Privacy Policy

Last updated: May 2026


This Privacy Policy details Evidencity, Inc.'s ("Evidencity") collection and use of personal data about users of our Services, including NelsonAI, Illicit Network Intelligence Datasets, RiskSolve, and related offerings (collectively, the "Services").



This Privacy Policy is incorporated by reference into our Terms & Conditions and Data Licensing Agreement. If there is any conflict between this Privacy Policy and those agreements, the terms most protective of your privacy shall apply.


Evidencity complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Evidencity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles, the UK Extension, and the Swiss-U.S. DPF Principles with regard to the processing of personal data received from the European Union, United Kingdom, and Switzerland. If there is any conflict between this Privacy Policy and the DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.


Evidencity is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).


INFORMATION COLLECTION

You may browse our Site without providing us with any personal data.


In order to register for an account on our Site and to use our Services, we require you to submit your personal data to us. When you register for an account on our Site and to use our Services, you are required to provide us with personal data such as your first name, last name, password, email address, phone number, business address, username, and password.


When you make a purchase through the Services or subscribe to our offerings, you will be required to submit a credit card or ACH information for billing purposes. Our third party payment processor will process your payment.


We will collect any personal data that you include in your communications with us, including emails, support tickets, and other messages.


Customer is responsible for all information, data, text, messages or other materials that Customer transmit via the Service. Customer is responsible for maintaining the confidentiality of Customer's login and account, if any, and is fully responsible for any and all activities that occur under Customer's login or account. Customer agrees that Customer has provided any necessary notices to, and obtained any necessary consents from, individuals whose personally identifiable information Customer provides to Evidencity.


Customer Data

"Customer Data" means information you provide to Evidencity, including: (a) your internal business information, supply chain details, and operational data; (b) target entities, individuals, or geographic regions you request Evidencity to research; (c) your account information, user credentials, and communications with Evidencity; and (d) any personally identifiable information of your employees or representatives.


You retain ownership of Customer Data. By providing Customer Data containing personal information, you represent that you have obtained all necessary consents or established lawful basis under applicable data protection laws (including GDPR Article 6) for such processing by Evidencity.


INFORMATION USE

We use your personal data for the following purposes and rely on the following lawful bases to process your personal data:

  • Where we need to perform the contract we are about to enter into or have entered into with you. For example, when you make a purchase through our Services, that's a contract.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. For example, when we send you notices about updates to our Services, when we detect fraud, or when we improve our Services.
  • Where we need to comply with a legal or regulatory obligation. For example, keeping records of our sales for tax compliance.
  • Where we have your consent such as for certain cookies. Where our legal basis is consent, you have the right to withdraw consent any time.


Specifically, we use your personal data to:

  • deliver you our Services and information you have requested
  • provide you with support
  • detect fraud, illegal activities or security breaches
  • provide notices regarding services you have requested or that you may wish to use
  • verify your authority to enter certain password protected areas of the Services
  • improve the content and general administration of our Services
  • improve our research methodology and data quality
  • analyze product usage and optimize Service performance


Marketing Communications: We do not use your personal data for targeted marketing, promotional emails, or other marketing communications without your prior consent. You may opt out of marketing communications at any time by contacting privacy@evidencity.com.


CUSTOMER DATA AND LICENSED DATA PROCESSING

Customer Data Processing

We process Customer Data solely to: (i) deliver your requested Services; (ii) improve our research methodology and data quality; and (iii) create anonymized, aggregated insights that do not identify you or specific individuals.


GDPR Data Processing Roles

Where Customer Data contains personal data of EU, UK, or Swiss data subjects:


(a) Data Processing Roles: You act as the data controller. Evidencity acts as the data processor when processing Customer Data containing personal data.


(b) Lawful Basis: You represent that you have established appropriate lawful basis under GDPR Article 6 (or equivalent law) for processing personal data using our Services.


(c) Data Subject Rights: You are responsible for handling all data subject requests (access, rectification, erasure, portability, restriction, objection) related to your use of our Services. Evidencity will reasonably assist you in responding to such requests concerning Customer Data.


(d) Data Transfers: Any transfer of personal data outside the EU/EEA will be subject to appropriate safeguards under GDPR Chapter V, including Standard Contractual Clauses or adequacy decisions where applicable.


(e) Data Retention: You shall not retain personal data longer than necessary for your stated purposes and shall implement appropriate retention schedules.


