Privacy Policy
This Privacy Policy explains how UnnaData collects, uses, stores, and protects your personal data when you use our platform and services.
1. Introduction
UnnaData ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy describes how we collect, use, and share information about you when you use our AI-powered GDPR compliance platform, website, and related services (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.
Our commitment: As a company dedicated to helping organizations achieve GDPR compliance, we hold ourselves to the highest standards of data protection. We practice what we preach.
2. Data Controller
The data controller for the personal data processed through our Services is:
UnnaData
Email: privacy@unnadata.com
Data Protection Officer: dpo@unnadata.com
3. Data We Collect
3.1 Information You Provide
- Account Information: Name, email address, and organization details when you register.
- Organization Information: Organization name, address, industry, and other organizational details you provide during setup.
- Documents: Files you upload to the platform for compliance management, including privacy policies, contracts, and assessments.
- Chat Content: Messages and queries you send through our AI chat feature.
- Communications: Information you provide when contacting our support team.
3.2 Information Collected Automatically
- Usage Data: Information about how you interact with our Services, including features used, pages visited, and actions taken.
- Device Information: Browser type, operating system, device identifiers, and screen resolution.
- Log Data: IP addresses, access timestamps, API request logs, and error information.
- AI Usage Metrics: Token usage, model interactions, and response quality metrics (without content).
3.3 Information from Third Parties
- Payment Processor: Stripe provides us with transaction details (we do not store full card numbers).
4. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Description |
|---|---|
| Service Delivery | To provide, maintain, and improve our compliance platform and AI features. |
| Authentication | To verify your identity and manage access to your account. |
| AI Processing | To provide contextual AI responses based on your uploaded documents and queries. |
| Billing | To process payments, manage subscriptions, and issue invoices. |
| Communication | To send service-related notifications, updates, and support responses. |
| Security | To detect, prevent, and address fraud, abuse, and security issues. |
| Analytics | To understand usage patterns and improve our Services (aggregated data only). |
Important: Your documents and chat content are used solely to provide you with AI-powered compliance assistance. We never use your data to train AI models or share it with other customers.
5. Legal Basis for Processing
Under the GDPR, we process your personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide our Services as agreed in our Terms of Service.
- Legitimate Interests (Art. 6(1)(f)): For security, fraud prevention, service improvement, and analytics where our interests do not override your rights.
- Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for marketing communications or optional cookies.
- Legal Obligation (Art. 6(1)(c)): Where we are required to process data to comply with legal requirements (e.g., tax records, regulatory requests).
6. Data Sharing & Processors
We do not sell your personal data. We share data only with the following categories of recipients:
- Cloud Infrastructure: Amazon Web Services (AWS) -- EU region (eu-west-1, Ireland) for hosting and storage.
- AI Provider: Anthropic -- for AI-powered compliance analysis. Data is processed under a Data Processing Agreement and is not used for model training.
- Payment Processor: Stripe -- for subscription billing and payment processing.
All sub-processors are bound by Data Processing Agreements (DPAs) that require them to protect your data in compliance with GDPR.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Account Data: Retained while your account is active, plus 30 days after deletion to allow recovery.
- Documents: Retained while your account is active. Permanently deleted within 30 days of account deletion.
- Chat History: Retained while your account is active. You can delete individual sessions at any time.
- Audit Logs: Retained for 2 years for security and compliance purposes.
- Billing Records: Retained for 7 years as required by tax and financial regulations.
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
- Right of Access (Art. 15): Request a copy of your personal data.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
- Right to Restrict Processing (Art. 18): Request limitation on how we process your data.
- Right to Data Portability (Art. 20): Receive your data in a machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, please contact us at privacy@unnadata.com. We will respond without undue delay and in any event within one month of receiving your request, as required by Art. 12(3) GDPR. Where requests are complex or numerous, this period may be extended by up to two further months, in which case we will inform you of the extension and the reasons for it within the first month.
You also have the right to lodge a complaint with your local supervisory authority if you believe your rights have been violated.
9. International Data Transfers
Your data is stored within the European Union (AWS eu-west-1, Ireland) and, except for the AI processing described below, processed there as well. We do not transfer personal data outside the European Economic Area (EEA) unless:
- The recipient country has an adequacy decision from the European Commission.
- Appropriate safeguards are in place (e.g., Standard Contractual Clauses).
- A derogation under Article 49 GDPR applies.
For AI processing through Anthropic, data may be processed in the United States under Standard Contractual Clauses (SCCs) and supplementary measures to ensure an adequate level of protection.
10. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- JWT-based authentication with short-lived access tokens
- Role-based access controls
- Comprehensive audit logging
- Regular security assessments
- Incident response procedures
11. Cookies
We use minimal cookies necessary for the operation of our Services. For detailed information about the cookies we use, please refer to our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, sending you a notification. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- General Privacy Inquiries: privacy@unnadata.com
- Data Protection Officer: dpo@unnadata.com
- Data Subject Requests: privacy@unnadata.com