Website Privacy Notice
Version 2.0 · Last updated 26 May 2026
How And Evolve Ltd collects, uses, shares and protects your personal data when you use our website or engage with us.
1. Who we are
And Evolve Limited ("And Evolve", "we", "us" or "our") is a UK limited company and is the controller of the personal data we process about you. Our registered office is Unit 15 Warwick Innovation Centre, Warwick Technology Park, Gallows Hill, Warwick CV34 6UW. Our Companies House registration number is 09395138 and our ICO registration number is ZA234167.
We have not appointed a statutory Data Protection Officer (DPO) because we are not required to do so under UK GDPR art. 37. The lead contact for data-protection matters is Amrit Sandhar, who can be reached at amrit@and-evolve.com.
We do not regularly offer services to individuals located in the European Union and so we have not appointed an EU representative under EU GDPR art. 27. If our pattern of business changes we will review this position and update this notice accordingly.
2. The purpose of this notice
This notice tells you what personal data we collect about you when you use our website or engage with us, why we collect it, how we use it, who we share it with, how long we keep it, the legal basis for our processing, and the rights you have under data-protection law.
We will provide additional or specific information when we collect personal data for a particular purpose (for example in a client engagement letter or on a sign-up form). Where any specific notice is inconsistent with this notice, the specific notice prevails.
This website is not aimed at children. We do not knowingly process the personal data of anyone under 13 in the United Kingdom or under the applicable age of digital consent in the relevant EU Member State (default 16, lower in some countries). If we become aware that we have collected personal data from a child without appropriate consent where required, we will take steps to delete that information.
3. The personal data we collect
"Personal data" means any information about an identified or identifiable individual. We may collect, use, store and transfer the following categories of personal data:
- Identity Data: first name, last name, title and business role.
- Contact Data: business or personal address, email address and telephone number.
- Financial Data: payment-card details (collected and processed directly by Stripe — see section 7) and bank-account details for invoice payments where applicable.
- Transaction Data: details of payments to and from you and of the services you have purchased from us.
- Profile Data: your interests, preferences, feedback and survey responses.
- Communications Data: correspondence with us and the content of our exchanges.
- Technical Data: IP address, browser type and version, time-zone and location, operating system and platform, and other technology on the devices you use to access our site.
- Cookie and Device Data: information stored on or read from your device through cookies and similar technologies — see section 9.
- Usage Data: how you use our website, services and communications.
- Marketing and Communications Data: your marketing and newsletter preferences and your communication preferences.
We do not knowingly collect "special category" personal data (race, ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data used to identify you, health data, sex life or sexual orientation) or data about criminal convictions and offences. If you provide such data to us voluntarily we will process it only as necessary for the purpose for which you have provided it.
We aim to collect only the personal data that is reasonably necessary for the purposes described in this notice.
We also process Aggregated Data (statistical or demographic data) derived from personal data. Aggregated Data is not personal data in law because it cannot be used to identify you.
4. How we collect your personal data
We collect personal data:
- Directly from you, when you fill in a contact or enquiry form, request a proposal, sign a contract, correspond with us, or subscribe to our Substack newsletter.
- Automatically as you interact with our website, through cookies and similar technologies and through server logs (see section 9).
- From third parties, where an organisation supplies us with your contact details because it wishes to engage our consultancy services in relation to you or your team. In these cases the organisation is responsible for ensuring that it has a lawful basis to share your data with us, and we will (in line with UK GDPR art. 14) provide you with this notice within one month of receiving your data or at our first communication with you, whichever is earlier.
- Occasionally from publicly available sources such as Companies House or professional networks where you have made the information available.
