Who We Are

• Data Controller: 42nd Universe Ltd
• Address: 71-75 Shelton Street, London, WC2H 9JQ, UK
• Contact: contact@unattach.com
• Privacy Contact: Dr Rok Strniša

How We Protect Your Email Privacy

Unattach is a web application that runs entirely in your browser. All email processing (removing attachments, reducing image sizes) happens on your device. We never send your email content to our servers or any other location, except when you choose to upload to your Dropbox account.

Your email content stays between your browser and Gmail, and all communication is encrypted. When you sign in with Google, we receive basic profile information (your email address, name, and profile picture) from Google OAuth to create and manage your account.

Unattach's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

What We Collect and Why

We collect and process the following personal data:

• Account Information (email address, name, profile picture, settings):
  Why: To provide the Unattach service, manage your account, and remember your preferences.
  Legal Basis: Contract performance (necessary to provide the service you signed up for).
  Required: Yes. Without this information, we cannot provide the service.
• Subscription and Payment Information (subscription status, payment provider details):
  Why: To manage your subscription and process payments.
  Legal Basis: Contract performance.
  Required: Only if you choose to subscribe to a paid plan.
• Usage and Error Logs (actions performed, errors encountered, browser information):
  Why: To improve our service, fix bugs, and ensure security. We take care to exclude personal data from these logs.
  Legal Basis: Legitimate interest (improving service quality and security).
  Retention: Server logs are kept for 24 hours.
• Transactional Emails (order confirmations, subscription updates, service notifications):
  Why: To fulfill our contractual obligations and keep you informed about your account.
  Legal Basis: Contract performance. You cannot opt out of these emails as they are essential to the service.
• Newsletter (optional):
  Why: To send you product updates and news (only if you choose to subscribe).
  Legal Basis: Consent. You can unsubscribe at any time on the account page.
  Required: No. Newsletter subscription is completely optional.
• Contact Form Data (message content, email address, request metadata like user-agent):
  Why: To respond to your inquiries and troubleshoot issues.
  Legal Basis: Legitimate interest (customer support).
• Website Analytics (Vercel) (anonymous page views, performance metrics):
  Why: To understand how our website is used and improve performance. Vercel Analytics is privacy-focused and cookieless. This data is fully anonymous and cannot be linked to you.
  Legal Basis: Legitimate interest (service improvement).
• Google Analytics (usage data, device information, page interactions - only with your consent):
  Why: To analyze website usage patterns and improve user experience.
  Legal Basis: Consent.
• Cloudflare Turnstile (browser challenge data, device signals):
  Why: To protect public forms (contact, newsletter signup) from spam and automated abuse.
  Legal Basis: Legitimate interest (security and fraud prevention).
• Review Invitations (name, email address, feedback reference):
  Why: After you submit feedback through our website, we may share your name and your email address with Trustpilot, so they can send you a review request.
  Legal Basis: Legitimate interest (collecting customer feedback). You can ignore the request.
• Session Recording (user interactions, clicks, scrolls via LogRocket - only with your consent):
  Why: To understand user behavior and improve the website experience.
  Legal Basis: Consent.
  Retention: LogRocket data is automatically deleted after 1 month.

For any processing based on your consent (newsletter, Google Analytics, LogRocket), you can withdraw your consent at any time, through the account page (newsletter) and (Google Analytics, LogRocket).

Who We Share Your Data With

We use trusted service providers to help us deliver the Unattach service:

• Google OAuth - for secure authentication.
• Vercel - website hosting and anonymous analytics.
• AWS S3 - secure storage of profile images.
• Postmark - sending transactional and newsletter emails.
• Paddle, PayPal, Stripe - payment processing (only if you subscribe).
• Google Analytics - website analytics (only with your consent). Described in detail above.
• LogRocket - session recording (only with your consent).
• Dropbox - optional integration for uploading to your Dropbox account.
• Cloudflare Turnstile - bot protection on public forms.
• Trustpilot - public review platform. When we send review requests, Trustpilot acts as a processor on our behalf under our Data Processing Agreement. If you choose to post a review on Trustpilot, Trustpilot then becomes the controller of that review under its own privacy policy.

We do not sell or share your personal data with third parties for their own marketing purposes.

International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. When we transfer your data internationally, we ensure appropriate safeguards are in place to protect your personal data in accordance with GDPR requirements. These safeguards include Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), the UK Addendum to SCCs, and adequacy regulations where applicable.

How Long We Keep Your Data

• Account data: Until you delete your account. You can delete your account by contacting us.
• Subscription and payment records: As required by law for tax and accounting purposes (typically 7 years).
• Server logs: 24 hours.
• Session recording (LogRocket): 1 month (automatic deletion).
• Newsletter subscription: Until you unsubscribe.
• Support messages: until your issue is resolved and for a limited period afterwards, unless longer retention is required for legal, accounting, fraud prevention, or dispute resolution purposes.

Your Privacy Rights

Under GDPR and other privacy laws, you have the following rights:

• Right to Access: You can download a copy of all your personal data from your account page.
• Right to Rectification: You can update your account information by contacting us.
• Right to Erasure: You can request account deletion by contacting us. We will delete your personal data, except where we are legally required to keep certain records (e.g., payment history for tax purposes).
• Right to Restrict Processing: You can ask us to limit how we use your data.
• Right to Object: You can object to processing based on legitimate interests.
• Right to Data Portability: You can download your data in a machine-readable format.
• Right to Withdraw Consent: For newsletter and analytics cookies, you can withdraw consent at any time (unsubscribe from newsletter or change cookie preferences).
• Right to Complain: You can lodge a complaint with the UK Information Commissioner's Office (ICO), or with your local supervisory authority if applicable.

To exercise any of these rights, contact us. We will respond within one month.

Security

We use industry-standard security practices to protect your data, including encrypted connections (HTTPS), secure token storage, and access controls. However, no method of transmission over the Internet or storage is 100% secure.

External Links

Our website may link to external sites that we do not operate. We are not responsible for the privacy practices of these sites. Please review their privacy policies separately.

Changes to This Policy

We may update this privacy policy from time to time. The "Last Updated" date at the top shows when the latest changes were made. We encourage you to review this policy periodically.

Questions

If you have any questions about how we handle your data, contact us.