Privacy
Privacy Policy
Effective date: 6 May 2026. Version 2.1.
In short
You give us your email when you join The Workshop Circle. We use it to send you the monthly letter. We store it with Resend (an EU-based email service) and in our own database. We do not sell, rent, or share it with anyone for marketing. We do not use tracking cookies. We do not run ad pixels or third-party analytics. You can ask us to delete your data at any time by clicking Unsubscribe or by emailing [email protected].
1. Who we are
This site (evervel.com) is operated by Evervel, Unipessoal LDA, a Portuguese single-shareholder limited liability company.
- NIF (tax number): 519 159 462
- Registered office: Lisbon, Portugal
- Privacy contact: [email protected]
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Portuguese Law 58/2019, we are the data controller for the personal data described below. We have not appointed a Data Protection Officer because we are not legally required to. Privacy questions go to [email protected].
2. What we collect, and why
We collect personal data only when you give it to us, or when our infrastructure logs it for security.
2.1 Email address (Workshop Circle)
When you submit the Workshop Circle form, we record your email address along with the date, your IP address, and your browser's user-agent string. We use this to send you the monthly Workshop Circle letter, occasional updates about Evervel's launch, and the welcome email confirming your subscription.
Lawful basis: your consent (Article 6(1)(a) GDPR). You give consent by submitting the form. You can withdraw it at any time by clicking the Unsubscribe link in any email, or by emailing [email protected]. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
2.2 Email correspondence
If you write to [email protected], [email protected], or any other Evervel address, we keep your email and our reply in the relevant inbox.
Lawful basis: our legitimate interest (Article 6(1)(f) GDPR) in handling and documenting communications, balanced against your right to privacy.
2.3 Server and edge logs
Our hosting provider (Cloudflare) and our edge functions record technical metadata for each request: IP address, user-agent, request path, response code, and timestamp. We use these logs to keep the site secure (rate limiting, abuse prevention, debugging).
Lawful basis: our legitimate interest (Article 6(1)(f) GDPR) in operating a secure service.
3. What we do not do
- We do not run analytics that profile visitors (no Google Analytics, no Plausible, no Mixpanel).
- We do not place tracking or advertising cookies. The site sets only the strictly-necessary storage that the browser itself uses for security.
- We do not sell, rent, or license your data.
- We do not "sell" or "share" your personal information within the meaning of the California Consumer Privacy Act (CCPA), the Texas Data Privacy and Security Act (TDPSA), the Connecticut Data Privacy Act (CTDPA), or any other US state privacy law.
- We do not use your data to train AI models or share it with companies that do.
- We do not make automated decisions about you, including profiling, with legal or similarly significant effects.
- Content on the Site is written and reviewed by Evervel personnel. Where AI tools assist drafting, the final text is reviewed and approved before it is published. We do not publish unmodified AI-generated content.
4. Who processes your data on our behalf
We use a small set of technical service providers (processors) that handle parts of the operation under written contracts. Where personal data is transferred outside the European Economic Area, the contracts incorporate the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (controller to processor), with the supplementary technical and organisational measures described in each provider's Data Processing Agreement.
| Provider | Role | Data processed | Where |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, edge functions, KV storage, DNS, edge security | Email (stored in KV), IP, user-agent, request logs | Cloudflare is US-based with global edge infrastructure. EU data residency commitments and ISO/IEC 27701:2019 certification apply. Transfers to the US are covered by SCCs Module Two and the EU-US Data Privacy Framework. DPA · Privacy policy. |
| Resend, Inc. | Transactional email delivery, audience and newsletter management | Email address, email content, delivery metadata (opens, clicks, bounces) | Resend is US-based and its primary processing operations take place in the United States. Sending uses the eu-west-1 region for outbound delivery. Resend operates its own chain of sub-processors (AWS, Vercel, Snowflake, Datadog, Anthropic, and others) listed at resend.com/legal/subprocessors. Transfers to the US and onward to Resend's sub-processors are covered by SCCs Module Two. DPA · Privacy policy. |
These are the only third parties that touch your data. We do not pass it to any other service.
5. International transfers
Your email is processed by infrastructure in both the European Union and the United States. Cloudflare KV holds the primary record under Cloudflare's EU data residency commitments. Resend, Inc. is US-based and processes contact data primarily in the United States, with EU sending infrastructure (eu-west-1) for outbound delivery. Resend's own chain of sub-processors is also US-based.
All transfers of personal data outside the European Economic Area are governed by the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (controller to processor), together with each provider's supplementary technical and organisational measures (encryption in transit and at rest, access controls, audit logging). For Cloudflare, the EU-US Data Privacy Framework applies as an additional safeguard.
