Privacy Policy
Last updated: March 11, 2026
1. General Information and Scope
1.1 Purpose of the Privacy Policy. This Privacy Policy explains how OneType P.S.A ("Unabyss", "we", "us", or "our") collects, uses, processes, and protects personal data of users ("User" or "you") who access or use the Service available at unabyss.com, app.unabyss.com, ask.unabyss.com, and related web applications and APIs.
1.2 Compliance with Law. Unabyss processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Polish Act on the Protection of Personal Data, and other applicable privacy laws and regulations.
1.3 Data Controller. The controller of your personal data is OneType Prosta Spółka Akcyjna, with its registered office in Warsaw (ul. Fabryczna 4A/11, 00-446 Warszawa, Poland), entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court in Warsaw, XII Commercial Division of the National Court Register, under KRS number: 0001224271; NIP: 7011299839; share capital: PLN 200,000. Email: legal@unabyss.com.
1.4 Contact for Data Protection. For any questions regarding data protection, Users may contact the Data Protection Officer (or designated privacy contact) by email at privacy@unabyss.com.
1.5 Scope of Application. This Privacy Policy applies to:
(a) Visitors of the Unabyss website (unabyss.com).
(b) Registered Users of the Unabyss platform (app.unabyss.com), including Chatbot Owners.
(c) Public Users who interact with Chatbots hosted on ask.unabyss.com, whether anonymously or as authenticated users.
(d) Individuals whose data is processed in connection with the Research Pipeline, social media imports, or Chatbot interactions.
(e) Individuals whose data is processed in connection with communication, billing, and support.
1.6 Relationship with Terms and Conditions. This Privacy Policy forms an integral part of Unabyss's Terms and Conditions. By using the Service, you acknowledge that you have read and understood both documents.
1.7 Updates to the Privacy Policy. This Privacy Policy may be updated from time to time. The latest version will always be available at unabyss.com/privacy. Users will be informed of significant updates via email or in-app notification before they take effect.
2. Categories of Data Collected
2.1 Data Provided by the User
When creating an Account or communicating with Unabyss, the User may provide the following data:
(a) Identification and contact information such as name, surname, email address, and company name.
(b) Billing and payment information (processed through Stripe).
(c) Context Data, including structured context files, text documents, and other content uploaded to the Platform.
(d) Social media credentials and authorization tokens when connecting external accounts (such as LinkedIn, X/Twitter, or Facebook) via OAuth.
(e) Voice recordings submitted through the speech-to-text feature (processed by ElevenLabs Scribe).
(f) Correspondence and communication history with Unabyss, including support requests and feedback.
2.2 Data Collected Automatically
When the User visits the website or uses the Service, certain information may be collected automatically, including:
(a) IP address, browser type, operating system, and device identifiers.
(b) Date, time, and duration of visits.
(c) Referring pages, pages viewed, and interaction data.
(d) Cookies and similar tracking technologies used to improve performance and analyze usage.
2.3 Data Collected from Public Users
When Public Users interact with Chatbots on ask.unabyss.com, the following data may be collected:
(a) Anonymous session identifiers (UUID assigned per session).
(b) Device fingerprint hashes (used for rate limiting and abuse prevention).
(c) Messages sent to and received from Chatbots.
(d) If the Public User creates an Account, all data associated with their anonymous sessions is linked to their Account.
2.4 Data Collected via the Research Pipeline
When Users initiate the Research Pipeline, the following data may be collected from publicly available third-party sources:
(a) LinkedIn profile information, including name, job title, company, experience, and education.
(b) Publicly available social media posts and company information.
(c) Website content from URLs provided by the User or discovered during research.
This data is processed by AI to generate structured briefs, voice profiles, and other outputs. The User is responsible for ensuring they have a legitimate basis for collecting this data, as described in the Terms and Conditions.
2.5 Data from Integrated Services
When connecting external accounts or integrations (for example, LinkedIn or Google OAuth), Unabyss may receive limited account information necessary to provide the Service, such as name, profile picture, email address, and authorization tokens. Unabyss does not store or have access to passwords from third-party platforms.
