Privacy policy

Last modified: December 9, 2025

This Privacy Policy explains how EVENLY S.A. (“Evenly”, “we”, “our”) processes personal data when using https://evenly.care website, as well as the cloud-based accessibility and communication services we provide.

Evenly is committed to compliance with the GDPR, the European Artificial Intelligence Regulation (EU AI Act) and all relevant legal data protection frameworks.

1. DESCRIPTION OF SERVICES

Evenly provides cloud-based communication and accessibility solutions through SaaS products that support:

  • real-time video and audio communication;
  • AI-generated captions (speech-to-text);
  • AI-generated speech (text-to-speech);
  • real-time translations;
  • accessibility tools for digital environments;
  • event accessibility solutions (captions, translations, remote participation)

2. DATA CONTROLLER & CONTACT INFORMATION

EVENLY S.A.
Vizantiou 53, Cholargos-Papagou, 156 69, Athens, Greece
Email: legal@evenly.care
Data Protection Officer (DPO): Panagiotis Konstantinidis – panos@evenly.care
Tel.: +30 211-0130300

3. SCOPE

This Policy covers:

  • Use of the Site
  • Use of the Connect, Events, Dialog, Comply products
  • Admin Accounts Data
  • AI-based services (STT, TTS, translation)

4. DEFINITIONS

  • Personal Data (Data): Any information that identifies or can identify an individual (e.g., name, email, IP address, audio/video content).
  • Data Subject (Subject): The individual to whom the data relates.
  • Processing: Any action on personal data, including but not limited to collection, storage, use, deletion.
  • Data Controller (Controller): The party deciding why and how personal data is processed.
  • Data Processor (Processor): The party processing data on behalf of the Controller.
  • Sub-Processor: A third party engaged by Evenly that processes data to support service delivery.
  • AI System: Software that generates predictions or outputs using machine learning (used only for captions, translation, and accessibility improvements).
  • Special Categories of Data: Sensitive information such as health or biometric data. Evenly does not intentionally collect these.
  • DPIA: An assessment required when processing may involve high risks to individuals.

5. CATEGORIES OF PERSONAL DATA PROCESSED

To ensure its services function as intended, Evenly may process various categories of Personal Data. The specific categories depend on the product, the Client configuration, and the context of use. This section provides a granular, GDPR-aligned breakdown of the primary data categories, their origin, and typical use cases. Please note that this list is indicative and non-exhaustive; additional data categories may be processed based on specific Client configurations, custom feature requests, or service evolution.

Α. Identification Data

Data enabling identification of end users and administrative personnel may include:

  • First name
  • Last name
  • Display name (nickname or username)
  • Organizational identifiers (company, department)
  • User IDs generated by Evenly or Clerk
  • Role or access-level attributes

Processed for:

  • User account management
  • Authentication
  • Logging into Connect, Events, Dialog, Comply
  • Access entitlement validation (e.g., admin vs operator)

Β. Contact Data

Information used for communication between Evenly, Clients, and end users may include:

  • Email address
  • Telephone number (where provided)
  • Business contact details
  • SMS token delivery number (for MFA via M-Stat)

Processed for:

  • Account setup
  • Support communication
  • OTP / MFA authentication
  • Service notifications
  • Billing correspondence

C. Professional Data

Professional information regarding individuals interacting with the platform in a work context may include:

  • Job title
  • Organizational role
  • Department
  • User’s affiliation with a Client organization

Processed for:

  • Admin access provisioning
  • Billing, onboarding, and Client success operations
  • Compliance verification

D. Account Credentials

Data required for login and authentication may include:

  • Auth tokens (Clerk)
  • Password hashes (never stored in plaintext)
  • Multi-factor authentication metadata
  • Session tokens
  • Recovery email address

Security:

  • Managed via Clerk (ISO-certified authentication provider)
  • Encrypted in transit and at rest

E. Usage Data

Information about how users interact with Evenly services may include:

  • Clickstream data
  • Feature usage metrics
  • Time spent on pages
  • Interaction with accessibility controls
  • Session start/stop timestamps

Used for:

  • Service optimization
  • Troubleshooting
  • Product analytics (aggregate or anonymised)

Not used for:

  • Profiling
  • Behavioral advertising

F. Device Data

Data about devices connecting to the platform may include:

  • Device type (mobile, desktop)
  • Operating system
  • Browser type and version
  • Screen resolution
  • Microphone and camera availability status
  • Local device language/settings

Used for:

  • Compatibility optimization
  • Security checks
  • Diagnostics

G. Network Identifiers

Technical online identifiers automatically collected during platform use may include:

  • IP address
  • Approximate geolocation inferred from IP (country/region only)
  • Session ID
  • Connection quality metrics
  • Request headers
  • NAT traversal information (WebRTC)

Used for:

  • Securing the platform
  • Establishing real-time communication (WebRTC)
  • Load balancing (Cloudflare)

H. Logs & Diagnostics

Operational logs generated by the platform may include:

  • Application logs
  • Errors encountered
  • API call results
  • Service performance indicators
  • Security logs
  • Authentication attempts
  • Access control events
  • System anomalies
  • Call/session diagnostics
  • Packet loss
  • Jitter
  • Bandwidth estimates

Used for:

  • Incident detection
  • Service continuity
  • Client support

Retention: Short retention (7–30 days) except for necessary security logs (up to 90–180 days).