5. What we use your personal data for, and the legal basis
We process personal data only where we have a lawful basis to do so under UK GDPR art. 6 (and EU GDPR art. 6 for EU data subjects). The table below sets out each purpose, the data we use for it, the lawful basis we rely on, and how long we keep the data.
| Purpose | Data categories used | Lawful basis | Retention period |
|---|---|---|---|
| Responding to website enquiries and providing requested information | Identity, Contact, Communications | Art. 6(1)(a) consent (given when you submit our enquiry form) and Art. 6(1)(b) steps prior to entering a contract | 24 months from last contact, then deleted or anonymised |
| Delivering consultancy services under a contract | Identity, Contact, Profile, Financial, Transaction | Art. 6(1)(a) consent (given when you sign our engagement letter or instruct us to act) and Art. 6(1)(b) performance of our contract with you | Duration of engagement plus 7 years (limitation period and HMRC record-keeping) |
| Processing payments via Stripe | Identity, Contact, Financial, Transaction | Art. 6(1)(b) performance of contract; Art. 6(1)(c) legal obligation (HMRC, AML) | 7 years from the end of the relevant accounting period |
| Sending our Substack newsletter and direct marketing to business contacts | Identity, Contact, Marketing and Communications | Art. 6(1)(a) consent only — given by entering your email on Substack to subscribe, or by ticking a marketing consent box on our enquiry form | 36 months from last engagement, or until you unsubscribe |
| Operating, securing and improving our website | Technical, Usage, Cookie/Device | Strictly-necessary cookies operate without consent under PECR reg. 6(4)(b) and are also Art. 6(1)(b) (necessary to deliver our website service); Google Analytics cookies set only with your Art. 6(1)(a) consent via our cookie banner | Server logs 12 months; Google Analytics data 14 months (default GA4 setting) |
| Complying with legal, regulatory and accounting obligations | Identity, Contact, Transaction, Financial | Art. 6(1)(c) legal obligation | As required by applicable law (typically 6–7 years) |
| Establishing, exercising or defending legal claims | Any relevant data | Art. 6(1)(c) legal obligation and the recognised purpose of establishing, exercising or defending legal claims (UK GDPR art. 17(3)(e) and art. 21(1)) | 6 years from the relevant event (Limitation Act 1980) |
We do not rely on legitimate interests as a lawful basis for any of our processing. Our processing is supported by your consent (given by the affirmative actions described above), by our contract with you, or by a legal obligation we are under. Where consent is the basis, you can withdraw it at any time.
We do not carry out solely automated decision-making that produces legal or similarly significant effects on you within the meaning of art. 22 UK/EU GDPR. If this changes — for example if we adopt an AI-driven lead-scoring or shortlisting tool covered by art. 22 or by the EU AI Act — we will update this notice and, where required, seek your consent.
6. Marketing communications and our newsletter
Our newsletter is published through Substack Inc. ("Substack"). When you subscribe to our newsletter you do so directly on Substack's subscription form by entering your email address and confirming your subscription. Your subscription is processed on the basis of your consent under UK/EU GDPR art. 6(1)(a) and Substack acts as a processor of your subscription data on our behalf. Substack's own privacy notice is available at substack.com/privacy.
We may also send direct marketing emails about our consultancy services where:
- you have given us specific consent to do so; or
- you have previously enquired about or purchased similar services from us, we offered you a simple way to opt out at the time, and we offer you that same opt-out in every subsequent message (the "soft opt-in" under PECR reg. 22(3)); or
- you are a business contact who has ticked a marketing-consent box on one of our forms or otherwise given us a clear and active indication that you would like us to contact you about our services.
You can stop receiving marketing from us at any time by clicking the unsubscribe link in any newsletter or marketing email, by managing your subscription in your Substack account, or by emailing hello@and-evolve.com. Your right to object to direct marketing is absolute: once you object we will stop sending you marketing communications. Stopping marketing will not affect our ability to contact you about ongoing services or about a contract we have with you.
7. Who we share your personal data with
We share personal data only with parties that need it to provide a service to us or to you, that we have assessed for data-protection compliance, and that are bound by appropriate written terms (including a UK GDPR art. 28 processor agreement where required). The parties we share personal data with are:
- Stripe Payments Europe Limited (and, where applicable, Stripe Inc. in the United States) — our payment processor. When you pay us by card your payment data is collected and processed directly by Stripe under its own privacy policy (stripe.com/privacy). We do not store full card numbers on our systems.
