Evoro Privacy Policy
This Privacy Policy explains how EVORO INT LTD trading as Evoro ("Evoro", "we", "us" or "our") processes personal data.
EVORO INT LTD is a company registered in England and Wales under company number 13376248, with its registered office at 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF.
Evoro provides an AI platform that helps business customers analyse customer conversations, identify important moments, support coaching and follow-up, and improve customer operations.
You can contact us about privacy matters at privacy@evoro.io.
1. Who this policy is for
This policy is for:
- our business customers;
- users who access the Evoro platform;
- people whose calls or communications may be processed through Evoro because one of our business customers uses the Service;
- visitors to our website;
- suppliers, partners and other business contacts.
For most personal data processed through the Evoro platform, our business customer is the controller and Evoro acts as a processor under that customer's instructions and our Data Processing Addendum.
This means our customers are responsible for deciding why and how call data is collected, recorded and analysed. Our customers are also responsible for giving appropriate privacy notices and call-recording notices to their staff, callers, customers, prospects and other data subjects.
Where Evoro processes personal data for its own business purposes, such as website enquiries, sales communications, billing administration and account management, Evoro acts as a controller.
2. Personal data we process
The personal data we process depends on how you interact with us and how our customers use the Service.
2.1 Data processed through the Evoro platform
For our customers' use of the Service, we may process:
- call recordings;
- call transcripts;
- call metadata, such as phone numbers, times, durations, call direction and agent identity;
- connected CRM data, such as accounts, contacts, opportunities, deals, cases, notes and follow-up activity;
- telephony and communications data from connected systems;
- user account data, such as name, work email address, role, organisation, permissions and login details;
- derived data produced by the Service, such as summaries, topics, sentiment, scores, coaching signals, commitments, customer-risk indicators, decisions, reports and other outputs;
- customer corrections, feedback and outcomes submitted in the Service;
- usage data, such as seats, minutes, analysed calls, feature usage, exports and audit logs.
2.2 Billing and commercial data
We may process:
- customer account and billing details;
- invoices and payment status;
- subscription tier, seats and usage;
- payment method information.
Payment card data is handled by our payment provider, such as Stripe, and is not stored by Evoro.
2.3 Website and marketing data
When you visit our website or contact us, we may process:
- name;
- work email address;
- company name;
- job title;
- telephone number;
- message content;
- demo or enquiry details;
- website usage data;
- cookie and analytics data, where applicable.
2.4 Supplier and partner data
For suppliers, partners, advisers and other business contacts, we may process:
- name;
- work contact details;
- role;
- organisation;
- contract and payment information;
- communications with us.
3. How we use personal data
We use personal data to:
- provide, operate and support the Evoro platform;
- analyse calls and generate outputs for our customers;
- integrate with customer telephony, CRM and communication systems;
- create summaries, reports, scores, coaching signals, commitments and other decision-support outputs;
- maintain, secure and monitor the Service;
- manage customer accounts, billing, support and administration;
- communicate with customers, users, suppliers and prospects;
- improve and develop the Service and its analytical systems;
- maintain audit logs and operational records;
- comply with legal, regulatory and contractual obligations;
- protect our rights, customers, users and systems.
4. Service improvement and analytical learning
Evoro may use Customer Data, including call content, metadata, corrections, user feedback and outcomes, to maintain, evaluate, improve and develop the Service and its analytical systems, scoring logic, prompts, classifiers and models.
This is subject to the customer agreement, the Data Processing Addendum and the safeguards described in this policy.
Our standing guarantee is:
Evoro will not make one customer's content available to any other customer in identifiable or retrievable form.
Cross-customer learning, benchmarking and service improvement may use anonymised, aggregated or de-identified information only where it cannot reasonably identify a customer, user, caller, prospect, employee or other individual.
Evoro does not permit third-party AI model providers to use Customer Data to train their general-purpose foundation models, except where expressly disclosed in the DPA or agreed in an Order Form.
5. Our role and lawful bases
Where Evoro acts as a processor, our customer is responsible for identifying and communicating the lawful basis for processing personal data. We process that data on the customer's documented instructions, subject to our Data Processing Addendum.
