Privacy policy

evidencefund.com customer privacy notice

Open Development & Education is the data controller for the personal information described in this notice.

This privacy notice tells you what to expect us to do with your personal information.

Contact details
What information we collect, use, and why
Lawful bases and data protection rights
Where we get personal information from
How long we keep information
Who we share information with
Sharing information outside the UK
How to complain

Contact details

Email: [email protected]

What information we collect, use, and why

We collect or use the following personal information for dealing with queries, complaints or claims:

Names and contact details
Email correspondence content: your questions, complaints, feedback, and our responses
Communication records and timestamps

We collect or use the following information to analyse how visitors use our website to improve user experience, fix technical issues, and develop better features:

IP address (used to derive approximate location: country, city, region)
Browser type and version
Operating system and device type
Screen resolution
Pages visited (page view events)
Referrer URL (which website you came from)
PDF file opens and downloads for files attached to library items
Pseudonymous identifiers (device ID)
UTM attribution data (campaign source, medium, and related parameters)

What we do NOT collect:

We do not collect form input values, passwords, or payment information through analytics
We do not use third-party advertising or tracking cookies
We do not sell your data to advertisers

Lawful bases and data protection rights

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights, which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

Your right of access – You have the right to ask us for copies of your personal information. You can request other information, such as details about where we get personal information from and who we share personal information with. There are some exemptions, which means you may not receive all the information you ask for. Read more about the right of access.
Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
Your right to erasure – You have the right to ask us to delete your personal information. Read more about the right to erasure.
Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
Your right to object to processing – You have the right to object to the processing of your personal data. Read more about the right to object to processing.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
Your right to withdraw consent – When we use consent as our lawful basis, you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- We need to respond to user queries, complaints, and support requests. This directly benefits users by resolving their issues and providing customer support. Keeping communication records helps us provide consistent support and reference previous interactions.

For more information on our use of legitimate interests as a lawful basis, you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for analysing how visitors use our website are:

Consent – we ask for your consent before setting analytics cookies through our cookie consent banner. You can withdraw consent at any time by:
- Clicking "Cookie Settings" in the footer of any page
- Deleting cookies through your browser settings
Legitimate interests – for analytics data that doesn’t require cookies (such as server logs), we rely on legitimate interests. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- Understanding how visitors use our website helps us improve user experience, fix technical issues, identify and resolve bugs, and develop features that users actually need. The data is pseudonymised where possible, and the benefits of improving our service outweigh the minimal privacy impact of collecting pseudonymous usage data.

For more information on our use of legitimate interests as a lawful basis, you can contact us using the contact details set out above.

Where we get personal information from

Directly from you when you:
- Send us an email
- Contact us with questions or complaints
Automatically collected when you visit our website:
- From your browser (browser type, screen size, device information)
- From your network connection (IP address, approximate location)
- From your interactions with our site (pages visited, clicks, time spent)
From PostHog analytics – our website analytics platform that collects pseudonymous usage data on our behalf
From Google Analytics – our website analytics platform that collects pseudonymous visit and session data on our behalf
From Cloudflare – our infrastructure provider, which processes connection data for security, bot management, and performance purposes
From Clerk – our authentication provider, which processes session data to manage user sign-in flows

How long we keep information

Data Type	Retention Period	Reason
Email correspondence	3 years from the date of last communication	To respond to follow-up queries, maintain communication history, and resolve disputes
Support ticket records	3 years from the date of resolution	To reference similar issues and improve support quality
Website analytics data (PostHog & Google Analytics)	1 year from the date of collection	To analyse trends, identify long-term patterns, and improve the product
IP address logs	24 hours from the date of collection	For security monitoring and fraud prevention

After these periods, we securely delete or anonymise personal information so it can no longer identify you.

For more information on how long we store your personal information or the criteria we use to determine this, please contact us using the details provided above.

Who we share information with

Data processors

PostHog Inc.

This data processor does the following activities for us:

Collects and stores website analytics data
Processes usage statistics and generates reports

Location: United States

Google LLC (Google Analytics)

This data processor does the following activities for us:

Collects and stores pseudonymous website analytics data
Measures visit attribution and session-level traffic data
Generates usage reports

Analytics data is only sent to Google Analytics after you have granted consent via our cookie banner.

Location: United States (and globally distributed infrastructure)

Cloudflare, Inc.

This data processor does the following activities for us:

Hosts and delivers our website via its content delivery network (CDN)
Provides bot management, DDoS protection, and rate limiting
Processes connection-level data (IP address, request metadata) for security purposes

Location: United States (and globally distributed edge network)

Clerk, Inc.

This data processor does the following activities for us:

Manages user authentication and sign-in flows
Maintains session state for authenticated users
Issues and validates session tokens

Location: United States

Vercel Inc.

This data processor does the following activities for us:

Hosts our website
Provides content delivery network (CDN) services
Processes server logs and connection data

Location: United States and globally distributed edge network

Sharing information outside the UK

Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information about the safeguards for any of the transfers below, please contact us using the contact information provided above.

