GDPR Compliant by Design

GDPR Compliance

At UnnaData, we do not simply comply with the General Data Protection Regulation — we champion it. As a platform purpose-built to help organisations achieve and maintain GDPR compliance, we hold ourselves to the highest possible standard of data protection.

Last updated: March 2026

Table of Contents

  1. Our Commitment to GDPR
  2. Data Controller Information
  3. Lawful Basis for Processing
  4. Your Rights as a Data Subject
  5. Data We Process
  6. Data Protection Measures
  7. Sub-Processors
  8. International Data Transfers
  9. Data Retention
  10. Data Breach Procedures
  11. Data Protection Impact Assessments
  12. Children's Data
  13. Supervisory Authority
  14. Contact Our DPO

1. Our Commitment to GDPR

UnnaData was built from the ground up with the General Data Protection Regulation (EU) 2016/679 at its core. Privacy and data protection are not afterthoughts retrofitted into our product — they are foundational principles woven into every architectural decision, every line of code, and every business process we operate.

We believe that a company whose mission is to help others achieve GDPR compliance must itself be the gold standard of data protection practice. This is not merely a legal obligation for us; it is a matter of professional integrity. Our customers trust us with their most sensitive compliance data, and we honour that trust through rigorous, transparent, and continuously improving data protection measures.

Our commitment to GDPR compliance is reflected in the following principles:

  • Privacy by design and by default — We embed data protection into the design of our systems and business practices from the earliest stages of development. We process only the minimum amount of personal data necessary for each specific purpose, and default settings always favour the most privacy-protective option.
  • Transparency — We provide clear, accessible, and honest information about how we collect, use, store, and share personal data. We never hide behind legal jargon or obscure practices.
  • Accountability — We maintain comprehensive records of all processing activities, conduct regular audits, and can demonstrate our compliance to any data subject, customer, or supervisory authority at any time.
  • Continuous improvement — Data protection is not a one-time exercise. We continuously monitor regulatory developments, reassess our practices, and invest in improving our privacy posture.
  • Proportionality — We ensure that every data processing activity is proportionate to its purpose and that we never collect or retain more data than is strictly necessary.

2. Data Controller Information

For the purposes of the GDPR and applicable data protection legislation, the data controller is:

UnnaData

Email: info@unnadata.com

Website: www.unnadata.com

Our designated Data Protection Officer (DPO) is responsible for overseeing our data protection strategy and ensuring compliance with GDPR requirements. The DPO can be contacted directly at:

Data Protection Officer

Email: dpo@unnadata.com

We encourage you to contact our DPO with any questions, concerns, or requests relating to the processing of your personal data or your rights under data protection law. We are committed to responding to all enquiries promptly and thoroughly.

3. Lawful Basis for Processing

Under Article 6 of the GDPR, every processing activity must be grounded in a lawful basis. We rely on the following legal bases, and we carefully assess which basis applies to each category of processing before any data is collected or used:

3.1 Performance of a Contract (Article 6(1)(b))

We process personal data where it is necessary for the performance of our contract with you — that is, to provide the UnnaData platform and its associated services. This includes:

  • Creating and managing your user account (name, email address, authentication credentials)
  • Associating your account with your organisation and managing role-based access
  • Processing and storing documents you upload for compliance analysis
  • Facilitating AI-powered chat interactions for compliance guidance and document generation
  • Managing projects, sessions, and templates within your workspace
  • Processing payments and managing your subscription
  • Providing technical support and resolving service-related issues

3.2 Legitimate Interests (Article 6(1)(f))

We process certain personal data where it is necessary for our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. We conduct a Legitimate Interests Assessment (LIA) for each activity relying on this basis. Our legitimate interests include:

  • Security and fraud prevention — Monitoring for unauthorised access, detecting anomalous behaviour, and protecting the platform and its users from security threats, abuse, and fraudulent activity
  • Service reliability and performance — Logging API requests, tracking error rates, and monitoring system health to ensure the platform remains available, performant, and reliable
  • Product improvement — Analysing aggregated, anonymised usage patterns to understand how our platform is used and to identify opportunities for improvement, new features, and better user experiences
  • Business administration — Managing our internal operations, maintaining financial records, and ensuring the effective management of customer relationships

You have the right to object to processing based on legitimate interests at any time. If you do, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

3.3 Consent (Article 6(1)(a))

For certain processing activities, we rely on your freely given, specific, informed, and unambiguous consent. Consent is always optional and can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal. We rely on consent for:

  • Marketing communications — Sending newsletters, product updates, industry insights, and promotional materials via email
  • Optional analytics — Collecting detailed usage analytics beyond what is strictly necessary for service provision, where such analytics are used for feature prioritisation and user experience research
  • Third-party integrations — Sharing data with third-party services that you choose to connect to your account beyond those necessary for core platform functionality

You can manage your consent preferences at any time through your account settings or by contacting us at privacy@unnadata.com.

