Effective date: 30.5.2025
Thank you for choosing Unburdend ("Company", "we", "our" or "us"). This Privacy Policy explains how we collect, use, disclose and secure personal data when you visit Unburdend (the "Service") or interact with any of our products, websites, mobile or desktop applications, widgets, and related services.
Plain‑English summary – We operate an AI‑powered customer‑support platform for small‑to‑mid‑size e‑commerce businesses. To do that we process information about (a) visitors to our marketing site, (b) the merchants who create an account with us, and (c) the merchants’ own customers whose enquiries are handled through our platform. We keep that information secure, use it only for clearly defined purposes, and give every individual the rights provided by the EU GDPR, the Slovenian ZVOP‑2 and—if applicable—the CCPA/CPRA.
Controller –Unburdend, is the controller for all personal data described in this notice (Art. 4 § 7 GDPR).
Representative – if you are located in the EEA we are established in Slovenia and can be contacted directly.
Data‑protection officer (DPO) – info@unburdend.com
| Context | Categories of personal data | Typical source |
|---|---|---|
| Site visitors | IP address, browser fingerprints, referral URL, session logs, cookies, support enquiries | Your device, analytics & marketing tools |
| Account owners / users | Name, business e‑mail, password hash, job title, billing address, VAT ID, plan & usage metrics, profile photo | You, SSO providers (Google OAuth2, Microsoft, etc.), payment processors |
| End‑customers of our merchants | Names, postal addresses, e‑mail addresses, phone numbers, order & shipment details, conversation transcripts, sentiment scores, language preference, refund/return history | The merchant’s e‑commerce platform (Shopify, WooCommerce…), e‑mail inbox (Gmail/IMAP), chat widgets, delivery APIs |
| Automatically‑collected data | Logs of API calls, error traces, performance metrics | Your device, our servers |
Special categories – We do not intentionally collect sensitive personal data (Art. 9 GDPR). If you believe we inadvertently processed such data, please contact us for deletion.
| Purpose | Legal basis | Details |
| Provide & secure the Service | Art. 6 (1)(b) GDPR – contract | Create accounts, authenticate users, route messages, generate AI responses, provide dashboards, prevent fraud |
| Improve & debug | Art. 6 (1)(f) GDPR – legitimate interest | Analyse aggregated usage, train / fine‑tune models (with rigorous anonymisation), run A/B tests |
| Marketing & newsletters | Art. 6 (1)(a) GDPR – consent (opt‑in) | Send product updates, case studies; you can unsubscribe any time |
| Compliance & accounting | Art. 6 (1)(c) GDPR – legal obligation | Tax records, invoicing, know‑your‑customer (KYC) checks |
| Support queries | Art. 6 (1)(f) GDPR – legitimate interest | Respond to tickets, reproduce issues, log chat with our staff |
| Processing our merchants’ customer data | Art. 28 GDPR – processor | We act as processor; the merchant remains the controller. Processing is governed by our Data‑Processing Agreement (DPA). |
We never sell personal data. We disclose it only to:
Sub‑processors strictly necessary to run the Service (servers hosted on Hetzner Online GmbH data centres in Germany (Nuremberg) and Finland (Helsinki), e‑mail delivery via SendGrid, payment through Stripe Europe, etc., payment through Stripe Europe, etc.).
Professional advisers & auditors (lawyers, accountants) under NDA.
Authorities where required by law or court order.
Corporate transactions – if we merge, acquire or sell assets, data may be transferred subject to confidentiality.
Every sub‑processor is bound by written data‑processing terms that provide at least the same level of protection.
We do NOT use Google Workspace APIs to develop, improve, or train generalized AI and/or machine learning models.
Your data is stored exclusively on Hetzner Online servers located within the European Union (Germany and Finland). When we must transfer outside the EEA/UK/Switzerland we rely on:
Adequacy decisions (e.g. EU–US Data Privacy Framework), or
Standard Contractual Clauses (SCCs) with supplementary measures (encryption in transit & at rest, strict access controls). A copy is available on request.
| Data set | Retention period |
| Account records & billing data | 10 years after contract end (legal obligations) |
| Conversation logs | Configurable by merchant; default 24 months, then anonymised |
| Model training datasets | Anonymised snapshots kept indefinitely |
| Marketing lists | Until you withdraw consent or after 24 months of inactivity |
| Back‑ups | Encrypted, rolled every 35 days |
We follow industry best practices:
AES‑256 encryption at rest, TLS 1.3 in transit
OWASP ASVS Level 2 secure‑coding standards (Laravel)
Role‑based access control & MFA for staff
Annual penetration testing & SOC 2 (Type 1) audit in progress
Incident‑response plan with 72‑hour breach notification timeline
You can request access, rectification, erasure, restriction, portability or objection at any time. If we process data on behalf of a merchant, please contact that merchant first; we will assist them in fulfilling your request.
You also have the right to lodge a complaint with the Slovenian Information Commissioner (Dunajska 22, 1000 Ljubljana, gp.ip@ip‑rs.si) or your local supervisory authority.
We use:
Strictly necessary cookies – session cookies for log‑in and CSRF tokens
Analytics cookies – first‑party privacy‑friendly analytics (Matomo Cloud EU); no cross‑site tracking
Marketing cookies – only if you accept our banner (Google Ads, LinkedIn Insight Tag)
You can adjust your preferences in the cookie banner or via your browser settings.
Our Service is not directed to children under 16. If you believe a child has provided us personal data, please contact us and we will delete it.
We may update this Privacy Policy from time to time. The new version will be posted on this page and, where appropriate, we will notify you by e‑mail or in‑app banner. The date of the latest revision is shown at the top.
If you have any questions about this Privacy Policy or our data‑handling practices, please contact our DPO:
E‑mail: info@unburdend.com
