🇬🇧 PRIVACY POLICY — EVO REVIEW LAB

Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 ("Italian Privacy Code").

Version: 1.0

Last update: 20 May 2026

1. Data Controller

The Data Controller of personal data is:

URBANI FRANCESCO

Individual (natural person)

Italian Tax Code (Codice Fiscale): RBNFNC78S27C415H

Address: ROSIGNANO M.mo, Via Oglio n8 57016 (LI) ITALY

Email for privacy requests: privacy@ev-maximizer.com

General contact email: hello@ev-maximizer.com

2. Categories of Data Processed

EVO Review Lab collects the following categories of personal data:

Data voluntarily provided by the user:

  • Email address (during waitlist signup)
  • Any additional data communicated in the subject and body of emails sent to the contact addresses above

Data automatically collected:

  • IP address in pseudonymized form via cryptographic hash, for anti-spam and aggregate analytics purposes
  • Technical navigation data required for service operation (user agent, request timestamp)
  • Cloudflare Turnstile verification token, exclusively for anti-bot protection of the waitlist form

EVO Review Lab does not collect profiling cookies, third-party advertising cookies, or cross-site identifiers.

3. Purposes of Processing and Legal Basis

| Purpose | Legal Basis | GDPR Reference |
|---|---|---|
| Waitlist signup and notification of service launch | Explicit consent of the data subject | Art. 6(1)(a) |
| Weekly newsletter (if selected at signup) | Explicit consent of the data subject | Art. 6(1)(a) |
| Anti-spam and anti-abuse protection (Cloudflare Turnstile, IP hash) | Legitimate interest of the Controller in service security | Art. 6(1)(f) |
| Compliance with legal obligations (e.g., responding to rights requests) | Legal obligation | Art. 6(1)(c) |

Consents are freely revocable at any time by writing to privacy@ev-maximizer.com or via the unsubscribe link in every email sent.

4. Processing Methods

Processing is carried out using electronic tools, in compliance with the technical and organizational security measures provided by Articles 25 and 32 GDPR (privacy by design and by default). Data is protected against unauthorized access via encryption in transit (TLS 1.2+) and server-side database encryption at rest.

5. Recipients of Data and External Data Processors

Personal data may be communicated to the following data processors, appointed pursuant to Article 28 GDPR:

  • Supabase Inc. — database and backend. Legal seat: 970 Toa Payoh North, Delaware, USA. Regional office: Singapore. Application servers configured in the European Union (region eu-west-1)
  • Vercel Inc. — frontend hosting and edge network. Legal seat: 340 S Lemon Ave #4133, Walnut, CA 91789, USA
  • Cloudflare Inc. — CDN, security, Turnstile anti-bot. Legal seat: 101 Townsend St, San Francisco, CA 94107, USA
  • Aruba S.p.A. — email service. Legal seat: Via San Clemente 53, 24036 Ponte San Pietro (BG), Italy

Data is not communicated to third parties for marketing purposes and is not subject to sale, exchange, or transfer to commercial entities.

6. Transfers of Data Outside the European Union

Some external processors (Vercel Inc., Cloudflare Inc., Supabase Inc.) are based in the United States. The extra-EU transfer of personal data is regulated by Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Implementing Decision 2021/914, supplemented by additional measures where applicable (end-to-end encryption, pseudonymization).

The user may request a copy of the guarantees activated by writing to privacy@ev-maximizer.com.

7. Data Retention Period

| Data category | Retention period |
|---|---|
| Waitlist email | Until consent revocation, or maximum 36 months from last interaction |
| Newsletter email | Until unsubscribe, or maximum 24 months from last opening |
| IP hash (anti-spam) | 90 days from collection |
| Technical service logs | 30 days from generation |
| Email communications received | For the time necessary to handle the request + 12 months |

Upon expiration of the above terms, data will be deleted or made irreversibly anonymous.

