Legal
Privacy policy
Last updated May 12, 2026
This Privacy Policy explains how Unison, Inc. ("Unison", "we") collects, uses and protects personal data when you use unison.ink (the "service"). It applies to visitors of the marketing site and to registered customers.
We follow the principles of data minimization, purpose limitation and storage limitation. We do not sell personal data and we do not run advertising trackers.
1. Who is responsible
Unison, Inc. is the controller of personal data processed through the service. For privacy questions, data subject requests, or to exercise the rights described below, contact hello@unison.ink.
2. What we collect
a. Account data
When you sign up we collect:
- Email address.
- Display name and (optionally) avatar.
- Hashed password, or the OAuth identifier from your sign-in provider (Google, X, LinkedIn).
b. Connected channel credentials
When you connect a third-party social network we store the OAuth tokens (or, where the network does not support OAuth, the app password or bot token) that allow Unison to act on your behalf within the scopes you grant. These credentials are encrypted at rest using AES-256-GCM with keys held in a managed KMS, and are accessible only to processes that need them to fulfil a publish or fetch request you initiated.
We never request the password to your social account.
c. Content you create
Posts, drafts, attachments, scheduling metadata, draft history, replies and inbox conversations that flow through Unison are stored so we can render them, schedule them, deliver them and let you search and reply to them.
d. Usage data
We log basic technical data needed to operate the service: IP address, user agent, request paths, response status codes, error stack traces. Logs are kept for up to 30 days and used for debugging, abuse prevention and capacity planning.
e. Billing data
Stripe processes payment-card information directly; we receive only a customer ID, billing email, country, postal code where required for tax, and the invoice line items. We do not store full card numbers.
f. Cookies
See the Cookie Policy for the full inventory. We set only essential cookies and do not run third-party analytics, ad pixels or session replay.
3. Why we use it (legal bases)
| Purpose | Legal basis (GDPR) |
|---|---|
| Operate your account, schedule and publish posts, render the inbox | Performance of the contract |
| Prevent abuse, secure the service, debug failures | Legitimate interests |
| Send service notifications (publish failures, outages, billing) | Performance of the contract |
| Send product updates and tips | Consent (you can unsubscribe at any time) |
| Comply with legal obligations (tax records, lawful requests) | Legal obligation |
We do not use your post content or inbox messages to train any machine learning model. AI assistance features inside Unison call third-party LLM providers only when you actively trigger them, and only with the snippet you explicitly send.
4. Third-party services we share data with
To provide the service we rely on the subprocessors listed at /legal/subprocessors. The most important categories are:
- Connected social networks: when you publish or fetch replies, the relevant data goes to the network you targeted (X, Telegram, Threads, LinkedIn, Bluesky, Instagram, Facebook, TikTok, YouTube, Mastodon, Pinterest). Each network has its own privacy policy.
- Hosting and infrastructure: AWS (compute and S3 object storage), Vercel (edge hosting for the marketing site), a managed Postgres provider.
- Payment processing: Stripe.
- Transactional email: Postmark.
- Customer support: hello@unison.ink mailbox provided by our email hosting partner.
- Optional AI assistance: Anthropic and OpenAI APIs, only when you trigger an AI feature.
We sign data-processing agreements with each subprocessor and choose providers that offer industry-standard security controls.
5. International transfers
Our infrastructure is located in the United States. If you access Unison from outside the United States, your personal data may be transferred to, stored and processed in the United States and other countries where we or our subprocessors operate. For transfers from the European Economic Area, United Kingdom or Switzerland we rely on the European Commission's Standard Contractual Clauses.
6. How long we keep it
| Data | Retention |
|---|---|
| Account data | While your account is active, plus 30 days after deletion |
| Channel credentials | While the channel is connected; deleted within 7 days of disconnection |
| Posts and inbox | While your account is active, or until you delete them |
| Server logs | Up to 30 days |
| Billing records | 7 years (tax compliance) |
Account deletion details: see the Data Deletion Policy.
7. Your rights
Depending on where you live you may have the right to:
- Access the personal data we hold about you.
- Receive a copy of your data in a portable format.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Restrict or object to certain processing.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights write to hello@unison.ink. We respond within 30 days. We may need to verify your identity before acting on a request.
California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information are collected and the right not to be discriminated against for exercising those rights. We do not sell or share personal information for cross-context behavioural advertising.
8. Security
We protect your data with:
- TLS 1.2 or higher in transit.
- AES-256-GCM encryption at rest for channel credentials.
- Hashed passwords (bcrypt with per-account salt).
- Principle of least privilege for internal access.
- Audit logging of administrative actions.
- Annual vulnerability review and continuous dependency scanning.
No system is perfectly secure. If we ever experience a personal-data breach that is likely to affect you we will notify you and the relevant authority without undue delay, and in any event within 72 hours where required.
9. Children's privacy
Unison is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact hello@unison.ink and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced by email or in-app notice at least 30 days before they take effect. The "last updated" date at the top of this page always reflects the most recent revision.
11. Contact
Questions, requests, or concerns:
- Email: hello@unison.ink
- Postal address: provided on request to the address above
For users in the European Economic Area, our representative under Article 27 GDPR can be contacted at the same address.