EvoRadar — Privacy Policy (Datenschutzerklarung)

> Change log — May 11, 2026 (PostHog person-profile clarification): § 5.7 updated to clarify that PostHog associates the captured pageview events with an anonymous person profile keyed by the random distinct ID stored in your browser. This enables aggregated analytics like "unique visitors by country" without changing what data is collected — the field set (URL, timestamp, distinct ID, IP, User-Agent) is unchanged from the prior wording, and no identifying data (email, name, account) is attached to the profile. Consent mechanism is unchanged; the cookie banner already governs this processing.

> Change log — May 10, 2026: Reclassified browser-side Sentry under § 5.8 from cookie-banner consent (Art 6(1)(a)) to legitimate-interest (Art 6(1)(f) + Recital 47), matching the established server-side basis and aligning with industry-standard practice (Vercel, Linear, Stripe, Notion, Sentry's own documentation). Decoupled from the PostHog analytics consent toggle, which now governs PostHog only. User control moved to a dedicated "Disable error reporting" toggle on this page (see § 5.8). The cookie banner copy is unchanged because it correctly mentions only PostHog now that Sentry is decoupled.

>

> Change log — May 11, 2026: Added § 5.8 (Sentry error monitoring, EU region). _(Note: the May 10, 2026 change log above supersedes the framing of this entry; the addition of § 5.8 itself remains valid.)_

>

> Change log — April 27, 2026: Added § 5.7 (PostHog product analytics) and rewrote § 6 (Cookies & Local Storage) to disclose the PostHog analytics tool, the cookie consent banner, and the categories of cookies/storage in use. Earlier versions of this policy stated EvoRadar did not use third-party analytics cookies — that statement has been corrected.

1. Controller (Verantwortlicher)

The controller responsible for data processing on this website is:

Munich, Germany

Email: info@evoradar.ai

Website: https://evoradar.ai

For the full legal identification, see our Impressum.

If you have questions about data protection, please contact us at info@evoradar.ai.

2. Overview of Data Processing

2.1 What This Policy Covers

This Privacy Policy explains how EvoRadar (operated by Kisum GmbH) collects, uses, stores, and shares your personal data when you visit our website, create an account, or use our services.

2.2 Principles

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), and the German Digital Services Act (Digitale-Dienste-Gesetz, DDG) as applicable. We follow the principles of:

• Data minimization: We collect only what is necessary
• Purpose limitation: We use data only for stated purposes
• Storage limitation: We delete data when it is no longer needed
• Transparency: We tell you exactly what we do with your data

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

3.2 Payment Data

When you make a purchase, the following data is processed:

3.3 Usage Data

When you use the platform, we collect:

3.4 Technical Data (Server Logs)

Our hosting provider (Hetzner) automatically collects:

Server logs are automatically deleted after 7 days.

3.5 Data We Do NOT Collect

• We do not use tracking pixels or third-party advertising trackers
• We do not sell your data to advertisers or data brokers
• We do not build advertising profiles
• We do not use your data for purposes unrelated to the EvoRadar service

4. Legal Basis for Processing (Art. 6 GDPR)

5. Third-Party Processors (Auftragsverarbeiter)

> Canonical sub-processor list: /sub-processors. The list below is the same information embedded in this privacy notice; the dedicated page exists for compliance counsel and B2B customers who want to monitor changes at a single stable URL.

We share personal data with the following third-party processors, each under appropriate data processing agreements:

5.1 Supabase (Auth + Database)

• Provider: Supabase Inc., San Francisco, USA
• Purpose: User authentication (Magic Link, Google OAuth), database storage for user accounts and activity
• Data shared: Email address, auth tokens, user activity data
• Transfer mechanism: EU Standard Contractual Clauses (SCCs)
• Privacy policy: https://supabase.com/privacy

5.2 Anthropic (AI Processing)

• Provider: Anthropic PBC, San Francisco, USA
• Purpose: AI-powered idea generation and evaluation (Claude language model)
• Data shared: VIP run configuration (industries, market region) and Dice seed text are sent to Anthropic's API for processing. No personal identifiers are included in API calls. For platform-generated ideas, no user data is sent.
• Data retention by Anthropic: API inputs are not used for model training under Anthropic's commercial API terms. Inputs may be retained for up to 30 days for trust and safety purposes.
• Transfer mechanism: EU Standard Contractual Clauses (SCCs)
• Privacy policy: https://www.anthropic.com/privacy

5.3 LemonSqueezy (Payments)

• Provider: Lemon Squeezy LLC, USA
• Purpose: Payment processing, subscription management, invoicing
• Data shared: Email address, billing address, payment method (processed by LemonSqueezy, not stored by us)
• Transfer mechanism: EU Standard Contractual Clauses (SCCs)
• Privacy policy: https://www.lemonsqueezy.com/privacy

