Privacy Policy
Effective date: May 30, 2026
1. Introduction
1.1. This Privacy Policy ("Policy") describes how EVALLUME LLC ("we," "us," "our," or the "Company") collects, uses, stores, shares, and protects personal data of users ("you," "your," or "User") of the Evallume service, accessible at evallume.com (the "Website" or "Service").
1.2. EVALLUME LLC is a limited liability company organized under the laws of the State of Wyoming, United States. Registered address: 30 N Gould St Ste N, Sheridan, WY 82801, United States. EIN: 372185127.
1.3. We are committed to protecting your privacy and processing your personal data in compliance with:
- The General Data Protection Regulation (EU) 2016/679 ("GDPR");
- The California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA");
- Other applicable data protection laws.
1.4. This Policy is an integral part of the Terms of Service published on the Website.
1.5. By using the Service — including browsing the Website, creating an account, uploading files, or making a payment — you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please discontinue use of the Service.
1.6. We provide exclusively informational services for the interpretation of medical lab results using artificial intelligence. We do NOT provide medical services, medical advice, diagnosis, or treatment recommendations.
2. Definitions
2.1. Key terms used in this Policy:
- Personal Data — any information relating to an identified or identifiable natural person ("Data Subject"), as defined by Article 4(1) of the GDPR.
- Processing — any operation performed on Personal Data, whether by automated means or otherwise, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
- Data Controller — EVALLUME LLC, which determines the purposes and means of processing Personal Data.
- Data Processor — a natural or legal person that processes Personal Data on behalf of the Data Controller.
- Special Category Data — Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, or data concerning health, as defined by Article 9 of the GDPR.
- Cookies — small text files placed on your device when you visit the Website, used to identify your browser and store preferences.
3. Data Controller
3.1. The Data Controller for the purposes of this Policy is:
EVALLUME LLC
30 N Gould St Ste N, Sheridan, WY 82801, United States
Email: support@evallume.com
4. Legal Bases for Processing (GDPR Article 6)
4.1. We process your Personal Data on the following legal bases:
- Consent (Article 6(1)(a) GDPR) — you provide consent by creating an account, uploading files, or using the Service. For health data (Special Category Data), we rely on your explicit consent under Article 9(2)(a) GDPR;
- Performance of a contract (Article 6(1)(b) GDPR) — processing is necessary to provide the Service as described in the Terms of Service;
- Legitimate interests (Article 6(1)(f) GDPR) — processing is necessary for the operation, improvement, and security of the Service, and fraud prevention. Our legitimate interests do not override your fundamental rights and freedoms;
- Legal obligations (Article 6(1)(c) GDPR) — processing is necessary to comply with applicable legal requirements, including tax and accounting obligations.
4.2. You may withdraw your consent at any time as described in Section 11. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
5. Categories of Personal Data We Collect
5.1. Data you provide directly:
- Email address;
- Age and sex of the person whose lab results are being analyzed;
- Uploaded medical documents (lab result files);
- Additional information you choose to provide (symptoms, chronic conditions, comments);
- Account data when signing in via third-party services (Google) — identifier, name, email.
5.2. Data collected automatically:
- IP address;
- Browser type and version (User-Agent);
- Operating system and device type;
- Screen resolution;
- Browser language;
- Date and time of visit;
- Pages viewed on the Website;
- Referral source (referrer URL, UTM parameters);
- Cookie data;
- Interaction data (clicks, scrolling, form submissions);
- Approximate geographic location (based on IP address, no precise coordinates).
5.3. Payment-related data:
- Payment transaction information (date, amount, status);
- Transaction identifier from the payment processor.
5.4. We do NOT collect or store payment card data (card number, expiration date, CVV). All payment data is processed exclusively by our Merchant of Record, Lemon Squeezy (Sold through Link, LLC), in compliance with PCI DSS standards.
6. Health Data (Special Category Data)
6.1. Medical documents you upload may contain information about health, which constitutes Special Category Data under Article 9 of the GDPR.
6.2. We process health data only with your explicit consent, which you provide by:
- Checking the consent box before uploading medical documents;
- Uploading medical documents to the Website.
6.3. Medical documents are processed solely for the purpose of providing the informational interpretation service. We do not use health data for advertising, profiling, sale to third parties, or any purpose other than delivering the Service to you.
6.4. If you upload medical documents belonging to another person (including family members), you are solely responsible for obtaining that person's explicit consent for the processing of their Personal Data, including health data.