Organisation name: PostHog Inc.

Category of recipient: Analytics platform and data processor

Country where data is primarily processed: Germany (EU). PostHog Inc. is headquartered in the United States.

How the transfer complies with UK data protection law:

Transfers to PostHog Inc. are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

Organisation name: Google LLC

Category of recipient: Analytics platform and data processor

Country the personal information is sent to: United States (and globally distributed infrastructure)

How the transfer complies with UK data protection law:

Transfers to Google LLC are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

Organisation name: Cloudflare, Inc.

Category of recipient: Infrastructure, security, and CDN provider

Country the personal information is sent to: United States (and globally distributed edge network)

How the transfer complies with UK data protection law:

Transfers to Cloudflare, Inc. are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

Organisation name: Clerk, Inc.

Category of recipient: Authentication and identity management provider

Country the personal information is sent to: United States

How the transfer complies with UK data protection law:

Transfers to Clerk, Inc. are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

Organisation name: Vercel Inc.

Category of recipient: Website hosting provider

Country the personal information is sent to: United States (and globally distributed edge network)

How the transfer complies with UK data protection law:

Transfers to Vercel Inc. are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

How we protect personal information

We implement appropriate technical and organisational measures to protect your personal information:

Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest
Access controls: Limited access to personal data on a need-to-know basis
Pseudonymisation: Analytics data is pseudonymised where possible
Regular security reviews: We monitor and update our security practices
Secure data processors: We only work with processors who meet high security standards
Cookie consent management: PostHog and Google Analytics only load after you grant consent

Cookies

We use cookies to collect some of the analytics information described in this privacy notice. For detailed information about the cookies we use, please see our Cookie Policy.

Key points:

Strictly necessary cookies include our consent preference cookie (analytics_consent), a language preference cookie (NEXT_LOCALE), Cloudflare security cookies (__cf_bm, _cfuvid), and Clerk authentication cookies (__client_uat)
Optional analytics cookies from PostHog (ph_*) and Google Analytics (_ga, _ga_*) are only set after you grant consent
No third-party advertising or tracking cookies are used
You can accept or decline cookies via our cookie consent banner
You can change your preferences anytime via "Cookie Settings" in the footer

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Changes to this privacy notice

We may update this privacy notice from time to time. When we make significant changes, we will:

Update the “Last updated” date below
For material changes affecting your rights, we may seek renewed consent where required

We encourage you to review this privacy notice periodically to stay informed about how we protect your information.

Last updated

March 6, 2026

Privacy policy

evidencefund.com customer privacy notice

Open Development & Education is the data controller for the personal information described in this notice.

This privacy notice tells you what to expect us to do with your personal information.

Contact details
What information we collect, use, and why
Lawful bases and data protection rights
Where we get personal information from
How long we keep information
Who we share information with
Sharing information outside the UK
How to complain

Contact details

Email: [email protected]

What information we collect, use, and why

We collect or use the following personal information for dealing with queries, complaints or claims:

Names and contact details
Email correspondence content: your questions, complaints, feedback, and our responses
Communication records and timestamps

We collect or use the following information to analyse how visitors use our website to improve user experience, fix technical issues, and develop better features:

IP address (used to derive approximate location: country, city, region)
Browser type and version
Operating system and device type
Screen resolution
Pages visited (page view events)
Referrer URL (which website you came from)
PDF file opens and downloads for files attached to library items
Pseudonymous identifiers (device ID)
UTM attribution data (campaign source, medium, and related parameters)

What we do NOT collect:

We do not collect form input values, passwords, or payment information through analytics
We do not use third-party advertising or tracking cookies
We do not sell your data to advertisers

Lawful bases and data protection rights

Your right of access – You have the right to ask us for copies of your personal information. You can request other information, such as details about where we get personal information from and who we share personal information with. There are some exemptions, which means you may not receive all the information you ask for. Read more about the right of access.
Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
Your right to erasure – You have the right to ask us to delete your personal information. Read more about the right to erasure.
Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
Your right to object to processing – You have the right to object to the processing of your personal data. Read more about the right to object to processing.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
Your right to withdraw consent – When we use consent as our lawful basis, you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- We need to respond to user queries, complaints, and support requests. This directly benefits users by resolving their issues and providing customer support. Keeping communication records helps us provide consistent support and reference previous interactions.

For more information on our use of legitimate interests as a lawful basis, you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for analysing how visitors use our website are:

Consent – we ask for your consent before setting analytics cookies through our cookie consent banner. You can withdraw consent at any time by:
- Clicking "Cookie Settings" in the footer of any page
- Deleting cookies through your browser settings
Legitimate interests – for analytics data that doesn’t require cookies (such as server logs), we rely on legitimate interests. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
- Understanding how visitors use our website helps us improve user experience, fix technical issues, identify and resolve bugs, and develop features that users actually need. The data is pseudonymised where possible, and the benefits of improving our service outweigh the minimal privacy impact of collecting pseudonymous usage data.

For more information on our use of legitimate interests as a lawful basis, you can contact us using the contact details set out above.