Where Evoro acts as a controller, we rely on one or more of the following lawful bases:
- Performance of a contract — to provide, support, bill for and administer the Service under our customer agreements, and to manage our agreements with suppliers and partners.
- Legitimate interests — to operate, secure, develop and improve our business and the Service, to manage customer and supplier relationships, to communicate about Evoro, to detect and prevent misuse or fraud, and to establish or defend legal claims.
- Consent — where required, such as for non-essential cookies or certain marketing communications. You can withdraw consent at any time.
- Legal obligation — to comply with applicable laws, regulations, tax requirements and lawful requests from authorities.
Where we rely on legitimate interests, we consider and balance our interests against the rights and freedoms of the individuals whose data is processed.
6. Where data is processed and stored
We use third-party providers to operate the Service.
6.1 Hosting and storage
Our primary databases and backups are hosted by AWS in the United Kingdom.
Application servers are hosted by Fly.io in the United Kingdom.
6.2 AI analysis
The Service uses AI providers to generate analysis and outputs.
At the date of this policy, transcripts may be processed by Anthropic in the United States to generate the Service's analysis. This involves the transfer of transcript content to the United States.
Anthropic does not use our data to train its general-purpose models.
International transfers are handled in accordance with our Data Processing Addendum and applicable transfer safeguards, which may include the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.
6.3 Transcription
Where the customer's telephony platform does not provide a transcript, we may use Speechmatics for transcription.
6.4 Other providers
We also use providers for authentication, payments, email delivery, error monitoring and related operational services.
Current providers include:
- WorkOS for authentication and single sign-on;
- Stripe for payments;
- Resend for transactional email delivery;
- Sentry for application error and performance monitoring.
We do not currently use third-party web analytics, product analytics, session-replay, advertising or behavioural-tracking providers in the Evoro platform or on our website.
6.5 Current sub-processors
Our current sub-processors are:
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Amazon Web Services (AWS) | Primary hosting, databases, storage, backups | United Kingdom |
| Fly.io | Application servers and edge | United Kingdom |
| Anthropic | AI inference for analysis of transcripts | United States |
| Speechmatics | Speech-to-text transcription, where used | United Kingdom |
| WorkOS | Authentication and single sign-on | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Application error and performance monitoring | United States |
Customers will be notified of material sub-processor changes in accordance with the DPA.
7. Regulated and UK-only processing options
Some customers may require additional controls around data location, inference processing or sub-processors.
Customers requiring data never to leave the UK should contact us to discuss available or planned regulated options. Any such arrangement must be agreed in an Order Form or other written agreement.
Unless expressly agreed in writing, the standard Service may involve AI inference processing outside the UK, as described in this policy and the DPA.
8. How long we keep personal data
We keep personal data only for as long as needed for the purposes described in this policy, the customer agreement, the DPA, our Documentation or applicable law.
Default retention periods are:
| Data category | Default retention |
|---|---|
| Call recordings | 30 days from capture, unless an extended retention period is agreed in an Order Form |
| Transcripts and derived data (summaries, scores, coaching signals, commitments and other outputs) | For the duration of the customer's subscription, plus a 30-day post-termination export window |
| System backups | Rolling 35-day cycle |
| Anonymised, aggregated insights and benchmarks | Indefinitely — these do not identify any individual, customer, caller or prospect |
| Demo, sales-enquiry and prospect data | 24 months from last contact, unless a relationship continues |
| Billing, invoicing and tax records | 7 years, in line with HMRC and UK statutory requirements |
| Suppression and unsubscribe lists | Indefinitely, so we can honour opt-outs |
| Website and security logs | 12 months |
| Supplier, partner and contractor records | 7 years from the end of the relationship |
After the applicable retention period, personal data is deleted, anonymised or overwritten in the ordinary course, unless we are required to keep it for legal, regulatory, security or dispute-resolution reasons.
