Who We Are
This Privacy Policy is issued by Evofather (“Evofather”, “we”, “us”, or “our”). We are committed to protecting and respecting your privacy in accordance with applicable data protection laws across all jurisdictions in which we operate or where our users are located.
Evofather operates globally, serving users across the European Union, the United Kingdom, the United States, Canada, South America, the Asia-Pacific region (including Australasia and the Far East), New Zealand, Australia, China, Russia, India, Africa, and worldwide.
Scope & Global Jurisdiction
This Privacy Policy applies to all individuals (“you”, “your”, “data subject”, “user”) who interact with Evofather’s websites, mobile applications, services, or any other digital products (collectively, the “Services”), regardless of where you are located. The policy is designed to comply with the requirements of all applicable privacy laws worldwide, including but not limited to those listed below.
Data We Collect
We collect information that you voluntarily provide to us and information collected automatically when you use our Services. The categories of personal data we collect include:
3.1 Information You Provide
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | Full name, username, title, date of birth | Account creation, identity verification |
| Contact Data | Email address, phone number, postal address | Communication, service delivery |
| Account Data | Username, password (hashed), profile picture | Account management |
| Financial Data | Payment card details (tokenised), billing address | Processing payments |
| Transaction Data | Purchase history, order details | Order fulfilment, legal compliance |
| Communications | Messages, support tickets, survey responses | Customer support, quality improvement |
| Preferences | Marketing preferences, notification settings | Personalisation, compliance |
3.2 Automatically Collected Data
| Category | Examples |
|---|---|
| Device & Technical Data | IP address, browser type, operating system, device identifiers |
| Usage Data | Pages visited, click-through rates, session duration, referral URLs |
| Location Data | Approximate geographic location derived from IP address |
| Cookie Data | Session cookies, persistent cookies, analytics identifiers |
3.3 Sensitive Personal Data
We do not intentionally collect special categories of sensitive personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation) unless strictly necessary for a specific service and with your explicit prior consent, or where required or permitted by applicable law.
How We Use Your Data
We use your personal data only for legitimate, specified, and explicit purposes, including:
| Purpose | Description |
|---|---|
| Service Delivery | To provide, maintain, and improve our products and Services |
| Account Management | To create and manage your user account |
| Customer Support | To respond to enquiries, complaints, and technical support requests |
| Payments & Billing | To process transactions and manage subscriptions |
| Marketing | To send promotional communications where permitted (opt-out available) |
| Analytics & Research | To understand usage patterns and improve the Services |
| Legal Compliance | To comply with applicable laws, regulations, and court orders |
| Fraud Prevention | To detect, prevent, and investigate fraud, security breaches, and illegal activity |
| Personalisation | To tailor content and recommendations to your preferences |
Legal Basis for Processing
Where required by law (particularly under GDPR and equivalent frameworks), we rely on one or more of the following legal bases for processing your personal data:
| Legal Basis | When We Rely On It |
|---|---|
| Consent | Where you have given clear, freely given, specific, and informed consent (e.g., marketing communications, non-essential cookies) |
| Contractual Necessity | Where processing is necessary to fulfil a contract with you (e.g., providing the Services you signed up for) |
| Legal Obligation | Where we must process your data to comply with a legal or regulatory obligation |
| Legitimate Interests | Where we have a legitimate business interest that is not overridden by your rights (e.g., fraud detection, improving Services) |
| Vital Interests | Where processing is necessary to protect someone’s life |
| Public Task | Where processing is necessary for a task in the public interest |
International Data Transfers
Evofather operates globally. Your personal data may be transferred to, stored, and processed in countries other than your country of residence. Such transfers occur where necessary for the performance of our Services or for legitimate business purposes.
Where we transfer personal data to countries outside the European Economic Area (EEA), the United Kingdom, or other jurisdictions with adequate data protection laws, we ensure appropriate safeguards are in place, including:
| Safeguard Mechanism | Applicability |
|---|---|
| EU Standard Contractual Clauses (SCCs) | Transfers from EU/EEA to third countries |
| UK International Data Transfer Agreements (IDTAs) | Transfers from the United Kingdom |
| Adequacy Decisions | Transfers to countries recognised as adequate by the European Commission |
| Binding Corporate Rules (BCRs) | Intra-group transfers within Evofather entities |
| Explicit Consent | Where no other mechanism applies, and you have provided explicit consent |
| APEC Cross-Border Privacy Rules | Transfers within Asia-Pacific APEC member economies |
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The criteria used to determine our retention periods include:
| Data Type | Typical Retention Period |
|---|---|
| Account Data | Duration of account plus 3 years after closure |
| Transaction & Financial Records | 7 years (legal/tax compliance) |
| Marketing Preferences | Until opt-out or 3 years of inactivity |
| Support Communications | 3 years after resolution |
| Usage & Analytics Data | 26 months (aggregated/anonymised thereafter) |
| Legal Hold Data | Duration of proceedings or as required by law |
When data is no longer required, we securely delete or anonymise it in accordance with applicable regulations.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. We honour all applicable rights regardless of where you are located:
| Right | Description |
|---|---|
| Right of Access | Request a copy of the personal data we hold about you |
| Right to Rectification | Request correction of inaccurate or incomplete data |
| Right to Erasure | Request deletion of your personal data (“right to be forgotten”) where legally applicable |
| Right to Restriction | Request that we restrict the processing of your data in certain circumstances |
| Right to Portability | Receive your data in a structured, machine-readable format and transfer it to another controller |
| Right to Object | Object to processing based on legitimate interests or for direct marketing purposes |
| Right to Withdraw Consent | Withdraw consent at any time without affecting prior lawful processing |
| Right to Non-Discrimination | You will not be discriminated against for exercising your privacy rights (applicable in the USA/California) |
| Right to Lodge a Complaint | Lodge a complaint with your local data protection supervisory authority |
| Right to Opt-Out of Sale | Opt out of the sale or sharing of your personal data (applicable under CCPA) |
| Right Against Automated Decisions | Not be subject to solely automated processing that produces significant legal effects |
To exercise any of these rights, please contact us at simon@evofather.com or call +27 63 921 6078. We will respond within the legally required timeframe (typically 30 days or less).
