Privacy Policy
Effective Date: June 25, 2026
PRELIMINARY NOTICE
This Privacy Policy ("Policy") is issued by Unosecur GmbH, a limited liability company (Gesellschaft mit beschrΓ€nkter Haftung) incorporated and registered under the laws of the Federal Republic of Germany, with its registered office at RosenstraΓe 2, 10178 Berlin, Germany, registered with the Amtsgericht Berlin (Charlottenburg) under commercial register number HRB 227012 B, VAT Identification Number DE342802013, represented by its Managing Director (GeschΓ€ftsfΓΌhrer) Santhosh Jayaprakash (hereinafter referred to as "Unosecur," "the Company," "we," "us," or "our").
Unosecur GmbH operates its primary digital presence at https://www.unosecur.com and conducts business operations across multiple jurisdictions, including the Federal Republic of Germany, other Member States of the European Economic Area, the United Kingdom, and the Republic of India. The Company's operations in India include commercial activities, client engagements, and the processing of personal data belonging to Indian residents and enterprise customers, which bring those activities within the scope of applicable Indian data protection legislation.
This Policy constitutes a legally binding document governing the collection, processing, storage, transfer, disclosure, and deletion of personal data in connection with your access to and use of the Unosecur platform, website at https://www.unosecur.com, and all associated services (collectively, "the Services"). This Policy has been prepared in compliance with, and shall be interpreted in accordance with, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the German Federal Data Protection Act (Bundesdatenschutzgesetz β BDSG), the Digital Personal Data Protection Act, 2023 of India ("DPDPA"), the Information Technology Act, 2000 of India ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 of India ("SPDI Rules"), and all other applicable national and international data protection legislation.
By accessing or using any part of the Services via https://www.unosecur.com or any other platform operated by the Company, you acknowledge that you have read, understood, and agree to be bound by the terms of this Policy in their entirety. If you do not agree with any provision herein, you must immediately discontinue your access to and use of the Services.
TABLE OF CONTENTS
- Definitions and Interpretation
- Identity and Contact Details of the Data Controller
- Contact Details of the Data Protection Officer and Grievance Officer
- Scope and Application of This Policy
- Categories of Personal Data Collected
- Purposes of Processing Personal Data
- Lawful Bases for Processing Under Applicable Law
- Special Categories of Personal Data and Sensitive Personal Data
- Automated Decision-Making and Profiling
- Cookies and Tracking Technologies
- Methods of Collection of Personal Data
- Use of Third-Party Analytics and Advertising Tools
- Disclosure and Transfer of Personal Data to Third Parties
- International Transfers of Personal Data
- Data Retention and Deletion
- Security of Personal Data
- Rights of Data Subjects β European Economic Area and Germany
- Rights of Data Subjects β United Kingdom
- Rights of Data Principals β Republic of India
- Children and Minors
- Links to Third-Party Websites and Services
- Data Processor Relationships and Sub-Processors
- Do-Not-Track Signals
- Updates and Amendments to This Policy
- Complaints and Supervisory Authorities
- Governing Law and Jurisdiction
- Contact Information
1. DEFINITIONS AND INTERPRETATION
For the purposes of this Policy, the following definitions shall apply:
"Applicable Law" means, collectively and as relevant to the jurisdiction of the data subject, the GDPR, the UK GDPR, the BDSG, the DPDPA, the IT Act, the SPDI Rules, and any other national or regional legislation governing the processing of personal data that applies to the activities of Unosecur GmbH.
"Company," "Unosecur," "we," "us," or "our" means Unosecur GmbH, registered at RosenstraΓe 2, 10178 Berlin, Germany, which operates the website at https://www.unosecur.com and the associated Services.
"Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's or data principal's wishes by which they, by a statement or clear affirmative action, signify agreement to the processing of personal data relating to them. In the context of Indian law, consent shall carry the meaning assigned to it under the DPDPA, 2023.
"Controller" or "Data Fiduciary" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Under the GDPR, Unosecur GmbH acts as a Controller. Under the DPDPA, 2023, Unosecur GmbH acts as a Data Fiduciary in respect of personal data of Indian data principals processed for purposes within the scope of that legislation.
"Data Principal" has the meaning assigned to it under the DPDPA, 2023, and refers to the individual to whom personal data relates, as identified or identifiable within the territory of India.
"Data Processor" or "Data Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller or Data Fiduciary.
"Data Subject" means any identified or identifiable natural person whose personal data is processed by Unosecur GmbH, including data principals under Indian law.
"DPDPA" means the Digital Personal Data Protection Act, 2023 of the Republic of India, as amended or supplemented from time to time, and any rules, regulations, or guidance issued thereunder by the Data Protection Board of India or any other competent authority.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
"Personal Data" means any information relating to an identified or identifiable natural person. For purposes of Indian law, it carries the meaning assigned under the DPDPA and the SPDI Rules, including "sensitive personal data or information" as defined therein.
"Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Sensitive Personal Data or Information" ("SPDI") has the meaning assigned under Rule 3 of the SPDI Rules, 2011, and includes passwords, financial information such as bank account or credit card details, physical, physiological, and mental health conditions, sexual orientation, medical records, and biometric information.
"Services" means the Unosecur identity security platform, website at https://www.unosecur.com, the Unified Identity Fabric, the MCP Auth Gateway, all integrated modules, tools, product features, and ancillary services offered or made available by Unosecur GmbH.
"Special Categories of Personal Data" has the meaning assigned under Article 9 of the GDPR, encompassing data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, data concerning health, and data concerning sexual life or orientation.
"Sub-Processor" means any third-party Processor engaged by Unosecur GmbH to carry out specific processing activities on behalf of the Company.
"Third Country" means a country or territory outside the European Economic Area that has not been the subject of an adequacy decision by the European Commission under Article 45 of the GDPR.
"User" means any natural or legal person who accesses, registers for, or uses the Services in any capacity, including as a prospective customer, trial user, active subscriber, partner, or website visitor.
2. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER / DATA FIDUCIARY
The entity responsible for the processing of your personal data as Data Controller (under EU/UK law) and Data Fiduciary (under Indian law) is:
Unosecur GmbH
RosenstraΓe 2
10178 Berlin
Federal Republic of Germany
Website: https://www.unosecur.com
Commercial Register: Amtsgericht Berlin (Charlottenburg), HRB 227012 B
VAT Identification Number: DE342802013
Managing Director (GeschΓ€ftsfΓΌhrer): Santhosh Jayaprakash
General Enquiries: support@unosecur.com
Data Protection and Security: security@unosecur.com
Telephone: +49 (0) 30 62937525-0
EEA Representative: Pranav Vattaparambil
EEA Contact Email: support@unosecur.com
3. CONTACT DETAILS OF THE DATA PROTECTION OFFICER AND GRIEVANCE OFFICER
3.1 Data Protection Officer (GDPR / UK GDPR)
Unosecur GmbH has appointed a Data Protection Officer ("DPO") in accordance with Article 37 of the GDPR to oversee the Company's data protection strategy and ensure compliance with applicable European data protection law.
Email: security@unosecur.com
Postal Address: Data Protection Officer, Unosecur GmbH, RosenstraΓe 2, 10178 Berlin, Germany
3.2 Grievance Officer (India β DPDPA, 2023 and IT Act, 2000)
In accordance with Section 13 of the DPDPA, 2023, and Rule 5(9) of the SPDI Rules, 2011, Unosecur GmbH has designated a Grievance Officer for the purpose of addressing grievances raised by data principals located in India. Any data principal in India may direct their grievances, complaints, or requests relating to the processing of their personal data to the Grievance Officer.
Email: security@unosecur.com
Response Timeline: The Grievance Officer shall acknowledge receipt of any grievance within five (5) business days and shall endeavour to resolve the same within thirty (30) days of receipt, in accordance with applicable Indian law.
4. SCOPE AND APPLICATION OF THIS POLICY
This Policy applies to all personal data processed by Unosecur GmbH in connection with the following activities:
(a) Visits to the Company's website at https://www.unosecur.com or any other website operated by the Company that references this Policy;
(b) Registration, onboarding, trial participation, and use of the Unosecur platform and all its integrated features, including the Unified Identity Fabric and MCP Auth Gateway, accessible through https://www.unosecur.com;
(c) Enquiries submitted through forms, chat interfaces, or direct email communications;
(d) Participation in marketing campaigns, webinars, product demonstrations, events, and commercial interactions;
(e) Subscription to newsletters, knowledge publications, reports, whitepapers, and other materials made available through https://www.unosecur.com;
(f) Commercial transactions including subscription purchases, billing, and free trial registrations;
(g) All other interactions in which personal data is voluntarily or automatically provided to or collected by the Company.
This Policy applies to users and data subjects located in all jurisdictions in which Unosecur GmbH operates, including Germany, other EEA Member States, the United Kingdom, and the Republic of India. Where the applicable law of a specific jurisdiction confers additional rights or imposes additional obligations, such law shall apply to the extent of any inconsistency with the general provisions of this Policy.
This Policy does not govern personal data processed by Unosecur GmbH acting as a Data Processor on behalf of its enterprise customers. In such circumstances, the enterprise customer is the Data Controller or Data Fiduciary, and processing is governed by a separately executed Data Processing Agreement ("DPA"). Affected data subjects should direct their enquiries to the relevant enterprise customer.