5.4 Hetzner (Hosting)

• Provider: Hetzner Online GmbH, Gunzenhausen, Germany
• Purpose: Server hosting for the EvoRadar platform
• Data shared: All platform data is stored on Hetzner servers; server logs include IP addresses
• Data location: Germany (EU)
• Privacy policy: https://www.hetzner.com/legal/privacy-policy

5.5 Resend (Email)

• Provider: Resend Inc., USA
• Purpose: Transactional email delivery (login links, purchase confirmations, evaluation results)
• Data shared: Email address, email content
• Transfer mechanism: EU Standard Contractual Clauses (SCCs)
• Privacy policy: https://resend.com/legal/privacy-policy

5.6 Google (OAuth)

• Provider: Google Ireland Limited, Dublin, Ireland
• Purpose: Optional OAuth sign-in
• Data shared: When you choose Google sign-in, Google provides us with your email, name, and profile picture. We do not share your EvoRadar data back to Google.
• Data location: EU (Google Ireland)
• Privacy policy: https://policies.google.com/privacy

5.7 PostHog (Product Analytics)

• Provider: PostHog Inc. (EU-hosted instance: eu.i.posthog.com)
• Purpose: Anonymous product analytics — pageview and page-leave events to help us understand which features are used and where users encounter friction
• Data shared: Page URL, timestamp, anonymous distinct ID (UUID stored in your browser), IP address (used for rough geo and abuse prevention; not linked to your account), browser User-Agent. We do not call PostHog's identify() API, so PostHog does not receive your email or name.
• Anonymous person profile: PostHog associates the captured events with an anonymous person profile keyed by the random distinct ID. This is purely an internal data-organisation choice on PostHog's side and enables aggregated analytics such as "unique visitors by country" or "returning visitor rate". The profile contains only the same fields listed above (no identifying data); the distinct ID itself is a random UUID generated in your browser the first time you accept analytics consent, persisted in your browser's localStorage, and cleared if you later withdraw consent via Cookie Preferences.
• What is NOT collected: Auto-captured clicks (autocapture is disabled), session recordings (disabled), keystrokes, form-field contents, mouse movements
• Data location: EU (eu.i.posthog.com) — no transfer to non-EEA countries for analytics events
• Legal basis: Art. 6(1)(a) GDPR — your consent given through our cookie banner. Analytics is off by default until you actively opt in.
• Withdrawal: You can withdraw consent at any time via the "Cookie Preferences" link in the page footer. Withdrawal stops all PostHog tracking immediately and clears stored identifiers.
• Privacy policy: https://posthog.com/privacy

5.8 Sentry (Error Monitoring)

• Provider: Functional Software Inc. (Sentry, EU region — Frankfurt)
• Purpose: Capture production exceptions thrown by the EvoRadar server and browser code so we can fix bugs before they hit more users; detect and respond to security-relevant runtime anomalies.
• Data shared: Stack traces of crashes; the textual error message (with email and IPv4 patterns scrubbed before send by beforeSend); the URL where the error occurred; runtime metadata (Node.js version, browser User-Agent). No request bodies, cookies, request headers, or user identifiers are sent.
• What is NOT collected: Session replays (disabled — replaysSessionSampleRate: 0 and replaysOnErrorSampleRate: 0), performance traces (disabled — tracesSampleRate: 0), automatic breadcrumbs of user typing, request/response payloads. The Sentry SDK runs with sendDefaultPii: false.
• Data location: EU (Frankfurt) — o4511365858131968.ingest.de.sentry.io. No transfer to non-EEA countries.
• Legal basis (server side AND browser side): Art. 6(1)(f) GDPR — legitimate interest in network and information security and in keeping the EvoRadar service functioning correctly (Recital 47 GDPR explicitly recognizes this). The data fields shared with Sentry are technical-only (no personal identifiers, after the beforeSend scrubbing), so the balancing test favours the controller. This is the same legal basis used by Vercel, Linear, Stripe, Notion, and recommended by Sentry's own documentation for error monitoring.
• Why not consent (Art. 6(1)(a)): Tying error visibility to cookie-banner opt-in rates (~50% in practice) would mean we cannot diagnose bugs affecting half of all users — a poor outcome for everyone, including the users who experience the bugs. Recital 47 + the data-minimization measures listed above support legitimate-interest framing without the proportionality concerns that would attach to broader telemetry.
• Right to object (Art. 21 GDPR): You may opt out of browser-side error reporting at any time using the "Disable error reporting" toggle at the bottom of this Privacy Policy page. The setting persists in your browser's localStorage (key evoradar_sentry_opt_out) and is applied immediately to all subsequent errors. Server-side error tracking continues under legitimate interest regardless of this preference, because server logs do not involve cookies or browser-side tracking.
• Privacy policy: https://sentry.io/privacy/
• Legitimate Interest Assessment: A formal LIA (Legitimate Interest Assessment) documenting the purpose / necessity / balance test for this processing is maintained internally at docs/compliance/lia-sentry-2026-05-10.md and is available to supervisory authorities on request.