6. How long we keep your data
- Workshop Circle email (active subscription): as long as you remain subscribed.
- After unsubscribe: we delete the entry from our database immediately. We keep a record that an unsubscribe occurred (email hash, date) for up to 24 months as proof of consent withdrawal, in line with the Portuguese Data Protection Authority's direct-marketing guideline (CNPD DIRETRIZ/2022/1).
- Resend audience: when you unsubscribe, your contact in Resend is marked as "unsubscribed" rather than deleted, so that future sends automatically skip you. You can ask us to fully delete the Resend record by writing to [email protected]; we will do so within 30 days.
- Email correspondence: as long as the matter is open, plus up to 36 months for our records.
- Server and edge logs: retained by Cloudflare per their default retention (typically up to 30 days).
We process unsubscribe requests within 48 hours, in line with industry standards (RFC 8058 one-click unsubscribe; Gmail and Yahoo bulk-sender requirements 2024).
7. Your rights
If you are in the EEA, the UK, or any other jurisdiction with comparable rules, you have the right to:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your data ("right to be forgotten").
- Restrict our processing of your data.
- Object to processing based on legitimate interest.
- Port your data in a structured, machine-readable format.
- Withdraw consent at any time, without affecting the legality of processing carried out before withdrawal.
- Lodge a complaint with a supervisory authority (see section 12).
To exercise any of these rights, write to [email protected]. We respond within one month, as required by GDPR Article 12. We may ask for proof of identity to make sure we are talking to the right person.
If you are a US resident, you have analogous rights under your state's privacy law, including the California Consumer Privacy Act (CCPA/CPRA), the Texas Data Privacy and Security Act (TDPSA), the Connecticut Data Privacy Act (CTDPA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA). These rights typically include the right to know, delete, correct, and opt out of "sale", "sharing", or targeted-advertising processing of your personal information. We do not engage in any of these processing activities, so the opt-out is satisfied by default. We honor the Global Privacy Control (GPC) signal where it applies. To exercise any state-law right, write to [email protected].
8. Cookies and similar storage
We do not set cookies for tracking, advertising, profiling, or analytics. The Site uses two categories of strictly-necessary storage, both exempt from consent under Article 5(3) of the ePrivacy Directive (2002/58/EC) as transposed into Portuguese law:
- Edge security cookies set by Cloudflare (for example,
__cf_bmfor bot management,cf_clearancefor challenge passthrough). These are issued by our hosting provider, last 30 minutes to a few hours, and exist solely to keep the Site available and free of automated abuse. - Functional browser storage set by Evervel (sessionStorage, localStorage) used for in-page state - for example, to remember that the welcome confirmation card has been shown, or to keep scroll progress smooth. This data stays on your device and is never sent to our server.
The CJEU ruling in Planet49 (Case C-673/17) confirms that these strictly-necessary categories do not require a consent banner. We will publish a separate Cookie Notice and add a consent banner if and when we ever introduce cookies that go beyond strict necessity.
9. Children
Under Portuguese Law 58/2019 (Article 16), the age at which a minor can consent to information society services is 13 - one of the lowest thresholds in the European Union. Below that age, consent must come from the holder of parental responsibility.
The Workshop Circle is not directed to children. Our Terms of Use require subscribers to be at least 16. We do not knowingly collect personal data from anyone under 13. If you are a parent or guardian and you believe your child has signed up, write to [email protected] and we will delete the entry promptly.
10. Security
We protect your data with industry-standard measures: HTTPS for all traffic, encryption at rest with our providers, scoped API keys, environment-based secrets management, and access limited to the minimum necessary personnel. No system is perfectly secure, and we cannot guarantee that. If we ever discover a personal data breach that is likely to result in a risk to your rights, we will notify you and the supervisory authority within 72 hours, as required by GDPR Article 33-34.
11. Changes to this policy
If we update this policy, we will publish the new version on this page and update the effective date and version number above. Material changes that affect how we use existing subscribers' data will be communicated in a Workshop Circle email before they take effect.
12. Contact and complaints
For any privacy question, write to:
Evervel, Unipessoal LDA
NIF 519 159 462
Lisbon, Portugal
[email protected]
You also have the right to lodge a complaint with your local data-protection supervisory authority. In Portugal, this is the:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa
+351 21 392 84 00
[email protected] · cnpd.pt
If you live elsewhere in the EEA, your local DPA can also accept the complaint. UK residents may complain to the Information Commissioner's Office (ico.org.uk).