Privacy Policy
Last updated: March 2026
Short summary: We keep your data under your control — we do not use your uploads to train our models, and you can request access or deletion. Note: some partner providers may retain request data for up to 60 days for investigation or fraud‑prevention; where supported we can request or enable a partner ‘no‑retention’ mode for your account. See the full policy below for details.
1. SCOPE & CONTROLLER
This Privacy Policy explains how DataUnfold (9534-9437 Québec Inc.) collects, uses, stores and discloses personal data when you use the DataUnfold platform (the “Service”). DataUnfold is the data controller for personal data processed through the Service.
2. WHAT THIS MEANS FOR YOU (SHORT)
You keep ownership of your data. DataUnfold processes data to deliver the Service; we do not use your uploads to train our proprietary models and we provide controls to access or remove your data.
3. WHAT WE COLLECT
• Account & contact information (name, email, company).
• User Data: files, documents, prompts and any content you submit.
• Usage & diagnostic data (logs, performance metrics, error reports).
• Cookies and analytics data when you interact with the website.
4. HOW WE USE DATA
We process data to provide, maintain and improve the Service, to operate features (search, reporting, agents), to investigate abuse, and to communicate with you. We also use aggregated telemetry to improve reliability and product quality.
5. AI MODELS & THIRD‑PARTY PROVIDERS
DataUnfold offers access to:
(A) DataUnfold’s proprietary models (hosted/managed by DataUnfold) and
(B) Partner Models (third-party providers such as Microsoft, Google, and AWS). If you select a partner model, requests will be transmitted to that provider and will be governed by that provider’s applicable terms, policies, and data-processing practices. DataUnfold engages only leading, reputable, and carefully vetted providers that satisfy our standards for security, reliability, and enterprise suitability. Certain partner providers may retain request data, including prompts and related metadata, for up to sixty (60) days for limited purposes such as operational monitoring, abuse investigation, or fraud prevention. Where supported by the partner platform, DataUnfold may request or enable a partner-level no-retention or data-minimization setting for your account. Available model options are identified in the user interface so that you may choose the engine that best fits your needs.
6. NO‑TRAINING & MODEL USE (DATAUNFOLD MODELS)
User Data sent to the DataUnfold AI Endpoint will not be used to train, fine‑tune, or improve DataUnfold’s proprietary models. We do not reuse your content for model training or commercial analytics outside your account.
7. PROMPTS & GENERATED OUTPUTS
Prompts and generated outputs may contain sensitive information. You are responsible for removing or redacting sensitive personal data before submission. Outputs are probabilistic and should be validated before use in decisions with legal, medical, financial or safety impact.
8. RETENTION & DELETION
We retain User Data only as long as necessary to provide the Service and for a maximum of 60 days for operational troubleshooting unless you request earlier deletion. Partner providers may have separate, limited retention windows (typically up to 60 days) to support investigation or fraud‑prevention; where supported by the partner, DataUnfold can request or enable partner no‑retention options for your account. To request deletion or to ask us to enable partner no‑retention where available, contact privacy@dataunfold.com and we will start the process promptly.
9. SECURITY & ACCESS CONTROLS
We apply administrative, technical and physical safeguards (access controls, TLS in transit, encryption at rest where applicable, monitoring). Access to customer data is restricted and logged; we require subprocessors to meet our security standards.
10. SUBPROCESSORS & THIRD PARTIES
We engage subprocessors (cloud providers, analytics, email, identity providers). Subprocessors process data only on our instructions and under contracts that require confidentiality and security. Partner model providers will process requests only when you select them.
11. INTERNATIONAL TRANSFERS
User Data may be transferred to and processed in jurisdictions where our service providers operate. We protect transfers with appropriate safeguards (standard contractual clauses or equivalent measures) when required by law.
12. COOKIES & ANALYTICS
We use cookies and analytics to operate and improve the website. You can opt out of non‑essential analytics via your browser and account preferences where available.
13. DATA SUBJECT RIGHTS
Where applicable (e.g., GDPR, Law 25), you may exercise rights to access, rectify, export, restrict processing, or delete your personal data. Submit requests to privacy@dataunfold.com. We will respond within applicable legal timeframes.
14. CHILDREN
The Service is not directed to children under 16. We do not knowingly collect personal data from minors.
15. ABUSE, MISUSE & SAFETY
You must not use the Service to create, share, or deploy content that harms people or violates applicable law. We may suspend or terminate accounts that misuse the Service; we also investigate and report illegal activity when required by law.
16. CHANGES TO THIS POLICY
We may update this Privacy Policy; material changes will be posted with a new “Last updated” date and, where appropriate, communicated to account contacts.
17. CONTACT & DATA PROTECTION OFFICER
For privacy inquiries, data requests, or to exercise your rights, contact privacy@dataunfold.com.
18. DATA RESIDENCY & LOCALIZATION
Where required by the customer, DataUnfold supports data residency controls to ensure that Customer Data is stored and processed within a specified geographic region (e.g., Canada or Québec).
When deployed in customer-managed or on-premise environments, Customer Data remains entirely within the customer’s infrastructure and is not transmitted to DataUnfold systems.
For cloud deployments, DataUnfold will make commercially reasonable efforts to select infrastructure regions aligned with customer requirements and disclose any cross-border data transfers in advance.
19. CUSTOMER-HOSTED DEPLOYMENTS
When the Service is deployed within a customer-controlled environment (including private cloud or on-premise infrastructure), DataUnfold does not access, store, or process Customer Data outside of that environment, except where explicitly required for support and authorized by the customer.
In such configurations, all data processing remains under the sole control of the customer.
20. ZERO-RETENTION AI PROCESSING
Where supported by third-party AI providers, DataUnfold enables or requests “no-retention” or equivalent data minimization modes to ensure that prompts, inputs, and outputs are not stored or reused by the provider.
DataUnfold does not permit third-party AI providers to use Customer Data for training, model improvement, or commercial purposes when such controls are available.
Customers may request confirmation of the retention configuration for each AI provider used.
21. SECURITY INCIDENTS & BREACH NOTIFICATION
In the event of a confirmed security incident involving Customer Data, DataUnfold will notify the customer without undue delay and within applicable legal timeframes.
Such notification will include, to the extent known:
– the nature of the incident,
– the categories of data affected,
– the likely impact,
– and the mitigation measures taken or proposed.
DataUnfold will cooperate with customers to support any required regulatory notifications.
22. PRIVACY IMPACT ASSESSMENT (PIA)
DataUnfold supports customers in conducting Privacy Impact Assessments (PIA), including providing documentation regarding data flows, processing activities, subprocessors, and security controls.
Upon request, DataUnfold will provide reasonable assistance to help customers meet obligations under applicable privacy laws, including Québec Law 25.