3.4 Legal Obligation (Article 6(1)(c))

We process personal data where it is necessary to comply with legal obligations to which we are subject. This includes:

  • Tax and accounting records — Retaining invoicing and payment data as required by applicable tax legislation
  • Regulatory requirements — Responding to lawful requests from supervisory authorities, law enforcement, or courts of competent jurisdiction
  • Audit trails — Maintaining records of data processing activities as required by Article 30 of the GDPR
  • Data breach notification — Processing data necessary to fulfil our obligations to notify supervisory authorities and affected data subjects in the event of a personal data breach

4. Your Rights as a Data Subject

The GDPR grants you a comprehensive set of rights over your personal data. We are committed to facilitating the exercise of these rights in a timely, transparent, and straightforward manner. You do not need to justify your request, and exercising any right will never result in penalty or disadvantage.

4.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to receive a copy of that data together with key information about the processing. This includes the purposes of processing, the categories of data concerned, the recipients to whom data has been disclosed, the envisaged retention period, and the existence of any automated decision-making. We will provide this information in a structured, commonly used, and machine-readable format upon request.

4.2 Right to Rectification (Article 16)

You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data. If you believe any information we hold about you is incorrect or out of date, you can update most account details directly through the platform or contact us for assistance. We will rectify inaccuracies without undue delay.

4.3 Right to Erasure (Article 17)

You have the right to request the deletion of your personal data in certain circumstances, including where the data is no longer necessary for its original purpose, where you withdraw consent, where you object to processing and there are no overriding legitimate grounds, or where the data has been unlawfully processed. Upon receiving a valid erasure request, we will delete your data from all active systems and instruct our sub-processors to do the same. Please note that we may need to retain certain data to comply with legal obligations or to establish, exercise, or defend legal claims.

4.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain situations, such as while we verify the accuracy of contested data, when you have objected to processing pending verification of legitimate grounds, when processing is unlawful but you prefer restriction over erasure, or when we no longer need the data but you require it for legal claims. When processing is restricted, we will store the data but will not process it further without your consent, except for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another person.

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. This right applies to data you have provided to us, where the processing is based on consent or contract and is carried out by automated means. We support data export in standard formats (JSON, CSV) and can facilitate direct transmission to another controller where technically feasible.

4.6 Right to Object (Article 21)

You have the right to object at any time to the processing of your personal data based on legitimate interests, including profiling. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. Where personal data is processed for direct marketing, you have an absolute right to object, and we will cease processing for that purpose immediately and without exception.

4.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. UnnaData does not currently engage in solely automated decision-making that produces legal or similarly significant effects. Our AI-powered compliance analysis is designed as a decision-support tool that provides guidance and suggestions — it does not make binding decisions on behalf of users. All AI-generated outputs are presented as recommendations that require human review and judgement.

Exercising Your Rights

To exercise any of these rights, please contact our Data Protection Officer:

Email: dpo@unnadata.com

Alternative: privacy@unnadata.com

We will acknowledge your request within 48 hours and provide a substantive response within 30 calendar days of receipt. In cases of particularly complex or numerous requests, we may extend this period by a further 60 days, in which case we will inform you of the extension and the reasons for it within the initial 30-day period. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request, with justification.

To protect your data, we may need to verify your identity before processing your request. We will aim to do so using the least intrusive method available.

5. Data We Process

We are committed to data minimisation and process only the personal data that is strictly necessary for the purposes described in this notice. Below is a comprehensive overview of the categories of data we process:

5.1 Account Data

When you create an account and use our platform, we process:

  • Full name and display name
  • Email address
  • Company name and organisational details
  • Profile avatar (if provided via OAuth)
  • User role within your organisation (e.g., Admin, DPO, Viewer)
  • OAuth provider and associated identifiers (we do not store OAuth provider passwords)
  • Account creation and last login timestamps

5.2 Document Data

When you upload documents for compliance analysis, we process:

  • Document file content (privacy policies, DPIAs, records of processing activities, contracts, and other compliance documentation)
  • Document metadata (filename, file type, file size, upload date)
  • Document classifications (compliance category, scope, tags)
  • Document descriptions provided by users

Documents may contain personal data relating to third parties (e.g., names of data subjects mentioned in DPIAs). In this capacity, you remain the data controller for such third-party data, and we act as your data processor in accordance with Article 28 of the GDPR.