5. CATEGORIES OF PERSONAL DATA COLLECTED
5.1 Data Provided Directly by You
(a) Identity Data: Full name, job title, professional designation, and employer organisation;
(b) Contact Data: Business and personal email addresses, telephone numbers, postal addresses, and country of residence;
(c) Account Credentials: Usernames and passwords (stored exclusively in encrypted form) and authentication credentials required for access to the Services at https://www.unosecur.com;
(d) Commercial and Financial Data: Subscription tier, billing address, payment method type (note: full payment card details are processed exclusively by authorised third-party payment processors and are not stored by Unosecur GmbH), invoice records, and purchase history;
(e) Communication Data: Content of emails, support tickets, feedback forms, and other written or verbal communications directed to the Company;
(f) Professional and Organisational Data: Employing organisation, industry sector, organisational size, IT infrastructure context, and role-specific information provided during onboarding or commercial negotiations.
5.2 Data Collected Automatically
(a) Technical Data: Internet Protocol (IP) address, browser type and version, operating system, device type and model, device identifiers, screen resolution, and system configuration;
(b) Usage Data: Pages visited on https://www.unosecur.com, platform features accessed, search queries entered, timestamps, session durations, click-stream data, and navigation paths;
(c) Log Data: Server-side log files recording access events, error reports, crash diagnostics, system activity, and performance information;
(d) Approximate Location Data: Geographic location derived from IP address geolocation at city or country level. Precise GPS-level location data is not collected;
(e) Cookie and Tracking Data: Data collected via cookies, web beacons, pixel tags, and similar tracking technologies as described in Section 10.
5.3 Data Received from Third Parties
(a) Analytics providers supplying aggregated behavioural and demographic data;
(b) Authorised marketing and advertising technology partners;
(c) Business referral partners and channel partners;
(d) Publicly available professional directories and platforms, including LinkedIn, used for legitimate B2B prospecting purposes within the bounds of applicable law.
6. PURPOSES OF PROCESSING PERSONAL DATA
Unosecur GmbH processes personal data for the following clearly defined and legitimate purposes:
(a) Provision and Administration of Services: To create and manage user accounts, authenticate platform access, deliver the contracted Services through https://www.unosecur.com, and ensure continuous technical operation of the platform;
(b) Customer Support: To respond to enquiries, provide onboarding support, resolve technical issues, and deliver administrative notifications;
(c) Contractual Performance: To process subscriptions, manage billing, issue invoices, and fulfil all contractual obligations to users and enterprise customers;
(d) Security, Fraud Prevention, and Threat Detection: To detect, investigate, and prevent unauthorised access, security incidents, abuse, and violations of the Company's Terms and Conditions;
(e) Analytics and Service Improvement: To analyse usage patterns, identify technical deficiencies, and improve the functionality, reliability, and user experience of the Services;
(f) Marketing and Commercial Communications: To send promotional materials, product updates, event invitations, and commercial communications, where conducted on a lawful basis;
(g) Legal and Regulatory Compliance: To fulfil obligations under applicable law, respond to lawful demands from regulatory or law enforcement authorities, and exercise or defend legal rights;
(h) Research and Development: To conduct internal research and advance the Company's identity security capabilities, conducted on an appropriately anonymised or aggregated basis wherever possible.
7. LAWFUL BASES FOR PROCESSING
7.1 Under the GDPR and UK GDPR
All processing of personal data by Unosecur GmbH in relation to EEA and UK data subjects is grounded in one or more of the following lawful bases under Article 6 of the GDPR:
(a) Consent (Article 6(1)(a) GDPR): Where you have provided explicit, informed, and freely given consent to processing for one or more specific purposes, including receipt of marketing communications or use of non-essential cookies. Consent may be withdrawn at any time by contacting security@unosecur.com or using the opt-out mechanisms provided, without affecting the lawfulness of prior processing.
(b) Performance of a Contract (Article 6(1)(b) GDPR): Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract, including account management, platform delivery, and billing.
(c) Compliance with a Legal Obligation (Article 6(1)(c) GDPR): Where processing is necessary to comply with a legal obligation under EU law or German national law, including tax, commercial, and regulatory reporting obligations.
(d) Legitimate Interests (Article 6(1)(f) GDPR): Where processing is necessary for the legitimate interests of Unosecur GmbH or a third party, and those interests are not overridden by your fundamental rights and freedoms. Legitimate interests relied upon include platform and infrastructure security, fraud prevention, B2B marketing to existing and prospective customers, internal analytics, and product development. A Legitimate Interests Assessment is maintained internally and available upon request.
(e) Vital Interests (Article 6(1)(d) GDPR): In exceptional circumstances, where processing is necessary to protect the vital interests of a data subject or another natural person.