- Lovable AB (Sweden) — the platform on which our website is built and hosted.
- GoDaddy Inc. — our domain registrar and DNS provider.
- Cloudflare, Inc. — provides bot management and protection for our website.
- Microsoft Corporation (Microsoft 365) — provides our email, document storage and productivity tools, including the spreadsheet-based contact records that act as our CRM.
- Substack Inc. — operates our newsletter and processes subscription, delivery and engagement data on our behalf.
- Google LLC (Google Analytics 4) — provides aggregated website-usage analytics, only where you have given the relevant cookie consent.
- Professional advisers (accountants, lawyers, auditors and insurers) where this is necessary for the management of our business.
- Government bodies, regulators and law-enforcement authorities where we are legally required to disclose information (for example HMRC, the ICO or a court).
- Successors in interest, in the unlikely event of a sale, merger or restructuring of our business, subject to confidentiality undertakings.
Each processor is required to process personal data only on our documented instructions, to keep it secure, to assist us in responding to data-subject requests and personal-data breaches, and to delete or return the data at the end of the engagement.
8. International transfers
We are a UK-based controller. Several of the providers we use have group entities or infrastructure in the United States — most notably Stripe Inc., GoDaddy Inc., Cloudflare Inc., Google LLC and Substack Inc. — and Lovable AB is based in Sweden (an EU/EEA country covered by UK adequacy regulations). Where we or a processor on our behalf transfer your personal data to a country outside the UK we ensure that one of the following protections is in place:
- UK adequacy: the destination country is the subject of UK adequacy regulations under UK GDPR art. 45 (the UK has its own adequacy list, broadly mirroring the EU's — Sweden and other EEA countries are covered).
- UK–US Data Bridge: the recipient in the United States is self-certified under the EU–US Data Privacy Framework and has opted into the UK extension. The UK Government recognised the Data Bridge as providing adequate protection on 12 October 2023. Each US provider's live status can be checked at dataprivacyframework.gov.
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), supported by a documented Transfer Risk Assessment that addresses the "not materially lower" standard introduced by the Data (Use and Access) Act 2025 and by ICO guidance updated on 15 January 2026.
You can request information about the safeguards in place for any specific transfer by emailing support@and-evolve.com.
9. Cookies and similar technologies
A cookie is a small text file placed on your device when you visit a website. We use cookies and similar technologies to make our site work, to keep it secure, and — where you allow it — to measure how visitors use the site through Google Analytics. The cookies currently in use on www.and-evolve.com are:
| Cookie | Provider | Duration | Purpose | Category |
|---|---|---|---|---|
| __cf_bm | Cloudflare | 1 hour | Supports Cloudflare Bot Management and protects the site against malicious bot traffic. | Strictly necessary |
| __dpl | Lovable / hosting | 1 day | Set by our website-hosting platform to keep your visit working correctly across our infrastructure. | Strictly necessary |
| session-id | and-evolve.com | 1 hour | Maintains your active session on the site so that the website behaves consistently while you browse. | Strictly necessary |
| _ga | Google Analytics | 13 months | Distinguishes unique visitors so that we can produce aggregated reports on how the site is used. The data is anonymous. | Analytics — consent required |
| _ga_* | Google Analytics | 13 months | Stores and counts page views for our Google Analytics 4 reporting. | Analytics — consent required |
Strictly-necessary cookies are set automatically because the website cannot function correctly without them; we do not require your consent for those, in line with PECR reg. 6(4)(b). Analytics cookies are only set after you have given your consent through our cookie banner the first time you visit. The banner records your choice; you can change your cookie choices at any time by clearing your browser cookies for our site or by emailing us at amrit@and-evolve.com.
