01
Who we are
Evolve (“Evolve,” “we,” “us”) is a Canadian-founded research-chemical supplier operated by Dr. Mark Weyers and the Evolve founding team. We respect your privacy and take our obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA, Canada), Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25), the EU General Data Protection Regulation (GDPR), and the UK GDPR seriously.
Data controller (PIPEDA / GDPR Article 4(7)): Evolve — c/o Dr. Mark Weyers, London, Ontario, Canada.
Hosting location: Helsinki, Finland (Hetzner Online GmbH).
Contact for privacy requests: privacy@evolvprotocol.com
02
What we collect
We collect the following categories of personal information:
2a. Provided directly by you
- Name, email address, mailing/shipping address, billing address, phone (optional).
- Age attestation and research-use attestation responses.
- Order history and product preferences.
- Payment metadata (cardholder name, card last-4, BIN, expiry; we do not store full card numbers — see Section 5 on Stripe / NOWPayments).
- Communications you send to support, the founder, or via the Site.
- Voluntary information submitted to surveys, the practitioner application, the Founding Athletes program, or community channels.
2b. Collected automatically
- IP address, browser user agent, device type, referring URL, language preference.
- Pages viewed, time on page, click-stream data on the Site.
- Cookies and similar technologies (see Section 7).
2c. We do NOT collect
- Government identification numbers (we do not request SIN, passport, or driver's licence).
- Health information. We do not ask about your health, conditions, or treatments. If you volunteer it in correspondence we will minimise its retention.
- Biometric data.
03
Lawful basis (GDPR / UK GDPR)
For Customers in the EEA and UK, we rely on the following lawful bases under GDPR Article 6:
| Purpose | Lawful basis |
|---|---|
| Fulfilling your order | Contract (Art. 6(1)(b)) |
| Sending order-related email (confirmations, dispatch, defect notices) | Contract (Art. 6(1)(b)) |
| Marketing email (after opt-in) | Consent (Art. 6(1)(a)) |
| Compliance, fraud prevention, age verification | Legal obligation + legitimate interest (Art. 6(1)(c)/(f)) |
| Improving the Site | Legitimate interest (Art. 6(1)(f)) |
For Customers in Quebec, processing is supported under Law 25’s purpose-limitation and consent principles.
04
How we use your information
We use personal information to:
- Process and fulfil orders, including dispatch and carrier hand-off.
- Verify age and research-use attestation.
- Communicate about order status, defects, recalls, and policy changes.
- Provide customer support (the named-founder support inbox — Mark Weyers reads it personally for the first cohorts).
- Send marketing emails to subscribers who have opted in (with one-click unsubscribe in every message).
- Prevent fraud, sanctions-evasion shipping, and abuse.
- Improve product mix, COA presentation, and Site UX based on aggregate behaviour.
- Comply with legal obligations (tax records, processor disclosures).
We do not sell personal information. We do not rent personal information to data brokers.
05
Third parties and sub-processors
We share personal information only with the third-party service providers necessary to operate the Site and fulfil orders. Current sub-processors:
| Sub-processor | Purpose | Location | Notes |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting | Helsinki, Finland | EEA hosting, GDPR-aligned |
| Stripe (or Stripe-equivalent card processor) | Card payments | USA / Ireland | PCI-DSS Level 1; full card numbers never reach Evolve |
| NOWPayments (or equivalent) | Cryptocurrency payments | Estonia | Processes crypto checkout and stablecoin refunds |
| Amazon SES (or equivalent) | Transactional and marketing email | USA (with EU region option under review) | Sender-only |
| Hermes-AI (Evolve internal agent) | First-touch customer support drafting; founder review before sending on sensitive matters | Evolve-operated infrastructure | A Data Processing Agreement is in place; Hermes-AI does not train external models on your messages |
| Carriers (courier services) | Physical delivery | Varies | Limited to shipping name, address, phone |
| Independent COA labs | Batch testing | Varies | Receive no customer data; receive product samples only |
A current sub-processor list is available on request at privacy@evolvprotocol.com. Material changes will be notified by email to registered customers where reasonably practicable.