7.2 Under the Digital Personal Data Protection Act, 2023 (India)
In respect of personal data of data principals located in India processed by Unosecur GmbH in the context of its Indian operations and commercial activities, the following lawful bases under the DPDPA, 2023 apply:
(a) Consent: Processing shall be carried out with the free, specific, informed, unconditional, and unambiguous consent of the data principal, obtained through a clear affirmative action. Consent notices shall be provided in clear and plain language prior to obtaining consent. Unosecur GmbH shall maintain a record of all consents obtained. Data principals have the right to withdraw consent at any time, and the consequences of such withdrawal shall be communicated in advance. Withdrawal shall not affect the lawfulness of processing prior to such withdrawal.
(b) Legitimate Uses: Unosecur GmbH may process personal data of Indian data principals without consent where such processing constitutes a "legitimate use" as defined under Section 7 of the DPDPA, 2023, including for the performance of a contract to which the data principal is party, compliance with a legal obligation applicable to Unosecur GmbH under Indian law, processing by the State or its instrumentalities for performance of a function authorised by law, response to medical emergencies, or other legitimate uses as may be prescribed by the Central Government of India from time to time.
7.3 Under the Information Technology (SPDI) Rules, 2011 (India)
In respect of sensitive personal data or information as defined under Rule 3 of the SPDI Rules, Unosecur GmbH shall obtain prior written consent from the data subject before collecting such information, shall not retain it longer than required, and shall not transfer it without ensuring that the recipient maintains the same level of data protection. A privacy policy in compliance with Rule 4 of the SPDI Rules is maintained and accessible at https://www.unosecur.com/privacy-policy.
8. SPECIAL CATEGORIES OF PERSONAL DATA AND SENSITIVE PERSONAL DATA
Unosecur GmbH does not intentionally collect, solicit, or process Special Categories of Personal Data as defined under Article 9 of the GDPR, or Sensitive Personal Data or Information as defined under Rule 3 of the SPDI Rules, in the ordinary course of providing the Services through https://www.unosecur.com.
The Services are identity security and access management tools designed for enterprise B2B use cases. No aspect of the Services requires or solicits health data, biometric identification data, data concerning racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or similar sensitive categories.
In the event that any such data is inadvertently submitted through the Services, the Company will not process it for any purpose and will take prompt steps to delete it upon identification. All users and data subjects are requested to refrain from submitting any Special Category personal data or sensitive personal data through https://www.unosecur.com or any other Company platform.
9. AUTOMATED DECISION-MAKING AND PROFILING
Unosecur GmbH does not engage in automated individual decision-making, including profiling, that produces legal effects or similarly significant effects on data subjects, within the meaning of Article 22 of the GDPR or the corresponding provisions of the DPDPA. Where automated processing is conducted for internal analytics or product improvement purposes, it does not give rise to decisions that affect any individual's legal rights or produce comparable significant consequences.
Should the Company introduce any automated decision-making process that meets the threshold of Article 22 GDPR or equivalent provisions under Indian law, affected data subjects will be duly notified and, where required, explicit consent will be sought prior to such processing.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1 General
When you visit https://www.unosecur.com or use the Services, Unosecur GmbH may use cookies and similar tracking technologies, including web beacons, pixel tags, and JavaScript-based tracking scripts, to support technical operation, understand user behaviour, ensure platform security, and deliver relevant advertising where lawfully permitted.
10.2 Categories of Cookies
(a) Strictly Necessary Cookies: Essential to the operation of the Services. These cannot be disabled as they underpin user authentication, session management, security enforcement, and core functionality of https://www.unosecur.com.
(b) Performance and Analytics Cookies: Collect aggregated information about how users interact with https://www.unosecur.com, including pages visited, time spent, and errors encountered, for the purpose of improving platform performance.
(c) Functionality Cookies: Enable the platform to remember user preferences, language settings, and login information to deliver a personalised experience.
(d) Targeting and Advertising Cookies: Used to deliver professionally relevant content and measure the effectiveness of marketing campaigns. These may be placed by authorised third-party advertising technology partners.
10.3 Google Analytics
Unosecur GmbH uses Google Analytics, operated by Google LLC, to analyse traffic and usage patterns on https://www.unosecur.com. Google Analytics may transfer collected data to servers located outside the EEA. The following Google Analytics advertising features may be enabled: Google Display Network impressions reporting, remarketing with Google Analytics, and Google Analytics Demographics and Interests Reporting. You may opt out at https://tools.google.com/dlpage/gaoptout, or at http://optout.networkadvertising.org/.
10.4 RB2B and Retention.com
The Company uses RB2B and Retention.com to identify website visitors for B2B marketing engagement. You may opt out of RB2B data collection at https://www.rb2b.com/rb2b-gdpr-opt-out, and from Retention.com communications at https://app.retention.com/optout.
