Privacy Policy

Last updated: March 2026

1. Controller

The controller responsible for data processing on this website pursuant to Art. 13(1)(a) GDPR is:

Luca-Bastien Strussione

Evolve Performance (Einzelunternehmer)

Mainzer Allee 17-19, 65232 Taunusstein, Germany

Email: support@evolveperf.com

2. What Data We Collect

When you use Evolve Performance, we collect the following data:

  • Discord account information: User ID, username, and avatar (provided via Discord OAuth2)
  • System specifications: CPU, GPU, RAM, motherboard, storage, and cooler details you submit during checkout
  • Purchase records: Plan purchased, transaction ID, payment amount, currency, and email address associated with payment
  • Support ticket references: Discord channel IDs for your support tickets
  • Hardware ID (HWID): A unique identifier derived from your hardware configuration, used for license activation and binding
  • Cryptocurrency payment data: If you pay with cryptocurrency, we store the payment amount, cryptocurrency type, and transaction reference for tax and accounting purposes

3. Why We Collect This Data

We process your data based on the following legal grounds (GDPR Art. 6):

  • Contract fulfillment (Art. 6(1)(b)): Discord OAuth2 authentication, system specs processing, purchase record management, license activation, and support ticket creation
  • Contract fulfillment (Art. 6(1)(b)): Avatar storage for user profile display
  • Legitimate interest (Art. 6(1)(f)): Fraud prevention via HWID binding (one license per device), purchase record maintenance for accounting and support
  • Consent (Art. 6(1)(a)): Website analytics via Umami. Only activated if you explicitly accept in our consent banner. You can withdraw consent at any time by clearing your cookies.

4. Third-Party Services

We share data with the following third parties, only as needed to provide our services:

  • Creem - Payment processing and affiliate referral tracking. Receives your email and payment details. If you arrive at our site through an affiliate link, Creem sets a cookie on your device to attribute any subsequent purchase to the referring affiliate (180-day duration). The cookie stores only the referral identifier - no personal data is collected beyond the attribution. Creem acts as Merchant of Record and handles tracking, attribution, payouts, and compliance automatically. Registered in Estonia (EU). No third-country transfer.
  • Discord - Authentication and support delivery. We access your public profile via OAuth2 and create support tickets in our server. Registered in the US. Transfer safeguard: EU-US Data Privacy Framework.
  • Vercel - Hosting provider. Processes HTTP requests and logs. Serverless functions run in Frankfurt, Germany (fra1). No third-country transfer.
  • NOWPayments - Cryptocurrency payment processing. Receives payment amount, currency, and order reference. Registered in the Netherlands (EU). No third-country transfer.
  • Netcup GmbH - Server hosting provider. Our PostgreSQL database and backend API run on Netcup infrastructure. Stores purchase records, system specifications, license keys, and support ticket references. Registered in Germany. No third-country transfer.
  • Umami - Privacy-friendly website analytics (self-hosted on our Netcup server). Only activated with your explicit consent. Collects anonymous page view data (page URL, referrer, browser, OS, screen size). No personal data, no cookies, no cross-site tracking. All data stays on our server in Germany. No third-country transfer.

5. Desktop Application (Evolve Optimizer)

The Evolve Optimizer desktop application collects and processes additional data beyond what is described above. Use of the desktop application is governed by its own End User License Agreement (EULA) presented during installation, which contains detailed data collection disclosures. A summary follows:

  • Hardware Identifier (HWID): A SHA-256 hash derived from your CPU Processor ID, storage drive serial number, and motherboard serial number, collected via Windows Management Instrumentation (WMI). The raw serial numbers are not transmitted - only the composite hash. This hash constitutes pseudonymized data under GDPR. Legal basis: contractual necessity (Art. 6(1)(b)) for license validation and multi-device detection.
  • System specifications (automatic): CPU model, GPU model, total RAM, RAM module details (capacity, speed, type, manufacturer), motherboard model/vendor, and Windows version. Collected automatically via WMI during authentication. Legal basis: contractual necessity (Art. 6(1)(b)) for hardware-specific optimization.
  • BIOS/UEFI NVRAM data: If you voluntarily initiate the BIOS optimization feature, your firmware settings are exported and transmitted to our server for manual analysis. This data may contain hardware serial numbers embedded in firmware. Legal basis: consent (Art. 6(1)(a)) - you can decline this feature without affecting other functionality.
  • Credential storage: Your license key is stored locally on your device, encrypted via Windows Data Protection API (DPAPI). This data never leaves your device.
  • Update checks: The application periodically contacts our server to check for available updates. This request contains no personal data beyond the standard HTTPS connection.

BIOS/UEFI data is deleted within 30 days of processing. All other desktop application data follows the retention policy below.

6. Data Retention

We retain your purchase records for as long as your account exists or as required by applicable tax and accounting laws (typically 10 years for financial records in Germany). You may request deletion at any time - see Your Rights below.

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): You can export all data we store about you from your profile page.
  • Right to erasure (Art. 17): You can delete all your data from your profile page. This removes your purchase records from our database.
  • Right to rectification (Art. 16): You can request correction of inaccurate personal data.
  • Right to restriction of processing (Art. 18): You can request restriction of processing under certain conditions.
  • Right to data portability (Art. 20): Your data export is provided as a standard JSON file.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Hessischer Beauftragter für Datenschutz und Informationsfreiheit.

Right to object (Art. 21): You have the right to object at any time to the processing of your personal data based on legitimate interests (Art. 6(1)(f)). We will then no longer process your data unless we can demonstrate compelling legitimate grounds.

8. Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

9. Cookies & Local Storage

We use the following cookies:

  • evolve_session - httpOnly session cookie for authentication. Contains a signed token, is not readable by client-side JavaScript, expires after 7 days, and is cleared when you log out.
  • evolve_consent - Stores your analytics consent choice (accepted or rejected). Expires after 365 days. Required for GDPR compliance - not gated behind consent itself.
  • Affiliate referral cookie - Set by Creem only when you arrive via an affiliate referral link. Stores the referral identifier to attribute your purchase to the referring affiliate. Expires after 180 days. Legal basis: legitimate interest (Art. 6(1)(f)). Not gated behind consent as it serves a contractual attribution purpose, not behavioral profiling.

We also use browser localStorage to cache minimal display data (plan names, dates) for faster page loads - this data never leaves your device and is cleared on logout. No third-party tracking cookies are used.

10. Contact

For any privacy-related questions or to exercise your rights, contact us at: support@evolveperf.com or through our Discord server.

This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) and the German Bundesdatenschutzgesetz (BDSG).