Privacy Policy
Last updated: July 4, 2026
MaturityHR is a product of evaluoi.ai Oy Ltd (Business ID: 3582911-8). This Privacy Policy describes how personal data is processed in the MaturityHR service available at maturityhr.com.
1. Controller
Company: evaluoi.ai Oy Ltd
Business ID: 3582911-8
Email: hello@evaluoi.ai
2. Data We Collect
We collect the following categories of personal data when you use our Service:
Account Information
- Email address
- Display name
- Password (hashed)
Assessment Data
- Maturity assessments and signals your organization creates
- Responses submitted by you or assessment participants
- Development initiatives logged at measurement points
Usage Data
- Login timestamps
- Device and browser metadata
- Aggregated page view statistics collected through Vercel's cookieless web analytics (no cookies, no cross-site tracking)
Payment Information
- Processed securely by Stripe
- We do not store credit card numbers or full payment details
Data We Do Not Process
MaturityHR is not designed to process special category data as defined in GDPR Article 9, including health data, biometric data, genetic data, or data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation.
Assessments concern organizational processes and practices, not individual performance evaluation.
3. Legal Bases for Processing
We process personal data under the following GDPR legal bases:
- Consent (Article 6(1)(a)): You provide explicit consent during signup and when granting specific permissions.
- Contract Performance (Article 6(1)(b)): Processing is necessary to provide the MaturityHR Service.
- Legitimate Interest (Article 6(1)(f)): For security, fraud prevention, and improving the reliability and performance of the Service.
4. Your Rights
Under GDPR, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Update your profile information at any time.
- Right to Erasure: Request account deletion, triggering a 30-day soft deletion period before permanent removal.
- Right to Data Portability: Request your data in a machine-readable format.
- Right to Withdraw Consent: Withdraw consent at any time.
- Right to Object: Object to processing based on legitimate interest.
To exercise these rights, contact: hello@evaluoi.ai
5. Security
We implement strict security standards to protect your data:
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.3)
- Database Row Level Security (RLS) for tenant isolation
- Access controls based on roles and permissions
- Audit logs retained for 90 days
- Passwords hashed using industry-standard algorithms
6. Third-Party Processors
Data processing locations:
- Primary data storage: EU (AWS eu-west-1, Ireland) via Supabase
- Application hosting and cookieless web analytics: Vercel
We work with the following GDPR-compliant processors:
Supabase
- Services: Database, authentication, storage, authentication emails
- Location: EU (AWS eu-west-1, Ireland)
- Compliance: GDPR, ISO-certified infrastructure
Vercel
- Services: Application hosting, cookieless web analytics
- Compliance: GDPR
Stripe
- Services: Payment processing
- Compliance: PCI DSS Level 1 certified
All processors operate under Data Processing Agreements (DPAs) compliant with GDPR Article 28.
7. Data Retention
- Active accounts: Retained until deletion
- Deleted accounts: 30-day soft delete, then permanent removal
- Audit logs: 90 days
- Admin logs: 1 year
- Backups: Encrypted backups retained for 90 days
8. Cookies and Local Storage
We use only strictly necessary browser storage:
- Authentication session (stored in localStorage)
- Language preference
We do not use advertising, tracking, or analytics cookies. Our web analytics (Vercel Analytics) is cookieless. For details, see our Cookie Policy.
9. Contact
- General inquiries: hello@evaluoi.ai
- Data protection: hello@evaluoi.ai
- Support: hello@evaluoi.ai