2.6 Data Collected for AI Processing
When using the Unabyss platform, Context Data and conversation messages may be processed by third-party AI systems (including OpenAI, Anthropic/Claude, and Google/Gemini via LiteLLM) for the purpose of generating AI Output, powering Chatbot interactions, performing semantic search, and enabling Inbox analysis. Such processing is limited to the scope necessary for the requested functionality and is performed in accordance with GDPR and contractual safeguards. Context Data is not used to train or improve external AI models.
2.7 Analytics and Tracking Tools
Unabyss uses cookies and tracking technologies for analytics, performance measurement, and marketing. The following third-party tools are used:
(a) Google Analytics — for website traffic analysis and performance monitoring.
(b) Google Tag Manager — for managing and deploying tracking scripts.
(c) Meta Pixel (Facebook) — for conversion tracking and advertising performance.
(d) LinkedIn Insight Tag — for conversion tracking, retargeting, and campaign analytics.
Users can manage or disable cookies through their browser settings or by using cookie consent tools available on the website.
2.8 Data from Communication Channels
If the User contacts Unabyss through email, chat, or other communication channels, Unabyss may retain the content of such communications and related metadata for record-keeping and support purposes.
2.9 Optional Marketing Data
Users may voluntarily provide data (such as name and email) to subscribe to newsletters or updates. Marketing communication is sent only with the User's consent, which can be withdrawn at any time.
3. Purpose and Legal Basis of Processing
3.1 Provision of the Service. Personal data is processed to register and maintain User Accounts, authenticate access, manage Context Data, power Chatbot interactions, operate the Inbox, and provide the functionalities of the Unabyss platform. Legal basis: Article 6(1)(b) GDPR — processing is necessary for the performance of a contract to which the User is a party.
3.2 Payment, Credits, and Invoicing. Data such as billing details, credit balances, transaction history, and pre-authorization records are processed to manage payments, issue invoices, and operate the credit system. Legal basis: Article 6(1)(b) GDPR — contract performance; Article 6(1)(c) GDPR — compliance with legal obligations under tax and accounting laws.
3.3 AI Content Generation and Chatbot Operations. Context Data, conversation messages, and Research Pipeline inputs are processed using Unabyss's AI systems and trusted third-party AI providers (OpenAI, Anthropic, Google/Gemini) to generate AI Output, power Chatbot responses, perform Inbox evaluations, and produce research briefs. Processing is limited to what is necessary for the requested functionality and is not used for unrelated purposes. Legal basis: Article 6(1)(b) GDPR — contract performance.
3.4 Public User Interactions. Messages, anonymous session identifiers, and device fingerprint hashes from Public Users are processed to facilitate Chatbot conversations, enforce rate limits, prevent abuse, and enable account linking. Legal basis: Article 6(1)(b) GDPR — contract performance (for authenticated Public Users); Article 6(1)(f) GDPR — legitimate interest in providing the Service and preventing abuse (for anonymous Public Users).
3.5 Research Pipeline. Publicly available information from third-party sources is collected and processed by AI to generate structured context files and research briefs at the User's direction. Legal basis: Article 6(1)(b) GDPR — contract performance; Article 6(1)(f) GDPR — legitimate interest in delivering the requested research functionality.
3.6 MCP Distribution. When Users distribute Context Data to third-party AI tools via MCP, Unabyss processes the data necessary to facilitate that distribution. Once data leaves the Unabyss Platform, it is governed by the third party's terms and privacy policy. Legal basis: Article 6(1)(b) GDPR — contract performance.
3.7 Service Improvement and Product Development. Aggregated and anonymized data may be used to improve the accuracy, efficiency, and usability of the Service. If personal data is required for this purpose, separate consent will be obtained from the User. Legal basis: Article 6(1)(f) GDPR — legitimate interest in improving the Service.
3.8 Customer Support and Communication. Data such as contact details and message history are processed to respond to inquiries, provide assistance, and manage customer relationships. Legal basis: Article 6(1)(b) GDPR — contract performance; Article 6(1)(f) GDPR — legitimate interest in providing effective support.
3.9 Marketing and Newsletters. With the User's explicit consent, Unabyss may use contact data to send marketing communications, updates, and newsletters via Resend. Users can withdraw consent at any time. Legal basis: Article 6(1)(a) GDPR — consent of the data subject.
3.10 Analytics and Website Optimization. Cookies and analytics tools (including Google Analytics, Google Tag Manager, Meta Pixel, and LinkedIn Insight Tag) are used to understand website traffic, performance, and effectiveness of marketing campaigns. Legal basis: Article 6(1)(a) GDPR — consent through cookie banner or preferences; Article 6(1)(f) GDPR — legitimate interest in maintaining secure and efficient website performance (for essential cookies only).
3.11 Compliance with Legal Obligations. Personal data may be processed to comply with legal obligations, including bookkeeping, fraud prevention, or responding to lawful requests by public authorities. Legal basis: Article 6(1)(c) GDPR — compliance with legal obligations.
3.12 Protection of Rights and Interests. Personal data may be processed when necessary to establish, exercise, or defend legal claims, or to prevent abuse, fraud, or misuse of the Service. Legal basis: Article 6(1)(f) GDPR — legitimate interest in protecting the company's rights and ensuring service integrity.
3.13 Recruitment and Collaboration. If individuals apply for employment or partnership opportunities with Unabyss, their personal data will be processed for recruitment or evaluation purposes. Legal basis: Article 6(1)(b) GDPR — pre-contractual measures; Article 6(1)(a) GDPR — consent, where applicable.
4. Data Sharing and Subprocessors
4.1 General Rules. Unabyss does not sell or rent personal data. Data may be shared only with trusted partners and subprocessors where necessary to operate the Service, fulfill contractual obligations, or comply with legal requirements. Each subprocessor is bound by a written data processing agreement ensuring confidentiality, security, and GDPR compliance.
4.2 Categories of Recipients. Personal data may be shared with the following categories of recipients:
(a) Technical service providers supporting hosting, infrastructure, or storage.
(b) Payment processors and financial institutions.
(c) Analytics and advertising partners.
(d) Communication and email delivery platforms.
(e) AI technology providers used for content generation, chatbot operations, transcription, or analysis.
(f) Data collection providers used for the Research Pipeline.
(g) Chatbot Owners, who receive Inbox items containing summaries of Public User conversations (not raw personal data unless voluntarily shared by the Public User).
(h) Public authorities when required by law.
4.3 Core Subprocessors and Providers. To deliver the Service, Unabyss currently engages the following subprocessors and technology partners:
Hosting and Infrastructure:
- Contabo — VPS hosting, S3-compatible cloud storage, and application infrastructure.
- Cloudflare, Inc. — edge delivery, CDN, and Workers for signed URL proxy.
Payments and Billing:
- Stripe, Inc. — payment processing, subscription management, and pre-authorization holds.
Analytics and Advertising:
- Google LLC (Google Analytics, Google Tag Manager) — analytics and performance tracking.
- Meta Platforms Ireland Ltd. (Meta Pixel) — conversion tracking and campaign optimization.
- LinkedIn Ireland Unlimited Company (LinkedIn Insight Tag) — conversion tracking and retargeting.
Artificial Intelligence and Content Generation:
- OpenAI, L.L.C. — text generation, analysis, and research processing.
- Anthropic PBC (Claude) — reasoning, text generation, and chatbot operations.
- Google LLC (Gemini) — natural language processing, accessed via LiteLLM.
Speech-to-Text:
- ElevenLabs, Inc. (Scribe) — real-time speech-to-text transcription.
Email and Communication:
- Resend — transactional and marketing email delivery.
- Slack Technologies, LLC — internal organization and operational notifications.
Data Collection (Research Pipeline):
- Specialized third-party providers for social media data collection and website content extraction.
All subprocessors are contractually obliged to handle data securely, process it only on documented instructions, and comply with the GDPR or equivalent safeguards.
4.4 International Transfers. Some subprocessors may process data outside the European Economic Area (EEA), particularly in the United States. In such cases, Unabyss ensures adequate protection by relying on Standard Contractual Clauses (SCCs) approved by the European Commission or other lawful transfer mechanisms recognized under the GDPR.
4.5 Access Control. Access to personal data within Unabyss is strictly limited to authorized employees and contractors who require access for the performance of their duties. All individuals with access are bound by confidentiality agreements and receive training in data protection principles.
4.6 Updates to the List of Subprocessors. The list of subprocessors may change from time to time to reflect operational needs. An updated list will be maintained by Unabyss and made available to Users upon request. In the event of a material change affecting personal data, Users will be notified prior to the new subprocessor's engagement.
5. International Transfers and Data Storage
5.1 Data Storage Locations. Personal data collected and processed by Unabyss is primarily stored on secure servers located within the European Economic Area (EEA), hosted by Contabo. However, some data may be transferred or temporarily processed outside the EEA by subprocessors located in countries that do not provide an equivalent level of data protection.
5.2 Legal Safeguards for Transfers. When personal data is transferred outside the EEA, Unabyss ensures that such transfers are protected by appropriate legal safeguards, including:
(a) Standard Contractual Clauses (SCCs) adopted by the European Commission.
(b) Adequacy decisions issued by the European Commission for certain jurisdictions.
(c) Other mechanisms permitted under Articles 45–49 of the GDPR.
5.3 Countries of Transfer. Certain subprocessors, such as OpenAI, Anthropic, ElevenLabs, Stripe, and Google (for Gemini AI processing), may process data in the United States or other non-EEA jurisdictions. In all such cases, Unabyss requires that these entities apply GDPR-equivalent security and privacy measures and sign binding data processing agreements that include SCCs.
5.4 Data Retention. Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, including to meet legal, accounting, or reporting obligations. Retention periods are determined as follows:
(a) Account data — retained for the duration of the Account and up to 90 days after deletion, unless otherwise required by law.
(b) Context Data and context files — retained for the duration of the User's Account and deleted upon account closure or earlier at the User's request.
(c) AI Output and Chatbot conversation logs — retained for the duration of the User's Account. Anonymous Chatbot conversations may be retained in anonymized form for analytics.
(d) Research Pipeline outputs — retained as Context Data for the duration of the User's Account.
(e) Payment, credit transaction, and invoicing data — retained for at least five (5) years as required by Polish tax law.
(f) Anonymous session data and device fingerprints — retained for up to 90 days for abuse prevention purposes.
(g) Communication records — retained for up to two (2) years for support and administrative purposes.
5.5 Backups and Recovery. Regular data backups are performed to ensure continuity and resilience. Backup data is stored securely on S3-compatible storage and is subject to the same protection measures as production data.
5.6 Data Deletion Requests. Upon User request, Unabyss will delete or anonymize all personal data associated with their Account, unless retention is required by law. Requests can be submitted to privacy@unabyss.com. Upon deletion, all Chatbots created by the User will be deactivated.
5.7 Security of Transfers. All international data transfers and remote accesses are protected by encryption and secure communication protocols (TLS/HTTPS). Access to data by subprocessors is limited to specific, documented processing tasks and is monitored through contractual and technical controls.
6. Data Security Measures
6.1 General Commitment. Unabyss applies appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing of personal data. These measures are designed to prevent unauthorized access, alteration, disclosure, or destruction of information.
6.2 Technical Measures. The following technical safeguards are implemented:
(a) Encryption of data in transit (TLS/HTTPS) and at rest.
(b) Secure server configuration, firewalls, and Nginx reverse proxy to prevent unauthorized access.
(c) JWT-based authentication with short-lived access tokens (60 minutes) and rotating refresh tokens.
(d) Regular software updates and patch management.
(e) Anonymization or pseudonymization of data where appropriate, including device fingerprint hashing.
(f) Secure deletion and overwriting of data when no longer needed.
(g) Automated database backups to S3-compatible cloud storage.
(h) Continuous monitoring of infrastructure and detection of potential threats.
6.3 Organizational Measures. Organizational controls applied by Unabyss include:
(a) Restricted access to data based on role and necessity.
(b) Confidentiality agreements for employees and contractors.
(c) Mandatory data protection and cybersecurity training.
(d) Clear internal procedures for handling data breaches.
(e) Regular security audits and compliance reviews.
6.4 Incident Management and Data Breach Response. In the event of a personal data breach, Unabyss will:
(a) Assess the scope and impact of the incident.
(b) Take immediate steps to mitigate harm.
(c) Notify the competent supervisory authority (President of the Personal Data Protection Office in Poland) within 72 hours if required under Article 33 of the GDPR.
(d) Inform affected Users when the breach is likely to result in a high risk to their rights and freedoms.
6.5 Subprocessor Security. All subprocessors used by Unabyss are required to implement comparable security measures and to comply with GDPR standards. Their compliance is verified through contractual guarantees and, where possible, security documentation or audits.
6.6 Data Integrity and Confidentiality. Unabyss ensures that personal data remains accurate, complete, and confidential throughout its lifecycle. Regular reviews are carried out to maintain the integrity of stored information.
6.7 Physical Security. Data centers hosting the Service are maintained by professional providers (Contabo) that ensure physical security, including restricted access, 24/7 monitoring, and environmental controls.
7. User Rights under GDPR
7.1 General Information. Users whose personal data is processed by Unabyss have the rights described in this section. Unabyss respects and facilitates the exercise of these rights in accordance with Articles 12–23 of the GDPR.
7.2 Right of Access. Users have the right to obtain confirmation as to whether or not their personal data is being processed, and, where that is the case, to access such data and receive information about its source, purpose, and recipients.
7.3 Right to Rectification. Users have the right to request correction of any inaccurate or incomplete personal data concerning them.
7.4 Right to Erasure ("Right to be Forgotten"). Users have the right to request the deletion of their personal data when:
(a) The data is no longer necessary for the purposes for which it was collected.
(b) The User withdraws consent (where consent was the legal basis).
(c) The User objects to processing and there are no overriding legitimate grounds.
(d) The processing is unlawful.
(e) Deletion is required by law.
This right may not apply where data retention is required for compliance with legal obligations or for the establishment, exercise, or defense of legal claims.
7.5 Right to Restriction of Processing. Users may request restriction of processing where:
(a) The accuracy of personal data is contested.
(b) The processing is unlawful but the User opposes deletion.
(c) Unabyss no longer needs the data but the User requires it for legal claims.
(d) The User has objected to processing pending verification of legitimate grounds.
7.6 Right to Data Portability. Users have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible. This includes Context Data, context files, and conversation histories.
7.7 Right to Object. Users have the right to object at any time to the processing of their personal data based on legitimate interests or for direct marketing purposes. In such cases, Unabyss will stop processing the data unless it demonstrates compelling legitimate grounds or the processing is required for legal claims.
7.8 Right to Withdraw Consent. Where processing is based on consent, the User may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
7.9 Right to Lodge a Complaint. Users have the right to lodge a complaint with the competent supervisory authority if they believe that the processing of their personal data infringes applicable data protection laws. In Poland, the supervisory authority is the Personal Data Protection Office (UODO), ul. Stanisława Moniuszki 1A, 00-014 Warszawa, Poland. Website: https://uodo.gov.pl.
7.10 Public User Rights. Public Users who interact with Chatbots anonymously have limited data associated with them (anonymous session identifiers and device fingerprints). Public Users who create an Account gain full data subject rights over all data linked to their Account, including previously anonymous conversation data. Anonymous Public Users may exercise their rights by contacting privacy@unabyss.com with their anonymous session identifier.
7.11 Exercising Rights. Requests regarding any of the above rights can be submitted by email to privacy@unabyss.com. Unabyss will respond to verified requests within one month of receipt, or within three months in complex cases, in accordance with Article 12(3) of the GDPR.
8. Cookies and Tracking Technologies
8.1 Use of Cookies. Unabyss's websites and web applications use cookies and similar tracking technologies to ensure proper functionality, analyze performance, and improve the User experience. Cookies are small text files stored on the User's device by their browser.
8.2 Types of Cookies Used. The following types of cookies may be used:
(a) Essential cookies — required for the basic operation of the website, including login (JWT token management), navigation, and session management.
(b) Functional cookies — enable enhanced functionality, such as remembering preferences, anonymous session identifiers, and improving usability.
(c) Analytics cookies — collect information on how Users interact with the website to help improve performance and content (Google Analytics, Google Tag Manager).
(d) Marketing cookies — track User interactions for advertising and remarketing purposes (Meta Pixel, LinkedIn Insight Tag).
8.3 Cookie Consent. On the first visit to the Unabyss website, Users are presented with a cookie banner allowing them to accept or reject non-essential cookies. Consent is recorded and can be modified or withdrawn at any time through the cookie settings interface or browser preferences.
8.4 Third-Party Cookies. Some cookies may be placed by third-party service providers integrated with the website. These providers include:
(a) Google LLC — for analytics (Google Analytics), tag management (Google Tag Manager), and marketing.
(b) Meta Platforms Ireland Ltd. — for marketing and conversion tracking (Meta Pixel).
(c) LinkedIn Ireland Unlimited Company — for conversion tracking and retargeting (LinkedIn Insight Tag).
Each third party is responsible for its own privacy practices. Users are encouraged to review their privacy policies at: Google: https://policies.google.com/privacy; Meta: https://www.facebook.com/privacy/policy; LinkedIn: https://www.linkedin.com/legal/privacy-policy.
8.5 Managing Cookies. Most browsers allow Users to control cookies through settings that block, delete, or alert them about cookie use. However, disabling certain cookies may affect the functionality or performance of the website.
8.6 Retention of Cookie Data. Cookies are stored for varying durations depending on their type: session cookies are deleted automatically when the browser is closed; persistent cookies remain stored for a defined period or until manually deleted.
8.7 Analytics and Anonymization. Data collected through analytics tools is processed in an aggregated and anonymized form whenever possible. IP anonymization is enabled for Google Analytics to comply with GDPR requirements.
8.8 Withdrawal of Consent. Users can withdraw consent to non-essential cookies at any time by updating their cookie preferences on the website or through their browser settings.
9. Marketing Communication and Newsletters
9.1 Voluntary Subscription. Users may voluntarily subscribe to receive newsletters, updates, or promotional materials related to Unabyss's services, features, or events. Subscription requires the provision of an email address and may include additional optional information, such as name or company name.
9.2 Legal Basis. Marketing communication is sent only based on the User's explicit consent in accordance with Article 6(1)(a) of the GDPR and Article 10 of the Polish Act on Providing Services by Electronic Means.
9.3 Double Opt-In. To ensure valid consent, Unabyss may use a double opt-in procedure for newsletter subscriptions. After subscribing, the User will receive an email asking them to confirm their address by clicking a verification link. The subscription becomes active only after confirmation.
9.4 Content of Communication. Marketing communication may include:
(a) Information about new features, updates, or product releases.
(b) Educational content related to AI, context management, and professional workflows.
(c) Invitations to events, beta programs, or surveys.
(d) Limited promotional offers or discounts.
9.5 Email Platform. Email communication is managed using Resend for both transactional and marketing email delivery. Resend is bound by a GDPR-compliant data processing agreement.
9.6 Unsubscribing. Users may unsubscribe from marketing communication at any time by clicking the "unsubscribe" link included in each email or by contacting privacy@unabyss.com. Unsubscribing will not affect transactional or essential service-related messages (for example, billing or system notifications).
9.7 Frequency of Messages. Unabyss limits the frequency of marketing messages to a reasonable level to prevent spam and ensure relevance.
9.8 Data Retention. Personal data collected for marketing purposes will be retained until the User withdraws consent or unsubscribes, after which it will be deleted or anonymized within thirty (30) days.
9.9 Analytics of Engagement. Unabyss may analyze anonymized engagement metrics such as open rates, click rates, and unsubscribe statistics to improve the relevance and quality of its communication. This data is never used for profiling or automated decision-making that produces legal effects.
10. Automated Decision-Making and Profiling
10.1 No Automated Decisions with Legal Effects. Unabyss does not engage in automated decision-making that produces legal effects or similarly significant consequences for Users within the meaning of Article 22 of the GDPR.
10.2 AI-Driven Processing. The Unabyss platform uses artificial intelligence technologies to assist Users in managing context, generating content, powering Chatbot interactions, analyzing conversations for the Inbox, and conducting research. Such processing is always initiated by the User (or by Public User interaction with a Chatbot configured by the User) and serves only to deliver requested functionality. AI systems do not make autonomous decisions about Users, nor do they evaluate or score individuals.
10.3 Inbox AI Evaluation. When Inbox routing is enabled, AI evaluates Chatbot conversations to determine whether they are noteworthy for the Chatbot Owner. This evaluation produces summaries and interestingness scores but does not constitute profiling of the Public User. The evaluation is based on conversation content, not on personal characteristics of the Public User.
10.4 Limited Personalization. Some personalization may occur within the Service to improve User experience, such as recommending context file organization or suggesting chatbot configurations. This personalization is rule-based and does not involve behavioral profiling or automated evaluation of personality, preferences, or performance.
10.5 Human Oversight. All AI-based operations performed within the Service are subject to human oversight. Users maintain full control over their AI Output and must review and approve all generated content. Chatbot Owners are responsible for reviewing Inbox items and Chatbot behavior.
10.6 Transparency of AI Providers. AI processing is performed using trusted third-party providers (OpenAI, Anthropic/Claude, Google/Gemini, and ElevenLabs). Each provider operates under contractual terms that ensure GDPR compliance, confidentiality, and limited data use. Context Data and conversation data are not used to train or improve external AI models.
10.7 User Control. Users can manage their Context Data, disable specific Chatbot features, or delete their data through the account settings or by contacting privacy@unabyss.com.
10.8 No Profiling for Marketing. Unabyss does not use profiling to serve targeted advertising or to create marketing segments based on User behavior. Marketing communication is based solely on explicit consent and general subscription preferences.
11. Data Retention and Deletion
11.1 General Principle. Personal data is retained only for as long as necessary to achieve the purposes for which it was collected or to comply with legal, accounting, or reporting obligations. After this period, data is securely deleted or anonymized.
11.2 Retention Periods by Category. The following retention rules apply unless a longer period is required by law:
(a) Account data — retained for the duration of the User's Account and up to 90 days after termination, unless otherwise requested.
(b) Context Data, context files, and AI Output — retained for the duration of the User's Account and deleted upon account closure or earlier at the User's request.
(c) Chatbot conversation logs — retained for the duration of the Chatbot Owner's Account. Anonymized conversation data may be retained for analytics.
(d) Research Pipeline outputs — retained as Context Data for the duration of the User's Account.
(e) Payment, credit transaction, and billing information — retained for five (5) years as required by Polish tax and accounting regulations.
(f) Anonymous session identifiers and device fingerprints — retained for up to 90 days.
(g) Customer support communications — retained for up to two (2) years to ensure service quality and resolve potential disputes.
(h) Newsletter and marketing data — retained until the User withdraws consent or unsubscribes, after which data is deleted or anonymized within thirty (30) days.
(i) Backups — retained for a limited period (up to ninety (90) days) for system recovery and continuity purposes.
11.3 Criteria for Retention. Retention periods are determined based on the duration of the contractual relationship, applicable legal requirements, the nature and sensitivity of the data, and the potential risk of unauthorized use or disclosure.
11.4 Secure Deletion. Once data reaches the end of its retention period, it is securely deleted or irreversibly anonymized using appropriate technical measures to prevent recovery.
11.5 User-Initiated Deletion. Users may request deletion of their Account and associated data at any time by contacting privacy@unabyss.com or through the account settings. Deletion requests will be processed within thirty (30) days unless retention is required by law or legitimate business necessity (for example, unresolved payment obligations). Upon deletion, all Chatbots created by the User will be deactivated.
11.6 Exceptions. Certain data may be retained for a longer period if necessary for compliance with legal or regulatory requirements; the establishment, exercise, or defense of legal claims; or the prevention of fraud, abuse, or misuse of the Service.
11.7 Anonymization for Statistical Use. Unabyss may retain anonymized and aggregated data after Account deletion for statistical analysis, service improvement, or research purposes. Such data cannot be linked to any identifiable User.
12. Children's Data
12.1 Age Restriction. The Unabyss Service is intended exclusively for individuals who are at least eighteen (18) years old. Unabyss does not knowingly collect or process personal data from children under this age.
12.2 Parental Consent. If it becomes apparent that personal data has been collected from a minor without verifiable parental consent, Unabyss will take immediate steps to delete such data and, where applicable, to disable the associated Account.
12.3 Responsibility of Users. Users creating an Account on behalf of an organization are responsible for ensuring that all individuals who access the Service under their authorization meet the minimum age requirement. Chatbot Owners are responsible for ensuring their Chatbots do not knowingly collect data from minors.
12.4 Reporting. Parents or guardians who believe that their child has provided personal data to Unabyss without consent are encouraged to contact privacy@unabyss.com. Unabyss will investigate and act promptly to remove the data in accordance with applicable law.
13. Changes to the Privacy Policy
13.1 Right to Update. Unabyss reserves the right to modify or update this Privacy Policy at any time to reflect changes in legal requirements, technology, or the operation of the Service.
13.2 Notification of Changes. In the event of material changes affecting the way personal data is processed, Unabyss will notify Users by email or by displaying a notice within the Service prior to the effective date of the updated Privacy Policy.
13.3 Acceptance of Changes. Continued use of the Service after the effective date of the revised Privacy Policy constitutes acceptance of the updated version. Users who do not agree to the modifications may discontinue use of the Service and request deletion of their data.
13.4 Historical Versions. Previous versions of this Privacy Policy will be archived and made available upon request.
13.5 Effective Date. This Privacy Policy enters into force on the date of publication on the Unabyss website and remains valid until replaced by a new version.
14. Contact Information and Supervisory Authority
14.1 Data Controller Contact. For any questions, requests, or concerns related to this Privacy Policy or the processing of personal data, Users may contact Unabyss at: OneType Prosta Spółka Akcyjna, ul. Fabryczna 4A/11, 00-446 Warszawa, Poland. KRS: 0001224271; NIP: 7011299839. Email: privacy@unabyss.com. Website: unabyss.com.
14.2 Data Protection Officer. If Unabyss designates a Data Protection Officer (DPO), the contact details of the DPO will be published on the Unabyss website. Until such designation, all data protection inquiries should be directed to privacy@unabyss.com.
14.3 Supervisory Authority. Users have the right to lodge a complaint with the competent supervisory authority if they believe that their personal data is being processed in violation of applicable law. The competent authority in Poland is the Personal Data Protection Office (UODO), ul. Stanisława Moniuszki 1A, 00-014 Warszawa, Poland. Website: https://uodo.gov.pl.
14.4 Language of Communication. Communication regarding privacy and data protection matters may be conducted in English or Polish.
14.5 Final Provision. This Privacy Policy applies to all services provided by Unabyss under the domains unabyss.com, app.unabyss.com, and ask.unabyss.com and their subdomains.