Privacy Policy

Effective date: May 23, 2026
Last updated: May 23, 2026

1. Who We Are and What This Policy Covers

This Privacy Policy describes how Evidence Analyzer, LLC, a Texas limited liability company (“Evidence Analyzer,” “we,” “us,” or “our”), collects, uses, shares, and protects information when you use Evidentix™, our digital evidence authentication platform available at evidenceanalyzer.com (the “Service”).

This Policy applies to information we collect:

when you create an account, sign in, or otherwise interact with the Service;
when you upload digital evidence files, create cases, or generate reports through the Service;
when you purchase a subscription, one-time report, or other product offered through the Service;
when you communicate with us by email or other means; and
through cookies and similar technologies used on our website, subject to your consent where required.

This Policy does not apply to information collected by third parties that operate their own services, even where those services are integrated with or linked from the Service. Those third parties’ privacy practices are governed by their own policies. We identify the principal third parties we work with in Section 4 (How We Share Information).

Contact. Questions about this Policy or our privacy practices may be directed to:

Evidence Analyzer, LLC
2001 Timberloch Place, Suite 500
The Woodlands, TX 77380
admin@evidenceanalyzer.com

2. Information We Collect

We collect information in the following categories.

2.1 Account Information

When you register for an account, we collect:

your email address;
a password, which we store only as a salted cryptographic hash (we never store your password in plain text);
your full name;
the name of your firm or organization; and
your country of residence.

Once you verify your email address, we record the date and time of verification. Until you verify, your account is created but limited in functionality.

2.2 Case and Evidence Data

When you use the Service to authenticate digital evidence, you may upload files (images, documents, video, audio) and associate them with cases you create. For each file you upload, we collect and store:

the file itself, stored in encrypted form on Amazon Web Services S3 (region: US West);
a SHA-256 cryptographic hash of the file’s contents;
a perceptual hash (“pHash”) of image files, used for similarity detection;
file metadata extracted from the file, including EXIF data, embedded GPS coordinates (if present), and creation/modification timestamps;
the case identifier and case name you supply;
any description you supply for the case; and
timestamps for each upload, modification, and access event.

If you specifically opt in to web-source detection for a given image, we transmit the image to Google Cloud Vision for analysis and store the response.

2.3 Chain-of-Custody Log

The Service maintains an automatic, cryptographically chained audit log of actions taken on the platform. Each log entry records:

the action taken (including file upload, file access, certificate generation, deletion, and similar);
the user account associated with the action and that user’s email address;
the case identifier and, where applicable, the evidence identifier;
a free-text detail field describing the action, which may include file names and error messages;
the IP address from which the action was taken;
a cryptographic hash chaining the entry to the prior entry; and
a timestamp.

Because the log is cryptographically chained, log entries cannot be modified or deleted without breaking the chain. We retain this log indefinitely for the integrity of the evidentiary record. See Section 6 (Data Retention).

2.4 Payment Information

When you purchase a subscription or one-time product, payment is processed by Stripe, Inc. We do not collect, store, or have access to your full payment card number or card security code. Stripe collects and processes that information directly under its own privacy policy. We do receive and store the following payment metadata from Stripe:

the Stripe customer identifier;
the Stripe checkout session identifier and event identifier;
the email address associated with the payment (which may differ from your account email);
the amount, currency, and product purchased;
for subscriptions, the subscription identifier and current status; and
a record of each successful or refunded transaction.

2.5 Authentication and Session Information

When you sign in, we issue a session cookie (an “access token”) that allows you to remain signed in across requests. The cookie is marked HttpOnly, Secure, and SameSite=Lax, and expires eight hours after sign-in.

2.6 Communications

If you contact us by email, we receive your email address, the contents of your message, and any attachments you choose to send.

2.7 Information Collected Automatically

When you access the Service, our servers and hosting providers automatically record standard log data including IP address, browser type, referring page, pages requested, and timestamps. This information is used for security, debugging, and basic analytics, and is described further in Section 5 (Cookies and Tracking).

