Privacy Policy

Effective Date: March 16, 2026 · Last Updated: March 16, 2026

At UNIVU (“we,” “us,” or “our”), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the UNIVU platform, website, and all related services (collectively, the “Service”). Please read this Privacy Policy carefully. By using the Service, you consent to the data practices described in this policy.

This Privacy Policy should be read in conjunction with our Terms of Service and Usage Agreement.

1. Information We Collect

1.1 Information You Provide

We collect information you voluntarily provide when you use the Service, including:

  • Account Information: Name, email address, password, and profile details when you create an account.
  • Billing Information: Payment method details, billing address, and transaction history. Payment card information is processed and stored by our payment processor, Stripe, and is never stored on UNIVU servers.
  • Brand & Content Data: Brand names, descriptions, visual identity configurations (colors, fonts, styles), page content, media files, articles, and all other content you create or upload through the Service.
  • Communication Data: Messages, feedback, support requests, and other communications you send to us.
  • Team Information: Names and email addresses of team members you invite to your Organization.

1.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information, including:

  • Device & Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Usage Data: Pages viewed, features used, clicks, navigation paths, session duration, time spent on pages, and interaction patterns within the Service.
  • Log Data: Server logs including access times, referring URLs, error logs, and API request metadata.
  • Location Data: Approximate geographic location derived from your IP address (country and region level only).

1.3 Information from Third Parties

We may receive information about you from third parties, including:

  • Authentication Providers: If you sign in using a third-party service (e.g., Google, GitHub), we receive your name, email, and profile picture as permitted by the provider.
  • Payment Processor: Stripe may provide us with transaction status, payment confirmation, and billing-related information (but not full card numbers).

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Operate, maintain, and deliver the features and functionality of the platform, including hosting your Brands, Sites, content, and media.
  • Process Transactions: Process payments, manage subscriptions, send billing notifications, and handle refunds.
  • Communicate With You: Send account verification emails, security alerts, technical notices, support responses, billing reminders, and service updates.
  • Improve the Service: Analyze usage patterns, diagnose technical issues, conduct research, and develop new features and improvements.
  • Provide Analytics: Generate analytics dashboards and insights about your Site’s performance for your use.
  • Ensure Security: Monitor for fraudulent activity, enforce our Terms, detect and prevent abuse, and protect the security of the Service and its users.
  • Marketing: Send promotional communications about new features and updates (with your consent, where required by law).
  • Legal Compliance: Comply with applicable laws, legal processes, and regulatory requirements.

3. Cookies & Tracking Technologies

3.1 Cookies We Use

We use the following types of cookies and similar technologies:

  • Essential Cookies: Required for the Service to function properly. These include session cookies for authentication, CSRF protection tokens, and preference storage. These cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with the Service. We use PostHog for product analytics and Tinybird for real-time data processing. These cookies collect information about feature usage, navigation patterns, and performance metrics.
  • Functional Cookies: Remember your preferences such as theme selection (light/dark mode), language, and interface settings.

3.2 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies. However, disabling essential cookies may prevent you from using certain features of the Service.

3.3 Do Not Track

We currently do not respond to “Do Not Track” browser signals. However, you may opt out of analytics tracking through your account privacy settings.

4. How We Share Your Information

We do not sell your personal information to third parties. We may share your information in the following circumstances:

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf. These providers are contractually obligated to use your information only as necessary to provide services to us and are bound by confidentiality obligations. Our service providers include:

  • Stripe (San Francisco, CA) — Payment processing. Receives billing information and transaction data. Stripe’s privacy policy: stripe.com/privacy
  • Neon (San Francisco, CA) — Database hosting. Stores account data, brand configurations, content, and application data. Neon’s privacy policy: neon.tech/privacy-policy
  • Fly.io (Chicago, IL) — Application hosting. Processes requests and serves application code. May process IP addresses and request metadata. Fly.io’s privacy policy: fly.io/legal/privacy-policy
  • Tigris — Object storage and CDN. Stores and delivers media files (images, documents) uploaded to the platform.
  • Cloudflare (San Francisco, CA) — DNS, CDN, and security services. Processes IP addresses and request data for performance and security. Cloudflare’s privacy policy: cloudflare.com/privacypolicy
  • Resend — Email delivery. Receives email addresses and message content for transactional and marketing emails. Resend’s privacy policy: resend.com/legal/privacy-policy
  • Tinybird (Madrid, Spain) — Real-time analytics. Processes event data including page views, interactions, and anonymized usage metrics. Tinybird’s privacy policy: tinybird.co/legal/privacy-policy
  • PostHog (San Francisco, CA) — Product analytics and feature management. Collects usage data, feature interaction data, and session information. PostHog’s privacy policy: posthog.com/privacy
  • Twilio (San Francisco, CA) — Communication services. Processes phone numbers and message content for SMS and messaging features. Twilio’s privacy policy: twilio.com/legal/privacy
  • Upstash (San Francisco, CA) — Serverless caching and rate limiting. Processes request metadata for performance optimization and abuse prevention. Upstash’s privacy policy: upstash.com/trust/privacy

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency), including to:

  • Comply with a legal obligation or lawful request.
  • Protect and defend the rights or property of UNIVU.
  • Prevent or investigate possible wrongdoing in connection with the Service.
  • Protect the personal safety of users of the Service or the public.
  • Protect against legal liability.

4.3 Business Transfers

If UNIVU is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5. Data Retention

5.1 Active Accounts

We retain your information for as long as your account is active or as needed to provide you with the Service. This includes all Brand data, content, media, analytics, and account information.

5.2 After Account Deletion

When you delete your account or cancel your subscription:

  • Your data is retained in a read-only state for 90 days to allow you to export your content and data.
  • After the 90-day retention period, we initiate permanent deletion of your data from our primary systems.
  • Residual copies in backups may persist for up to an additional 30 days before being overwritten through the normal backup cycle.

5.3 Aggregated Data

Aggregated, anonymized data that cannot identify you may be retained indefinitely for analytics, benchmarking, and service improvement purposes.

5.4 Legal Requirements

We may retain certain information for longer periods as required by law, including tax and financial records, fraud prevention data, and information relevant to ongoing legal proceedings.

6. Data Security

6.1 Security Measures

We implement and maintain appropriate technical and organizational security measures to protect your information, including:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. SSL certificates are provided for all published Sites.
  • Encryption at Rest: Sensitive data stored in our databases is encrypted at rest using industry-standard encryption algorithms.
  • Access Controls: Strict role-based access controls limit employee access to user data to those who require it for their job functions.
  • Infrastructure Security: Our infrastructure providers (Fly.io, Neon, Cloudflare, Tigris) maintain SOC 2 and/or ISO 27001 compliance.
  • Monitoring: Continuous monitoring for unauthorized access attempts, anomalous activity, and security threats.

6.2 Breach Notification

In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities as required by law. Notification will be provided via email and/or through a prominent notice within the Service, typically within 72 hours of becoming aware of the breach.

6.3 Your Responsibility

While we take reasonable measures to protect your information, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for managing access permissions within your Organizations and Brands.

7. Your Rights & Choices

Depending on your location and applicable law, you may have certain rights regarding your personal information:

7.1 Access & Portability

You have the right to request a copy of the personal information we hold about you. You may also export your Brand data, content, and media at any time through the Service’s export features.

7.2 Correction

You may update or correct your account information at any time through your account settings. If you believe other information we hold about you is inaccurate, you may contact us to request correction.

7.3 Deletion

You may delete your account at any time, which will initiate the data deletion process described in Section 5. You may also request deletion of specific personal information by contacting us, subject to legal retention requirements.

7.4 Objection & Restriction

You may object to certain processing of your personal information or request that we restrict processing in certain circumstances, as provided by applicable law.

7.5 Withdraw Consent

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

7.6 Opt-Out of Marketing

You may opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email or by updating your notification preferences in your account settings.

7.7 Exercising Your Rights

To exercise any of these rights, contact us at privacy@univu.cloud. We will respond to your request within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.

8. International Data Transfers

8.1 Transfer Locations

UNIVU is based in the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your country of residence.

8.2 Transfer Safeguards

When we transfer personal information outside of the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data processing agreements with our service providers that include adequate data protection commitments.
  • Transfers to countries recognized as providing an adequate level of data protection.

9. Regional Privacy Rights

9.1 European Economic Area, United Kingdom & Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including the rights described in Section 7. Our legal bases for processing your information include:

  • Contract Performance: Processing necessary to provide the Service you have requested.
  • Legitimate Interests: Processing for our legitimate business interests, such as improving the Service, ensuring security, and conducting analytics, where these interests do not override your fundamental rights.
  • Consent: Processing based on your explicit consent, such as marketing communications.
  • Legal Obligation: Processing necessary to comply with applicable laws.

You may lodge a complaint with your local data protection authority if you believe your rights have been violated.

9.2 California (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

  • Right to Know: The right to request information about the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: The right to request correction of inaccurate personal information.
  • Right to Opt Out: The right to opt out of the sale or sharing of your personal information. We do not sell your personal information.
  • Non-Discrimination: The right not to receive discriminatory treatment for exercising your CCPA/CPRA rights.

To exercise your CCPA/CPRA rights, contact us at privacy@univu.cloud.

9.3 Other Jurisdictions

If you are located in another jurisdiction with applicable data protection laws (e.g., Brazil’s LGPD, Canada’s PIPEDA, Australia’s Privacy Act), you may have similar rights. Contact us at privacy@univu.cloud to exercise any applicable rights under your local laws.

10. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that a child under 18 has provided us with personal information, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at privacy@univu.cloud.

11. Your Responsibilities as a Data Controller

When you use the Service to collect, store, or process personal data from your own users (e.g., Site visitors, email subscribers, form respondents), you act as the data controller and UNIVU acts as the data processor. In this capacity:

  • You are responsible for determining the purposes and means of processing personal data collected through your Sites.
  • You must provide appropriate privacy notices to your Site visitors and obtain all necessary consents.
  • You must ensure your data collection and processing practices comply with all applicable data protection laws.
  • You must respond to data subject requests from your Site visitors regarding their personal data.
  • You must not use the Service to collect sensitive personal data (e.g., health information, financial account numbers, government identifiers) unless you have implemented appropriate safeguards and obtained necessary consents.

UNIVU provides tools to help you manage data subject requests and maintain compliance, but the responsibility for compliance remains with you as the data controller.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by posting a prominent notice within the Service, sending an email to the address associated with your account, or by other appropriate means at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. The “Last Updated” date at the top of this page indicates when this policy was last revised.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

By using the UNIVU platform, you acknowledge that you have read and understood this Privacy Policy and consent to the data practices described herein.