6.5. We apply enhanced security measures to health data, as described in Section 8.
7. Purposes of Processing
7.1. We process your Personal Data for the following purposes:
- Service delivery — processing uploaded medical documents, generating interpretation results, providing access to results in your account;
- Account management — creating and maintaining your account, authentication, providing access to your personal dashboard;
- Communication — sending notifications about order status, interpretation results, changes to the Service, and responding to support inquiries;
- Payment processing — facilitating payments through Lemon Squeezy, maintaining financial records as required by law;
- Service improvement — analyzing usage patterns, identifying technical issues, optimizing performance and user experience;
- Analytics — collecting anonymized statistical data about website traffic, traffic sources, and user behavior;
- Security — preventing fraud, unauthorized access, and abuse;
- Legal compliance — fulfilling legal obligations, including tax and accounting requirements.
7.2. We do not process Personal Data for purposes not listed in this Policy.
8. Data Security
8.1. We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, alteration, or disclosure, in accordance with Article 32 of the GDPR.
8.2. Technical measures:
- All data transmitted between you and the Service is encrypted using HTTPS (TLS 1.2 or higher);
- Passwords are stored using cryptographically secure hashing algorithms;
- Medical documents are encrypted at rest on our servers;
- Access to Personal Data is restricted through server infrastructure access controls;
- Software is regularly updated and vulnerabilities are patched;
- Firewalls and intrusion detection systems are in place;
- Regular data backups ensure data integrity;
- Suspicious activity and unauthorized access attempts are monitored.
8.3. Organizational measures:
- Access to Personal Data is limited to authorized personnel only;
- Personnel with access to Personal Data are trained on data protection requirements;
- Access control procedures and data protection policies are maintained.
8.4. Enhanced measures for health data:
- Medical documents are stored in encrypted form;
- Access to medical documents is restricted to automated processing systems;
- Medical documents are automatically deleted after the retention period;
- Medical documents are not used for algorithm training, marketing, or any purposes beyond delivering the Service to you.
9. Data Retention
9.1. We retain Personal Data only for as long as necessary for the purposes described in this Policy or as required by law:
- Uploaded medical documents — 30 (thirty) calendar days from the date of upload, after which they are automatically deleted from our servers;
- Interpretation results — 30 (thirty) calendar days from the date of generation, after which they may be deleted;
- Account data (email, authentication) — until you delete your account or withdraw consent for processing;
- Payment records — for the period required by applicable tax and accounting laws (generally up to 7 years);
- Cookie and analytics data — in accordance with cookie settings (from session to up to 2 years) and the policies of the respective analytics services;
- Server logs (IP address, User-Agent) — no longer than 90 (ninety) calendar days.
9.2. When the purpose of processing has been fulfilled or the retention period has expired, Personal Data is securely deleted or anonymized, unless applicable law requires longer retention.
10. Sharing Personal Data with Third Parties
10.1. We do not sell, rent, or trade your Personal Data.
10.2. We may share Personal Data with the following categories of third parties:
- Merchant of Record — Lemon Squeezy (Sold through Link, LLC): As our Merchant of Record, Lemon Squeezy processes all payment transactions. When you make a purchase, your payment information, email, name, and billing address are processed by Lemon Squeezy in accordance with their Privacy Policy and Buyer Terms. Lemon Squeezy handles sales tax/VAT collection and remittance. We do not have access to your payment card details;
- Analytics providers — Google Analytics (Google LLC): We use Google Analytics 4 to collect anonymized data about website traffic and user behavior. This data does not directly identify individual users. Google processes this data in accordance with their Privacy Policy;
- Authentication providers — Google (Google LLC): If you sign in using Google OAuth, we receive your identifier, name, and email address (with your consent) from Google. Google processes authentication data in accordance with their Privacy Policy;
- AI processing services: To generate interpretation results, the text content of your uploaded documents (without your identifying information such as name or email) may be transmitted to artificial intelligence services. Data is anonymized to the maximum extent possible before transmission;
- Government authorities: We may disclose Personal Data if required by law, court order, or valid legal process;
- With your consent: In any other case, we will only share your Personal Data with your prior explicit consent.
10.3. We require all third-party recipients to maintain appropriate data protection standards and to process Personal Data only as instructed.
11. International Data Transfers
11.1. Your Personal Data may be transferred to and processed in countries outside your country of residence, including the United States, where our servers are located, and other countries where our service providers operate.
11.2. For transfers from the European Economic Area (EEA) to countries without an adequate level of data protection:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission;
- We implement supplementary measures where necessary to ensure an adequate level of protection;
- We ensure that any transfer is based on a valid legal mechanism under Chapter V of the GDPR.
11.3. For AI processing, text content from uploaded documents is anonymized (direct identifiers such as name and email are removed) before transmission to external services.
11.4. By using the Service, you acknowledge that your data may be transferred internationally as described in this Section.