3. How We Use Information

We use the information described in Section 2 for the following purposes. Where applicable, we identify the lawful basis for processing under the European Union General Data Protection Regulation (GDPR) and analogous frameworks.

3.1 To Provide the Service

We use your account information, case and evidence data, and authentication information to create and maintain your account, allow you to sign in, store and process the files you upload, generate the cryptographic hashes and reports the Service exists to produce, and make those reports available to you. We use the country of residence you provide at registration both to determine which privacy and consumer-protection laws apply to your use of the Service and to set defaults in payment-processing workflows where useful. Lawful basis: performance of a contract (GDPR Article 6(1)(b)); legal obligation (Article 6(1)(c)) for the purpose of identifying applicable law; legitimate interest (Article 6(1)(f)) for the purpose of setting payment defaults.

3.2 To Maintain the Chain-of-Custody Log

We use case and evidence data, account information, and IP address information to create and maintain the cryptographically chained audit log described in Section 2.3. This log exists to support the evidentiary admissibility of materials processed through the Service, including under Federal Rule of Evidence 901 and analogous authentication standards in other jurisdictions. Lawful basis: legitimate interest (GDPR Article 6(1)(f)) in maintaining evidentiary integrity; and, for users in the United States, our and our users’ legal obligations regarding evidence authentication.

3.3 To Process Payments

We use payment metadata received from Stripe to confirm payment, fulfill orders, manage subscriptions, and maintain transaction records for accounting and tax purposes. Lawful basis: performance of a contract (Article 6(1)(b)); legal obligation for retention of tax records (Article 6(1)(c)).

3.4 To Communicate With You

We use your email address and, where applicable, the contents of your communications with us to respond to inquiries, send account-related notices (including email verification, password reset, and similar transactional messages), and, for users who subscribe to our Custody Monitoring product, send the alert emails that product is designed to deliver. Lawful basis: performance of a contract (Article 6(1)(b)) for transactional and product-feature emails; legitimate interest (Article 6(1)(f)) for responses to inquiries.

3.5 To Perform Optional Web-Source Detection

If you specifically opt in to web-source detection for a given image, we use the image bytes to query the Google Cloud Vision API and store the response. We do not transmit images to Google Cloud Vision without your opt-in for that image. Lawful basis: consent (Article 6(1)(a)). You may withdraw consent at any time by not opting in to the feature for future files; images already submitted will have already been transmitted at the moment of opt-in.

3.6 To Secure the Service

We use IP addresses, custody-log entries, and standard server logs to detect, investigate, and prevent unauthorized access, fraud, abuse, and other security incidents, and to maintain the integrity of the Service. Lawful basis: legitimate interest (Article 6(1)(f)).

3.7 To Improve the Service

We use aggregated, de-identified usage information to understand how the Service is used, diagnose errors, and improve features. We do not currently use the contents of evidence files you upload to train machine-learning models. If this practice changes in the future, we will update this Policy and provide notice to affected users before any such use begins. Lawful basis: legitimate interest (Article 6(1)(f)).

3.8 To Comply With Legal Obligations

We may use any information described in Section 2 to comply with applicable law, respond to lawful process (including subpoenas and court orders, subject to the procedures described in our Subpoena Policy), enforce our Terms of Use, and protect our rights and the rights of others. Lawful basis: legal obligation (Article 6(1)(c)); legitimate interest (Article 6(1)(f)).

3.9 Conversion Tracking

Upon successful purchase, we use a conversion-tracking pixel (Google Ads) to record the completed transaction for marketing-attribution purposes. This is described in Section 5 (Cookies and Tracking). Lawful basis: consent (Article 6(1)(a)).

No automated decision-making with legal effect

We do not use your information to make automated decisions that produce legal effects concerning you or similarly significantly affect you, within the meaning of GDPR Article 22.

No sale of personal information

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act.

4. How We Share Information

We do not sell your personal information. We share information only as described below.

