1. Introduction
EvolveBPM (“EvolveBPM”, “we”, “us”, or “our”) is a global B2B demand generation partner. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights available to you under global data-protection laws — including the EU/UK GDPR, Canada's CASL and PIPEDA, and the US CCPA/CPRA, TCPA and CAN-SPAM Act.
2. Data Controller & Data Protection Officer
EvolveBPM is the data controller for personal data collected via our websites, campaigns and services. Our appointed Data Protection Officer (DPO) can be reached at DPO@evolvebpm.com for any request or complaint regarding your personal data or GDPR-related matters.
3. Scope & Applicability
This policy applies to personal data that EvolveBPM processes as (a) a controller — e.g. website visitors, prospects, contacts, and business partners; and (b) a processor — when we deliver demand-generation programs on behalf of our clients under a Data Processing Agreement (DPA).
4. Personal Data We Collect
- Identity & Contact — name, business email, phone, postal address, job title, employer.
- Business intent signals — firmographics, technographics, engagement history, content downloads.
- Third-party data — verified from partners such as Bombora, HG Insights, SalesIntel, Leadiro (aggregated intent, technographic and firmographic signals).
- Device & usage — IP address, device type, browser, page views, cookie identifiers.
- Campaign engagement — email opens/clicks, form submissions, call recordings (where consented and permitted by law).
We do not knowingly collect special-category personal data (health, race, religion, biometrics, etc.).
5. Legal Basis for Processing (GDPR)
Under the GDPR/UK GDPR we rely on:
- Legitimate interests — for B2B marketing to relevant professionals in relevant roles, subject to a balancing test.
- Consent — where required (e.g. non-essential cookies, certain marketing communications, sensitive purposes).
- Contract — to fulfil our obligations to clients and business partners.
- Legal obligation — for tax, compliance, and record-keeping requirements.
6. Purposes of Processing
- Delivering B2B demand-generation, ABM, and lead-generation programs on behalf of clients.
- Contacting prospects for relevant business communications, webinars, events, and offers.
- Improving our platforms Predictor.com, Intello and Innovator.
- Fraud prevention, security, analytics, and legal compliance.
7. Canada — CASL & PIPEDA
For recipients in Canada, we send Commercial Electronic Messages (CEMs) only where we have express or implied consent under Canada's Anti-Spam Legislation (CASL). Every CEM contains (i) sender identification, (ii) a valid physical address, and (iii) an unsubscribe mechanism that remains functional for at least 60 days. We comply with PIPEDA principles including accountability, purpose limitation, consent, accuracy, safeguards, individual access and challenging compliance.
8. United States — CCPA/CPRA, TCPA & CAN-SPAM
- CCPA/CPRA (California) — California residents may request access, deletion, correction, and opt-out of “sale”/“sharing” of personal information. We do not sell personal information for cross-context behavioural advertising.
- TCPA — telemarketing calls and SMS to US numbers are made in accordance with the Telephone Consumer Protection Act, honouring do-not-call preferences and consent requirements.
- CAN-SPAM — all commercial email includes accurate sender identity, a functional unsubscribe link, and our physical postal address.
9. Other Jurisdictions
We honour equivalent obligations under India's DPDP Act 2023, the UK Data Protection Act 2018, Brazil's LGPD, Australia's Privacy Act, Singapore's PDPA, and other applicable regional laws. Where local law is stricter than this policy, the stricter provision applies.
11. International Data Transfers
Transfers of personal data outside the EEA, UK or Canada rely on Standard Contractual Clauses (SCCs), UK IDTA/UK Addendum, adequacy decisions, or other lawful transfer mechanisms, and are subject to a transfer impact assessment where required.
12. Data Retention
We retain personal data only for as long as necessary for the purposes described, to meet contractual obligations, or to comply with applicable law. Prospect records are reviewed at least annually; unengaged records are suppressed or deleted.
13. Security Measures
EvolveBPM is a GDPR and Cyber Essentials certified organization. We implement industry-standard technical and organisational measures — role-based access control, encryption in transit and at rest, network segmentation, MFA, audit logging, incident response — to protect personal data against unauthorised access, alteration, disclosure or destruction.
14. Your Rights & Choices
You may have rights of access, rectification, erasure, restriction, portability and objection. You may also withdraw consent at any time or opt-out of marketing communications by clicking unsubscribe in any email or emailing us. To exercise your rights write to DPO@evolvebpm.com. You have the right to lodge a complaint with your local supervisory authority (e.g. ICO in the UK, CNIL in France, OPC in Canada).
16. Children's Privacy
Our services target business professionals and are not directed to individuals under 16. We do not knowingly collect data from children.
17. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated on this page with a new effective date. Continued use of our services after changes indicates acceptance of the updated policy.