Where we get personal information from

Directly from you when you:
- Send us an email
- Contact us with questions or complaints
Automatically collected when you visit our website:
- From your browser (browser type, screen size, device information)
- From your network connection (IP address, approximate location)
- From your interactions with our site (pages visited, clicks, time spent)
From PostHog analytics – our website analytics platform that collects pseudonymous usage data on our behalf
From Google Analytics – our website analytics platform that collects pseudonymous visit and session data on our behalf
From Cloudflare – our infrastructure provider, which processes connection data for security, bot management, and performance purposes
From Clerk – our authentication provider, which processes session data to manage user sign-in flows

How long we keep information

Data Type	Retention Period	Reason
Email correspondence	3 years from the date of last communication	To respond to follow-up queries, maintain communication history, and resolve disputes
Support ticket records	3 years from the date of resolution	To reference similar issues and improve support quality
Website analytics data (PostHog & Google Analytics)	1 year from the date of collection	To analyse trends, identify long-term patterns, and improve the product
IP address logs	24 hours from the date of collection	For security monitoring and fraud prevention

After these periods, we securely delete or anonymise personal information so it can no longer identify you.

For more information on how long we store your personal information or the criteria we use to determine this, please contact us using the details provided above.

Who we share information with

Data processors

PostHog Inc.

This data processor does the following activities for us:

Collects and stores website analytics data
Processes usage statistics and generates reports

Location: United States

Google LLC (Google Analytics)

This data processor does the following activities for us:

Collects and stores pseudonymous website analytics data
Measures visit attribution and session-level traffic data
Generates usage reports

Analytics data is only sent to Google Analytics after you have granted consent via our cookie banner.

Location: United States (and globally distributed infrastructure)

Cloudflare, Inc.

This data processor does the following activities for us:

Hosts and delivers our website via its content delivery network (CDN)
Provides bot management, DDoS protection, and rate limiting
Processes connection-level data (IP address, request metadata) for security purposes

Location: United States (and globally distributed edge network)

Clerk, Inc.

This data processor does the following activities for us:

Manages user authentication and sign-in flows
Maintains session state for authenticated users
Issues and validates session tokens

Location: United States

Vercel Inc.

This data processor does the following activities for us:

Hosts our website
Provides content delivery network (CDN) services
Processes server logs and connection data

Location: United States and globally distributed edge network

Sharing information outside the UK

Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information about the safeguards for any of the transfers below, please contact us using the contact information provided above.

Organisation name: PostHog Inc.

Category of recipient: Analytics platform and data processor

Country where data is primarily processed: Germany (EU). PostHog Inc. is headquartered in the United States.

How the transfer complies with UK data protection law:

Transfers to PostHog Inc. are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

Organisation name: Google LLC

Category of recipient: Analytics platform and data processor

Country the personal information is sent to: United States (and globally distributed infrastructure)

How the transfer complies with UK data protection law:

Transfers to Google LLC are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

Organisation name: Cloudflare, Inc.

Category of recipient: Infrastructure, security, and CDN provider

Country the personal information is sent to: United States (and globally distributed edge network)

How the transfer complies with UK data protection law:

Transfers to Cloudflare, Inc. are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

Organisation name: Clerk, Inc.

Category of recipient: Authentication and identity management provider

Country the personal information is sent to: United States

How the transfer complies with UK data protection law:

Transfers to Clerk, Inc. are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

Organisation name: Vercel Inc.

Category of recipient: Website hosting provider

Country the personal information is sent to: United States (and globally distributed edge network)

How the transfer complies with UK data protection law:

Transfers to Vercel Inc. are made in reliance on its certification under the UK Extension to the EU-U.S. Data Privacy Framework.

How we protect personal information

We implement appropriate technical and organisational measures to protect your personal information:

Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest
Access controls: Limited access to personal data on a need-to-know basis
Pseudonymisation: Analytics data is pseudonymised where possible
Regular security reviews: We monitor and update our security practices
Secure data processors: We only work with processors who meet high security standards
Cookie consent management: PostHog and Google Analytics only load after you grant consent

Cookies

We use cookies to collect some of the analytics information described in this privacy notice. For detailed information about the cookies we use, please see our Cookie Policy.

Key points:

Strictly necessary cookies include our consent preference cookie (analytics_consent), a language preference cookie (NEXT_LOCALE), Cloudflare security cookies (__cf_bm, _cfuvid), and Clerk authentication cookies (__client_uat)
Optional analytics cookies from PostHog (ph_*) and Google Analytics (_ga, _ga_*) are only set after you grant consent
No third-party advertising or tracking cookies are used
You can accept or decline cookies via our cookie consent banner
You can change your preferences anytime via "Cookie Settings" in the footer

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Changes to this privacy notice

We may update this privacy notice from time to time. When we make significant changes, we will:

Update the “Last updated” date below
For material changes affecting your rights, we may seek renewed consent where required

We encourage you to review this privacy notice periodically to stay informed about how we protect your information.

Last updated

March 6, 2026