5.3 AI Interaction Data

When you use our AI-powered compliance assistant, we process:

  • Chat messages and prompts you submit
  • AI-generated responses and compliance guidance
  • Session metadata (creation time, associated project)
  • References to documents included in chat context
  • Token usage statistics (input and output token counts, associated costs)

AI interactions are processed using Anthropic's Claude API. We transmit only the content necessary for generating responses, and our agreement with Anthropic ensures that your data is not used to train their models.

5.4 Usage Data

To maintain and improve our service, we collect:

  • Features accessed and actions performed within the platform
  • Session duration and frequency of use
  • Error occurrences and diagnostic information
  • API request logs (method, endpoint, response time, status code)

5.5 Technical Data

When you access our platform, your device automatically transmits certain technical data:

  • IP address
  • Browser type and version
  • Operating system and device type
  • Screen resolution and language preference
  • Referring URL

We minimise the collection of technical data and do not use it to identify or profile individual users beyond what is necessary for security and service operation.

5.6 Payment Data

Subscription and payment processing is handled by Stripe. We store:

  • Subscription plan and status
  • Invoice amounts and dates
  • Stripe customer and subscription identifiers

We do not store credit card numbers, CVVs, or full payment card details. All sensitive payment data is processed and stored exclusively by Stripe in accordance with PCI DSS standards.

6. Data Protection Measures

We implement comprehensive technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Our security posture is continuously assessed and improved.

6.1 Encryption

  • In transit — All data transmitted between your browser or device and our servers is encrypted using TLS 1.3 (Transport Layer Security). We enforce HTTPS across all endpoints and use HSTS headers to prevent downgrade attacks.
  • At rest — All stored data, including database records, uploaded documents, and backups, is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys) via AWS server-side encryption.
  • Secrets management — Encryption keys, API credentials, and other secrets are managed through secure key management practices and are never stored in source code.

6.2 Access Controls and Authentication

  • Authentication via established OAuth 2.0 providers (Google, Microsoft, GitHub, Apple) — we never handle or store user passwords
  • JWT (JSON Web Token) based session management with short-lived access tokens and secure refresh token rotation
  • Role-based access control (RBAC) ensuring users can only access data within their organisation and in accordance with their assigned role
  • Principle of least privilege applied across all internal systems and employee access
  • Comprehensive audit logging of all authentication events and data access

6.3 Infrastructure Security

  • Hosted on Amazon Web Services (AWS) in the EU (eu-west-1, Ireland) — a cloud provider that maintains SOC 2, ISO 27001, and other internationally recognised security certifications
  • Network security controls including VPC isolation, security groups, and restricted ingress
  • Regular security patching and updates for all server software and dependencies
  • Automated monitoring and alerting for security events and anomalous activity

6.4 Organisational Measures

  • Data protection training for all team members, conducted upon onboarding and refreshed regularly
  • Confidentiality agreements with all employees and contractors who have access to personal data
  • Regular internal reviews of data processing activities and security measures
  • Documented security policies and procedures covering data handling, incident response, access management, and secure development
  • Vendor risk assessments conducted before engaging any new sub-processor

6.5 Secure Development Practices

  • Security-conscious software development lifecycle (SDLC) with code reviews and testing
  • Input validation and output encoding to prevent injection attacks
  • Dependency scanning for known vulnerabilities
  • Separation of development, testing, and production environments

6.6 Incident Response

We maintain a documented incident response plan that is tested and updated regularly. Our incident response procedures are designed to ensure rapid detection, containment, and remediation of security incidents. See Section 10 for details on our data breach notification procedures.