12. Your Rights
12.1. Under the GDPR, you have the following rights regarding your Personal Data:
- Right of access (Article 15) — obtain confirmation of whether we process your data and request a copy of your Personal Data;
- Right to rectification (Article 16) — request correction of inaccurate or incomplete Personal Data;
- Right to erasure ("right to be forgotten") (Article 17) — request deletion of your Personal Data when it is no longer necessary for the purposes of processing, when you withdraw consent, or when processing is unlawful;
- Right to restriction of processing (Article 18) — request that we restrict processing of your Personal Data in certain circumstances;
- Right to data portability (Article 20) — receive your Personal Data in a structured, commonly used, machine-readable format, and transmit it to another controller;
- Right to object (Article 21) — object to processing based on legitimate interests or for direct marketing purposes;
- Right to withdraw consent (Article 7(3)) — withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- Right to lodge a complaint (Article 77) — lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
12.2. For users in California (CCPA/CPRA): You also have the right to know what Personal Data we collect and share, the right to delete your Personal Data, the right to opt out of the sale or sharing of Personal Data (we do not sell your data), and the right to non-discrimination for exercising your privacy rights.
12.3. How to exercise your rights:
To exercise any of the above rights, please contact us at: support@evallume.com
Your request should include:
- Your name;
- The email address registered with the Service;
- A description of the requested action;
- Proof of identity (if the request is made on behalf of another person, a valid authorization).
12.4. We will respond to your request within 30 (thirty) calendar days, or within the timeframe required by applicable law. We may request additional information to verify your identity.
12.5. Consequences of withdrawing consent or requesting erasure:
- Cessation of processing for consent-based purposes;
- Deletion of your account;
- Deletion of uploaded medical documents and interpretation results;
- Inability to continue providing the Service.
12.6. Withdrawal of consent does not affect data processed on other legal bases (e.g., payment records retained for legal compliance).
13. Cookies and Tracking Technologies
13.1. The Service uses cookies and similar technologies to ensure proper functioning, personalize content, and collect analytics data.
13.2. Types of cookies we use:
- Strictly necessary cookies — required for the Website to function, including authentication, session management, and CSRF protection. Without these, the Website cannot operate correctly. Duration: session or up to 30 days;
- Functional cookies — store your preferences (cookie consent, form states). Duration: up to 1 year;
- Analytics cookies — collect anonymized data about website traffic and user behavior to help us improve the Service. Set by Google Analytics 4. Duration: up to 2 years.
13.3. Google Analytics:
We use Google Analytics 4 (Measurement ID: G-RZRN267WK3) — a web analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
Google Analytics collects:
- Pages visited;
- Time spent on pages;
- Traffic sources and referrals;
- Device and browser technical characteristics;
- Geographic location (city-level);
- Interactions on pages.
Data collected by Google Analytics is processed in accordance with Google's Privacy Policy. The collected data is anonymized and does not directly identify individual users.
13.4. Managing cookies:
You can manage cookies through your browser settings:
- Block all or specific types of cookies;
- Delete previously set cookies;
- Set up notifications when cookies are placed.
Blocking cookies may limit Website functionality, including the inability to sign in or use the Service. Disabling analytics cookies does not affect Service functionality.
13.5. Upon your first visit, we display a cookie notice. Continued use of the Website after the notice is displayed constitutes your consent to the use of cookies.
14. Children's Privacy
14.1. The Service is not intended for use by persons under the age of 18.
14.2. Uploading medical documents of minors is permitted only by their legal guardians (parents, adoptive parents, legal guardians).
14.3. A legal guardian uploading a minor's data confirms that they are acting in the child's best interest and have the legal authority to do so.
14.4. If we become aware that we have collected Personal Data from a person under 18 without parental consent, we will promptly delete such data.
15. Data Breach Notification
15.1. In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will:
- Take immediate steps to contain the breach and minimize its impact;
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR;
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR;
- Conduct an internal investigation and implement measures to prevent future breaches.
15.2. Notification to affected individuals may be made by email to the address registered with the Service and/or by posting information on the Website.
16. Changes to This Policy
16.1. We may update this Policy from time to time. We will notify you of material changes by posting the updated Policy on the Website and updating the effective date at the top.
16.2. The updated Policy takes effect upon posting at evallume.com/en/legal/privacy, unless a different effective date is specified.
16.3. We encourage you to review this Policy periodically. Continued use of the Service after changes are posted constitutes your acceptance of the updated Policy.
16.4. For material changes that affect how we process health data, we will make reasonable efforts to provide direct notice (e.g., by email) and, where required, obtain your renewed consent.
17. Contact Us
17.1. For any questions about this Policy, your Personal Data, or to exercise your rights, please contact us:
EVALLUME LLC
Email: support@evallume.com
Address: 30 N Gould St Ste N, Sheridan, WY 82801, United States
17.2. EU Supervisory Authority:
If you are in the EU/EEA, you have the right to lodge a complaint with the data protection authority in your country of residence. A list of EU supervisory authorities is available at the European Data Protection Board website.