In the EU we apply the ePrivacy Directive standard of explicit prior consent for analytics cookies. In the UK we currently apply the same standard, although the Data (Use and Access) Act 2025 introduces statutory exceptions for purely audience-measurement cookies subject to clear notice and a simple opt-out; we will keep this practice under review.
We do not currently use marketing, advertising or third-party tracking cookies. If that changes we will update this notice and seek your consent before any new cookie is set.
10. Data security
We have technical and organisational security measures in place appropriate to the risk, as required by UK GDPR art. 32. These include encryption of personal data in transit, role-based access controls, multi-factor authentication for administrative accounts, secure backups, supplier due diligence, staff training and a written information-security policy.
Despite our best efforts no system can be guaranteed completely secure. If a personal-data breach occurs and is likely to result in a risk to your rights and freedoms we will notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR art. 33, and we will inform you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms, as required by art. 34.
11. How long we keep your personal data
Where we need personal data by law, or under the terms of a contract with you, and you do not provide that data, we may be unable to provide certain services or fulfil our contractual obligations.
Specific retention periods are set out in the processing table at section 5. In each case we will keep your personal data only for as long as is necessary to fulfil the purpose for which it was collected, including for the purposes of meeting any legal, accounting or reporting requirements. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use that anonymised data indefinitely without further notice to you.
12. Your rights
Under UK and EU data-protection law you have the following rights in relation to your personal data:
- The right to be informed about how we use your personal data — the purpose of this notice.
- The right of access — you can ask us for a copy of the personal data we hold about you (a "subject access request").
- The right to rectification — you can ask us to correct inaccurate personal data and to complete incomplete data.
- The right to erasure ("the right to be forgotten") — you can ask us to delete your personal data in certain circumstances. This right is not absolute; we may need to keep some data for legal, tax or contractual reasons.
- The right to restrict processing — you can ask us to suspend processing of your personal data in certain circumstances.
- The right to data portability — where we process your personal data by automated means on the basis of consent or contract, you can ask us to send it to you, or to another controller, in a structured, commonly used and machine-readable format.
- The right to object — you have an absolute right to object to direct marketing at any time, and we will stop immediately. Because we do not rely on legitimate interests as a lawful basis, the qualified right to object to legitimate-interests processing does not apply to our processing.
- Rights related to automated decision-making and profiling — you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not carry out such processing.
- The right to withdraw consent — where our processing is based on your consent, you can withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights please email support@and-evolve.com. We will not charge you a fee unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request, as permitted by UK GDPR art. 12(5).
We may need to ask you for proof of identity before we can act on your request. We will respond to most requests within one month. If your request is particularly complex or you have made a number of requests we may need a further two months, and we will let you know within the first month if that is the case.
13. How to complain
If you are unhappy with how we have handled your personal data, please contact us first by emailing amrit@and-evolve.com. Under the Data (Use and Access) Act 2025 (Part 5, in force 5 February 2026) we are required to acknowledge your complaint and respond to it within one month before you escalate it to the ICO.
If you remain dissatisfied after our response, or if we do not respond in time, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data-protection matters: www.ico.org.uk, telephone 0303 123 1113, address Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
If you are in the EU you also have the right to complain to the supervisory authority in the EU Member State where you live, work, or where the alleged infringement took place.
14. Third-party websites
Our website may contain links to and from third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control those third-party websites and are not responsible for their privacy practices. When you leave our website we encourage you to read the privacy notice of every website you visit.
15. Changes to this notice
We review this notice regularly and may update it from time to time. When we make a material change we will update the "Last updated" date at the top of the notice and, where appropriate, notify you directly. Previous versions of this notice are available on request.
16. Contact us
Lead contact for data-protection enquiries: Amrit Sandhar, And Evolve Limited, Unit 15 Warwick Innovation Centre, Warwick Technology Park, Gallows Hill, Warwick CV34 6UW. Email: support@and-evolve.com. Companies House: 09395138. ICO registration: ZA234167.