7. Sub-Processors

We engage a carefully selected and regularly reviewed set of sub-processors to help deliver our services. Each sub-processor has been assessed for GDPR compliance, and we have entered into Data Processing Agreements (DPAs) with each one that include the contractual clauses required by Article 28 of the GDPR.

| Sub-Processor | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, and database hosting | EU (eu-west-1, Ireland) | DPA, SOC 2, ISO 27001, C5 |
| Anthropic | AI language model processing (Claude) for compliance analysis and chat functionality | United States | DPA, SCCs, zero data retention for API usage |
| Stripe | Payment processing, subscription management, and invoicing | EU / United States | DPA, PCI DSS Level 1, SOC 2, SCCs |
| Google (OAuth) | Authentication provider: user identity verification | EU / United States | DPA, ISO 27001, SOC 2, SCCs |
| Microsoft (OAuth) | Authentication provider: user identity verification | EU / United States | DPA, ISO 27001, SOC 2, SCCs |
| GitHub (OAuth) | Authentication provider: user identity verification | United States | DPA, SOC 2, SCCs |
| Apple (OAuth) | Authentication provider: user identity verification | EU / United States | DPA, ISO 27001, SCCs |

We will notify you of any intended changes to our sub-processors, giving you the opportunity to object before such changes take effect. A current list of sub-processors is always available on this page.

8. International Data Transfers

Our primary infrastructure is hosted within the European Union (AWS eu-west-1, Ireland), ensuring that the majority of your data is processed and stored within the EU/EEA at all times.

However, certain processing activities involve the transfer of personal data to countries outside the EU/EEA, specifically the United States (for Anthropic AI processing and certain OAuth authentication services). For all such transfers, we ensure an adequate level of data protection through the following mechanisms:

  • EU-U.S. Data Privacy Framework — Where our sub-processors are certified under the EU-U.S. Data Privacy Framework, we rely on this adequacy decision as the basis for transfer.
  • Standard Contractual Clauses (SCCs) — We execute the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with all sub-processors that process data outside the EU/EEA, supplemented by additional technical and organisational measures where necessary.
  • Transfer Impact Assessments — We conduct Transfer Impact Assessments (TIAs) for each international transfer to evaluate the data protection landscape of the recipient country and confirm that the SCCs, together with any supplementary measures, provide an essentially equivalent level of protection.
  • Data minimisation — For AI processing, we transmit only the minimum data necessary for generating responses and do not transfer entire datasets internationally.

We continuously monitor legal and regulatory developments regarding international data transfers, including decisions by the Court of Justice of the European Union (CJEU), and will promptly adjust our transfer mechanisms if required.

9. Data Retention

We retain personal data only for as long as it is necessary for the purposes for which it was collected, or as required by applicable law. We have established specific retention periods for each category of data, reviewed annually:

| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Contract performance; erasure upon request |
| Uploaded documents | Duration of account; deleted upon account closure or individual document deletion | Contract performance |
| AI interaction data (chat history) | Duration of account; individual sessions can be deleted at any time by the user | Contract performance |
| Usage and technical data | 12 months from collection, then aggregated and anonymised | Legitimate interest |
| Payment and invoice data | 7 years from the date of the transaction | Legal obligation (tax and accounting law) |
| Audit logs | 24 months from creation | Legitimate interest; legal obligation |
| Marketing consent records | Duration of consent + 3 years after withdrawal (for proof of consent) | Legal obligation; legitimate interest |
| Support correspondence | 24 months from resolution | Legitimate interest |

Deletion Procedures

When personal data reaches the end of its retention period, or when an erasure request is received and validated, we follow a structured deletion process:

  1. Identification — All instances of the data across our systems (primary databases, backups, caches, and sub-processor systems) are identified.
  2. Deletion from active systems — Data is permanently removed from all primary databases and active storage within 30 days of the retention period expiring or the erasure request being validated.
  3. Deletion from backups — Data in backup systems is purged as backup cycles rotate, typically within 90 days. During this period, restored backups will have the deleted data re-purged.
  4. Sub-processor notification — All relevant sub-processors are instructed to delete the data in accordance with our DPAs.
  5. Verification — Deletion is verified and logged for accountability purposes.

10. Data Breach Procedures

Despite our robust security measures, we recognise that no system is completely immune to security incidents. We have therefore established comprehensive data breach detection, assessment, and notification procedures that meet and exceed the requirements of Articles 33 and 34 of the GDPR.

