email address, role, organisation, permissions and login details;
  • derived data produced by the Service, such as summaries, topics, sentiment, scores, coaching signals, commitments, customer-risk indicators, decisions, reports and other outputs;
  • customer corrections, feedback and outcomes submitted in the Service;
  • usage data, such as seats, minutes, analysed calls, feature usage, exports and audit logs.

2.2 Billing and commercial data

We may process:

  • customer account and billing details;
  • invoices and payment status;
  • subscription tier, seats and usage;
  • payment method information.

Payment card data is handled by our payment provider, such as Stripe, and is not stored by Evoro.

2.3 Website and marketing data

When you visit our website or contact us, we may process:

  • name;
  • work email address;
  • company name;
  • job title;
  • telephone number;
  • message content;
  • demo or enquiry details;
  • website usage data;
  • cookie and analytics data, where applicable.

2.4 Supplier and partner data

For suppliers, partners, advisers and other business contacts, we may process:

  • name;
  • work contact details;
  • role;
  • organisation;
  • contract and payment information;
  • communications with us.

3. How we use personal data

We use personal data to:

  • provide, operate and support the Evoro platform;
  • analyse calls and generate outputs for our customers;
  • integrate with customer telephony, CRM and communication systems;
  • create summaries, reports, scores, coaching signals, commitments and other decision-support outputs;
  • maintain, secure and monitor the Service;
  • manage customer accounts, billing, support and administration;
  • communicate with customers, users, suppliers and prospects;
  • improve and develop the Service and its analytical systems;
  • maintain audit logs and operational records;
  • comply with legal, regulatory and contractual obligations;
  • protect our rights, customers, users and systems.

4. Service improvement and analytical learning

Evoro may use Customer Data, including call content, metadata, corrections, user feedback and outcomes, to maintain, evaluate, improve and develop the Service and its analytical systems, scoring logic, prompts, classifiers and models.

This is subject to the customer agreement, the Data Processing Addendum and the safeguards described in this policy.

Our standing guarantee is:

Evoro will not make one customer's content available to any other customer in identifiable or retrievable form.

Cross-customer learning, benchmarking and service improvement may use anonymised, aggregated or de-identified information only where it cannot reasonably identify a customer, user, caller, prospect, employee or other individual.

Evoro does not permit third-party AI model providers to use Customer Data to train their general-purpose foundation models, except where expressly disclosed in the DPA or agreed in an Order Form.

5. Our role and lawful bases

Where Evoro acts as a processor, our customer is responsible for identifying and communicating the lawful basis for processing personal data. We process that data on the customer's documented instructions, subject to our Data Processing Addendum.

Where Evoro acts as a controller, we rely on one or more of the following lawful bases:

  • Performance of a contract — to provide, support, bill for and administer the Service under our customer agreements, and to manage our agreements with suppliers and partners.
  • Legitimate interests — to operate, secure, develop and improve our business and the Service, to manage customer and supplier relationships, to communicate about Evoro, to detect and prevent misuse or fraud, and to establish or defend legal claims.
  • Consent — where required, such as for non-essential cookies or certain marketing communications. You can withdraw consent at any time.
  • Legal obligation — to comply with applicable laws, regulations, tax requirements and lawful requests from authorities.

Where we rely on legitimate interests, we consider and balance our interests against the rights and freedoms of the individuals whose data is processed.

6. Where data is processed and stored

We use third-party providers to operate the Service.

6.1 Hosting and storage

Our primary databases and backups are hosted by AWS in the United Kingdom.

Application servers are hosted by Fly.io in the United Kingdom.

6.2 AI analysis

The Service uses AI providers to generate analysis and outputs.

At the date of this policy, transcripts may be processed by Anthropic in the United States to generate the Service's analysis. This involves the transfer of transcript content to the United States.

Anthropic does not use our data to train its general-purpose models.

International transfers are handled in accordance with our Data Processing Addendum and applicable transfer safeguards, which may include the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.

6.3 Transcription

Where the customer's telephony platform does not provide a transcript, we may use Speechmatics for transcription.

6.4 Other providers

We also use providers for authentication, payments, email delivery, error monitoring and related operational services.

Current providers include:

  • WorkOS for authentication and single sign-on;
  • Stripe for payments;
  • Resend for transactional email delivery;
  • Sentry for application error and performance monitoring.

We do not currently use third-party web analytics, product analytics, session-replay, advertising or behavioural-tracking providers in the Evoro platform or on our website.

6.5 Current sub-processors

Our current sub-processors are:

Sub-processorPurposeProcessing location
Amazon Web Services (AWS)Primary hosting, databases, storage, backupsUnited Kingdom
Fly.ioApplication servers and edgeUnited Kingdom
AnthropicAI inference for analysis of transcriptsUnited States
SpeechmaticsSpeech-to-text transcription, where usedUnited Kingdom
WorkOSAuthentication and single sign-onUnited States
StripePayment processingUnited States
ResendTransactional email deliveryUnited States
SentryApplication error and performance monitoringUnited States

Customers will be notified of material sub-processor changes in accordance with the DPA.

7. Regulated and UK-only processing options

Some customers may require additional controls around data location, inference processing or sub-processors.

Customers requiring data never to leave the UK should contact us to discuss available or planned regulated options. Any such arrangement must be agreed in an Order Form or other written agreement.

