⚠ DRAFT — This is a template.
Reviewed and approved by [LAW FIRM NAME] on [REVIEW DATE]. Last updated 2026-05-28. Contact founders@unfoldingvalues.com with legal questions.
Privacy Policy
Last updated 2026-05-28
This Privacy Policy explains how Unfold Equity ("we," "us," or "our") collects, uses, discloses, and protects personal data. It is intended to be consistent with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It supplements our Terms of Service.
1. Data We Collect
Account information: name, work email, role, company, and authentication data.
Equity and compensation data: grant terms, vesting schedules, cap-table figures, and securities filings that you submit. We reference only the last four digits of any tax identifier where a form legally requires it — we do not store full SSNs or TINs.
Usage data: log data, device/browser information, and feature usage, used to operate and secure the Service. Our website analytics are cookieless and store no personal data (see Section 6).
2. How We Use Data
We use personal data to provide, maintain, secure, and improve the Service; to authenticate users; to send transactional and compliance notifications; to provide support; to comply with legal obligations; and to detect and prevent fraud and abuse. We do not sell personal data, and we do not use Customer Data to train machine-learning models. Our legal bases under GDPR are performance of a contract, legitimate interests, consent (where applicable), and legal obligation.
3. Third Parties (Subprocessors)
We share data with a small set of subprocessors strictly to operate the Service: Supabase (managed database, authentication, storage), Vercel (application hosting), Resend(transactional email), and Sentry (error monitoring, enabled only when configured). Each is bound by data-protection obligations. We do not otherwise disclose personal data except as required by law.
4. Data Retention
We retain Customer Data for as long as the account is active and as needed to provide the Service. Certain securities and audit records are subject to a 7-year regulatory hold and are preserved even after an erasure request, consistent with SEC retention requirements. Other data is deleted or anonymized after the applicable retention period.
5. Your Rights (Access, Erasure, Portability)
Subject to legal limits, you may request access to, correction of, deletion of, or a portable copy of your personal data. Account holders can self-serve a GDPR-compliant data export and erasure from Settings → Compliance (or Settings → Account for individual exports). Records under regulatory hold are retained as described in Section 4; where we cannot delete a record, we pseudonymize personal identifiers while preserving the action record.
6. Cookies and Analytics
We use only the cookies strictly necessary to operate the Service (for example, your authenticated session). We use Plausible Analytics, which is cookieless and stores no personal data — so no cookie-consent banner is required. We do not use third-party advertising or cross-site tracking cookies.
7. International Transfers
Our infrastructure is hosted in the United States. Where personal data is transferred from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the EU Standard Contractual Clauses. Enterprise customers may execute a Data Processing Agreement.
8. Children
The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children.
9. Security
We protect personal data with encryption at rest (AES-256) and in transit (TLS 1.3), database-level tenant isolation (row-level security), access controls, and continuous monitoring. See our Security Policy for details.
10. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated by email or in-product notice. The "Last updated" date above reflects the latest revision.
11. Contact
To exercise your rights or ask a privacy question, contact founders@unfoldingvalues.com.