10.1 Detection and Assessment

Our breach detection capabilities include continuous system monitoring, automated alerting, and established reporting channels for employees and contractors. Upon detecting a potential breach, we immediately:

  1. Activate our incident response team
  2. Contain the breach to prevent further data exposure
  3. Assess the scope, nature, and severity of the incident
  4. Determine the categories and approximate number of data subjects affected
  5. Evaluate the likely consequences for affected data subjects

10.2 Notification to the Supervisory Authority

Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. The notification will include:

  • The nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of our Data Protection Officer
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

10.3 Notification to Data Subjects

Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, we will notify the affected individuals directly and without undue delay, as required by Article 34 of the GDPR. The notification will be communicated in clear and plain language and will include:

  • A description of the nature of the breach
  • The contact details of our Data Protection Officer
  • A description of the likely consequences
  • Specific, actionable steps the data subject can take to protect themselves
  • A description of the measures we have taken in response

10.4 Documentation

All breaches, regardless of whether notification is required, are fully documented in our breach register. This register records the facts of the breach, its effects, and the remedial actions taken. This documentation is maintained for a minimum of five years and is available for review by supervisory authorities.

10.5 Customer Notification

Where UnnaData acts as a data processor on behalf of our customers (e.g., for documents uploaded by customers that contain third-party personal data), we will notify the affected customer (as data controller) without undue delay upon becoming aware of a breach, enabling them to fulfil their own notification obligations.

11. Data Protection Impact Assessments

In accordance with Article 35 of the GDPR, we conduct Data Protection Impact Assessments (DPIAs) before commencing any processing activity that is likely to result in a high risk to the rights and freedoms of data subjects. We also proactively conduct DPIAs for any significant new feature, system, or processing activity, even where not strictly mandated.

When We Conduct DPIAs

  • When introducing new types of data processing, particularly those involving new technologies
  • When processing involves systematic and extensive profiling or automated decision-making
  • When processing personal data on a large scale, especially sensitive categories
  • When integrating new sub-processors or third-party services
  • When significantly changing existing processing activities
  • When processing data for AI model interactions (particularly regarding the content of user queries and documents)

Our DPIA Methodology

Our DPIA process follows a structured methodology:

  1. Description — A systematic description of the processing activity, its purposes, the data involved, and the legitimate interests where applicable
  2. Necessity and proportionality — An assessment of whether the processing is necessary and proportionate in relation to its purpose
  3. Risk assessment — An evaluation of the risks to the rights and freedoms of data subjects, considering both the likelihood and severity of potential impacts
  4. Mitigation measures — Identification of measures to address and reduce the identified risks to an acceptable level
  5. DPO consultation — Review and sign-off by our Data Protection Officer
  6. Ongoing review — DPIAs are treated as living documents and are revisited whenever the processing activity changes or new risks emerge

Where a DPIA indicates that processing would result in a high risk that cannot be sufficiently mitigated, we will consult the relevant supervisory authority before proceeding, as required by Article 36 of the GDPR.

12. Children's Data

UnnaData is a professional compliance platform designed for use by organisations and their authorised personnel. Our services are not directed at children under the age of 16, and we do not knowingly collect or process personal data from children.

Our platform requires authentication through enterprise OAuth providers, and account creation is restricted to individuals acting in a professional capacity within their organisation. These measures serve as safeguards against the inadvertent collection of children's data.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete such data from our systems and notify the relevant supervisory authority if required. If you believe that a child has provided us with personal data, please contact our DPO immediately at dpo@unnadata.com.

13. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority. You may do so in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.

We would always appreciate the opportunity to address your concerns directly before you approach a supervisory authority. Our DPO is available at dpo@unnadata.com to discuss and resolve any issues.

A directory of EU/EEA supervisory authorities is maintained by the European Data Protection Board (EDPB) at edpb.europa.eu.

14. Contact Our DPO

We welcome any questions, comments, or concerns about our data protection practices. Our Data Protection Officer is available to assist you with any matter related to the processing of your personal data or the exercise of your rights under the GDPR.

Data Protection Officer

Email: dpo@unnadata.com

General privacy enquiries: privacy@unnadata.com

We aim to acknowledge all enquiries within 48 hours and provide a full response within 30 calendar days. For urgent matters relating to data breaches or security concerns, please mark your email as urgent and we will prioritise your request accordingly.

Changes to This Page

We may update this GDPR compliance page from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make material changes, we will notify you through the platform and update the "Last updated" date at the top of this page. We encourage you to review this page periodically to stay informed about how we protect your data.

© 2025-2026 UnnaData. All rights reserved.