10.5 Cookie Consent and Management
Where required by the GDPR or equivalent law, Unosecur GmbH will obtain your prior consent before placing non-essential cookies on your device through a consent banner presented on your first visit to https://www.unosecur.com. You may at any time modify your cookie preferences through your browser settings. Disabling certain cookies may impair the functionality of the Services.
β
11. METHODS OF COLLECTION OF PERSONAL DATA
Unosecur GmbH collects personal data through the following mechanisms:
(a) Direct Collection: When you complete registration, contact forms, or demo request forms on https://www.unosecur.com, correspond with the Company by email or telephone, or voluntarily submit information through the Services;
(b) Automated Collection: Through cookies, tracking pixels, server log files, and platform analytics embedded across https://www.unosecur.com and the Services;
(c) Third-Party Sources: From authorised data partners, referral organisations, and publicly available professional sources, subject to those sources having a lawful basis for sharing such information with the Company.
12. USE OF THIRD-PARTY ANALYTICS AND ADVERTISING TOOLS
In addition to the tools described in Section 10, Unosecur GmbH may engage other third-party analytics, advertising, and marketing technology providers to support its commercial and operational activities. All such providers are contractually bound to process personal data only on the documented instructions of Unosecur GmbH, to implement appropriate technical and organisational security measures, and to comply with applicable data protection law. A current list of third-party data recipients and Sub-Processors is maintained and accessible at https://www.unosecur.com/subprocessors.
13. DISCLOSURE AND TRANSFER OF PERSONAL DATA TO THIRD PARTIES
Unosecur GmbH does not sell, rent, trade, or otherwise transfer personal data to third parties for their independent commercial purposes. Personal data may be disclosed only in the following circumstances:
(a) Service Providers and Sub-Processors: To carefully selected third-party service providers who process data on behalf of and under the documented instructions of Unosecur GmbH, including cloud infrastructure providers, payment processors, CRM platforms, email delivery services, and security monitoring tools. All such providers are bound by data processing agreements compliant with Article 28 GDPR and equivalent provisions under Indian law;
(b) Business Partners: Where consent has been provided or legitimate interests apply, professional contact information may be shared with authorised partners in connection with co-marketing activities or events;
(c) Legal and Regulatory Disclosure: To law enforcement agencies, courts, regulatory bodies, or other competent public authorities where required by applicable law, court order, or legally enforceable governmental request, or where necessary to exercise or defend the Company's legal rights. In the context of India, this includes compliance with lawful directions of competent Indian authorities under the IT Act, 2000 and the DPDPA, 2023;
(d) Corporate Transactions: In connection with a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the successor entity, subject to the successor assuming substantially equivalent privacy obligations. Affected data subjects will be notified in advance where required by law;
(e) Protection of Rights and Safety: Where reasonably necessary to protect the rights, property, or safety of Unosecur GmbH, its staff, users, or the general public, including in the context of cybersecurity threats.
14. INTERNATIONAL TRANSFERS OF PERSONAL DATA
The Services are hosted and primarily operated from the Federal Republic of Germany, and personal data of EEA data subjects is stored on servers within Germany.
14.1 Transfers from EEA/UK
Where personal data is transferred to recipients in countries outside the EEA that do not benefit from an adequacy decision under Article 45 GDPR, Unosecur GmbH ensures appropriate safeguards are in place, including:
(a) Standard Contractual Clauses ("SCCs") adopted by the European Commission pursuant to Article 46(2)(c) GDPR;
(b) Binding corporate rules or other approved transfer mechanisms, as applicable;
(c) Derogations under Article 49 GDPR in exceptional cases, including with your explicit consent.
14.2 Transfers from India
In accordance with Section 16 of the DPDPA, 2023, Unosecur GmbH shall not transfer personal data of Indian data principals to countries or territories restricted by a notification issued by the Central Government of India. Subject to compliance with applicable Indian law and any restrictions notified by the Central Government, personal data collected from Indian data principals may be transferred to Unosecur GmbH's servers and operational infrastructure in Germany for the purpose of delivering the Services. Where such transfers occur, they are conducted pursuant to contractual protections ensuring that the receiving entity maintains data protection standards equivalent to those required under Indian law.
By accessing the Services at https://www.unosecur.com from India, you expressly acknowledge and consent, where required, to the cross-border transfer of your personal data to Germany for processing in accordance with this Policy.
15. DATA RETENTION AND DELETION
Unosecur GmbH retains personal data only for as long as necessary to fulfil the purposes set out in this Policy, unless a longer period is required or permitted by law.