5.9 International Data Transfers

For US-based processors (Supabase, Anthropic, LemonSqueezy), data transfers are protected by EU Standard Contractual Clauses (SCCs) in accordance with Art. 46(2)(c) GDPR. We assess the data protection level in the recipient country and implement supplementary measures where necessary. Hetzner, Google Ireland, Resend (EU instance), PostHog (EU instance), and Sentry (EU region) operate within the EEA, so no third-country transfer applies for those processors.

6. Cookies and Local Storage

6.1 Cookie Consent Banner

When you first visit EvoRadar, a cookie consent banner asks you to choose which categories of cookies and local storage to allow. The banner offers three actions of equal prominence:

• Accept all — enables essential storage and analytics
• Reject all — enables only essential storage; no analytics, no tracking
• Customize — toggle each category individually

No non-essential storage is set or analytics request is sent before you make a choice. Your choice is recorded in our consent audit log (timestamp, decision, policy version) as required by GDPR Art. 7(1). You can change your choice at any time via the "Cookie Preferences" link in the page footer.

6.2 Essential Cookies and Storage (always on)

These items are strictly necessary for the platform to operate. They are set without consent because the service cannot function without them:

6.3 Analytics (off by default — requires opt-in consent)

PostHog is configured for minimum collection: pageview and page-leave events only. Auto-click capture, session recording, and PostHog's identify-API are disabled. See § 5.7 for full details. All PostHog activity stops immediately when you withdraw consent.

6.4 Non-Essential Cookies Not in Use

EvoRadar does not use:

• Advertising or marketing cookies
• Social-media tracking pixels (Facebook Pixel, LinkedIn Insight, Twitter Pixel, etc.)
• Cross-site tracking
• Third-party widgets that load before consent

If we introduce any new non-essential cookies in the future, we will update this policy and the cookie banner before they are activated.

6.5 Local Storage for UI Preferences

We may use browser local storage to cache non-sensitive UI preferences (e.g., theme settings, last-viewed page). This data remains on your device and is not transmitted to our servers.

7. Data Retention

After the retention period expires, data is permanently deleted or irreversibly anonymized.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation of whether we process your personal data, and if so, to receive a copy of that data along with information about the processing.

8.2 Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate personal data or completion of incomplete data.

8.3 Right to Erasure (Art. 17 GDPR)

You have the right to request deletion of your personal data, provided there is no legal obligation requiring us to retain it (e.g., tax records). Upon a valid erasure request, we will:

• Delete your account and associated data
• Remove your data from active systems within 30 days
• Retain only data required by law (billing records for up to 10 years)

8.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing in certain circumstances (e.g., while we verify the accuracy of your data or assess a legitimate interest claim).

8.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON) and to transmit it to another controller. This applies to data processed based on consent or contract performance.

8.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interest (Art. 6(1)(f) GDPR) at any time. We will then cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

8.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

8.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority. The competent authority for Kisum GmbH is:

Promenade 18

91522 Ansbach, Germany

https://www.lda.bayern.de

8.9 How to Exercise Your Rights

To exercise any of the above rights, contact us at:

Email: info@evoradar.ai

We will respond to your request within one month of receipt, as required by Art. 12(3) GDPR. In complex cases, this period may be extended by two further months, in which case we will inform you of the extension and the reasons for the delay.

We may request proof of identity before processing your request to prevent unauthorized access to personal data.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption in transit: All data transmitted between your browser and our servers uses TLS/HTTPS encryption
• Encryption at rest: Database backups are encrypted
• Access controls: Access to personal data is restricted to authorized personnel only
• Authentication security: Passwords are never stored; authentication is handled via Magic Link (email-based) or Google OAuth
• Infrastructure security: Our servers are hosted at Hetzner in Germany, within EU jurisdiction, with physical and network security measures
• Regular updates: We keep our software and dependencies updated to address security vulnerabilities

Despite these measures, no system is completely secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify you and the competent supervisory authority as required by Art. 33 and 34 GDPR.

10. VIP Custom Runs and Dice Analyses — Special Data Handling

When VIP users run custom idea generation or Dice deep analyses:

• Your configuration (chosen industries, market region) is sent to Anthropic's API for AI processing
• No personal identifiers (name, email) are included in the API call — only the configuration and seed idea text
• The resulting ideas and analyses are stored in our database, associated with your account, and visible only to you
• Run configuration data is retained for 90 days after delivery of results, then deleted
• We do not use your VIP-generated ideas for the public platform or show them to other users
• We do not add your run data to any training dataset

11. Children

EvoRadar is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a person under 18, we will delete that data promptly. If you believe a minor has provided us with personal data, please contact us at info@evoradar.ai.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

• A notice on the EvoRadar website
• An email to registered users (for significant changes)

The updated policy will indicate the new "Last Updated" date at the top. We encourage you to review this policy periodically.

13. Contact

For any questions or concerns about this Privacy Policy or our data processing practices:

Email: info@evoradar.ai

Website: https://evoradar.ai