Privacy Policy
Last updated: May 2026
EvalProf is committed to protecting your personal data. This policy explains what data we collect, why, and what your rights are. It applies to all users of the evalprof.com platform, whether individual teachers (B2C) or school representatives (B2B).
1. Data Controller
Francis Munabeno, sole trader (SIRET 897 576 112 00014), 70 rue de Chevilly, 94800 Villejuif, France, is the data controller for your personal data. For any questions, contact us via the contact form.
2. Data Collected and Purposes
Depending on your use of the platform and your consent choices, we collect the following data:
| Account data | First name, last name, email, hashed password — required to create and manage your account. |
| Language cookie (lang) | Remembers your preferred language. Legal basis: legitimate interest. |
| Consent cookie (consent) | Stores your privacy choices. Legal basis: legal obligation. |
| IP geolocation | Derived from your IP address via ipapi.co to adapt local formats. Collected only with your consent. |
| Audience data (Plausible) | Pages visited, traffic source, country — anonymous, no tracking cookie. Collected only with your consent. |
| Advertising (Meta Pixel) | Browsing events sent to Meta. Collected only with your consent. |
| Advertising (LinkedIn Insight) | Browsing events sent to LinkedIn. Collected only with your consent. |
| Payment data | Handled exclusively by Stripe. We never store card numbers. |
| Submitted files (B2B) | Digital exam papers and files submitted by students, stored on AWS S3 (Paris, eu-west-3). |
| Support attachments | Files attached to support tickets (images, PDFs), stored on AWS S3 (Paris, eu-west-3). |
| Server logs | IP address, timestamp, HTTP requests — retained 12 months for security purposes. |
3. Legal Basis
- Contract performance: account data, payments.
- Legitimate interest: language cookie, security logs.
- Legal obligation: consent cookie.
- Consent: IP geolocation, analytics, advertising.
- Public interest / B2B contract: student data processed on behalf of educational institutions.
4. Sub-processors and Third-Party Services
EvalProf uses the following providers. Each is bound by GDPR-compliant contractual data protection obligations:
| Vercel Inc. (USA) | Frontend hosting. Primary compute: Paris, France (cdg1 / eu-west-3). Policy: vercel.com/legal/privacy-policy |
| Railway Corp. (USA) | Backend API hosting. Primary compute: Amsterdam, Netherlands (EU West). Policy: railway.app/legal/privacy |
| MongoDB Atlas — MongoDB Inc. (USA) | Application database. Cluster: AWS Paris (eu-west-3). Policy: mongodb.com/legal/privacy-policy |
| Amazon Web Services (AWS, USA) | File storage for submitted work (S3 bucket evalprofupload, region Paris eu-west-3). Policy: aws.amazon.com/privacy |
| Anthropic PBC (USA) | Claude LLM API for grading assistance. This is the professional API (not the claude.ai consumer product). See AI section. Policy: anthropic.com/legal/privacy |
| Brevo SAS (France) | Transactional emails. EU-hosted data. Policy: brevo.com/legal/privacypolicy |
| Cloudflare Inc. (USA) | DNS resolution only (DNS-only mode, no HTTP proxy). Policy: cloudflare.com/privacypolicy |
| Stripe Inc. (USA) | Payment processing. Policy: stripe.com/privacy |
| ipapi.co | IP geolocation (with consent). Policy: ipapi.co/privacy |
| Plausible Analytics (EU) | Cookie-free audience measurement (with consent). Policy: plausible.io/privacy |
| Meta Platforms (USA) | Advertising pixel (with consent). Policy: facebook.com/privacy |
| LinkedIn Corp. (USA) | Insight Tag advertising (with consent). Policy: linkedin.com/legal/privacy-policy |
5. AI Processing (Anthropic Claude API)
EvalProf uses the Anthropic Claude API to assist with grading assessments. This is the professional B2B API — distinct from the claude.ai consumer product.
- Data transmitted: submission content and marking schemes. Student names are only transmitted if necessary for the grading task.
- Data never transmitted to AI: photographs, biometric data, age, health data, any sensitive data under Art. 9 GDPR.
- No training: by default, inputs and outputs sent via the Claude API are not used to train Anthropic's models, unless the Development Partner Program is opted into or data is submitted as feedback/bugs. EvalProf has not enrolled in these programmes.
- Anthropic retention: data sent via the standard API is not retained beyond immediate processing of the request. Some Anthropic features have specific retention policies, but EvalProf uses only the standard API.
- Human-in-the-loop: all AI suggestions are reviewed and validated by the teacher before being recorded. No automated decision within the meaning of Art. 22 GDPR is made without human intervention.
- Contractual safeguard: archived Anthropic DPA (anthropic.com/legal/data-processing-addendum) + SCCs for the transfer outside the EU.
6. International Transfers — EU-first Approach
EvalProf adopts an EU-first approach: primary computing and storage infrastructure is hosted within the European Union:
- Vercel frontend: Paris (cdg1, eu-west-3).
- Railway API: Amsterdam, Netherlands (EU West).
- MongoDB Atlas database: AWS Paris (eu-west-3).
- S3 file storage: AWS Paris (eu-west-3).
- Brevo emails: French company, EU servers.
- Cloudflare: DNS only, no HTTP proxy — application data does not transit through Cloudflare.
Governed transfers outside the EU may occur for secondary operations: provider technical support, infrastructure monitoring, AI processing (Anthropic, USA), payments (Stripe, USA), consent-based advertising (Meta, LinkedIn), consent-based IP geolocation (ipapi.co).
All such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework for certified providers. Full details per provider are available in the DPA (evalprof.com/dpa — Annex A).
Student data (names, grades, exam papers) never transits through advertising services (Meta, LinkedIn), analytics tools (Plausible), or ipapi.co.
7. Student Data — School Clients (B2B)
Under contracts with educational institutions, EvalProf acts as a data processor under Article 28 GDPR. The institution is the data controller for its students' data.
- Categories of data: first and last names, grades and results, submitted papers and files.
- Excluded data: no photographs, no age, no biometric data, no health data.
- Student data is never used for advertising or commercial profiling.
- A GDPR Art. 28 Data Processing Agreement (DPA) is signed with each school client before any processing.
To obtain the DPA or for questions about student data, visit evalprof.com/dpa or contact us.
8. Data Retention
- Account data: subscription duration + 3 years.
- Preference and consent cookies: 1 year.
- Server logs: 12 months.
- Payment data (Stripe): as required by applicable tax regulations.
- Submitted files / student data (B2B): per DPA terms with the institution, deleted within 30 days of contract end.
- Support attachments: retained for the duration of ticket processing, then covered by S3 Lifecycle policy (old versions auto-deleted after 30 days).
- S3 file versions: automatic deletion after 30 days (S3 Lifecycle policy configured).
9. Your Rights (GDPR)
Under the GDPR, you have the following rights: access, rectification, erasure, portability, objection, restriction of processing, and withdrawal of consent at any time.
To exercise these rights, contact us via the contact form. We will respond within 30 days. For requests relating to student data, contact your educational institution directly.
10. Complaints
If you believe your rights are not being respected, you may lodge a complaint with your local data protection authority. In France: CNIL at cnil.fr.
11. Changes
We may update this policy at any time. The date of the last update is shown at the top. For material changes, we will notify you by email.