(a) Account Data: Retained for the duration of the active contractual relationship. Following account termination, personal data in active systems is deleted or anonymised within three (3) months for EEA users (per GDPR requirements) and within a reasonable period for users in other jurisdictions, consistent with applicable law;
(b) Communication Data: Retained for up to twelve (12) months from closure of the relevant interaction, unless required longer for legal or evidentiary purposes;
(c) Financial and Commercial Records: Retained for a minimum of ten (10) years in accordance with German commercial and tax law obligations (Handelsgesetzbuch and Abgabenordnung), and in compliance with Indian statutory requirements where applicable;
(d) Log and Technical Data: Retained for up to ninety (90) days, unless extended retention is necessary for a security investigation;
(e) Marketing Data: Retained until consent is withdrawn, following which processing ceases immediately and data is deleted or anonymised within thirty (30) days;
(f) Indian Jurisdiction: In accordance with the DPDPA, 2023 and SPDI Rules, personal data of Indian data principals shall not be retained beyond the period necessary for the purpose for which it was collected, and shall be deleted upon withdrawal of consent, fulfilment of the purpose, or upon a valid deletion request, subject to any overriding legal obligations under Indian law.
16. SECURITY OF PERSONAL DATA
Unosecur GmbH implements comprehensive technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or unlawful disclosure. These measures include:
(a) Encryption of personal data in transit using industry-standard TLS protocols;
(b) Encryption of personal data at rest using AES-256 or equivalent standards;
(c) Role-based access controls limiting access to authorised personnel on a need-to-know basis;
(d) Multi-factor authentication for access to systems that process personal data;
(e) Regular security assessments, penetration testing, and vulnerability management;
(f) Data breach incident response procedures compliant with Articles 33 and 34 of the GDPR and, in respect of Indian operations, with applicable provisions of the IT Act, 2000 and CERT-In directions;
(g) Staff training and ongoing data protection awareness programmes;
(h) Contractual security obligations binding all Sub-Processors and third-party service providers.
Unosecur GmbH maintains ISO 27001 certification, SOC 2 attestation, GDPR compliance frameworks, HIPAA compliance measures, and CStar Level 1 certification, evidencing its commitment to internationally recognised information security best practices.
In accordance with Rule 8 of the SPDI Rules, 2011, Unosecur GmbH has implemented reasonable security practices and procedures as mandated under the IT Act, 2000 for the protection of sensitive personal data or information of Indian data subjects.
Notwithstanding the foregoing, no method of transmission over the internet or electronic storage can be guaranteed to be completely secure. Transmission of personal data to and from the Services at https://www.unosecur.com is undertaken at your own risk, and you are responsible for maintaining the confidentiality of your access credentials.
In the event of a personal data breach posing a risk to the rights and freedoms of data subjects, the Company will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware, and will communicate the breach to affected data subjects without undue delay where required by Article 34 GDPR. In the context of India, breach notifications will be issued to CERT-In and affected Indian data principals in accordance with applicable Indian law.
17. RIGHTS OF DATA SUBJECTS β EUROPEAN ECONOMIC AREA AND GERMANY
Data subjects located in the EEA, including Germany, have the following rights under the GDPR and BDSG:
17.1 Right of Access (Article 15 GDPR): To obtain confirmation of whether personal data concerning you is being processed and, if so, to access that data and receive information about the processing.
17.2 Right to Rectification (Article 16 GDPR): To obtain the correction of inaccurate personal data and the completion of incomplete personal data without undue delay.
17.3 Right to Erasure / Right to be Forgotten (Article 17 GDPR): To obtain the deletion of personal data where it is no longer necessary for the purpose collected, consent is withdrawn, the data has been unlawfully processed, or erasure is required by law.
17.4 Right to Restriction of Processing (Article 18 GDPR): To restrict processing where accuracy is contested, processing is unlawful but erasure is opposed, the data is needed for legal claims, or an objection is pending.
17.5 Right to Data Portability (Article 20 GDPR): To receive your personal data in a structured, machine-readable format and to transmit it to another controller, where processing is automated and based on consent or contract.
17.6 Right to Object (Article 21 GDPR): To object to processing based on legitimate interests, including profiling, and to object unconditionally to processing for direct marketing purposes.
17.7 Right to Withdraw Consent (Article 7(3) GDPR): To withdraw consent at any time without prejudice to the lawfulness of prior processing.
17.8 Right Not to be Subject to Automated Decision-Making (Article 22 GDPR): To not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, subject to applicable exceptions.
To exercise any of the above rights, submit a written request to security@unosecur.com. The Company will respond within one (1) calendar month of receipt, extendable by two (2) further months in complex cases. Identity verification may be required prior to processing any request.
β
18. RIGHTS OF DATA SUBJECTS β UNITED KINGDOM
Data subjects in the United Kingdom are afforded equivalent rights under the UK GDPR as described in Section 17 above. Complaints may be submitted to the Information Commissioner's Office ("ICO") at https://ico.org.uk/make-a-complaint/.