Unless expressly agreed in writing, the standard Service may involve AI inference processing outside the UK, as described in this policy and the DPA.

8. How long we keep personal data

We keep personal data only for as long as needed for the purposes described in this policy, the customer agreement, the DPA, our Documentation or applicable law.

Default retention periods are:

Data categoryDefault retention
Call recordings30 days from capture, unless an extended retention period is agreed in an Order Form
Transcripts and derived data (summaries, scores, coaching signals, commitments and other outputs)For the duration of the customer's subscription, plus a 30-day post-termination export window
System backupsRolling 35-day cycle
Anonymised, aggregated insights and benchmarksIndefinitely — these do not identify any individual, customer, caller or prospect
Demo, sales-enquiry and prospect data24 months from last contact, unless a relationship continues
Billing, invoicing and tax records7 years, in line with HMRC and UK statutory requirements
Suppression and unsubscribe listsIndefinitely, so we can honour opt-outs
Website and security logs12 months
Supplier, partner and contractor records7 years from the end of the relationship

After the applicable retention period, personal data is deleted, anonymised or overwritten in the ordinary course, unless we are required to keep it for legal, regulatory, security or dispute-resolution reasons.

9. Individual rights

Individuals have rights under data protection law, which may include the right to:

  • access personal data;
  • correct inaccurate personal data;
  • request deletion;
  • restrict processing;
  • object to processing;
  • request data portability;
  • withdraw consent, where processing is based on consent;
  • complain to the Information Commissioner's Office.

Where personal data is processed through the Evoro platform on behalf of one of our customers, the customer is usually the controller. In that case, requests should be directed to the relevant customer, such as the business you called, work for, or interacted with.

Evoro supports its customers in responding to rights requests in accordance with the DPA.

Where Evoro is the controller, such as for our own website, marketing, billing and business contact data, you can contact us at privacy@evoro.io.

You may also complain to the Information Commissioner's Office at https://ico.org.uk/make-a-complaint/.

10. Customer responsibility for call recording and notices

Our customers are responsible for ensuring that calls and communications processed through Evoro are lawfully recorded, uploaded, transmitted, analysed and otherwise processed.

This includes responsibility for:

  • call-recording notices;
  • workplace monitoring notices;
  • employee, contractor and agent privacy notices;
  • customer and prospect privacy notices;
  • lawful basis assessments;
  • telephony and CRM permissions;
  • compliance with applicable telecommunications, employment, privacy and data protection laws.

Evoro processes call data that our customers provide, connect or make available to the Service.

11. Cookies and website tracking

Our website currently uses only essential cookies and similar technologies needed to operate the site, including for security and spam protection on our demo enquiry form (Cloudflare Turnstile).

We do not currently use web analytics, product analytics, session-replay, advertising or behavioural-tracking cookies on the Evoro website.

If we add any non-essential cookies in future, we will request consent through a cookie banner where required by law, and update this section to describe what they do.

12. The Evoro browser extension

Evoro offers an optional Chrome browser extension that displays the relevant Evoro briefing alongside the CRM record an authenticated user is viewing. The extension operates only on supported CRM domains, such as Salesforce, HubSpot and Microsoft Dynamics 365. On those pages it detects which CRM record is on screen, from the page's record identifier, and uses the user's existing authenticated Evoro session to retrieve and show that account's Evoro context in a side panel.

It sends only the on-screen record identifier to Evoro to fetch the matching context. It does not transmit the contents of the CRM page, and it does not capture, read or transmit call recordings or transcripts. It does not track browsing outside the supported CRM domains, and contains no advertising, analytics or behavioural-tracking technologies.

The extension's permissions are limited to:

  • access to the supported CRM domains, to detect the on-screen record;
  • local storage, to hold sign-in state;
  • the side panel, to display the briefing;
  • sign-in, to authenticate the user to Evoro.

Data handled through the extension is processed in line with the rest of this policy.

13. Security

We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.

These measures may include:

  • encryption in transit and at rest;
  • access controls;
  • tenant-isolation controls;
  • audit logging;
  • backup and recovery processes;
  • monitoring and alerting;
  • secure development practices;
  • supplier and sub-processor controls;
  • role-based access controls.

No system can be guaranteed to be completely secure, but we take reasonable steps to protect the Service and Customer Data.

A security summary for customer due diligence is available on request.

14. International transfers

Where personal data is transferred outside the United Kingdom or European Economic Area, we use appropriate safeguards where required by data protection law.

These may include:

  • adequacy regulations;
  • the UK International Data Transfer Agreement;
  • the UK Addendum to the EU Standard Contractual Clauses;
  • contractual, technical and organisational safeguards;
  • transfer risk assessments, where required.

Further details are set out in our DPA and sub-processor list.

15. Children

The Service is intended for business use and is not directed at children.

Customers should not use the Service to intentionally process children's personal data unless they have the lawful right to do so and have agreed appropriate terms with Evoro.

16. Changes to this policy

We may update this Privacy Policy from time to time.

When we make changes, we will update the "Last updated" date above. Where changes are material, we may provide additional notice, such as through the Service, by email, or through our website.

17. Contact us

For privacy questions or requests where Evoro is the controller, contact:

EVORO INT LTD trading as Evoro
167-169 Great Portland Street
5th Floor
London
England
W1W 5PF

Email: privacy@evoro.io

ICO registration number: ZC175182