Privacy Policy
We are uncompromising about trust, respect and integrity and process your Personal Data in accordance with the following principles.
Purpose and Scope
Eve Works Ltd (“Eve Works”, “we”, “our”) develops and operates Reveal, a software-as-a-service analytics and optimisation platform that helps SaaS companies understand and improve product activation.
This Privacy & Security Posture describes how we collect, process, store, and protect data on behalf of our clients and their end-users.
It applies to all data collected through the Reveal snippet, SDK, APIs, dashboards, and support channels.
Data Categories We Collect
| Category | Examples | Typical Use |
|---|---|---|
| Telemetry / Events | page or screen views, clicks, step IDs, dwell time, validation errors, API latency, backtracks | Diagnose friction and compute activation metrics |
| Session Context | device type, browser version, OS, IP address, country/region, timestamp | Performance monitoring and geographic routing |
| Outcome Labels | reached AHA (Y/N), time-to-value, experiment assignment | Measure success of experiments |
| User Feedback / Chat | messages submitted to in-app feedback or support | Improve customer support and model prescriptions |
| Account Metadata | company name, plan tier, contact email (client accounts only) | Contract fulfilment and billing |
We do not record free-text content entered into a client’s product unless that product deliberately integrates a feedback or support module.
Legal Basis of Processing Your Personal Data
GDPR lawful bases: legitimate interests (analytics & optimisation) and performance of contract.
CCPA/CPRA role: service provider / data processor.
Processing is limited to delivering contracted functionality, generating anonymised benchmarks, and maintaining platform security.
Data Minimisation and Anonymisation
Client end-user identifiers are pseudonymised (hashed user IDs).
IP addresses are truncated and stored separately from event payloads.
Sensitive input fields (passwords, payment data, PII) are automatically excluded from capture.
Sampling and field allow-lists restrict unnecessary collection.
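The minimisation step described above, shown as an added example that is not Eve Works' or Reveal's own code. It takes a raw captured event and emits two records: an event payload restricted to an allow-list (with sensitive fields dropped even if an allow-list ever names them) and a separate session-context record holding only a truncated IP prefix. The field names, the sampling hook and the `PSEUDONYM_KEY` are constructed for illustration; the policy says only "hashed user IDs", and the keyed hash (HMAC-SHA-256) used here is an assumption, chosen because an unkeyed hash of a short, guessable user ID can be reversed by enumerating candidate IDs.

```python
import hashlib
import hmac
import ipaddress
import random

# Constructed secret for the example; a real deployment would load it from a
# secrets manager and rotate it. Without a key, hash(user_id) is reversible for
# low-entropy IDs, so a keyed hash is used for pseudonymisation (an assumption,
# not the policy's stated method).
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"

# Constructed allow-list of telemetry / session-context fields that may leave the
# client's product. Anything not listed is discarded before storage.
ALLOWED_FIELDS = {
    "event", "step_id", "dwell_ms", "validation_error", "api_latency_ms",
    "device", "browser", "os", "country", "ts",
}

# Constructed deny-list: dropped regardless of allow-list contents (defence in depth).
SENSITIVE_FIELDS = {"password", "card_number", "cvv", "email", "phone", "ssn"}

# Fail closed at import time if someone allow-lists a sensitive field by mistake.
assert not (ALLOWED_FIELDS & SENSITIVE_FIELDS), "allow-list must not contain sensitive fields"


def pseudonymise_user_id(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable, keyed pseudonym: same user -> same token, token not reversible without the key."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Keep a /24 (IPv4) or /48 (IPv6) prefix, enough for coarse geo/performance routing."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def minimise_event(raw: dict, sample_rate: float = 1.0, rng=random.random):
    """Apply sampling, allow-listing, sensitive-field exclusion and pseudonymisation.

    Returns (event_payload, session_context), or (None, None) if the event is sampled out.
    The truncated IP lives only in session_context, never in the event payload.
    """
    if rng() > sample_rate:
        return None, None

    pseudonym = pseudonymise_user_id(raw["user_id"])

    event_payload = {
        k: v for k, v in raw.items()
        if k in ALLOWED_FIELDS and k not in SENSITIVE_FIELDS
    }
    event_payload["user_pseudonym"] = pseudonym

    session_context = {
        "user_pseudonym": pseudonym,
        "ip_prefix": truncate_ip(raw["ip"]),
        "ts": raw["ts"],
    }
    return event_payload, session_context


# Constructed sample event as a snippet might capture it before minimisation.
SAMPLE_RAW_EVENT = {
    "user_id": "u-42",
    "ip": "203.0.113.77",
    "event": "click",
    "step_id": "signup-3",
    "dwell_ms": 1200,
    "password": "hunter2",        # sensitive: must never be stored
    "marketing_opt_in": True,     # not allow-listed: dropped
    "ts": "2024-01-01T00:00:00Z",
}

if __name__ == "__main__":
    payload, context = minimise_event(SAMPLE_RAW_EVENT)
    print("event payload:", payload)
    print("session context:", context)
```

Storing the pseudonym in both records lets the two tables be joined for analysis while the raw IP and raw user ID never reach storage; rotating `PSEUDONYM_KEY` deliberately breaks that join, which is one way to honour a retention cut-off.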
Retention and Deletion
Raw event data: retained for 90 days by default, then deleted or irreversibly aggregated.
Aggregated metrics and benchmark models: retained indefinitely in anonymised form.
Upon termination or written request, all client data is deleted within 30 days.
Security Controls
| Layer | Control |
|---|---|
| Hosting | AWS (EU regions) and Supabase (EU region) with ISO 27001-certified infrastructure. |
| Encryption | TLS 1.2+ in transit; AES-256 at rest. |
| Access Control | Role-based permissions, least-privilege, MFA required for internal accounts. |
| Logging & Monitoring | Continuous audit logs; anomaly alerts. |
| Segregation | Separate environments for dev/staging/prod; per-tenant data isolation in databases. (If multi-tenant is used, logical segregation and row-level security are enforced.) |
| Back-ups | Encrypted, 30-day retention, stored in same legal region. |
Sub-Processors
| Category | Provider | Region | Purpose |
|---|---|---|---|
| Cloud Infrastructure | AWS | EU (Ireland/London) | Compute & storage |
| Managed Database | Supabase | EU | Postgres storage |
| Model APIs | OpenAI LLC, Anthropic PBC | US | LLM inference for prescription generation |
| Communications | Email / ticketing provider (TBD) | UK/EU | Support communications |
Standard Contractual Clauses (SCCs) are used for any data transferred outside the UK or EEA.
Client Controls
Clients may:
Disable capture of specific event categories.
Set data-retention limits shorter than 90 days.
Request deletion at any time.
Review and approve their event schema prior to deployment.
Obtain a list of current sub-processors upon request.
Data Subject Rights (GDPR/UK GDPR)
Individuals may exercise rights of access, rectification, erasure, restriction, portability, and objection by contacting hello@eve.works.
Requests are verified and completed within 30 days.
Incident Response Plan (Outline)
Detection: automated alerts or staff reports of potential breach.
Assessment: within 24 hours determine scope, data types, and affected clients.
Containment & Mitigation: isolate compromised systems, revoke credentials, apply patches.
Notification:
Regulators and affected clients within 72 hours of confirmation, per GDPR Art. 33.
Include: incident summary, data types, likely impact, mitigation steps, and contact point.
Remediation: root-cause analysis, security hardening, internal debrief.
Documentation: full report retained for 24 months.
Compliance
Eve Works aligns with:
UK GDPR / EU GDPR
Data Protection Act 2018 (UK)
CCPA/CPRA (USA)
ISO 27001 principles for information-security management.
Industry-specific obligations (health, finance, education) are reviewed per-client before onboarding.
Contact Us
Data Protection Officer / Privacy Enquiries
Eve Works Ltd
71–75 Shelton Street, London WC2H 9JQ