I. Communication Content

This is the core data category processed by Evenly modules and may include:

  • Real-time audio streams
  • Real-time video streams
  • Chat messages
  • Shared documents
  • Screen shares
  • Multimedia shared by users

Characteristics:

  • Processed in real time
  • Not stored unless Client enables retention
  • Used exclusively for communication and accessibility

NOT used for:

  • Model training
  • Behavioral analysis
  • Sales/advertising

J. Documents & Textual Content (Connect, Dialog)

May include:

  • Uploaded files (PDF, Word, text documents)
  • Extracted text
  • User-written queries and information
  • Summaries and structured outputs
  • Q&A interactions

Used for:

  • Accessibility purposes

Not used for:

  • Dataset creation
  • Internal model refinement

K. Accessibility Preferences

Data supporting individualized accessibility options may include:

  • Caption language settings
  • Translation preferences
  • Text-to-speech voice, speed, pitch
  • Screen reader preferences
  • Simplified UI toggle
  • High-contrast mode

Used for:

  • Storing and applying user accessibility settings

Not used for:

  • Inferring disability
  • Profiling accessibility needs

(Accessibility preferences are not processed as health data.)

L. Transcript Data

Data generated only when captions/transcripts are used and may include:

  • Real-time speech-to-text output
  • Real-time text-to-speech output
  • Time-aligned caption segments
  • Translations of caption segments

Characteristics:

  • Ephemeral by default
  • Stored only if the Controller requests transcript retention

Used for:

  • Accessibility
  • Internal enterprise documentation

Not used for:

  • Analytics
  • Profiling

M. Event Participation Data

Data processed via Evenly Events may include:

  • Event registration details
  • Event room join/leave timestamps
  • Language/caption preferences
  • Role (host, speaker, interpreter, attendee)

Used for:

  • Providing event accessibility
  • Access control
  • Interpreting service scheduling

N. AI Processing Metadata

Metadata produced by AI systems during operation, but not content itself, may include:

  • Confidence scores from STT models
  • Latency measurements
  • Translation engine performance
  • Error codes
  • Token counts (for computational usage)

Used for:

  • Improving system performance
  • Debugging
  • Scaling infrastructure

Not used for:

  • User scoring
  • Profiling
  • Behavioral analysis

6. SENSITIVE PERSONAL DATA & BIOMETRIC DATA ANALYSIS

Evenly does not intentionally collect sensitive data. Voice data is not treated as biometric data because we do not analyze voice patterns to identify individuals. Audio and video are used solely to enable communication, captioning, translation, and accessibility. If a user voluntarily shares sensitive information, the Client (Controller) is responsible for ensuring its lawful basis.

7. LEGAL BASES FOR PROCESSING

We process personal data based on:

  • Contract necessity: Delivering our services and enabling communication features.
  • Legitimate interests: Maintaining security, preventing fraud, improving functionality.
  • Consent: Non-essential cookies, newsletter subscriptions, optional recordings.
  • Legal obligations: Accounting, security incident reporting.
  • Vital interests: Rare cases involving safety.

8. DATA MINIMIZATION & PURPOSE LIMITATION

Evenly adheres to GDPR Articles 5(1)(b)–(c):

A. Purpose specification

Personal Data may be processed only for the following purposes:

  • Provision of communication services
  • Accessibility enhancement (captions, translations)
  • User account management
  • Security and fraud detection
  • Performance monitoring and error diagnostics
  • Website operation

B. Minimization

Evenly collects the minimum data required for functionality; deletes transient data after processing; avoids unnecessary storage; avoids collecting any special category data unless instructed by the Client; and, isolates and anonymizes analytics data whenever possible.

C. No secondary use

Personal Data is never used for:

  • Advertising
  • Cross-platform profiling
  • Selling to third parties
  • Training machine-learning models

9. CONTROLLER / PROCESSOR ROLE MATRIX

Below is the full breakdown of Evenly’s role per processing activity:

PROCESSING ACTIVITY DESCRIPTION EVENLY ROLE CLIENT’S ROLE
Website visits & cookies Analytics, security logs Controller
Marketing communications Emails, newsletters Controller
Support interactions Logs, messages, diagnostics Controller
Account creation Org admins, platform operators Controller
Video/Audio call sessions Audio, video, real-time streams Processor Controller
AI-generated captions and audio content Speech-to-text/text-to-speech Processor Controller
Translation Bidirectional/multilingual translation Processor Controller
Sign language interpretation Third-party interpreters Processor Controller
Documents Text extraction, Q&A, TTS Processor Controller

Key principle: For all end-user data processed within a Client’s environment (e.g., sessions, events, documents, chats, audio/video), the Client remains the Controller and Evenly, the Processor.

