Privacy Policy

Effective date: 1 February 2025

Evolve Unlimited AB ("we", "us", "our") operates ExposureIndex at exposureindex.io. This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the General Data Protection Regulation (GDPR) and the Swedish Data Protection Act, taking into account our obligations under NIS2 where applicable. ISO 27001 is not data protection legislation; it is the information security standard our security controls are aligned with (see Section 7).


1. Data Controller

The data controller is Evolve Unlimited AB, registered in Sweden. Contact: exposureindex@evolvecybersec.se

2. Data We Collect

We collect the following categories of personal data:

  • Contact & account data: name, email address, phone number, job title, company name and address, VAT number.
  • Technical data: IP addresses, browser type, operating system — collected during phishing simulation tests and platform usage.
  • Payment metadata: transaction ID, plan type, currency — processed via Stripe. We do not store card numbers.
  • Scan data: domain names, subdomain lists, vulnerability findings, email security records — generated as part of the security assessment.

3. Legal Bases for Processing

  • Contract performance (Art. 6(1)(b) GDPR): to deliver the security testing services you ordered.
  • Legitimate interests (Art. 6(1)(f) GDPR): fraud prevention, platform security, and service improvement.
  • Legal obligation (Art. 6(1)(c) GDPR): where required by applicable law, including NIS2 incident reporting obligations.

4. Data Retention


5. Third-Party Processors

We share data only with the following sub-processors under GDPR-compliant Data Processing Agreements:

  • Stripe Payments Europe Ltd — payment processing (Dublin, Ireland, EU).
  • Brevo SAS (formerly Sendinblue) — transactional email delivery (Paris, France, EU).

6. Your Rights

Under the GDPR (Art. 15–22) you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Request erasure ("right to be forgotten"), subject to legal retention requirements.
  • Receive your data in a portable, machine-readable format.
  • Object to processing based on legitimate interests.
  • Request restriction of processing (Art. 18 GDPR), for example while the accuracy of your data is being verified or while an objection you have raised is being assessed.

To exercise these rights, email exposureindex@evolvecybersec.se. We will respond without undue delay and in any event within one month of receiving your request, as required by Art. 12(3) GDPR. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.

7. Security Measures

We implement technical and organisational security measures aligned with ISO 27001, SOC 2 Type II, and NIST SP 800-53 controls, including: encryption in transit (TLS 1.2+) and at rest, access control with least-privilege principles, regular vulnerability assessments, audit logging, and incident response procedures.

8. Cookies

We use only strictly necessary cookies: a session cookie for authenticated users, and a language-preference cookie ("lang") to remember your selected language. No third-party tracking or analytics cookies are set.

9. International Transfers

Data is processed within the European Economic Area (EEA). Any transfer outside the EEA is subject to appropriate safeguards (Standard Contractual Clauses or an EU adequacy decision).

10. Changes to This Policy

We will notify registered users of material changes at least 30 days in advance via email. The current version is always available at exposureindex.io/privacy-policy.


Data Protection Contact

For privacy inquiries contact: exposureindex@evolvecybersec.se | Evolve Unlimited AB, Sweden.