European Union — GDPR
For users located in the European Union (including all 27 member states) and the European Economic Area (Norway, Iceland, Liechtenstein), this section applies in addition to all other sections of this Privacy Policy.
We comply with Regulation (EU) 2016/679 (the General Data Protection Regulation — GDPR) and applicable national implementing legislation. Our processing activities are subject to the oversight of the relevant national Data Protection Authority (DPA) in your country of residence.
EU Data Protection Authorities
You have the right to lodge a complaint with your national DPA. A list of all EU DPAs is available at: European Data Protection Board — Member Authorities.
United Kingdom — UK GDPR & DPA 2018
For users located in the United Kingdom, we comply with the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018.
The supervisory authority in the United Kingdom is the Information Commissioner’s Office (ICO). You have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.
United States of America
We comply with applicable US federal and state privacy laws, including:
| Law / Regulation | Jurisdiction | Key Rights |
|---|---|---|
| CCPA / CPRA | California | Know, Delete, Opt-Out of Sale, Non-Discrimination, Correct, Limit Sensitive Data |
| VCDPA | Virginia | Access, Deletion, Portability, Opt-Out, Correction |
| CPA | Colorado | Access, Deletion, Portability, Opt-Out |
| CTDPA | Connecticut | Access, Deletion, Portability, Opt-Out |
| MCDPA | Montana | Access, Deletion, Portability |
| TIPA | Texas | Access, Deletion, Portability, Opt-Out |
| FTC Act (§ 5) | Federal | Prohibition on unfair or deceptive practices |
| COPPA | Federal | Children’s Online Privacy Protection (under 13) |
| HIPAA | Federal | Health information, where applicable |
| CAN-SPAM Act | Federal | Commercial email requirements |
Canada — PIPEDA & Provincial Laws
For Canadian residents, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), and applicable provincial laws, including Alberta’s Personal Information Protection Act (PIPA), British Columbia’s PIPA, and Quebec’s Act respecting the protection of personal information in the private sector (Law 25 / Law 64).
Under PIPEDA, you have the right to access personal information we hold about you and to challenge its accuracy. You may also withdraw consent at any time, subject to legal and contractual restrictions. Complaints may be directed to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
We comply with CASL (Canada’s Anti-Spam Legislation) for all commercial electronic messages sent to Canadian recipients.
Australia & New Zealand
Australia
We comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Complaints may be directed to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. Residents of New South Wales, Victoria, Queensland, and other states may also have additional rights under relevant state or territory legislation.
New Zealand
We comply with the Privacy Act 2020 and the 13 Information Privacy Principles (IPPs). Complaints may be directed to the Office of the Privacy Commissioner (OPC) of New Zealand at privacy.org.nz.
Asia Pacific — Far East & ASEAN
| Country / Region | Applicable Law | Supervisory Authority |
|---|---|---|
| Japan | Act on Protection of Personal Information (APPI) | Personal Information Protection Commission (PPC) |
| South Korea | Personal Information Protection Act (PIPA) | Personal Information Protection Commission (PIPC) |
| Singapore | Personal Data Protection Act 2012 (PDPA) | Personal Data Protection Commission (PDPC) |
| Thailand | Personal Data Protection Act B.E. 2562 (PDPA) | Office of the Personal Data Protection Committee |
| Malaysia | Personal Data Protection Act 2010 (PDPA) | Department of Personal Data Protection |
| Philippines | Data Privacy Act of 2012 (R.A. 10173) | National Privacy Commission (NPC) |
| Indonesia | Personal Data Protection Law (PDP Law 2022) | Ministry of Communication and Information Technology |
| Vietnam | Decree 13/2023/ND-CP on Personal Data Protection | Ministry of Public Security |
| Taiwan | Personal Data Protection Act (PDPA) | National Development Council |
| Hong Kong | Personal Data (Privacy) Ordinance (PDPO) | Office of the Privacy Commissioner for Personal Data |
We comply with all applicable laws in the above jurisdictions and honour requests made pursuant to those laws.
