1. Introduction
This Privacy Policy explains how Evalda (“Evalda”, “we”, “us”) processes personal data when you visit evalda.eu, run a Compliance Check, interact with the Evalda assistant, or contact us. Evalda is a service operated by Adara Srl — Gussago (BS), Via Gramsci 45/a, CAP 25064 — n. REA BS-614246 — C.F. e P.IVA 04429800982, which is the data controller for this processing. For any privacy matter you can reach us at privacy@evalda.eu.
2. Information we collect
Information you provide. When you fill in a contact or lead form, request a report, or create an account, we collect details such as your name, email address, company and the content of your message. When you run a Compliance Check or use the Evalda assistant, we process the product or packaging data and any documents you upload, and the questions you submit by text or voice.
Information collected automatically. When you use the site we collect technical and usage data such as IP address, browser and device type, pages visited and timestamps, through server logs and strictly necessary cookies.
3. How we use your information
- To provide the Compliance Check, the Evalda assistant and related reports;
- To generate and, where requested, email your results;
- To respond to your enquiries and provide support;
- To operate, secure, debug and improve the service;
- To comply with legal obligations.
We do not sell your personal data, and we do not use it for automated decisions producing legal effects about you.
4. Legal basis for processing (GDPR)
We rely on the following lawful bases under Article 6 GDPR:
- Performance of a contract — to deliver the services you request;
- Legitimate interests — to secure, maintain and improve the service, provided your rights do not override them;
- Consent — for non-essential cookies and optional marketing communications, which you may withdraw at any time;
- Legal obligation — where processing is required by law.
5. Data sharing and third parties
We share personal data only with service providers that process it on our behalf under a data processing agreement, including:
- Authentication — Clerk, for sign-in and account management;
- AI processing — OpenAI, which processes the text and documents you submit in order to generate the assistant’s responses and Compliance Check output;
- Hosting and infrastructure — Vercel;
- Database and file storage — Neon and Vercel Blob;
- Transactional email — Resend.
We may also disclose data where required by law or to protect our rights. We do not sell your data to third parties.
6. Data retention
We keep personal data only as long as necessary for the purposes above. Account data is retained for the life of your account and deleted on request; enquiry and lead data is retained for the period needed to handle your request and our legitimate follow-up; data and documents submitted for a Compliance Check are retained only as long as needed to deliver and document the result. We delete or anonymise data when it is no longer required.
7. Your rights (GDPR)
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- have inaccurate data rectified;
- have your data erased;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time, without affecting prior processing.
To exercise any of these rights, contact us at privacy@evalda.eu. You also have the right to lodge a complaint with your local data protection supervisory authority.
8. International data transfers
Some of our providers process data outside the European Economic Area, including in the United States. Where this happens, the transfer is protected by appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an adequacy decision.
9. Data security
We protect personal data with encryption in transit (TLS), access controls, and reputable infrastructure and processors. No method of transmission or storage is completely secure, but we work to protect your data and to address incidents promptly.
10. Children’s privacy
The service is intended for business users and is not directed to children under 16. We do not knowingly collect personal data from children; if you believe we have, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The current version is indicated by the “Last updated” date at the top of this page; we will signal material changes by appropriate means.
12. Contact
For any question about this policy or about how we handle your personal data, contact the data controller, Adara Srl, at privacy@evalda.eu.