06
International transfers
The Site is hosted in Finland. Some sub-processors (notably card and email processors) are located outside the EEA and Canada. Where personal information is transferred outside the EEA, we rely on the European Commission’s Standard Contractual Clauses or equivalent transfer mechanisms. Customers in Canada acknowledge that their personal information will be hosted in Finland and processed by sub-processors in Canada, the United States, and the EU.
07
Cookies
We use a minimal set of cookies:
- Strictly necessary (cart, session, age-gate state, CSRF). Cannot be disabled.
- Analytics (anonymised, aggregated). Disabled by default in jurisdictions where consent is required prior to setting; otherwise opt-out via the cookie banner.
- No advertising cookies. No cross-site tracking. No Facebook pixel.
08
Retention
We retain personal information for as long as needed for the purpose collected and for the additional period required to meet legal, tax, and accounting obligations.
| Data | Retention |
|---|---|
| Account email, addresses, order history | Duration of account + 7 years (tax / record-keeping) |
| Age attestation log | 7 years |
| Marketing list | Until unsubscribe + 30 days |
| Support emails | 3 years from last contact |
| Payment processor records | Per processor's retention schedule |
| Anonymised analytics | 26 months |
You may request deletion sooner under Section 9. Some records (tax, fraud-prevention, age-attestation) cannot be deleted before their statutory minimum retention.
09
Your rights
Depending on your jurisdiction, you may have the right to:
- Access your personal information.
- Correct inaccurate personal information.
- Delete (“be forgotten”) your personal information, subject to retention requirements.
- Restrict or object to processing.
- Portability — receive your data in a machine-readable format.
- Withdraw consent at any time (does not affect prior lawful processing).
- Lodge a complaint with a supervisory authority.
To exercise any of these, email privacy@evolvprotocol.com with your order email and the specific right you wish to exercise. We respond within 30 days under PIPEDA, and within 30 days, extendable to 90, under GDPR.
Supervisory authorities:
- Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
- Quebec: Commission d’accès à l’information — cai.gouv.qc.ca
- EU: Your local Data Protection Authority. Finland: Tietosuojavaltuutetun toimisto (tietosuoja.fi).
- UK: Information Commissioner’s Office — ico.org.uk
10
Security
We implement reasonable technical and organisational measures to protect personal information:
- TLS 1.3 in transit; encryption at rest for the order database.
- Principle-of-least-privilege access controls; only the founder and named operations team have administrative access.
- No customer health data collected, so no special-category processing under GDPR Art. 9.
- Vendor security review before adding any new sub-processor.
No system is perfectly secure. In the event of a personal-data breach affecting your data, we will notify affected Customers and the relevant supervisory authority within the windows required by applicable law (72 hours for GDPR; ASAP under PIPEDA where there is a real risk of significant harm).
11
Children
The Site is intended for adults aged 18+ (or the higher age of majority in the user’s jurisdiction). We do not knowingly collect personal information from minors. If you believe a minor has provided personal information, contact privacy@evolvprotocol.com and we will delete it.
12
AI processing disclosure
Evolve operates Hermes-AI, an internal customer-support agent that drafts replies to incoming customer messages. The named founder reviews drafts before release on sensitive matters (defect claims, regulatory questions, refund disputes). Hermes-AI:
- Does not train external foundation models on your messages.
- Does not share your messages with third-party AI providers without contractual protection.
- May use anonymised, aggregated patterns to improve template quality.
This disclosure is provided in the spirit of the radical transparency that Evolve committed to after the February 2026 MEDVi incident, in which a competitor was found to have used deepfaked patient images and unsupervised AI for medical-style consultations. Evolve will never deepfake customer images, fabricate testimonials, or use AI as a substitute for the named founder on medical-style questions (we don’t answer medical questions; see Terms of Service Section 5).
13
Changes
We will update this policy as our practices evolve. Material changes will be notified by email and by a banner on the Site. The “Last updated” date reflects the most recent revision.
14
Contact
Evolve — Privacy
Email: privacy@evolvprotocol.com
Postal: c/o Dr. Mark Weyers, [London ON address — to be added]
For EU GDPR-related requests, the named founder presently acts as the privacy point of contact pending appointment of a formal Data Protection Officer if and when required by GDPR Art. 37.
Drafted by the Evolve founding team. Pending counsel review.