Privacy Policy

Last updated: April 21, 2026

This is a living document that explains what personal data Eviddo collects, why we collect it, how long we keep it, and what you can do about it. If anything here is unclear, email hi@eviddo.com and a human will reply.

1. Who we are

Eviddo is an AI-verified evidence platform for property and vehicle rental operators. This policy is issued by the company operating the service at eviddo.app. If you need a postal address for a legal request, email hi@eviddo.com.

2. What data we collect

We collect only what we need to deliver the service:

  • Account data — email, display name, hashed password (managed by Supabase Auth). You provide this at signup.
  • Organisation data — company name, logo, team member roles. You provide this during onboarding.
  • Inspection evidence — photos uploaded by you or by your tenants via walk-through links. Each photo is SHA-256 hashed, timestamped server-side, and optionally geo-tagged. Tenant email is captured at upload.
  • AI analysis output — our AI provider (Anthropic) reads the photo and returns a structured damage list. The AI output is stored on the evidence row.
  • Billing data — handled by Stripe. We store your Stripe customer id and subscription state. We never see your card details.
  • Technical logs — IP address (hashed), user agent, and error traces for debugging. Retained 30 days.

3. Why we collect it (legal basis)

We process data on three bases:

  • Contract — account data, organisation data, inspection evidence, billing. Without these we cannot deliver the service you signed up for.
  • Legitimate interest — technical logs for security and debugging.
  • Consent — any analytics or marketing cookies, and any non-essential feature you explicitly opt into.

4. Who we share it with (sub-processors)

We do not sell your data. We share it with a minimum set of sub-processors required to operate:

  • Supabase (EU region) — primary database and storage.
  • Anthropic — AI damage analysis. Uploaded photos are sent to Claude Vision and returned with structured output. Anthropic does not train on Eviddo customer data under our API terms.
  • Stripe — payment processing. Card data never touches Eviddo servers.
  • Resend — transactional email (magic links, receipts, share notifications).
  • Vercel — hosting. Receives HTTP logs.
  • Sentry — error tracking. User identifiers are hashed before transmission; raw ids never leave the Eviddo runtime.

5. How long we keep it

  • Active account data — for as long as your account exists.
  • Inspection evidence — for the life of the parent inspection record. Sealed records are immutable and kept indefinitely unless you request deletion.
  • Technical logs — 30 days, then rotated out of the hot store.
  • Deleted accounts — full erasure within 30 days of your deletion request, per Section 7.

6. Where we store it

Primary region is EU (Supabase Pro on AWS eu-west-1). We do not currently replicate to other regions. Stripe, Anthropic, Resend, Vercel, and Sentry operate global infrastructure; data may transit through the US during processing. All transfers rely on Standard Contractual Clauses where applicable.

7. Your rights

Regardless of where you live, you can ask us to do the following:

  • Access — get a machine-readable copy of every record we hold on you. Request to hi@eviddo.com. Delivered within 14 days.
  • Rectification — correct wrong data. Most fields are self-serve in /cars/settings; for edge cases email us.
  • Erasure — delete your account and every associated record within 30 days. Email hi@eviddo.com. Note that sealed inspection records may be subject to a legitimate-interest retention if another party has already relied on them in a dispute; we'll tell you specifically if this applies to your case.
  • Restriction — pause processing while a dispute is resolved.
  • Portability — receive your data in JSON.
  • Objection — opt out of processing based on legitimate interest (e.g., logs).

California residents can additionally opt out of the "sale" or "sharing" of personal information under CCPA / CPRA. We do not sell personal information. To opt out of any sharing (e.g., advertising cookies) use Your Privacy Choices in the footer or click "Reject non-essential" in the cookie banner. We also honour the Global Privacy Control (GPC) signal automatically.

EU / UK residents can lodge a complaint with their local supervisory authority if they believe we are not handling their data correctly.

8. Security

Every photo is SHA-256 hashed and server-timestamped on receipt. Multi-tenant database isolation is enforced at the row-level-security layer. API keys and service-role tokens are never shipped to the browser. Rate limits protect every public-facing endpoint. We track error tracking through Sentry with identifiers hashed before transmission.

No system is unbreakable; we'll tell you within 72 hours if a breach affecting you occurs.

9. Children

Eviddo is a business tool for rental operators. We do not knowingly collect data from children under 16. If you believe we have, email hi@eviddo.com and we'll delete it.

10. Changes

When we change this policy we bump the "Last updated" date at the top and notify active users by email. Trivial wording fixes don't trigger the notification; material changes do.

11. Contact

Email hi@eviddo.com. A human replies, typically within one business day.