1. Introduction
Evidara is a business records platform designed to help small and medium enterprises capture proof, track sales and expenses, manage inventory and customer debt, generate invoices and reconciliations, and produce business health and activity reports they control.
This Privacy Policy explains, in plain English, what information we collect, how we use it, how we share it, and the choices you have. It applies to use of evidara.org and any Evidara apps or services that link to this policy.
We aim to process personal information in line with applicable data protection laws in the regions where our users operate, including Zimbabwe and the regional notices set out below for South Africa, Kenya, and Nigeria.
2. Information we collect
Account data. Your name, email address, password (stored as a salted hash by our authentication provider), phone number where you provide it, business name, and profile information needed to operate your account.
Business profile data. Information you add about your business such as industry, location, currency preference (for example USD or ZiG), tax identifiers where you choose to add them, and team member details where you invite others.
Business records. Data you enter or upload while using the service, including sales, expenses, inventory items, customer and debtor details, payment references, invoices, bookings, reconciliations, and notes.
Proof uploads. Documents and images you upload as proof — for example receipts, EcoCash or OneMoney confirmations, bank deposit slips, supplier invoices, delivery notes, or photographs of paperwork.
Payment and subscription data. Plan selection, billing status, invoice history, and limited card metadata returned by our payment processor. Full card numbers are entered directly into the payment processor and are not stored on Evidara servers.
Analytics and security logs. Device type, browser type, IP address, approximate location derived from IP, pages and features used, timestamps, error logs, and audit events such as sign-in attempts and sensitive account changes.
3. How we use information
We use the information described above to:
- Create, secure, and manage your Evidara account.
- Provide the features available inside the app and on the website.
- Store, display, and back up your business records.
- Generate invoices, reconciliations, and business health or trust reports based on the data you enter.
- Process subscription payments and manage billing.
- Send account, security, payment, and service-related notifications.
- Detect, investigate, and prevent fraud, abuse, or security incidents.
- Improve the reliability, safety, and performance of the service.
- Respond to support requests and communicate with you.
- Comply with legal and regulatory obligations where applicable.
We do not sell your personal data or your customers' personal data. We do not use your business records to train external advertising models.
4. Business records and customer/debtor data
Evidara is designed to let you record information about your own customers and debtors — for example names, phone numbers, outstanding balances, payment history, booking details, and invoice information. In data protection terms, you are usually the controller of that information and Evidara acts as a processor on your behalf.
You are responsible for making sure you have a lawful basis to collect and use customer or debtor information inside Evidara, and for handling any requests those individuals may make to you directly. We aim to support you by providing export, correction, and deletion tools inside the product.
We do not sell, rent, or share customer or debtor lists with third parties for marketing.
5. Proof uploads and documents
Proof uploads are stored so that you can show evidence of a sale, payment, expense, or reconciliation later — to yourself, a partner, a lender, or another stakeholder you choose.
Uploaded files are stored using our infrastructure provider's object storage and are designed to be visible only to your account and any authorised users you explicitly grant access to. We may scan uploads for security purposes (for example to detect malware), but we do not review the contents of your documents for advertising or unrelated commercial use.
Business records and evidence remain owner-controlled. Evidence is not automatically shared with lenders, partners, tax authorities, or other external institutions. Internal record-quality indicators are not public, are not credit scores, and are not shown to lenders through public pages. No consent, disclosure, partner access, tax sharing, or external routing path is active.
You can delete proof uploads from within the app. Deleted files may remain in encrypted backups for a limited period before being fully removed.
6. Payment and subscription data
Stripe is used for Evidara subscription billing. Stripe collects and processes your card or other payment details, billing information, and transaction records in order to complete subscription payments, manage subscriptions, prevent fraud, and comply with financial regulations. Stripe's use of that information is governed by its own privacy policy and terms.
Subscription billing is separate from the merchant's business recording currency. Evidara records payments for bookkeeping; it does not process merchant customer payments, hold balances, provide payouts, or act as an acquirer, wallet, payment facilitator, or merchant of record.
Evidara receives limited information from Stripe such as the last four digits of your card, card brand, billing country, subscription status, and invoice history. We use this to operate your subscription, show your billing history inside the app, and contact you about payment issues.
7. Analytics and security logs
We collect technical and usage logs to keep the service reliable and secure. These logs may include device and browser details, IP address, page or feature accessed, timestamps, error traces, and audit events such as sign-ins, password changes, multi-factor authentication events, and sensitive record changes.
We use these logs to investigate problems, detect suspicious activity, improve performance, and meet our security obligations. We aim to keep these logs only for as long as needed for those purposes.
8. How we share information
We share information with a limited set of trusted service providers who help us run Evidara, and we share only the information they need to do their part. These currently include:
- Supabase — authentication, database, and file storage.
- Vercel — application hosting and edge delivery.
- Stripe — subscription payments and billing.
- Google — optional Google sign-in (OAuth).
- Email and messaging providers — to send transactional emails and, where you enable it, customer reminders.