(f) Breach Notification: Each party shall notify the other within 72 hours of becoming aware of any personal data breach involving data processed under our Services.


COOKIES AND ONLINE TRACKING

We use small text files called cookies to improve overall experience on the Site. A cookie is a piece of data stored on the user's hard drive containing information about the user. Cookies generally do not permit us to personally identify you. We generally use session cookies to authorize each request to use the Site and such cookies expire when you exit the Site.


Evidencity does not track users over time or over multiple websites. Evidencity does respond to browser do not track signals.


CHILDREN'S PRIVACY

Evidencity recognizes the privacy interests of children and we encourage parents and guardians to take an active role in their children's online activities and interests. The Site and Services are not directed to children under the age of 16. Evidencity does not target its Services to children under 16. Evidencity does not knowingly collect personal data from children under the age of 16. If we learn that a child under the age of 16 provided us with personal data, we will delete that information. If your child has provided personal data, please contact us so we can delete it. If you are under the age of 16, please do not provide us with any personal data.


DISCLOSURE

We provide your personal data as follows.


We provide your personal data to the vendors and service agencies that we engage to assist us in providing our services to you. For example, we may use a third party payment processor to process payments for our Services. We also engage research professionals, data management providers, and other subcontractors to support our Services. Such third party entities are bound by written confidentiality and data processing agreements and are obligated to use your personal data solely to provide the services to us.


Subprocessor Notification

We maintain a list of current subprocessors supporting our Services. We will notify you of material changes to our subprocessor list at least 30 days in advance. You may object to any subprocessor on reasonable grounds within 10 days of notification. We will discuss reasonable alternatives with you if you object.


We will disclose your personal data if we reasonably believe we are required to do so by law, regulation or other government authority or to assist in any governmental or law enforcement investigation, to protect our or our users' rights or to enforce our terms of use.


We will not sell your personal data to any company or organization except we may transfer your personal data in conjunction with a transaction such as a financing or to a successor entity upon a merger, consolidation or other corporate reorganization in which Evidencity participates or to a purchaser of all or substantially all of Evidencity's assets to which the Services relate or in the event of a bankruptcy or related or similar proceedings.


Evidencity's accountability for personal data that it receives under the Data Privacy Framework and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Evidencity remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Evidencity proves that it is not responsible for the event giving rise to the damage.


SECURITY

We employ procedural and technological measures that are reasonably designed to help protect your personal data from loss, unauthorized access, disclosure, alteration or destruction. Evidencity uses secure socket layer, firewalls, password protection and other security measures and policies to help prevent unauthorized access to your personal data.


DATA RETENTION

We will only keep your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.


To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.


By law we have to keep basic information about our customers, such as payment data, generally for seven years after they stop being customers for tax purposes. Please note that we may retain information that is otherwise deleted in anonymized and aggregated form, in archived or backup copies as required pursuant to records retention obligations, or otherwise as required by law.


In some circumstances you can ask us to delete your data; see Updating and Deleting Personal Data and Your Rights below for further information.


PRIVACY POLICY UPDATES

Evidencity may need to update this Privacy Policy from time to time. If so, Evidencity will post its updated Privacy Policy on our Site and Services along with a change notice. Evidencity may also send registered users of our Services a notice that this Privacy Policy has been changed. Evidencity encourages you to review this Privacy Policy regularly for any changes. Your continued use of the Site and/or Services and/or continued provision of personal data to us after the posting of such notice will be subject to the terms of the then-current Privacy Policy.


UPDATING AND DELETING PERSONAL DATA

Evidencity provides you with the ability to review, update and/or delete certain contact information that you provide to us by accessing your account. Your right to access your personal data may be restricted in exceptional circumstances, including, but not limited to, when the burden or expense of providing this access would be disproportionate to the risks to your privacy in the case in question, or when the rights of persons other than you would be violated by the provision of such access. If we determine that your access should be restricted in a particular instance, we will provide you with an explanation of our determination and respond to any inquiries you may have. If you are located in the European Union, you have other rights as set forth in the Your Rights Section below.


