EverWellAI — Records of Processing Activities (RoPA)

Version: 1.0 | Date: 27 October 2025

Owner: Privacy Lead / DPO (if appointed)

Review: Quarterly or on material change

Part A — Public-Facing RoPA Summary (for Website)

Who we are

EverWellAI Ltd (Company No. 16701230). Contact: privacy@everwellai.co.uk. If a DPO is appointed, details will be published here.

What we do (purposes)

We provide an AI-assisted service that records staff supervision sessions, transcribes audio (ASR) and helps generate structured supervision documentation. We also operate our platform (accounts, authentication, security logging) and provide support.

Our role

For supervision content we act as a Processor for our customers (Controllers). For account/admin data and our site/support we act as a Controller.

Data we process (categories)

Audio and transcripts; names, roles, scheduling/case metadata; opinions/notes. Content may reference third parties (including children) and may include special category data (e.g., health, trade union membership).

Where processing happens

We prioritise UK/EU data residency: AssemblyAI (EU endpoint) for transcription; Mistral (EU) for LLM structuring; hosting in Railway EU; auth/DB in Supabase Frankfurt; orchestration in n8n EU.

Sharing (processors/sub-processors)

Hosting/PaaS; auth/database/storage; workflow automation; ASR; email/docs. We sign Article 28 DPAs and keep an up-to-date list for customers.

International transfers

If a transfer occurs, we use SCCs + UK Addendum (or IDTA) and supplementary measures, and we maintain TIAs.

Retention

Raw audio only until transcription is verified (≤14–30 days). Transcripts/outputs per the customer’s policy, with configuration and secure deletion. Shorter defaults where content references children.

Children’s data

Minimisation/redaction; need-to-know access; shorter retention; Article 14 transparency for indirect collection.

Security (overview)

Encryption in transit/at rest; MFA/SSO; least-privilege; logging/monitoring; secure development; vendor assurance (e.g., SOC/ISO).

Your rights

Access/rectification/erasure/restriction/objection/portability where applicable. For supervision content, please contact your employer (Controller). You may also contact us: privacy@everwellai.co.uk.