4.1 Service Providers

We rely on a small set of third-party service providers to operate the Service. Each is subject to a contract requiring it to process information only on our instructions and to maintain appropriate security. The principal service providers are:

Provider	Purpose	Information Shared	Location
Amazon Web Services, Inc.	File storage (Amazon S3)	Evidence files, generated reports, and certificate PDFs	United States (US West region)
Stripe, Inc.	Payment processing	Information you submit through the Stripe checkout interface, including payment card information (which we do not see), and the email address and amount associated with the transaction	United States
Resend, Inc.	Transactional and alert email delivery, including Custody Monitoring alerts	Recipient email address, case identifier, case name, file name, evidence identifier, SHA-256 hash, uploading user’s email, and event timestamp	United States
Google LLC (Google Cloud Vision)	Optional, opt-in web-source detection for images	The image bytes you specifically authorize for analysis	United States
Google LLC (Google Ads)	Conversion tracking on purchase completion (subject to consent)	The fact that a purchase occurred and the Stripe session identifier of that purchase	United States

In addition to the providers listed above, we use commercial cloud-hosting providers to host our application servers and databases. These providers have access to information described in Section 2 in the course of providing hosting services, but do not use that information for their own purposes.

Each provider processes information under its own privacy policy and security practices. Links to those policies are available on request.

4.2 Professional Advisors

We may share information with our attorneys, accountants, auditors, and insurers when reasonably necessary to obtain advice, defend legal claims, or comply with professional obligations. These advisors are bound by professional duties of confidentiality.

4.3 Legal Process

We may disclose information when we believe in good faith that disclosure is required by law, regulation, court order, subpoena, or other legal process; necessary to protect the rights, property, or safety of Evidence Analyzer, our users, or others; or appropriate to investigate fraud, security incidents, or violations of our Terms of Use. Our procedures for responding to subpoenas and other legal process are described in our Subpoena Policy.

4.4 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, information described in this Policy may be transferred or disclosed as part of that transaction. Any successor entity may adopt its own privacy practices with respect to the transferred information, and we will provide notice of any material change before the change takes effect.

4.5 With Your Direction

We may share information when you specifically direct us to do so — for example, by sharing a report you generated through the Service with a third party.

4.6 No Other Sharing

We do not share your personal information with any third party except as described in this Section 4.

5. Cookies and Tracking

The Evidentix platform sets a small number of cookies to operate. None of them are used for advertising or tracking across other websites except as described below.

Cookies we always set: A session cookie (named access_token) records that you are logged in. It is HttpOnly, Secure, and expires when your session ends or you log out. A consent cookie (named cookie_consent) records your choice about analytics cookies. It is set when you make a choice and persists for twelve months unless you change it.

Analytics cookies (conditional): On the checkout-success page only, and only if you have accepted analytics cookies, we load Google’s gtag.js script to record that an advertising click resulted in a purchase. This allows us to measure the effectiveness of advertising spend. No analytics cookies are set on any other page of the Service, and none are set if you decline or if your browser sends a Global Privacy Control signal as described below.

Global Privacy Control: If your browser sends a Sec-GPC: 1 header, we treat that as a declined preference for analytics cookies, consistent with California Consumer Privacy Act enforcement guidance. If you later affirmatively accept analytics cookies through the Service, your explicit choice supersedes the GPC signal.

Changing your preference: You may view or change your cookie preference at any time at /cookie-preferences. You may also clear cookies through your browser’s settings, which will reset both the session cookie (logging you out) and the consent cookie (returning your state to undecided).

Do Not Track. The Service does not currently respond to Do Not Track browser signals, because there is no consistent industry standard for how to interpret them. The Service does honor Global Privacy Control signals as described above where required by applicable law.

6. Data Retention

We retain information for the periods described below.

6.1 Account Information and Case Data

We retain your account information and the case and evidence data you upload for as long as your account remains active. We do not automatically delete inactive accounts. If you wish to delete your account or any case or evidence file you have uploaded, you may do so as described in Section 7 (Your Rights) or by contacting us at admin@evidenceanalyzer.com.