9. Individual rights
Individuals have rights under data protection law, which may include the right to:
- access personal data;
- correct inaccurate personal data;
- request deletion;
- restrict processing;
- object to processing;
- request data portability;
- withdraw consent, where processing is based on consent;
- complain to the Information Commissioner's Office.
Where personal data is processed through the Evoro platform on behalf of one of our customers, the customer is usually the controller. In that case, requests should be directed to the relevant customer, such as the business you called, work for, or interacted with.
Evoro supports its customers in responding to rights requests in accordance with the DPA.
Where Evoro is the controller, such as for our own website, marketing, billing and business contact data, you can contact us at privacy@evoro.io.
You may also complain to the Information Commissioner's Office at https://ico.org.uk/make-a-complaint/.
10. Customer responsibility for call recording and notices
Our customers are responsible for ensuring that calls and communications processed through Evoro are lawfully recorded, uploaded, transmitted, analysed and otherwise processed.
This includes responsibility for:
- call-recording notices;
- workplace monitoring notices;
- employee, contractor and agent privacy notices;
- customer and prospect privacy notices;
- lawful basis assessments;
- telephony and CRM permissions;
- compliance with applicable telecommunications, employment, privacy and data protection laws.
Evoro processes call data that our customers provide, connect or make available to the Service.
11. Cookies and website tracking
Our website currently uses only essential cookies and similar technologies needed to operate the site, including for security and spam protection on our demo enquiry form (Cloudflare Turnstile).
We do not currently use web analytics, product analytics, session-replay, advertising or behavioural-tracking cookies on the Evoro website.
If we add any non-essential cookies in future, we will request consent through a cookie banner where required by law, and update this section to describe what they do.
12. The Evoro browser extension
Evoro offers an optional Chrome browser extension that displays the relevant Evoro briefing alongside the CRM record an authenticated user is viewing. The extension operates only on supported CRM domains, such as Salesforce, HubSpot and Microsoft Dynamics 365. On those pages it detects which CRM record is on screen, from the page's record identifier, and uses the user's existing authenticated Evoro session to retrieve and show that account's Evoro context in a side panel.
It sends only the on-screen record identifier to Evoro to fetch the matching context. It does not transmit the contents of the CRM page, and it does not capture, read or transmit call recordings or transcripts. It does not track browsing outside the supported CRM domains, and contains no advertising, analytics or behavioural-tracking technologies.
The extension's permissions are limited to:
- access to the supported CRM domains, to detect the on-screen record;
- local storage, to hold sign-in state;
- the side panel, to display the briefing;
- sign-in, to authenticate the user to Evoro.
Data handled through the extension is processed in line with the rest of this policy.
13. Security
We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.
These measures may include:
- encryption in transit and at rest;
- access controls;
- tenant-isolation controls;
- audit logging;
- backup and recovery processes;
- monitoring and alerting;
- secure development practices;
- supplier and sub-processor controls;
- role-based access controls.
No system can be guaranteed to be completely secure, but we take reasonable steps to protect the Service and Customer Data.
A security summary for customer due diligence is available on request.
14. International transfers
Where personal data is transferred outside the United Kingdom or European Economic Area, we use appropriate safeguards where required by data protection law.
These may include:
- adequacy regulations;
- the UK International Data Transfer Agreement;
- the UK Addendum to the EU Standard Contractual Clauses;
- contractual, technical and organisational safeguards;
- transfer risk assessments, where required.
Further details are set out in our DPA and sub-processor list.
15. Children
The Service is intended for business use and is not directed at children.
Customers should not use the Service to intentionally process children's personal data unless they have the lawful right to do so and have agreed appropriate terms with Evoro.
16. Changes to this policy
We may update this Privacy Policy from time to time.
When we make changes, we will update the "Last updated" date above. Where changes are material, we may provide additional notice, such as through the Service, by email, or through our website.
17. Contact us
For privacy questions or requests where Evoro is the controller, contact:
EVORO INT LTD trading as Evoro
167-169 Great Portland Street
5th Floor
London
England
W1W 5PF
Email: privacy@evoro.io
ICO registration number: ZC175182
