This Privacy Policy describes how Toussi Investment & Innovation SAS collects, uses, and protects information in connection with the Evidence Mastery website and its EvidenceAi™ Suite of AI-powered tools.
This Privacy Policy applies to all users of the Evidence Mastery website (evidencemastery.com) and its associated EvidenceAi™ Suite tools, regardless of the country from which they access the services.
Toussi Investment & Innovation SAS is a company registered in France and is therefore subject to:
Where French law provides additional rights or stricter protections beyond the GDPR minimum, those apply to users in France and, where relevant, to all users of this French-registered controller.
When you contact us via the contact form or by email, we collect:
When you create an account on the Platform, we collect your email address, a hashed password, and your registration date. If you are associated with an enterprise domain, we record the domain affiliation.
When you purchase Credits or Digital Learning Products (masterclasses, audio courses, or electronic books) via Stripe, payment processing is handled entirely by Stripe. We do not receive or store your full card number; we only receive a Stripe customer ID, payment confirmation status, transaction metadata, and the identity of the product purchased, for the purpose of crediting your account or granting access to the purchased content.
When you join the masterclass waitlist or a book notification list, we collect your email address and submission date.
Our server and hosting provider (FastComet) may automatically log:
These server logs are retained by FastComet for security and operational purposes in accordance with their own privacy policy.
When you use any EvidenceAi™ tool without a registered account, the Platform issues a randomly generated anonymous session token stored in an HTTP cookie named em_anon_[hash] in your browser. This cookie:
HttpOnly and SameSite=Lax for security
The daily quota associated with your token (a counter and a date) is stored server-side in our database and resets automatically at midnight UTC. We cannot identify you personally from this token. Clearing your browser cookies resets your anonymous session.
When you log in to your account, the Platform creates a PHP session identified by a session cookie (em_suite in production, em_dev in the development environment). This cookie contains only your session identifier, which is used to maintain your authenticated state. It is a session cookie and expires when you close your browser or after a period of inactivity.
The following EvidenceAi™ Suite modules are currently active on the Platform and may process content you submit:
Core principle: The Platform does not store, retain, log, or transmit your uploaded document or its contents to any party other than the Anthropic API for the purpose of generating your requested output. Your content is processed in server memory and permanently discarded immediately after the response is returned to your browser.
When you upload a document or enter text into any EvidenceAi™ module, the following occurs:
All AI generation within the EvidenceAi™ Suite is performed via the Anthropic API (Anthropic PBC, San Francisco, CA, USA). By submitting content to any module, you acknowledge that your input text is transmitted to Anthropic for processing. Anthropic’s processing is governed by their own Privacy Policy and API Terms of Service, available at anthropic.com/privacy. Under Anthropic’s business API terms, inputs and outputs are not used for model training by default.
Recommendation: Do not submit documents containing real patient personal data, identifiable health information, or Special Category data as defined under GDPR Article 9 (e.g. medical records, clinical trial patient data). All submitted content should be de-identified or consist solely of scientific, methodological, or aggregate-level information.
The Appraise Ai™ module verifies bibliographic references against the CrossRef database (Crossref, a not-for-profit membership organisation). Reference citation strings are sent to the CrossRef public API for matching. No personal data is transmitted to CrossRef — only bibliographic citation text.
Under GDPR Article 6, we rely on the following legal bases for processing personal data:
We use the personal data we collect exclusively for the following purposes:
We do not use your personal data for automated decision-making or profiling as defined in GDPR Article 22. We do not sell, rent, or share your personal data with third parties for marketing purposes. The Platform does not display advertising and no third-party advertising networks have access to any data from this Platform.
The Evidence Mastery website is hosted by FastComet, Inc., a web hosting provider operating data centres in multiple locations. Your access to our website may result in your IP address being processed by FastComet infrastructure. FastComet’s privacy practices are governed by their own Data Processing Agreement and Privacy Policy.
Credit purchases are processed by Stripe, Inc. (San Francisco, CA, USA). Stripe is a certified PCI-DSS Level 1 payment processor. We do not receive or store your full card number. Your payment data is governed by Stripe’s Privacy Policy. Stripe processes data under Standard Contractual Clauses for transfers from the EEA to the USA.
When you use any EvidenceAi™ module, document text is transferred to Anthropic PBC in the United States. This constitutes a transfer of data to a third country under GDPR Chapter V. We rely on Standard Contractual Clauses (SCCs) as the transfer mechanism, consistent with Anthropic’s API Terms and the European Commission’s framework for international transfers. You are informed of this transfer before submitting any content, and your use of the module constitutes informed acknowledgement of this processing.
