Legal
This Privacy Policy explains how Unytea (“we”, “us”, “our”) collects, uses, stores, and protects personal data when you use our platform. We are committed to complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
Last updated: April 2026
Unytea acts as the data controller for the personal data collected through this platform. This means we determine the purposes and means of processing your personal data.
For all data protection inquiries, you may contact our Data Protection Officer at dpo@unytea.com.
We collect information you provide directly and data generated through your use of the platform. This includes:
Account data: name, email address, profile picture, and authentication credentials (managed through our identity provider).
Profile data: biography, interests, community memberships, and publicly visible activity within communities you join.
Content data: posts, comments, course progress, messages, uploaded files, whiteboard sessions, and any other content you create on the platform.
Usage data: pages visited, features used, session duration, device type, browser information, IP address, and general location derived from IP.
Communication data: support requests, feedback, and any messages you send through the platform's real-time chat features.
Under the GDPR, we process your personal data based on the following legal grounds:
Contractual necessity (Art. 6(1)(b)): processing required to provide you with our services — account creation, community access, course delivery, live sessions, messaging, payments, and subscription management.
Consent (Art. 6(1)(a)): processing based on your explicit opt-in — analytics cookies, marketing communications, and optional AI-powered personalization features. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legitimate interest (Art. 6(1)(f)): processing necessary for our legitimate business interests — platform security, fraud prevention, abuse detection, service improvement, and aggregated analytics. We conduct balancing tests to ensure these interests do not override your fundamental rights.
Legal obligation (Art. 6(1)(c)): processing required to comply with applicable laws — financial record-keeping, tax reporting, and responding to lawful government requests.
We process your data to operate and improve the platform. Specific purposes include:
Providing core services such as community access, course delivery, live video sessions, real-time messaging, and content collaboration tools.
Personalizing your experience through AI-powered features, including content recommendations and moderation assistance. These features use third-party AI services that process content in accordance with their own privacy policies.
Processing payments, managing subscriptions, generating invoices, and facilitating creator payouts through our payment infrastructure.
Enforcing platform policies, detecting abuse, preventing fraud, and maintaining the security and integrity of the service.
Communicating with you about account activity, security alerts, product updates, and (with your consent) promotional content.
We integrate with trusted third-party providers (sub-processors) to deliver platform functionality. Each provider receives only the minimum data required for their service and is bound by data processing agreements:
Payment processing: billing data is handled by Stripe. We do not store full card numbers. Stripe processes payment information under its own privacy policy, PCI DSS compliance, and acts as an independent data controller for fraud prevention.
Video sessions: live video and audio streams are processed by our video infrastructure provider for the duration of each session.
Real-time messaging: chat messages are transmitted through our real-time messaging provider to enable instant delivery.
AI features: content submitted to AI-powered features (chat assistance, moderation, recommendations) is processed by third-party AI providers. We do not use your content to train AI models.
File storage: uploaded images and files are stored through our cloud storage provider with access controls.
We do not sell personal data to third parties. We may share data when required by law or to protect the safety of our users and platform. A complete list of sub-processors is available upon request at dpo@unytea.com.
Your data may be processed in countries outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:
Adequacy decisions: transfers to countries recognized by the European Commission as providing adequate data protection.
Standard Contractual Clauses (SCCs): EU-approved contractual terms that bind the data importer to protect your data to European standards.
EU-U.S. Data Privacy Framework: where applicable, transfers to U.S. providers certified under the Data Privacy Framework.
We retain your data for as long as your account is active and as needed to provide services. After account deletion, we remove personal data within 30 days, except where retention is required for legal compliance, fraud prevention, financial record-keeping, or dispute resolution.
Anonymized and aggregated data that cannot identify you may be retained indefinitely for analytics and product improvement purposes.
We implement technical and organizational measures to protect your data, including encrypted connections (TLS/SSL), secure authentication flows, role-based access controls, rate limiting on sensitive endpoints, and regular security audits.
While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is completely secure. In the event of a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and will notify affected individuals without undue delay when the breach poses a high risk to their rights and freedoms.
Unytea is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us so we can take appropriate action to delete such data.
If you are located in the European Economic Area, you have the following rights under GDPR:
Right of access (Art. 15): request a copy of the personal data we hold about you.
Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): request deletion of your personal data (“right to be forgotten”).
Right to restrict processing (Art. 18): request that we limit how we process your data in certain circumstances.
Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format.
Right to object (Art. 21): object to processing based on legitimate interests, including profiling.
Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at dpo@unytea.com. We will respond within 30 days as required by GDPR Article 12.
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
The right to know what personal information is collected, used, shared, or sold.
The right to delete personal information held by us and our service providers.
The right to opt-out of the sale of personal information. We do not sell your personal information.
The right to non-discrimination for exercising your CCPA rights.
We use automated systems for content moderation and recommendation features. These systems assist in flagging potentially harmful content and suggesting relevant communities or courses. No automated decisions are made that produce legal or similarly significant effects on you without human review. You have the right to request human intervention in any automated decision that affects you.
If you believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or by email at least 14 days before taking effect. Your continued use of the service after changes take effect constitutes acceptance of the revised policy. Previous versions of this policy are available upon request.
For privacy requests or questions about this policy:
Data Protection Officer: dpo@unytea.com
General privacy: privacy@unytea.com