β
19. RIGHTS OF DATA PRINCIPALS β REPUBLIC OF INDIA
Data principals located in India whose personal data is processed by Unosecur GmbH in connection with the Company's Indian operations and the provision of Services to Indian customers have the following rights under the DPDPA, 2023 and allied Indian legislation:
19.1 Right to Access Information (Section 11, DPDPA): To obtain a summary of the personal data being processed, the processing activities undertaken, and the identities of all Data Processors and other Data Fiduciaries to whom the data has been disclosed.
19.2 Right to Correction and Erasure (Section 12, DPDPA): To obtain the correction of inaccurate or misleading personal data, the completion of incomplete personal data, and the erasure of personal data that is no longer necessary for the purpose for which it was collected or where consent has been withdrawn. Erasure requests shall be processed subject to any overriding legal obligation requiring retention.
19.3 Right of Grievance Redressal (Section 13, DPDPA): To have any grievance relating to the processing of personal data, or the exercise of rights under the DPDPA, addressed by the Grievance Officer of Unosecur GmbH within the timeframes prescribed under applicable law.
19.4 Right to Nominate (Section 14, DPDPA): To nominate another individual to exercise rights on your behalf in the event of your death or incapacity, in accordance with the procedure prescribed under the DPDPA.
19.5 Right to Withdraw Consent: To withdraw consent to the processing of your personal data at any time. Upon withdrawal, Unosecur GmbH shall cease to process the relevant personal data and shall, where required, cause its Data Processors to do likewise. The consequences of consent withdrawal will be communicated to you prior to or at the time of obtaining consent.
19.6 Right to Complain to the Data Protection Board of India: Where a grievance is not resolved to the data principal's satisfaction by the Company's Grievance Officer, the data principal has the right to lodge a complaint with the Data Protection Board of India, once constituted and operational, in accordance with the mechanism prescribed under the DPDPA, 2023.
19.7 Additional Rights under SPDI Rules, 2011: Indian data subjects who have provided sensitive personal data or information as defined under Rule 3 of the SPDI Rules have the right to review such information and to have it corrected or amended as necessary. Requests may be directed to security@unosecur.com.
All requests from Indian data principals regarding the exercise of the above rights should be directed to the Company's Grievance Officer at security@unosecur.com. The Company will endeavour to respond within a reasonable period, and in any event within the timeframes mandated under the DPDPA and SPDI Rules.
β
20. CHILDREN AND MINORS
The Services available through https://www.unosecur.com are designed exclusively for enterprise B2B use and are intended solely for individuals who are at least eighteen (18) years of age. Unosecur GmbH does not knowingly collect, process, or retain personal data from individuals under the age of eighteen (18).
By accessing the Services, you represent and warrant that you are at least eighteen (18) years of age. The company does not process personal data of children as defined under the DPDPA, 2023, and shall implement appropriate technical and organisational measures to avoid doing so.
If you are a parent or legal guardian and have reason to believe that a minor for whom you are responsible has provided personal data through https://www.unosecur.com without your consent, please contact us immediately at security@unosecur.com. Upon verification, the company will take all necessary steps to delete such data promptly.
β
21. LINKS TO THIRD-PARTY WEBSITES AND SERVICES
The Services and https://www.unosecur.com may contain hyperlinks to websites, platforms, or services operated by third parties unrelated to Unosecur GmbH. The inclusion of any such hyperlink does not constitute an endorsement, sponsorship, or approval of the content, products, services, or privacy practices of any such third party.
This Policy applies solely to personal data processed by Unosecur GmbH. The Company accepts no responsibility or liability for the data protection or privacy practices of any third-party website. You are strongly encouraged to review the privacy policies of any third-party platforms you access through links on https://www.unosecur.com.
22. DATA PROCESSOR RELATIONSHIPS AND SUB-PROCESSORS
22.1 Processing as Data Processor
Where Unosecur GmbH processes personal data in its capacity as a Data Processor on behalf of enterprise customers acting as Data Controllers or Data Fiduciaries, such processing is exclusively governed by the applicable DPA executed between the parties. In such circumstances, the enterprise customer determines the purposes and means of processing, and Unosecur GmbH acts solely on documented instructions. Data subjects whose data is processed in this capacity should direct all enquiries to the relevant enterprise customer.
22.2 Sub-Processors
Unosecur GmbH engages trusted third-party Sub-Processors to assist in delivering the Services. All Sub-Processors are bound by contractual data processing agreements requiring them to process personal data only on documented instructions, implement appropriate security measures, and comply with applicable data protection law. A current and publicly accessible list of Sub-Processors is maintained at https://www.unosecur.com/subprocessors. Enterprise customers who have executed a DPA with the Company will be provided advance notice of any intended additions or replacements to the Sub-Processor list in accordance with the notification procedures set out in that DPA.
23. DO-NOT-TRACK SIGNALS
Various web browsers, operating systems, and mobile applications include a Do-Not-Track ("DNT") feature that transmits a signal to websites requesting that user browsing activity not be tracked. As no uniform technical standard for the recognition or implementation of DNT signals has been established or formally adopted at the time of the most recent revision of this Policy, Unosecur GmbH does not currently alter its data collection or processing practices at https://www.unosecur.com in response to DNT signals. Should a binding and technically standardised framework for DNT implementation be adopted by competent regulatory or standards bodies, this Policy and the Company's practices will be updated accordingly.
24. UPDATES AND AMENDMENTS TO THIS POLICY
Unosecur GmbH reserves the right to update, amend, or replace this Policy at any time, including to reflect changes in applicable law, regulatory guidance, business operations, or processing activities. The current version of this Policy is always accessible at https://www.unosecur.com/privacy-policy.
Material amendments will be communicated to registered users by email to the address associated with their account, and the revised Policy will be posted at https://www.unosecur.com/privacy-policy with an updated effective date. For Indian data principals, where required under the DPDPA, updated consent notices will be provided and fresh consent sought for any materially different processing activities.
Your continued use of the Services following publication of an amended Policy constitutes your acceptance of the revised terms, to the extent permitted by applicable law. We recommend that you periodically review this Policy to remain informed of how your personal data is being processed.
25. COMPLAINTS AND SUPERVISORY AUTHORITIES
Without prejudice to any other administrative or judicial remedy available to you, you have the right to lodge a complaint with a competent supervisory or regulatory authority if you believe that the processing of your personal data infringes applicable data protection law.
For data subjects in Germany:
Berliner Beauftragte fΓΌr Datenschutz und Informationsfreiheit (BlnBDI)
FriedrichstraΓe 219, 10969 Berlin, Germany
Website: https://www.datenschutz-berlin.de
For data subjects in other EEA Member States:
The national data protection authority of your country of habitual residence, place of work, or the place of the alleged infringement.
For data subjects in the United Kingdom:
The Information Commissioner's Office (ICO)
Website: https://ico.org.uk/make-a-complaint/
For data principals in India:
Once constituted and operational, the Data Protection Board of India, established under the DPDPA, 2023, in accordance with the procedures prescribed thereunder. Prior to the Board becoming operational, grievances may be directed to the Company's Grievance Officer as set out in Section 3.2 of this Policy.
Unosecur GmbH encourages all data subjects to contact the Company directly at security@unosecur.com in the first instance, so that concerns may be addressed promptly and without necessitating formal regulatory intervention.
26. GOVERNING LAW AND JURISDICTION
This Policy and all matters arising out of or in connection with the processing of personal data by Unosecur GmbH shall be governed by and construed in accordance with the laws of the Federal Republic of Germany, without prejudice to the mandatory rights afforded to data subjects under the GDPR, the UK GDPR, the DPDPA, the IT Act, the SPDI Rules, or any other applicable national data protection legislation of the jurisdiction in which a data subject is habitually resident.
Nothing in this Policy is intended to limit, restrict, or override any statutory rights conferred upon data subjects or data principals under applicable local law, including Indian law applicable to data principals in India.
Any disputes arising in connection with this Policy that cannot be resolved amicably and are not subject to mandatory local jurisdiction shall be subject to the non-exclusive jurisdiction of the courts of Berlin, Germany, subject to the rights of consumers and data principals in their respective jurisdictions to bring claims before competent local courts or regulatory bodies.
27. CONTACT INFORMATION
For all matters relating to this Privacy Policy, the exercise of data subject or data principal rights, or any privacy-related concerns, please contact:
Unosecur GmbH β Data Protection Enquiries
RosenstraΓe 2, 10178 Berlin, Federal Republic of Germany
Website: https://www.unosecur.com
Privacy Policy URL: https://www.unosecur.com/privacy-policy
Sub-Processors List: https://www.unosecur.com/subprocessors
Data Protection / Security: security@unosecur.com
General Support: support@unosecur.com
Telephone: +49 (0) 30 62937525-0
For Indian data principals (Grievance Officer):
Email: security@unosecur.com
Response within 5 business days; resolution within 30 days.
The Company is committed to acknowledging all privacy-related enquiries within five (5) business days and resolving them within the statutory timeframes prescribed by applicable law.
This Privacy Policy was last reviewed and updated on June 25, 2026 and supersedes all prior versions. The current version is published and maintained at https://www.unosecur.com/privacy-policy.