CrossRef servers may be located outside the EEA. The data transmitted to CrossRef consists solely of bibliographic citation strings — no personal data — and therefore falls outside the scope of GDPR personal data transfer restrictions.
| Data Category | Retention Period |
|---|---|
| AI module submitted content | Zero retention. Processed in server memory and discarded immediately after each request. Never written to disk. |
| Registered account data | Retained for the duration of your account plus 3 years following account closure, in accordance with French civil law prescription periods (Art. 2224 Civil Code). |
| Credit purchase and transaction records | Retained for 10 years as required by French commercial law (Art. L123-22 Code de Commerce) and tax regulations. |
| Digital Learning Product purchase records | Retained for 10 years as required by French commercial law (Art. L123-22 Code de Commerce) and tax regulations. |
| Course access and progress records | Retained for the duration of your Account plus 3 years following account closure, in accordance with French civil law prescription periods (Art. 2224 Civil Code). Retained to support licence verification, account reactivation, and post-purchase support. |
| Contact form submissions and email correspondence | Retained for 3 years from the date of last contact, in accordance with applicable French prescription periods. |
| Waitlist and notification email addresses | Retained until the relevant product is launched and you have been notified, or until you request deletion, whichever occurs first. |
| Anonymous session tokens (em_anon_ cookie) | Cookie: 30-day browser expiry. Server-side quota record: reset daily at midnight UTC. No cumulative personal data is retained. |
| Registered session cookies (em_suite) | Session cookie: expires on browser close or inactivity timeout. No persistent personal data stored in the cookie itself. |
| Server access logs | Retained by FastComet for up to 12 months for security and operational purposes, in line with CNIL guidance on log retention. |
Under the GDPR (Articles 15–22), you have the following rights with respect to personal data we hold about you:
To exercise any of these rights, please contact us at contact@evidencemastery.com. We will respond within one month of receipt as required by GDPR Article 12(3).
You have the right to give us instructions regarding the storage, deletion, and communication of your personal data after your death (directives anticipées relatives au sort des données à caractère personnel). These instructions may be general or specific. In the absence of such instructions, your heirs may exercise your rights under Article 85 of the Loi Informatique et Libertés.
As a French company, our data processing activities fall under the supervision of the Commission Nationale de l’Informatique et des Libertés (CNIL). If you believe your rights have not been respected, you have the right to lodge a complaint:
In compliance with Article 47 of the Loi Informatique et Libertés, no decision producing legal effects concerning you is made solely on the basis of automated processing. Our AI tools generate professional outputs but do not make decisions about individuals.
In accordance with Article 121 of the Loi Informatique et Libertés, we implement technical and organisational measures proportionate to the nature of the data and the risks involved, to preserve the security of personal data and prevent it from being distorted, damaged, or accessed by unauthorised third parties.
The Evidence Mastery website does not use advertising cookies, tracking cookies, or third-party analytics cookies.
The following cookies and technologies are used:
em_anon_[hash]: An HTTP cookie containing a random cryptographic token, issued to anonymous users to enforce daily usage quotas. Contains no personal data. 30-day expiry. HttpOnly. See Section 2.3 for full details.
em_suite / em_dev: A PHP session cookie containing only a session identifier, used to maintain your authenticated state between page loads. Expires on browser close or inactivity. No personal data stored in the cookie itself; session data is stored server-side.
This website loads fonts from Google Fonts (fonts.googleapis.com). When your browser requests a font, your IP address is transmitted to Google’s servers. Google’s Privacy Policy applies to this interaction. If you prefer to avoid this, you may use a browser extension that blocks Google Fonts requests.
The Learn page embeds YouTube video playlists. YouTube (operated by Google LLC) may set cookies when you interact with the embedded player, subject to Google’s Privacy Policy. You may block YouTube cookies through your browser settings or a cookie management extension.
FastComet, our hosting provider, maintains standard server access logs (IP address, page requested, time, user agent) for security and operational purposes. These are not cookies and are not used for advertising or tracking.
In accordance with CNIL guidance (Délibération n°2020-091 du 17 septembre 2020) and Article 82 of the Loi Informatique et Libertés, we do not require your consent for strictly necessary technical operations (session management, quota enforcement). Optional third-party elements (YouTube) may be controlled through your browser settings.
The Evidence Mastery website and its tools are intended for use by adults and qualified healthcare or scientific professionals. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have inadvertently collected personal data from a minor under 16 without appropriate parental consent, we will delete that information promptly.
Under French law (Article 45 of the Loi Informatique et Libertés, implementing GDPR Article 8), the age of consent for information society services in France is 15 years. For users between 15 and 18, parental authorisation is not required but is recommended.
We may update this Privacy Policy from time to time to reflect changes in our practices, the tools we offer, or applicable law. The “Last updated” date at the top of this page indicates when the most recent revisions were made.
Where changes are material, we will take reasonable steps to notify users — for example, by displaying a notice on the Platform dashboard or by email to registered users. Continued use of the website or tools after changes to this policy constitutes acceptance of those changes.
For any questions about this Privacy Policy, to exercise your GDPR rights, or to raise a concern about how your data is handled, please contact us:
If you are not satisfied with our response, you have the right to lodge a complaint with: