Privacy Policy

Last updated: 8th June 2026

In plain English

EvenStance helps you resolve disputes with companies. To do that, we need some of your personal information. We treat it with care, never sell it, and give you full control over it. This policy explains exactly what we collect, why, and what rights you have.

1. Who we are

EvenStance is operated by EvenStance Ltd (Company No. 17214222), registered in England & Wales, with registered address at 1 Spring Avenue, Ashby-de-la-Zouch, Leicestershire LE65 2RB. For the purposes of UK GDPR, EvenStance Ltd is the data controller.

ICO Registration Number: ZC146340 (registered 13 May 2026, expires 12 May 2027)

You can contact us at privacy@evenstance.com.

2. What we collect

  • Account information: Name, email address, and hashed password when you register. If you sign in with Google or Apple, we receive your name and email from those providers.
  • Case information: Details you provide about your dispute, including the company name, category, description, dates, correspondence, and uploaded documents.
  • Payment information: Processed securely by Stripe. We do not store your card details. We store your subscription status and Stripe customer ID.
  • Usage data: We collect anonymised usage data via PostHog to improve the platform. You can opt out at any time using the toggle in Section 7 below.
  • Communications: Emails forwarded to your case, communication logs, and AI chat messages.

3. How we use your data

  • To provide the service: Managing your cases, generating letters, providing AI guidance, and sending notifications about deadlines.
  • To process payments: Managing your subscription via Stripe.
  • To communicate with you: Account verification, password resets, deadline reminders, and service updates.
  • To improve the platform: Via anonymised analytics. You can opt out below.

4. AI and your data

EvenStance uses a multi-provider AI stack to provide case assessments, draft letters, route disputes to the correct regulator, and offer guidance. The current providers are Microsoft Azure AI Foundry (GPT-5.5 family) hosted in the UK South region, Databricks model serving (llama-4-maverick and embedding models) hosted in the UK, Anthropic Claude (via the Anthropic API), and Google Gemini.

Before any case data is sent to an AI provider, a server-side redaction layer removes personally identifiable information (PII) including names, addresses, phone numbers, postcodes, dates of birth, NI numbers, and account numbers. The AI provider sees structured fields (dispute category, dates, amounts) and redacted free text, never raw personal data.

AI providers do not retain your data for model training under our commercial agreements. Where a provider supports zero-retention or enterprise-grade processing modes, we use those modes by default.

EvenStance is not regulated to provide legal or financial advice. AI-generated content is informational only. Every AI-generated output carries an AI disclaimer at the foot of the page.

5. Data sharing

We never sell your personal data. We share data only with the following categories of processor, each under a written data processing agreement:

  • Stripe: Payment processing.
  • Resend: Transactional email delivery (account verification, password resets, deadline reminders).
  • AI providers (Microsoft Azure AI Foundry, Databricks, Anthropic, Google): Case assessment and letter drafting, with PII redacted before any call. See Section 4.
  • External AI assistants you choose to connect (Claude, ChatGPT, Perplexity, others): If you connect EvenStance as a connector inside an AI assistant, that AI assistant accesses your case data on your behalf when you ask it to. See Section 6.
  • Microsoft 365 / Google Workspace: Only if you choose to connect your email or calendar for case import or export, and only for the specific case and time window you authorise.
  • PostHog: Analytics (opt out below).
  • Hosting (Microsoft Azure, uksouth region): Infrastructure for the EvenStance platform itself. UK data residency.

6. AI assistants and the MCP connector

EvenStance can be added as a connector inside an external AI assistant such as Claude (Anthropic) or ChatGPT (OpenAI). When you connect EvenStance to one of these assistants, you authorise that assistant to access your EvenStance data on your behalf through the Model Context Protocol (MCP). This section explains how that relationship works for privacy purposes.

What the AI assistant can access

The AI assistant can only access the data covered by the specific permissions you approve on the EvenStance consent screen. Available permissions are:

  • View your cases: Read your dispute cases, assessments, deadlines, and timeline.
  • Create and update cases: Create new cases, update status, and add communications.
  • Search companies: Look up company information, reviews, and regulator details from the EvenStance company database.
  • Generate letters: Create complaint letters and formal correspondence.
  • Save conversations: Save AI chat summaries to your case timelines.

Who controls what

EvenStance remains the data controller for your case data stored on our platform. When the AI assistant fetches that data on your behalf, the assistant's own privacy policy governs what happens to the data inside that assistant's session (model processing, chat history, caching, training-mode policy). Before connecting an AI assistant to EvenStance, you should read that assistant's privacy policy directly. We link to the main assistants' privacy policies on Settings > Connect your AI.

How we secure the connection

The connector uses OAuth 2.1 with PKCE (S256) and audience-bound tokens (RFC 8707). Tokens are stored on the EvenStance side, scoped to the specific permissions you approved, and bound to the assistant's account that requested them. Access tokens expire after one hour. Refresh tokens expire after 30 days.

How to revoke

You can revoke any connected AI assistant at any time on Settings > Connect your AI. Revocation is immediate: the assistant can no longer access your data through EvenStance from the moment you click revoke. Any cached content already inside the assistant's own systems is governed by that assistant's policy on retention and erasure.

What we log

We keep an audit log of which tool calls an AI assistant made on your behalf (tool name, timestamp, success or failure) for 12 months for security and forensic purposes. We do not retain the full content of the AI assistant's prompts to you, only the specific tool calls that touched your EvenStance data.

7. Your rights under UK GDPR

You have the right to:

  • Access: Request a copy of all your data (available in Settings > Data Export).
  • Rectification: Correct inaccurate information in your profile or cases.
  • Erasure: Delete your account and all associated data (available in Settings > Delete Account, with a 7-day cooling-off period).
  • Portability: Export your data in a structured format.
  • Object: Opt out of analytics at any time using the toggle in Section 8 below.

8. Cookies

We use essential cookies for authentication and session management. Analytics cookies (PostHog) are active by default to help us improve the platform. You can opt out at any time using the toggle below.

9. Data retention

We retain your case data for as long as your account is active. When you delete your account, all personal data is permanently removed after a 7-day cooling-off period. Audit logs (including MCP connector tool-call logs described in Section 6) are retained for 12 months for security purposes, then automatically deleted.

OAuth tokens issued to AI assistants you have connected are retained while the connection is active. Access tokens expire after one hour; refresh tokens expire after 30 days unless rotated by the assistant. When you revoke a connection (or when a refresh token expires without rotation), the tokens are deleted within 24 hours of revocation or expiry.

10. Security

We protect your data with encryption in transit (HTTPS/TLS), encrypted database storage, rate limiting, CSRF protection, and regular security audits. Passwords are hashed using bcrypt and never stored in plain text.

For the MCP connector specifically, we use OAuth 2.1 with PKCE (S256), audience-bound tokens (RFC 8707), Dynamic Client Registration (RFC 7591), Protected Resource Metadata (RFC 9728), and Authorization Server Metadata (RFC 8414). The connector endpoint enforces Origin validation, protocol version checks against MCP spec 2025-06-18, and rate limiting per token. Tool calls that mutate your data are audit-logged.

11. Contact

For any privacy-related queries, contact us at privacy@evenstance.com. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.