We may also share information when we are legally required to do so, when needed to protect the rights, safety, or property of Evidara, our users, or others, or in connection with a corporate transaction such as a merger or acquisition (in which case we would aim to give affected users notice).
A current list of our service providers and subprocessors is available on our Subprocessors page.
We do not sell your personal information.
9. Data retention and deletion
We keep your information for as long as your account is active or as long as needed to provide the service, meet legal and tax obligations, resolve disputes, prevent fraud, and enforce our agreements.
You can request deletion of your account and data by contacting support. We process deletion requests after verifying account ownership. Active account data deletion begins after verification and is typically processed within 30 days where legally and technically possible.
Some records may be retained temporarily where required for legal, security, fraud prevention, tax and accounting, dispute resolution, backup, or audit reasons. Backups are deleted automatically according to their normal expiry cycles.
10. Data security
We take reasonable technical and organisational steps to protect your information against unauthorised access, loss, misuse, or alteration. These include encryption in transit (HTTPS), database-level access controls, audit logging, secret management, and optional multi-factor authentication for your account.
For more detail, see our Security page. No internet-based service can be guaranteed to be completely secure, and you are responsible for keeping your login details safe and signing out of shared devices.
11. International data transfers
Evidara uses cloud infrastructure that may store and process data in regions outside the country where you live or operate your business. Where personal information is transferred across borders, we aim to rely on appropriate safeguards offered by our infrastructure providers, such as contractual protections and recognised transfer mechanisms, where applicable.
If you have specific data residency requirements, contact us at privacy@evidara.org.
12. Your rights
Depending on where you live, you may have rights in relation to your personal information, including the right to access, correct, object to certain processing, restrict processing, request deletion, and request a portable export, where legally allowed.
You can exercise many of these rights directly inside the app — for example by updating your profile, exporting your records, or deleting entries. For other requests, contact us at privacy@evidara.org. We may need to verify your identity before acting on a request.
13. South Africa — POPIA Privacy Notice
This section applies to users whose personal information is processed in South Africa. Evidara aims to process personal information in line with the Protection of Personal Information Act, 2013 (POPIA), where applicable.
Personal information we may process includes the account, business profile, business records, proof uploads, payment, and analytics and security log categories described in section 2.
Why we process it: to provide and secure the service, to operate your subscription, to support you, to detect and prevent fraud or abuse, and to comply with applicable legal obligations.
Your rights under POPIA, where applicable, include the right to be notified about the processing of your personal information, to access your personal information, to request correction or deletion where legally allowed, to object to certain processing, and to lodge a complaint.
You can raise any privacy concern with Evidara first by contacting privacy@evidara.org. If you are not satisfied with our response, you may also contact the Information Regulator (South Africa).
14. Kenya — Data Protection Act Notice
This section applies to users whose personal data is processed in Kenya. Evidara aims to process personal data in line with Kenya's Data Protection Act, 2019, where applicable.
Categories of personal data we may process:
- Account data (name, email, password hash, phone where provided).
- Business profile data (business name, industry, location, currency, tax identifiers where you add them).
- Sales, payment, and reconciliation data.
- Inventory data.
- Debtor and customer data you record.
- Proof uploads (receipts, payment confirmations, supplier invoices, photos of paperwork).
- Analytics and security logs (device, browser, IP, usage events, audit events).
Purposes of processing: to operate your account, deliver the features you use, generate reports based on data you enter, process subscription payments, support you, secure the platform, and meet applicable legal obligations.
Your rights under the Data Protection Act, where applicable, include the right to be informed of the use of your personal data, to access your personal data, to request correction or deletion where applicable, to object to processing, and to data portability.
For privacy requests, contact privacy@evidara.org. You may also have the right to lodge a complaint with the Office of the Data Protection Commissioner (Kenya).
15. Nigeria — NDPR Compliance Statement
This section applies to users whose personal data is processed in Nigeria. Evidara aims to handle personal data in line with Nigerian data protection requirements, including the Nigeria Data Protection Regulation (NDPR) principles, where applicable. Specific compliance obligations may depend on the scale of processing, the user base, and other applicable Nigerian law.
Data we collect: the account, business profile, business records, proof uploads, payment, and analytics and security log categories described in section 2.
Purposes of processing: to provide the service, operate your subscription, secure the platform, support you, and comply with applicable law.
Service provider sharing: we share limited personal data with the service providers listed in section 8 (such as hosting, authentication, storage, payments, and email) so they can perform their role in delivering the service.
We do not sell your personal data.
Your rights, where applicable, include the right to access, correct, object to certain processing, and request deletion of your personal data.
For privacy requests, contact privacy@evidara.org.
16. Children
Evidara is intended for business users and is not directed at children. You must be at least 18 years old to create an account.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the date at the top of this page and, for significant changes, give additional notice in the app or by email. Continued use of Evidara after changes take effect means you accept the updated policy.
18. Contact
To ask a question about this Privacy Policy or to make a privacy request, contact privacy@evidara.org.
Founder contact: malcolm@evidara.org.
You can also read our Terms of Service, Security, and Cookies.