8. Rights of the Data Subject

Under Articles 15-22 GDPR, the data subject has the right to:

  • Access (Art. 15): obtain confirmation of processing and a copy of the data
  • Rectification (Art. 16): correct inaccurate data or complete incomplete data
  • Erasure (Art. 17): obtain deletion of data in the cases provided ("right to be forgotten")
  • Restriction (Art. 18): request temporary blocking of processing
  • Portability (Art. 20): receive data in a structured, machine-readable format
  • Objection (Art. 21): object to processing based on legitimate interest
  • Withdrawal of consent (Art. 7(3)): withdraw consents at any time, without prejudice to the lawfulness of prior processing

9. How to Exercise Rights

Rights requests must be addressed to privacy@ev-maximizer.com.

The Controller will respond within 30 days of receipt, extendable by a further 60 days in case of particular complexity of the request, pursuant to Art. 12 GDPR.

10. Right to Lodge a Complaint with the Supervisory Authority

The data subject has the right to lodge a complaint with the Italian Data Protection Authority — Garante per la Protezione dei Dati Personali (Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it) if they believe that the processing of their data violates the GDPR or applicable Italian law.

11. Cookies and Similar Technologies

The EVO Review Lab website exclusively uses:

  • Technical session cookies: necessary for the operation of the waitlist form (duration: browser close). They do not require consent under Article 122 of the Italian Privacy Code
  • Cloudflare Turnstile: privacy-friendly anti-bot verification mechanism that, unlike other CAPTCHA solutions, does not use persistent or tracking cookies. It may temporarily store a verification token in the user's browser for the duration of the form submission session only. Compliant with the Italian Authority Guidelines of June 10, 2021

The site does not use profiling cookies, third-party analytics cookies (e.g., Google Analytics), or advertising cookies. For this reason, no consent cookie banner is displayed, in compliance with the Authority Guidelines.

12. Minimum Age and Processing of Minors' Data

The EVO Review Lab service is reserved for adults (18 years of age or older). The Controller does not knowingly collect personal data of minors under 18 years of age. Waitlist signup constitutes an implicit declaration of legal age.

Should the Controller become aware of processing of a minor's data, immediate deletion will be performed. Parents or legal guardians who believe their minor child has provided personal data to the service may request its deletion by writing to privacy@ev-maximizer.com.

13. Future Processing: Paid Services

Supplementary terms regarding the processing of personal data required for the activation of EVO Base, EVO Pro, and Token Review plans (in particular hand histories and payment data) will be published with at least 30 days' notice prior to the activation of the commercial service, and will become effective only after explicit user acceptance.

It is anticipated that the processing of hand histories will be governed by:

  • Legal basis: contract performance (Art. 6(1)(b) GDPR)
  • Pseudonymization: automatic removal of identifying nicknames before long-term archiving
  • Dedicated retention: automatic deletion 90 days after review delivery, unless the user explicitly requests retention for subsequent comparative reviews
  • Dedicated sub-processors: use of PokerTracker 4 in local worker mode (not cloud) for technical normalization of gameplay data

14. Data Protection Officer (DPO) and Automated Decision-Making

The Controller, as a natural person and considering the nature and scope of the processing carried out in the current phase of the service, is not subject to the obligation to appoint a Data Protection Officer (DPO) pursuant to Article 37 GDPR.

The Controller further declares that, in the currently active waitlist phase, no automated decision-making or profiling activities are carried out within the meaning of Article 22 GDPR. Any automated decision-making related to future paid services (e.g., automatic analysis of hand histories by the EVO AI system) will be subject to specific notice at the time of activation of the relevant plan, with explicit indication of the operating logic and the rights of the data subject.

15. Prevailing Language and Changes

This Privacy Policy is drafted in Italian and English. In case of interpretative discrepancy between the two versions, the Italian version shall prevail, as the Controller has its registered seat in Italy and is subject to Italian and European jurisdiction.

The Controller reserves the right to modify this privacy policy to adapt it to regulatory developments or service changes. Changes will be communicated by email to waitlist-registered users at least 14 days before they become effective, except for purely formal changes or changes of immediate application required by law.