10. PRODUCT-SPECIFIC PROCESSING DETAILS

Below is the enterprise-level description of each product’s processing operations.

A. Evenly Connect

A platform enabling:

  • Real-time video and audio communication
  • AI-powered captions
  • AI-powered translations
  • Sign language interpretation
  • Document sharing
  • Secure chat
  • Remote/on-site hybrid communication

Data processed:

  • Audio and video streams (real time)
  • Generated captions (ephemeral unless Client stores)
  • Translations (ephemeral)
  • Chat messages
  • Usernames and session metadata
  • Connection quality and device information

Processing characteristics:

  • No storage of real-time audio/video
  • STT and translation performed via encrypted channels
  • No training of models on Client data

B. Evenly Events

Accessibility suite for events and conferences:

  • real-time captions
  • multilingual translation
  • remote participation
  • on-site captioning displays

Data processed:

  • audio streams (real time)
  • transcripts
  • translation strings
  • event metadata

C. Evenly Dialog

AI-driven document interaction platform allowing:

  • natural language Q&A
  • voice-controlled browsing
  • AI translation
  • AI text-to-speech
  • AI speech-to-text

Data processed:

  • Uploaded documents (text, PDF, Word)
  • User queries
  • Voice commands
  • System-generated responses

Processing is:

  • performed only for accessibility purposes
  • transient unless documents are stored by the Client

D. Evenly Comply

Digital accessibility module enabling:

  • chat and voice navigation
  • WCAG 2.2 enhancements
  • content simplification

Data processed:

  • interaction logs
  • voice commands
  • accessibility preferences

11. REAL-TIME AUDIO, VIDEO & RECORDING PROCESSING

Evenly processes real-time audio and video streams exclusively for the purpose of enabling its communication and accessibility features, such as captions and translations.

A. Real-time audio & video streaming

During an Evenly session:

  • Audio/video streams pass through encrypted channels.
  • Streams are not stored by Evenly.
  • Temporary buffering is used only for transmission and deleted immediately.
  • No biometric identification, profiling, or emotion analysis is performed.

B. Video recording (Only upon explicit Client instruction)

By default, Evenly does not record sessions.

Recordings occur only when:

  • The Client (Controller) enables recording in their own environment, or
  • A specific legal requirement mandates retention (e.g., for public sector accessibility compliance), or
  • The Client obtains explicit consent from end-users.

When recordings are enabled:

  • Evenly acts strictly as Processor.
  • The Client defines the purpose, legal basis, and retention period.
  • Recordings are encrypted and stored according to the Client’s storage policy.
  • Evenly never accesses recordings unless expressly authorized for support purposes.

C. Purpose of recordings

Typical purposes defined by Clients include:

  • documenting communications for accessibility
  • regulatory compliance
  • training authorized staff (e.g., interpreters)
  • event archiving

Evenly never uses recordings for:

  • analytics
  • AI model training
  • user profiling
  • product development

D. Retention of recordings

Retention periods are defined by the Client. Examples:

  • 30 days (common for public sector regulatory compliance)
  • Custom retention (corporate policy)
  • Immediate deletion after processing (highest privacy protection)

If the Client deletes a recording:

  • Evenly deletes all encrypted copies automatically
  • Backups are purged based on secure deletion workflows

E. Access to recordings

Access is controlled exclusively by the Client. Evenly personnel can only access recordings if:

  • the Client provides a written or logged authorization, and
  • only for debugging, technical support, or incident response. All access is logged and auditable.

F. User rights regarding recordings

Users retain the full GDPR rights:

  • Access copies of recordings
  • Request deletion (unless overriding legal obligations apply)
  • Withdraw consent (for future recordings)
  • Request restrictions on processing

If a conflict exists between a user’s request and a legal obligation, the Client (Controller) decides.

12. REAL-TIME TRANSCRIPTION & TRANSLATION PROCESSING

Real-time captions and translations are generated temporarily and deleted after use unless the Client chooses to save transcripts. Evenly does not access transcripts unless the Client requests support.

13. AI SYSTEMS & EU AI ACT FULL COMPLIANCE

AI Act Compliance: Evenly uses AI only for assistive purposes (captions, translations, text-to-speech). Our systems fall under Minimal or Limited Risk under the EU AI Act. We provide transparency, human oversight, accuracy monitoring, and do not perform profiling, biometric identification, or automated decision-making.

