Plain-English summary: Project Evan collects only the minimum data needed to run the service. Your messages and plan content are end-to-end encrypted — we cannot read them. We do not sell your data and we do not run advertising. We are a Community Interest Company whose constitutional purpose is your social wellbeing, not profit.
1. Who We Are
Project Evan CIC ("Project Evan", "we", "us", "our") is a Community Interest Company registered in England and Wales. Our registered office is in the United Kingdom. We are the data controller for personal data processed in connection with the Project Evan mobile application and website.
We are registered with the Information Commissioner's Office (ICO) under the UK GDPR and the Data Protection Act 2018. Our Data Protection contact is reachable at privacy@projectevan.app.
2. Data We Collect
2.1 Data you provide directly
- Account data: your name, email address, and optionally a profile photo and display name when you register.
- Profile preferences: interests, activity categories, and availability windows you set to receive relevant plan recommendations.
- Plan content: plan titles, descriptions, locations, dates, and attendee lists you create or respond to. This content is end-to-end encrypted.
- Messages: direct messages between you and other users. These are end-to-end encrypted; Project Evan cannot access their content.
- Swipe session signals: your accept/decline responses to suggested plans (stored as preference signals, not linked to specific plan details you viewed).
2.2 Data collected automatically
- Device information: device model, OS version, and a random installation identifier (not linked to your identity).
- App usage metadata: feature interaction timestamps (e.g., when a plan was created) used to improve reliability — no content is captured.
- Crash reports: anonymised stack traces to diagnose and fix bugs.
- IP address: logged transiently for security and rate-limiting, not stored persistently or profiled.
2.3 Data from third parties
- Calendar providers (Google, Microsoft): if you connect a calendar, we receive availability signals with your explicit consent. See Section 5.
- Identity providers (Google, Microsoft, Apple Sign-In): if you use social sign-in, we receive your email address and name only. We do not receive access to your contacts, photos, or any other resources.
3. How We Use Your Data
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Creating and maintaining your account | Contract (Art. 6(1)(b)) |
| Delivering plan recommendations personalised to you | Contract (Art. 6(1)(b)) |
| End-to-end encrypting your messages and plans | Contract (Art. 6(1)(b)) |
| Sending transactional notifications (plan updates, RSVPs) | Contract (Art. 6(1)(b)) |
| Detecting fraud and abuse | Legitimate interests (Art. 6(1)(f)) |
| Improving service reliability and fixing bugs | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Calendar availability sync (optional) | Consent (Art. 6(1)(a)) |
We do not use your data for advertising, do not build advertising profiles, and do not sell or license your data to any third party for commercial purposes.
4. End-to-End Encryption
Messages and plan content on Project Evan are protected using end-to-end encryption (E2EE). The cryptographic keys that can decrypt this content are generated on your device and are never transmitted to Project Evan servers in a form we can access.
This means:
- Project Evan employees cannot read your messages or plan details, even if compelled to do so.
- Our servers store only ciphertext — encrypted blobs that are meaningless without the device keys.
- If you lose access to all your enrolled devices and your recovery key, your encrypted content cannot be recovered.
For a full technical description of our encryption framework, please read the Technical Security Whitepaper.
5. Calendar Data
Calendar integration is entirely optional. If you choose to connect Google Calendar or Microsoft Outlook, Project Evan will:
- Request only the minimum OAuth scopes needed (read-only or read-write depending on the features you enable).
- Store calendar event metadata (busy/free windows, event titles) in an encrypted form linked to your account to power availability-aware recommendations.
- Never share your calendar data with other users, third-party advertisers, or data brokers.
You can disconnect your calendar at any time from the Settings screen. Upon disconnection, all cached calendar data is deleted within 48 hours.
6. Sharing & Disclosure
We do not sell your data. We may share data in the following limited circumstances:
- With other users: your display name and any plan details you choose to share are visible to plan participants.
- Infrastructure providers: cloud hosting and database providers under strict data processing agreements (DPAs). These providers act as data processors and may not use your data for their own purposes.
- Legal requirements: if required by a court order, warrant, or equivalent legal process under UK law. We will notify you where legally permitted to do so.
- Business transfers: if Project Evan CIC is acquired, merges with, or transfers assets to another entity, we will ensure data protections are maintained and notify you in advance.
7. Retention & Deletion
We retain your personal data only as long as necessary for the purposes described in this policy:
- Account data: retained while your account is active, plus 30 days after a deletion request.
- Message and plan ciphertext: retained until you delete the content or close your account.
- Usage logs: anonymised after 30 days; raw logs deleted after 90 days.
- Calendar data: deleted within 48 hours of disconnection.
To delete your account and all associated data, go to Settings > Account > Delete Account in the app, or contact us at privacy@projectevan.app.
8. Your Rights
Under the UK GDPR you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate data.
- Erasure ("right to be forgotten"): request deletion of your data where there is no overriding legitimate purpose to retain it.
- Restriction: request that we limit processing in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: withdraw any consent you have given (e.g., calendar integration) at any time.
To exercise any of these rights, contact us at privacy@projectevan.app. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the ICO at ico.org.uk.
9. Children's Privacy
Project Evan is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you become aware that a child has provided us with personal information, please contact us at privacy@projectevan.app and we will take steps to remove that information and terminate the relevant account.
10. Cookies & Analytics
Our website uses a minimal set of cookies necessary for the site to function (session management, security tokens). We do not use third-party advertising cookies or tracking pixels.
We use self-hosted, privacy-preserving analytics (no third-party analytics vendors) that collect only page-view counts and referrer domains — no individual user tracking or cross-site profiling.
11. International Transfers
Your data is processed and stored within the United Kingdom and the European Economic Area. Where any transfer to a third country is required (e.g., a cloud infrastructure provider), we ensure appropriate safeguards are in place — such as UK/EU Standard Contractual Clauses or adequacy decisions — in accordance with UK GDPR Chapter V.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the app and by email (if provided) at least 14 days before the changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy. The version history and date of last update are always shown at the top of this page.
13. Contact Us
For any privacy-related questions or to exercise your data rights:
- Email: privacy@projectevan.app
- Post: Data Protection, Project Evan CIC, United Kingdom
- ICO complaint: ico.org.uk/make-a-complaint