Privacy Policy

1. Introduction

illumEval ("we", "our", "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use our platform. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

We collect the following types of data:

• Account information: name, email address, and organisation membership details provided during registration
• Project content: documents, chat messages, questionnaire responses, and evaluation reports you create within the platform
• Usage data: interaction logs, feature usage patterns, and technical information necessary to operate the Service
• Authentication data: securely hashed credentials managed through our authentication provider

3. How We Use Your Data

We use your data to:

• Provide and maintain the illumEval platform
• Enable collaboration features (chat, notifications, team management)
• Process documents through our AI analysis pipeline
• Generate evaluation reports and insights
• Send service-related notifications and updates
• Improve the quality and reliability of the Service

4. AI Processing

When you use AI-powered features, your project content may be processed by third-party AI model providers to generate analysis, summaries, and report content. This processing is conducted under strict data processing agreements. Your content is not used to train AI models. Processed data is not retained by AI providers beyond the duration of the request.

5. Data Storage and Security

Your data is stored securely using industry-standard encryption at rest and in transit. We use Supabase as our infrastructure provider, with data hosted in secure cloud environments. Access controls, row-level security policies, and audit logging protect your data from unauthorised access.

6. Data Sharing

We do not sell your personal data. We share data only with:

• Infrastructure providers: for hosting, authentication, and data storage (under data processing agreements)
• AI model providers: for processing evaluation content (under strict data processing terms)
• Your organisation: organisation administrators can view member details and project activity within their organisation

7. Your Rights

Under the UK GDPR, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate personal data
• Request erasure of your personal data
• Restrict or object to processing of your data
• Data portability — receive your data in a structured format
• Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact your organisation administrator or reach out to us through the platform.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Project data is retained for 30 days after deletion to allow recovery, after which it is permanently removed. Upon account closure, personal data is deleted within 90 days, except where retention is required by law.

9. Cookies

We use essential cookies for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled. We do not use advertising or tracking cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Contact

For privacy-related enquiries, please contact us through the platform or reach out to your organisation's administrator. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).