Privacy Policy

    Last updated: July 4, 2026

    MaturityHR is a product of evaluoi.ai Oy Ltd (Business ID: 3582911-8). This Privacy Policy describes how personal data is processed in the MaturityHR service available at maturityhr.com.

    1. Controller

    Company: evaluoi.ai Oy Ltd
    Business ID: 3582911-8
    Email: hello@evaluoi.ai

    2. Data We Collect

    We collect the following categories of personal data when you use our Service:

    Account Information

    • Email address
    • Display name
    • Password (hashed)

    Assessment Data

    • Maturity assessments and signals your organization creates
    • Responses submitted by you or assessment participants
    • Development initiatives logged at measurement points

    Usage Data

    • Login timestamps
    • Device and browser metadata
    • Aggregated page view statistics collected through Vercel's cookieless web analytics (no cookies, no cross-site tracking)

    Payment Information

    • Processed securely by Stripe
    • We do not store credit card numbers or full payment details

    Data We Do Not Process

    MaturityHR is not designed to process special category data as defined in GDPR Article 9, including health data, biometric data, genetic data, or data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation.

    Assessments concern organizational processes and practices, not individual performance evaluation.

    3. Legal Bases for Processing

    We process personal data under the following GDPR legal bases:

    • Consent (Article 6(1)(a)): You provide explicit consent during signup and when granting specific permissions.
    • Contract Performance (Article 6(1)(b)): Processing is necessary to provide the MaturityHR Service.
    • Legitimate Interest (Article 6(1)(f)): For security, fraud prevention, and improving the reliability and performance of the Service.

    4. Your Rights

    Under GDPR, you have the following rights:

    • Right of Access: Request a copy of the personal data we hold about you.
    • Right to Rectification: Update your profile information at any time.
    • Right to Erasure: Request account deletion, triggering a 30-day soft deletion period before permanent removal.
    • Right to Data Portability: Request your data in a machine-readable format.
    • Right to Withdraw Consent: Withdraw consent at any time.
    • Right to Object: Object to processing based on legitimate interest.

    To exercise these rights, contact: hello@evaluoi.ai

    5. Security

    We implement strict security standards to protect your data:

    • Encryption at rest (AES-256)
    • Encryption in transit (TLS 1.3)
    • Database Row Level Security (RLS) for tenant isolation
    • Access controls based on roles and permissions
    • Audit logs retained for 90 days
    • Passwords hashed using industry-standard algorithms

    6. Third-Party Processors

    Data processing locations:

    • Primary data storage: EU (AWS eu-west-1, Ireland) via Supabase
    • Application hosting and cookieless web analytics: Vercel

    We work with the following GDPR-compliant processors:

    Supabase

    • Services: Database, authentication, storage, authentication emails
    • Location: EU (AWS eu-west-1, Ireland)
    • Compliance: GDPR, ISO-certified infrastructure

    Vercel

    • Services: Application hosting, cookieless web analytics
    • Compliance: GDPR

    Stripe

    • Services: Payment processing
    • Compliance: PCI DSS Level 1 certified

    All processors operate under Data Processing Agreements (DPAs) compliant with GDPR Article 28.

    7. Data Retention

    • Active accounts: Retained until deletion
    • Deleted accounts: 30-day soft delete, then permanent removal
    • Audit logs: 90 days
    • Admin logs: 1 year
    • Backups: Encrypted backups retained for 90 days

    8. Cookies and Local Storage

    We use only strictly necessary browser storage:

    • Authentication session (stored in localStorage)
    • Language preference

    We do not use advertising, tracking, or analytics cookies. Our web analytics (Vercel Analytics) is cookieless. For details, see our Cookie Policy.

    9. Contact