6.2 Chain-of-Custody Log

Because the chain-of-custody log described in Section 2.3 is cryptographically chained, removing individual entries would invalidate the integrity of the entire log. We therefore retain custody-log entries indefinitely, even after the corresponding case or evidence file is deleted, to preserve the evidentiary integrity of the record. Custody-log entries associated with a deleted case retain only the identifiers and metadata necessary to maintain the chain; the underlying evidence files are removed at the time of deletion.

6.3 Payment Records

We retain payment metadata (Section 2.4) for at least seven years following the transaction date, as required by applicable tax and recordkeeping laws.

6.4 Communications

We retain communications you send to us for as long as reasonably necessary to respond to and resolve your inquiry, and thereafter for a reasonable period to maintain a record of the communication.

6.5 Server Logs

Standard server logs (Section 2.7) are retained for a limited period determined by our hosting provider’s standard log-retention practices, after which they are deleted automatically.

6.6 Deletion Mechanics

When you delete a case or an individual evidence file, we remove (a) the corresponding database records, (b) the associated files from our file-storage provider, and (c) the related fingerprint index entries. The action of deletion is itself recorded in the chain-of-custody log to preserve evidentiary integrity. We do not maintain backup copies of deleted files outside of standard provider-level backup-retention windows, which expire on a rolling basis.

7. Your Rights

You have rights with respect to the information we hold about you. The specific rights available to you depend on the law of the jurisdiction in which you reside. The rights described in this Section may be exercised by contacting us at admin@evidenceanalyzer.com or, where available, by using the controls in your account.

7.1 Rights Available to All Users

Regardless of where you reside, you may:

Access: request a copy of the personal information we hold about you;
Correct: request that we correct inaccurate or incomplete personal information;
Delete: request that we delete your account and the personal information associated with it, subject to the limitations described in Section 7.4;
Export: request a portable copy of information you have provided to us, in a commonly used format; and
Withdraw consent: withdraw any consent you have previously given (for example, for web-source detection or for analytics and advertising cookies), without affecting the lawfulness of processing carried out before withdrawal.

7.2 Additional Rights for California Residents

If you are a California resident, the California Consumer Privacy Act (“CCPA”) gives you additional rights, including:

the right to know the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purposes for collecting it, and the categories of third parties with whom we share it;
the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising (we do not sell or share your personal information in this manner, but you may submit a request to confirm this);
the right to limit the use of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right);
the right not to be discriminated against for exercising any of your rights under the CCPA; and
the right to designate an authorized agent to exercise these rights on your behalf.

7.2A Additional Rights for Residents of Texas, Virginia, Colorado, Connecticut, and Utah

If you reside in Texas, Virginia, Colorado, Connecticut, or Utah, the Texas Data Privacy and Security Act (“TDPSA”), Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CTDPA”), or Utah Consumer Privacy Act (“UCPA”), as applicable, gives you the following rights:

the right to confirm whether we are processing your personal data and to access that data;
the right to correct inaccuracies in your personal data;
the right to delete personal data we have collected from you or about you;
the right to obtain a portable copy of personal data you previously provided to us;
the right to opt out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in any of these activities, but you may submit a request to confirm this);
the right to appeal a decision we make in response to a rights request; and
the right not to be discriminated against for exercising any of these rights.

To submit an appeal, email admin@evidenceanalyzer.com with the subject line “Privacy Rights Appeal.” We will respond to your appeal within sixty days. If we deny your appeal, we will provide you with information about how to contact the attorney general or equivalent regulator in your state.

7.3 Additional Rights for Residents of the European Economic Area, the United Kingdom, and Switzerland

If you reside in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation and analogous laws give you additional rights, including:

the right to object to processing based on legitimate interests;
the right to restrict processing in certain circumstances;
the right to lodge a complaint with your local data protection authority; and
the rights described in GDPR Articles 15–22 generally.

