Last updated: March 2026
UnnaData ("we", "us", or "our") is an AI-powered GDPR compliance and privacy management platform designed to help Data Protection Officers and organisations manage their data protection obligations. We are committed to protecting your personal data and respecting your privacy.
This Privacy Policy explains how we collect, use, store, and share your personal data when you use our platform at app.unnadata.com, our website at www.unnadata.com, and any related services (collectively, the "Service"). As a company that helps others achieve GDPR compliance, we hold ourselves to the highest standards of data protection practice.
UnnaData is operated from the European Union and is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data protection legislation. By using our Service, you acknowledge that you have read and understood this Privacy Policy.
When you create an account, we collect the following personal data through your chosen OAuth provider (Google, Microsoft, GitHub, or Apple):
We do not collect or store passwords. All authentication is handled through third-party OAuth providers.
When you set up your organisation within UnnaData, we collect:
To provide our compliance and privacy management services, we process documents and content you upload or create within the platform:
When you use our AI assistant feature, we process:
We automatically collect certain technical information when you use the Service:
If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store:
We use your personal data to provide and maintain the Service, including:
When you use the AI assistant, your messages and selected document context are sent to our AI provider (Anthropic) for processing. The AI generates responses to help you with GDPR compliance tasks, document analysis, and privacy management. We use AI interaction data to:
We do not use your documents or AI conversations to train AI models. Your data is processed solely to generate responses within your sessions.
We use technical and usage data to:
We may use your email address to:
We do not send marketing emails without your explicit consent. You can opt out of non-essential communications at any time.
We process your personal data on the following legal bases:
Processing your account data, documents, and AI interactions is necessary to perform our contract with you -- namely, to provide the UnnaData platform and the services you have signed up for. This includes authentication, document storage and management, AI assistant functionality, and billing.
We rely on legitimate interests for:
We have conducted a balancing test and concluded that these interests do not override your fundamental rights and freedoms, particularly given the security-enhancing nature of the processing.
Where required, we obtain your explicit consent before processing. This applies to:
You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
We may process certain data to comply with legal obligations, such as tax and accounting requirements related to billing, or in response to lawful requests from public authorities.
We do not sell your personal data. We share data only with the following categories of third-party processors, all of whom are bound by data processing agreements:
Our platform is hosted on AWS infrastructure in the EU (eu-west-1 region, Ireland). AWS provides compute, storage (including S3 for document storage), and content delivery services. AWS acts as a data processor under our instructions and maintains comprehensive security certifications including ISO 27001, SOC 2, and GDPR compliance.
When you use the AI assistant, your messages and selected document context are sent to Anthropic's Claude API for processing. Anthropic processes this data solely to generate responses and does not use your data to train its models. We have a data processing agreement with Anthropic that governs the handling of personal data. We use the minimum data necessary for each AI interaction and do not send your entire document library -- only the specific documents you select for a given conversation.
Stripe handles all payment processing for paid subscriptions. When you subscribe to a paid plan, Stripe collects and processes your payment details directly. Stripe is certified as a PCI Level 1 Service Provider and acts as an independent data controller for payment data. Please refer to Stripe's Privacy Policy for details on how they handle your payment information.
We use OAuth 2.0 for authentication through Google, Microsoft, GitHub, and Apple. When you sign in, these providers share limited profile information with us (as described in Section 2.1). Each provider operates as an independent data controller. We encourage you to review each provider's privacy policy for details on their data practices.
We use AWS CloudFront as a content delivery network (CDN) to serve our web application efficiently. This may involve processing your IP address and request headers to route content from the nearest edge location.
UnnaData is based in the European Union, and our primary infrastructure is hosted in the AWS eu-west-1 region (Ireland). We are committed to keeping your data within the European Economic Area (EEA) wherever possible.
Where data transfers outside the EEA are necessary (for example, when using Anthropic's AI services based in the United States), we ensure that appropriate safeguards are in place:
You may request a copy of the safeguards we have in place by contacting us at privacy@unnadata.com.
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.
Your account information is retained for the duration of your active account. If you request account deletion, we will erase your personal data within 30 days, except where retention is required for legal obligations (e.g., billing records).
Documents and project data are retained for as long as your account is active. When you delete a document, it is soft-deleted (made inaccessible) immediately and permanently erased from our storage within 30 days. When your account is deleted, all associated documents are permanently removed.
Chat session history is retained for the duration of your account to allow you to reference past conversations. AI interactions are not retained by our AI provider (Anthropic) beyond the processing window needed to generate a response.
API request logs, error logs, and security-related logs are retained for a maximum of 90 days, after which they are automatically purged. Aggregated, anonymised analytics derived from these logs may be retained longer.
Invoice and subscription records are retained for 7 years after the end of the relevant billing period, as required by applicable tax and accounting legislation.
As a data subject under GDPR, you have the following rights. We are committed to making these rights easy to exercise:
You have the right to obtain confirmation of whether we process your personal data and to access a copy of that data. You can view and export much of your data directly within the platform. For a comprehensive data access request, contact us at privacy@unnadata.com.
You have the right to correct inaccurate personal data. You can update your profile information directly through your account settings or by contacting us.
You have the right to request deletion of your personal data ("right to be forgotten"). You can delete individual documents and projects within the platform. To request complete account and data deletion, contact us at privacy@unnadata.com. We will process your request within 30 days, subject to any legal retention obligations.
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of data or when processing is unlawful but you prefer restriction over erasure.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. We support data export functionality within the platform and can provide your data in standard formats (JSON, CSV) upon request.
You have the right to object to processing based on legitimate interests (Section 4.2). Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Our AI assistant provides suggestions and analysis to support your decision-making, but it does not make automated decisions that produce legal effects or similarly significantly affect you. All AI-generated content is advisory in nature, and you retain full control over any actions taken based on AI output.
If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, please contact our Data Protection Officer at privacy@unnadata.com. We will respond to your request within one month, as required by GDPR. If we need additional time due to the complexity of your request, we will notify you within the initial month and may extend the response period by up to two additional months.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34.
Our website and platform use a limited number of cookies and similar technologies. We use localStorage for essential functionality such as preserving your theme preference (light or dark mode) and storing authentication tokens for your session.
For detailed information about the specific cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy.
UnnaData is a professional B2B platform designed for organisations and their Data Protection Officers. Our Service is not directed at individuals under the age of 16, and we do not knowingly collect personal data from children.
If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete that data. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@unnadata.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
We encourage you to review this policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.
If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:
We aim to respond to all privacy-related enquiries within 48 hours and to formal data subject requests within one month, in accordance with GDPR requirements.