Unnoodle · Privacy Policy

Privacy Policy

We collect the minimum data needed to run the product. We do not sell it, profile you with it, or share it beyond what is necessary to deliver the service.

Last updated: July 2025 · Effective date: July 2025

At a glance

Minimal data collection

We collect account identifiers, product usage, and support communications — nothing beyond what the service requires.

3-year retention limit

Account data is retained for up to 3 years after inactivity or account closure, then deleted.

GDPR rights honoured

You may export your data (Art. 20), request erasure (Art. 17), and withdraw consent at any time.

No selling, no profiling

We do not sell personal data. We do not build advertising profiles. Third-party tools are strictly limited to operating the service.

Subprocessors disclosed

We use a small set of subprocessors for infrastructure and communications. All are bound by data processing agreements.

privacy@unnoodle.com

Send any privacy question, access request, or deletion request directly to our privacy contact.

01 — Scope

Who this policy covers

This policy applies to personal data processed by Unnoodle ("Unnoodle", "we", "us") when you visit our marketing website, sign up for the product, or contact us. It covers all personal data we hold as a data controller under the EU General Data Protection Regulation (GDPR).

Data processed inside your organisation's Unnoodle workspace (for example, meeting notes, action items, and team comments) is processed by us as a data processor on behalf of your organisation, which acts as the data controller. Your organisation's own privacy policy governs that data.

02 — Data collection

What we collect and why

Account data

  • Name and work email address — to create and manage your account
  • Organisation name and domain — to provision your workspace
  • Password hash (bcrypt, never the plaintext password) — for authentication
  • Two-factor authentication secret (AES-256-GCM encrypted at rest) — for account security

Usage data

  • Feature interaction events (e.g. meeting created, action item resolved) — to understand how the product is used and improve it
  • Session metadata (IP address, browser, device type) — for security monitoring and abuse prevention
  • Error and performance telemetry — to diagnose bugs and maintain reliability

Communications data

  • Emails and messages you send us — to respond to enquiries and provide support
  • In-product feedback submissions — to inform the product roadmap

Payment data

We use Stripe to process payments. Card numbers and payment details are never stored on our systems. We retain billing history (plan, amount, date) for legal and audit purposes.

04 — Retention

How long we keep your data

We retain personal data only as long as necessary for the purpose it was collected, subject to the following defaults:

  • Active account data — held while your account is active
  • Inactive or closed account data — deleted within 3 years of last activity or closure
  • Support communications — deleted within 3 years of the last exchange
  • Security audit logs — retained for 12 months, then deleted
  • Billing records — retained for 7 years to meet statutory accounting obligations

You can request earlier deletion of your account data at any time (see Your rights below).

05 — Sharing

Who we share data with

We do not sell personal data. We share data only with subprocessors that help us deliver the service, each bound by a data processing agreement:

  • Cloud infrastructure provider — for hosting, storage, and database services
  • Stripe — for payment processing
  • Transactional email provider — to send account and system notifications
  • Error monitoring service — to capture and diagnose application errors

We may disclose personal data if required by law, court order, or to protect the rights, property, or safety of Unnoodle, its users, or the public.

We do not transfer personal data outside the EEA without ensuring an adequate level of protection, either through an EU adequacy decision or Standard Contractual Clauses.

06 — Your rights

What you can ask us to do

Under the EU GDPR you have the following rights. To exercise any of them, email privacy@unnoodle.com. We will respond within one month.

  • Access (Art. 15) — receive a copy of the personal data we hold about you
  • Portability (Art. 20) — receive your account data in a structured, machine-readable format
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure (Art. 17) — request deletion of your personal data where no overriding legal obligation requires us to retain it
  • Restriction (Art. 18) — ask us to pause processing while a dispute is resolved
  • Objection (Art. 21) — object to processing based on legitimate interests
  • Withdraw consent — opt out of marketing emails at any time with no effect on service access

You also have the right to lodge a complaint with the data protection authority in your country of residence.

07 — Cookies

Cookies and local storage

We use a small number of strictly necessary cookies and local storage entries to operate the product:

  • Session token — keeps you authenticated; expires when you sign out or after 30 days of inactivity
  • CSRF token — protects form submissions from cross-site request forgery
  • UI preference keys (e.g. sidebar state) — stored in localStorage, never sent to our servers

We do not use advertising cookies, cross-site tracking, or third-party analytics cookies that send data to external advertising networks.

08 — Contact

How to reach us

For any privacy question, data subject request, or concern:

  • Email: privacy@unnoodle.com
  • Response time: within 5 business days for general enquiries; within 1 month for formal data subject requests

We will update this policy when our practices change materially. Registered users will be notified by email for significant changes. The effective date at the top of this page shows when the current version took effect.