South America
| Country | Applicable Law | Key Features |
|---|---|---|
| Brazil | Lei Geral de Proteção de Dados (LGPD) — Law 13.709/2018 | GDPR-inspired framework; ANPD supervisory authority |
| Argentina | Law No. 25.326 (PDPL) — Personal Data Protection Law | Habeas data constitutional right; AAIP supervisory authority |
| Colombia | Law 1581 of 2012; Decree 1377 of 2013 | SIC supervisory authority; habeas data rights |
| Chile | Law No. 19.628 (and Bill to Modernise) | Habeas data; comprehensive reform underway |
| Mexico | Ley Federal de Protección de Datos Personales (LFPDPPP) | INAI supervisory authority; ARCO rights |
| Uruguay | Law No. 18.331 — PDPL | EU adequacy status; URCDP supervisory authority |
| Peru | Law No. 29733 — Personal Data Protection Law | ANPD supervisory authority |
| Ecuador | Organic Law on Personal Data Protection (LOPDP) | SNAI supervisory authority |
| Venezuela, Bolivia, Paraguay, Guyana, Suriname, Trinidad & Tobago | Constitutional habeas data rights and applicable national frameworks | Rights honoured in accordance with applicable national provisions |
Africa
| Country / Region | Applicable Law | Supervisory Authority |
|---|---|---|
| South Africa | Protection of Personal Information Act (POPIA) — Act 4 of 2013 | Information Regulator (South Africa) |
| Nigeria | Nigeria Data Protection Act 2023 (NDPA); NDPR 2019 | Nigeria Data Protection Commission (NDPC) |
| Kenya | Data Protection Act 2019 | Office of the Data Protection Commissioner (ODPC) |
| Ghana | Data Protection Act 2012 (Act 843) | Data Protection Commission |
| Egypt | Personal Data Protection Law No. 151 of 2020 | Personal Data Protection Centre |
| Morocco | Law No. 09-08 on Personal Data Protection | Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP) |
| Tunisia | Organic Law No. 63 of 2004 | Instance Nationale de Protection des Données Personnelles (INPDP) |
| Mauritius | Data Protection Act 2017 | Data Protection Office |
| Rwanda | Law No. 058/2021 on Protection of Personal Data and Privacy | Rwanda Utilities Regulatory Authority (RURA) |
| All Other African Nations | AU Data Policy Framework; constitutional privacy rights | Relevant national authority, where applicable |
We comply with the African Union’s Data Policy Framework and the applicable national laws across all 54 African countries. Where dedicated data protection legislation is not yet enacted in a specific African jurisdiction, we apply POPIA-equivalent standards as a baseline.
Russia & China
Russian Federation
We comply with Federal Law No. 152-FZ “On Personal Data” (as amended). Personal data of Russian citizens is stored on servers located in the Russian Federation or processed in accordance with applicable data localisation requirements. The supervisory authority is Roskomnadzor (Federal Service for Supervision of Communications, Information Technology, and Mass Media).
People’s Republic of China
For users located in the People’s Republic of China, we comply with the Personal Information Protection Law (PIPL, effective November 2021), the Data Security Law (DSL, effective September 2021), and the Cybersecurity Law (CSL, effective June 2017). Cross-border transfers of personal information are subject to required security assessments or standard contract approval by the Cyberspace Administration of China (CAC). The supervisory authority is the Cyberspace Administration of China (CAC).
India — DPDPA 2023
For users located in India, we comply with the Digital Personal Data Protection Act, 2023 (DPDPA) and the Information Technology Act, 2000 (as amended), including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Under DPDPA, you have the right to access information about your personal data, the right to correction and erasure, the right to grievance redressal, and the right to nominate a representative. The supervisory authority will be the Data Protection Board of India (pending full establishment). You may raise grievances through our contact channels listed in Section 24.
Children’s Privacy
Our Services are not directed at children under the age of 13 (or such higher age as required by applicable law in your jurisdiction — 16 in the EU under GDPR, 13 in the USA under COPPA, and 18 in some other jurisdictions).
We do not knowingly collect personal data from children below the applicable minimum age without verifiable parental consent. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe we may have collected information from or about a child, please contact us at simon@evofather.com.
Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include, but are not limited to: encryption in transit (TLS/SSL) and at rest, access controls and authentication, regular security audits and penetration testing, employee training and confidentiality obligations, and incident response and breach notification procedures.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (typically 72 hours under GDPR).
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (where we have your email address) or by posting a prominent notice on our website, and update the “Last Updated” date at the top of this policy.
We encourage you to review this Privacy Policy periodically. Your continued use of our Services after changes become effective constitutes your acceptance of the updated policy, to the extent permitted by applicable law.
Contact Us & Supervisory Authority
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing activities, please contact us using the details below. We are committed to resolving your concerns promptly and fairly.
Evofather — Data Privacy Contact
Email: simon@evofather.com
WhatsApp: +27 63 921 6078
We aim to respond to all privacy-related requests within 30 days (or within the shorter period required by applicable law). If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in your jurisdiction.
Related Legal Documents
This Privacy Policy should be read in conjunction with our Terms & Conditions and our Disclaimer.