DORA Compliance: Evenly aligns with DORA principles regarding:

  • operational resilience
  • incident reporting
  • ICT risk management
  • business continuity
  • use of regulated third-party service providers (Azure, Google, Cloudflare)

Evenly maintains strong technical and organizational measures to ensure continuity and resilience.

14. THIRD-PARTY PROVIDERS & SUB-PROCESSORS

We use trusted providers including but not limited to Microsoft Azure, Google Cloud, VideoSDK, Ably, Clerk, M-Stat, DigitalOcean, Cloudflare, and SendGrid. All are subject to strict contractual safeguards, including SCCs where required.

15. INTERNATIONAL DATA TRANSFERS

We primarily process data in the EU. Transfers outside the EEA use Standard Contractual Clauses (SCCs) and additional safeguards. Clients may request EU-only processing for eligible service tiers.

16. SECURITY MEASURES (TECHNICAL & ORGANISATIONAL)

Evenly maintains a security framework consistent with:

  • OWASP standards
  • Cloud Security Alliance (CSA) guidelines
  • GDPR Article 32 (security of processing)

A. Technical measures

Encryption

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • HSTS enabled
  • Encrypted media channels (SRTP, DTLS)

Network security

  • DDoS protection
  • WAF via Cloudflare
  • Network segmentation
  • Hardened firewalls

Application security

  • Secure development life cycle
  • Automated code scanning
  • Dependency vulnerability monitoring
  • Penetration testing

Infrastructure

  • Hosted primarily on Microsoft Azure (EU regions)
  • Redundancy & failover across zones
  • System integrity monitoring

B. Organizational measures

  • Role-based access control
  • Principle of least privilege
  • Multi-factor authentication
  • Background checks for personnel
  • Mandatory confidentiality agreements
  • Continuous training on GDPR & AI compliance

C. Incident response

Evenly maintains:

  • 24/7 incident monitoring
  • security incident response plan
  • max 72-hour GDPR reporting commitment
  • forensic logging and secure evidence preservation

17. WCAG 2.2 ACCESSIBILITY COMPLIANCE

Evenly is committed to digital accessibility and designs following:

  • WCAG 2.2 AA
  • EN 301 549
  • European Accessibility Act (EAA) obligations where applicable

This may include:

  • keyboard navigability
  • screen-reader compatibility
  • high-contrast modes
  • text resizing support
  • captioning and audio description capabilities
  • accessible error messages and form controls

Accessibility is both a legal and core product requirement.

18. RETENTION POLICY

Retention periods may vary depending on:

  • the type of data
  • the applicable legal requirements
  • Client (Controller) configuration

Transient data is deleted immediately. Logs follow short retention periods unless required for security.

19. DATA SUBJECT RIGHTS

Evenly ensures end-users can exercise their rights under GDPR Articles 12–23.

A. Available rights

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction
  • Right to object
  • Right to data portability
  • Right to withdraw consent
  • Right not to be subject to automated decision-making

Since Evenly acts as Processor, most rights requests must be directed to the Customer (Controller). Evenly assists Controllers in fulfilling requests.

B. How requests are handled

Requests should be submitted to: legal@evenly.care

Evenly:

  • verifies identity
  • logs the request
  • forwards Processor-related requests to the Client (where applicable)
  • responds within statutory timeframes

20. CLIENT RESPONSIBILITIES (WHEN EVENLY ACTS AS PROCESSOR)

The Client, as Controller, must:

  • ensure a lawful basis for all processing
  • obtain valid consent for recordings or sensitive data
  • configure retention settings in compliance with law
  • manage user access rights
  • provide privacy notices to end-users
  • ensure data provided to Evenly is lawful

Evenly supports Clients through DPAs, documentation, DPIA materials, and configurable privacy settings.

21. DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)

Evenly assists Clients in conducting DPIAs by providing:

  • full data flow descriptions
  • security & infrastructure details
  • AI system documentation
  • transfer impact assessments
  • access control diagrams
  • risk mitigation guidance

Evenly performs its own internal DPIA for high-risk features (e.g., real-time AI processing).

22. CHANGES TO THIS POLICY

Evenly may update this Policy:

  • to reflect legal changes
  • to introduce new modules
  • to adjust security practices
  • to improve transparency

Material updates will be communicated through:

  • email notifications, or
  • a notice on the Evenly website

23. CONTACT INFORMATION

For questions or rights requests:

EVENLY S.A.
Vizantiou 53, Cholargos-Papagou, 156 69, Athens, Greece
Email: legal@evenly.care

24. SUPERVISORY AUTHORITY

Users may file a complaint with:

Hellenic Data Protection Authority (HDPA)
Kifisias 1-3, 11523 Athens, Greece
Email: complaints@dpa.gr
Website: www.dpa.gr