NOTICE TO USERS OUTSIDE OF THE UNITED STATES

While Evidencity is an international business, we operate primarily in the United States, and as a result regardless of where you use our Services or otherwise provide information to us, the information we collect may be transferred to and maintained on servers located in the United States. The laws, regulations and standards of the country in which this information is stored may be different from your own country. The European Union's General Data Protection Regulation ("GDPR") allows for transfer of personal data from the European Union to a third country in certain situations. By consenting and agreeing to the terms of use and this Privacy Policy, you agree to the transfer of all such information to the United States of America which may not offer an equivalent level of protection to that required in other countries, particularly the European Union, and to the processing of that information by Evidencity on servers located in the United States of America as described in this Privacy Policy. We also comply with the EU-US Data Privacy Framework, its UK Extension, and the Swiss-US Data Privacy Framework. In our discretion, we may adopt other means, such as entering into data processing agreements that include the EU Standard Contractual Clauses or enter into different certification programs under applicable law for ensuring adequate safeguards. If you wish to execute a data processing agreement with us, please contact us.


YOUR RIGHTS

If the General Data Protection Regulation or the UK GDPR applies to you because you are in the European Union or the United Kingdom, you have rights under data protection laws in relation to your personal data:


  • The right to be informed – that's an obligation on us to inform you how we use your personal data (and that's what we're doing that in this Privacy Policy);
  • The right of access – that's a right to make what's known as a 'data subject access request' for copy of the personal data we hold about you;
  • The right to rectification – that's a right to make us correct personal data about you that may be incomplete or inaccurate;
  • The right to erasure – that's also known as the 'right to be forgotten' where in certain circumstances you can ask us to delete the personal data we have about you (unless there's an overriding legal reason we need to keep it);
  • The right to restrict processing – that's a right for you in certain circumstances to ask us to suspend processing personal data;
  • The right to data portability – that's a right for you to ask us for a copy of your personal data in a common format (for example, a .csv file);
  • The right to object – that's a right for you to object to us processing your personal data (for example, if you object to us processing your data for direct marketing); and
  • Rights in relation to automated decision making and profiling – that's a right you have for us to be transparent about any profiling we do, or any automated decision making.


For purposes of Article 27 of the GDPR, Evidencity, Inc., which is not established in the European Union, has appointed the Evidencity Privacy Team in the European Union as its EU Representative to act as its point of contact for data subjects and supervisory authorities with respect to matters relating to the processing of personal data under the GDPR. The EU Representative may be contacted at:


Evidencity Privacy Team

c/o Evidencity, Inc.

Rosselló 265, Eixample 08008

Barcelona, Spain

Email: privacy@evidencity.com


EU data subjects and EU supervisory authorities may contact the EU Representative regarding issues related to GDPR compliance. The appointment of an EU Representative does not affect Evidencity's responsibility or liability under applicable data protection laws.


California Privacy Rights (CCPA)

If you are located in California, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete personal information we have collected, the right to opt out of the sale or sharing of your personal information, the right to correct inaccurate personal information, and the right to limit our use of your personal information. To exercise CCPA rights, contact privacy@evidencity.com.


UK Data Protection Rights

If you are located in the United Kingdom, you have similar rights under the Data Protection Act 2018 and UK GDPR as described in the rights section above. Such requests should be directed to privacy@evidencity.com.


EXERCISING YOUR RIGHTS

If you wish to exercise any of the rights set out above, please contact us at privacy@evidencity.com.


You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.


We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.


We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


ACCESS STATEMENT

Pursuant to the Data Privacy Frameworks, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the Data Privacy Frameworks, should direct their query to privacy@evidencity.com. If requested to remove data, we will respond within a reasonable timeframe.


CHOICE STATEMENT

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@evidencity.com.


COMPLAINTS

In compliance with the Data Privacy Framework Principles, Evidencity commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the Data Privacy Frameworks. European Union, United Kingdom, and Swiss individuals with DPF inquiries or complaints should first contact Evidencity by email at privacy@evidencity.com. Evidencity has further committed to cooperate with the panel of European Data Protection Authorities (DPAs), the UK Information Commissioner's Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved DPF complaints concerning data transferred from the EU, UK, and Switzerland respectively.


If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the relevant authority for more information or to file a complaint:


For EU residents: Contact your local EU DPA (https://edpb.europa.eu/about-edpb/about-edpb/members_en) For UK residents: Contact the UK ICO (https://ico.org.uk/) For Swiss residents: Contact the Swiss FDPIC (https://www.edoeb.admin.ch/)


The services of EU DPAs, UK ICO, and Swiss FDPIC are provided at no cost to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.


See Data Privacy Framework Program.


QUESTIONS

If you have any questions regarding this Privacy Policy including any requests to exercise your legal rights, please contact us via email at privacy@evidencity.com.