Privacy Policy
Last updated: June 1, 2026
1. Introduction
Evocos ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our portfolio-building service.
2. Information We Collect
- Account information: name, email address
- Resume and career documents you upload
- Portfolio content you create (evidence items, descriptions, artifacts)
- Usage data: pages visited, features used, time spent
3. How We Use Your Information
- To provide and improve the Evocos service
- To extract skills from your resume using AI
- To generate portfolio suggestions and coaching
- To communicate with you about your account
We do NOT sell your personal data to third parties.
3A. Legal Basis for Processing
Where the EU/UK General Data Protection Regulation (GDPR) applies, we rely on the following lawful bases under Article 6 for each processing activity:
- Performance of a contract (Art. 6(1)(b)): creating and authenticating your account, parsing your resume and job descriptions, matching skills, generating STAR-E coaching and portfolio artifacts, and publishing your portfolio — the core service you sign up for.
- Legitimate interests (Art. 6(1)(f)): securing the platform (rate-limiting, fraud and abuse prevention, error monitoring) and improving the product using anonymized, aggregated usage data. We balance these against your rights and do not use them to process more data than necessary.
- Consent (Art. 6(1)(a)): non-essential cookies/analytics (where you accept them via our cookie banner) and any optional marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): retaining limited records, and making breach notifications, where required by applicable law.
4. AI Processing
Your content is processed by the following AI services to provide Evocos's features:
- OpenAI (GPT-4o): Processes job descriptions, resume text, and portfolio narratives for parsing, skill matching, STAR-E coaching, and portfolio text generation.
- Google Gemini (Gemini 2.0 Flash): Processes artifact generation prompts containing portfolio context for generating charts, diagrams, and visual artifacts.
- Google Gemini (Gemini 2.5 Flash Image): Generates cover images for portfolio artifacts based on descriptions derived from your career content.
- Google Stitch (Vertex AI): Generates UI mockup artifacts. Processed under Google Cloud enterprise terms.
What we send: Prompts derived from your resume text, job descriptions, STAR-E narratives, and artifact descriptions. We do NOT send your raw uploaded files (PDFs, images, videos) to AI providers unless you explicitly request AI artifact generation.
Data training: We do not opt in to any AI provider's model training programs. Your career data is not used to train AI models. OpenAI retains API data for up to 30 days for abuse monitoring. Google retains API data for up to 55 days for abuse monitoring.
5. Data Storage & Security
- Database: Structured data (account information, STAR-E narratives, portfolio content, job descriptions) is stored in Neon PostgreSQL, a serverless database service.
- File storage: Uploaded files (resumes, artifacts, images, videos) are stored using Vercel Blob, a cloud storage service powered by Amazon Web Services (AWS) S3 infrastructure.
- Encryption: All data is encrypted at rest using AES-256 encryption. All data is encrypted in transit using TLS 1.2 or higher. Database encryption keys are managed via AWS Key Management Service (KMS).
- Retention: We retain your data while your account is active. See Section 6A for data deletion details.
5A. Data Retention Schedule
We keep personal data only as long as needed for the purposes above. Our retention windows (consistent with our Written Information Security Program) are:
- Active account data: retained while your account is active
- Deleted accounts: permanently hard-deleted 30 days after you request deletion (see Section 6A)
- Security & AI-processing logs: retained after account deletion with your user-id removed (anonymized) for security and product analytics — no longer personal data once anonymized
- Error-monitoring events (Sentry): 90 days
- Rate-limit counters: up to 1 hour
- Database backups: 7-day point-in-time recovery window
- Security audit log: up to 7 years (or as law requires)
5B. Where Your Data Is Processed
Evocos is operated from the United States, and your data is stored and processed in the United States by us and our service providers (see Section 7).
If you access Evocos from the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to the United States. We put in place the European Commission's Standard Contractual Clauses (and the UK and Swiss addenda) in our agreements with service providers, and rely on the EU–US Data Privacy Framework where a provider is DPF-certified. We apply supplementary safeguards including encryption in transit and at rest and data minimization. Contact us for our list of sub-processors and transfer details.
6. Your Rights
You have the following rights regarding your personal data:
- Access: View all your data in your account dashboard
- Correction: Update your information in account settings
- Export: Download a copy of your data at any time from Settings → Security ("Export my data")
- Deletion: Delete your account through account settings or by emailing hello@evocos.ai (see Section 6A below for details)
To exercise any of these rights, contact us at hello@evocos.ai. We will respond within 30 days.
6A. Data Deletion
When you delete your account:
- Your account is immediately deactivated and you can no longer sign in
- Published portfolios are immediately unpublished and removed from public access
- Within 30 days, we permanently delete: your user profile, resumes, job descriptions, STAR-E narratives, evidence library items, portfolios, and associated files from our storage systems
- Data previously sent to AI providers for processing is subject to their retention policies (OpenAI: up to 30 days; Google: up to 55 days) and cannot be recalled by us
- Anonymized, aggregated usage data (e.g., feature usage counts) may be retained
- Database backups containing your data roll off within our 7-day point-in-time recovery window after deletion
Note: Hard deletion is performed by an automated pipeline. Your account row, owned projects and portfolios, evidence library items, STAR-E narratives, requirements, and uploaded files are permanently removed at the end of the 30-day window. Forensic records (security audit logs) are retained with your user-id anonymized. If you need expedited deletion or wish to cancel a pending deletion within the 30-day window, contact us directly.
7. Third-Party Services
We use these services to operate Evocos:
- Vercel Inc. — Hosting, CDN, and file storage (Vercel Blob)
- Neon Inc. — PostgreSQL database
- Amazon Web Services (AWS) — Object storage (S3) and database encryption keys (KMS); underlies Neon and Vercel Blob
- OpenAI — AI text processing for skill extraction, JD parsing, STAR-E coaching, and portfolio generation
- Anthropic (Claude) — AI processing for evidence and artifact generation
- Google LLC — AI services: Gemini 2.0 Flash for artifact generation, Gemini 2.5 Flash Image for cover image generation, and Vertex AI Stitch for UI mockups
- Mux — Video hosting and playback for uploaded video evidence
- Resend — Transactional email (account verification, magic-link, password reset)
- Upstash — Rate-limiting and ephemeral cache (stores IP addresses only, no other personal data)
- Stripe — Payment processing (billing)
- Sentry (Functional Software, Inc.) — Error tracking and application performance monitoring. Sentry may receive technical data including error messages, browser information, and device type when errors occur. Session recordings may capture anonymized user interactions for debugging purposes; all text content and media are masked before transmission.
Each service has its own privacy policy governing its handling of data. We put in place a Data Processing Agreement with each provider that processes personal data on our behalf; contact us at hello@evocos.ai for our current sub-processor list.
7A. Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Notify affected users via email within 72 hours of confirming the breach
- Notify relevant regulatory authorities as required by applicable law, including the Massachusetts Attorney General and Office of Consumer Affairs
- Provide details of what information was affected, what we are doing to address the breach, and steps you can take to protect yourself
- Post a notice on our website if the breach affects a large number of users
Reporting a security issue: if you believe you have found a security vulnerability, please email security@evocos.ai. See our security.txt for our coordinated-disclosure policy.
8. Cookies
- We use essential cookies for authentication and session management
- We may use analytics to understand how users interact with Evocos
9. Children's Privacy
- Evocos is not intended for users under 18 years of age
- We do not knowingly collect data from minors
10. Changes to This Policy
- We may update this policy as our service evolves
- We'll notify you of significant changes via email or in-app notice
11. Contact Us
Questions about this Privacy Policy? Email us at hello@evocos.ai