Privacy Policy
Effective 26 May 2026 · Version 2026-05-26.v1
This Privacy Policy explains what data UniOps collects, what we do with it, who we share it with, and how you can control it. We aim to collect the minimum data needed to run the Service well, and to be honest about the parts we have to share with infrastructure providers.
1. Who controls your data
UniOps, Inc. (Delaware, USA) is the data controller for personal data we collect about you as a user of the public website and the UniOps product. For data inside a workspace, UniOps acts as a processor on behalf of the workspace owner, who is the controller. If you are a workspace member acting under an employer's account, contact your workspace owner first for data-subject requests.
2. What we collect
Account data
- Email address, display name, and password hash (never plaintext).
- Two-factor secret (encrypted at rest), backup codes (hashed).
- Email-verification timestamp and the IP+UA of the verification request.
Workspace data
- Workspace name, plan, billing email, owner mapping, role assignments.
- Tool metadata (which integrations you've set up, last-rotated timestamps, health state). We do not store third-party credentials in plain text; secrets are wrapped with a per-workspace KMS key.
- Lease and presence events used to coordinate concurrent access.
- Audit log entries describing actions taken in the workspace (who did what, when, from which IP — IP is hashed).
Operational data
- Server access logs (URL, status code, response time, hashed IP, user-agent).
- Error reports collected via Sentry — request context is redacted server-side to drop session tokens, auth headers, and known secret-bearing fields before sending.
- Uptime telemetry from an external monitor (status code + latency only, no request bodies).
- Background-job metadata (cron-job-runs table) used to ensure jobs don't double-run across replicas.
Billing data
- Plan, seat count, addon list, renewal date, last-payment status.
- We do not store full payment-card numbers. Our processor (Whop) tokenizes payment instruments; we keep only the tokenized handle and the last 4 digits / brand for display.
Cookies and similar
See Cookies for the full list. We only set non-essential cookies after you accept the banner.
3. How we use it
- Operate the Service: authenticate you, route requests to your workspace, prevent stampedes on shared tools, render the dashboard.
- Bill and renew: verify seat counts against your plan, process renewals, prevent payment fraud.
- Secure: detect abuse, rate-limit attackers, investigate incidents.
- Support: respond to your help requests with enough context to actually help.
- Improve: coarse-grained product analytics on which features are used (event names, no payload content).
- Comply with law: respond to subpoenas, tax requirements, and similar.
We do not sell your data to advertisers. We do not train machine-learning models on your workspace data without an explicit, separate opt-in.
4. Legal bases (GDPR)
- Contract: processing necessary to provide the Service you signed up for.
- Legitimate interest: security, fraud prevention, basic operational telemetry.
- Consent: non-essential cookies and marketing email (you opt in; you can withdraw any time).
- Legal obligation: tax records, KYC where required by our payment processor.
5. Subprocessors
We use the following companies to provide the Service. Each is bound by a data-processing agreement that limits what they can do with workspace data. See Subprocessors for the current list and the categories of data we send to each.
We notify workspace owners by email or in-product banner at least 30 days before adding a new subprocessor that has material access to customer data. If you object, you can cancel your subscription before the new subprocessor goes into effect.
6. How we share data
- With subprocessors, only to the extent needed to run their part of the Service.
- With workspace owners and other workspace members, for the data inside that workspace.
- With law enforcement when compelled by valid legal process; we contest overbroad requests and notify the affected customer unless legally barred.
- With a successor in connection with a merger, acquisition, or asset sale — your data continues to be protected by the privacy commitments in this Policy.
We do not share your data with advertisers, data brokers, or third-party marketers.
7. International transfers
Our primary infrastructure runs in the United States. If you access UniOps from the European Economic Area, the United Kingdom, or Switzerland, your data will be transferred to and processed in the United States. We rely on the EU Standard Contractual Clauses (and UK / Swiss equivalents) as the legal mechanism for these transfers.
8. Retention
- Active account data: kept while your account is active.
- Soft-deleted accounts: retained for 7 days in a recoverable state, then hard-deleted. See Account settings for self-serve deletion.
- Audit logs: retained for 18 months for security investigations, then deleted.
- Billing records: retained for 7 years to satisfy tax requirements.
- Cookie-consent decisions: retained for 26 months to evidence consent.
- Data export blobs: nulled 7 days after the user downloads them, or 7 days after they were built if undownloaded.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to certain uses (including direct marketing).
- Access & export: use "Export my data" in Account settings. We email you a one-time link to a JSON download containing your account, members, audit, consent, and ToS-acceptance history.
- Delete: use "Delete my account" in Account settings. We hard-delete after the 7-day grace window.
- Other requests (correction, restriction, objection): email team@uniops.app. We respond within 30 days.
- You can complain to your local data-protection authority. In the EU, that's the supervisory authority where you live; in the UK, the ICO.
10. Security
Workspace secrets are encrypted at rest with workspace-scoped keys wrapped by an AWS-KMS master key. Network traffic is TLS-only with modern ciphers. Database access is restricted to bastioned admins. We log access to KMS and to the bastion. We run regular dependency scans, periodic external penetration tests, and a coordinated vulnerability-disclosure program. To report a vulnerability, email team@uniops.app.
11. Children
UniOps is not directed to children under 16, and we do not knowingly collect data from them. If you believe a child has provided us data, contact team@uniops.app and we will delete it.
12. Changes
We may update this Policy from time to time. We will change the version stamp at the top, and for material changes we will notify you by email or in-product banner at least 14 days before the change takes effect.
13. Contact
Privacy questions: team@uniops.app. Security reports: team@uniops.app.