The legal basis on which we rely for each processing activity is described in Section 3 (How We Use Information).

7.4 Limits on Deletion

When you exercise the right to delete, we will delete the personal information we hold about you, subject to the following limits:

Chain-of-custody log entries that document actions taken on the platform will not be removed from the cryptographically chained audit log, because doing so would invalidate the integrity of the log. After deletion of your account, custody-log entries that referenced you will be retained in a form that preserves the chain but does not associate the entries with personal information beyond what is necessary for that purpose.
Payment and transaction records will be retained for the period required by applicable tax and recordkeeping laws (see Section 6.3).
Information we are required to retain to comply with legal obligations, exercise or defend legal claims, or maintain the security of the Service will be retained as necessary for those purposes.

7.5 How to Exercise Your Rights

To exercise any of the rights described in this Section, email admin@evidenceanalyzer.com from the email address associated with your account. We may ask for additional information to verify your identity before fulfilling the request, particularly for requests to delete or export data. We will respond to verifiable requests within forty-five days, or such shorter period as may be required by applicable law. If we need additional time, we will tell you why and when to expect a response.

7.6 No Discrimination

We will not deny service, charge a different price, or provide a different level of quality to you because you exercised any right described in this Section.

7.7 Authorized Agents

You may designate an authorized agent to make a request on your behalf. To do so, the agent must provide written authorization signed by you, and we may ask you to verify your identity directly with us before processing the request.

8. Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect the information we hold against unauthorized access, disclosure, alteration, and destruction. These safeguards include:

transport-layer encryption (HTTPS/TLS) for all communications between your browser and the Service;
at-rest encryption of evidence files stored with our file-storage provider;
storage of account passwords only as salted cryptographic hashes;
session cookies marked HttpOnly, Secure, and SameSite=Lax, with limited session lifetimes;
restricted administrative access to production systems on a least-privilege basis; and
maintenance of the cryptographically chained chain-of-custody log described in Section 2.3, which is itself a security control against undetected alteration of evidentiary records.

No system is perfectly secure, and we cannot guarantee that information will never be subject to unauthorized access or disclosure. If we become aware of a security incident affecting your personal information, we will notify you and the appropriate authorities as required by applicable law.

9. International Users

The Service is operated from the United States, and our service providers identified in Section 4 are located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States. The laws of the United States may differ from those of your country of residence, and may not provide the same level of protection.

For transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards under the GDPR and analogous laws, including, where applicable, the European Commission’s Standard Contractual Clauses and the data transfer addenda incorporated into our contracts with service providers.

By using the Service, you understand that your information will be processed in the United States as described in this Policy.

10. Children’s Privacy

The Service is not directed to children under sixteen, and we do not knowingly collect personal information from anyone under sixteen. If you are under sixteen, do not use the Service or provide any information to us. If we learn that we have collected personal information from a person under sixteen, we will delete that information promptly. If you believe we may have collected information from a person under sixteen, contact us at admin@evidenceanalyzer.com.

11. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top of this Policy. For material changes, we will email you at the address associated with your account before the change takes effect. Your continued use of the Service after a change becomes effective constitutes acceptance of the revised Policy. If you do not agree to a revised Policy, you should stop using the Service and may request deletion of your account as described in Section 7.

12. Contact Us

If you have questions, concerns, or requests regarding this Policy or our handling of your personal information, contact us at:

Evidence Analyzer, LLC
2001 Timberloch Place, Suite 500
The Woodlands, TX 77380
admin@evidenceanalyzer.com

If you reside in the European Economic Area, the United Kingdom, or Switzerland and we have not satisfactorily addressed your concern, you have the right to lodge a complaint with your local data protection authority.

If you reside in California and we have not satisfactorily addressed your concern, you may contact the California Privacy Protection Agency.

If you reside in Texas and we have not satisfactorily addressed your concern, you may contact the Texas Attorney General. Information on the appeal process for Texas, Virginia, Colorado, Connecticut, and Utah residents is provided in Section 7.2A.