Privacy Policy
Last updated: March 14, 2026
1. Who We Are
Unne is currently operated by the Unne project and its founders, based in Finland. We are responsible for the processing of personal data described in this Privacy Policy. Contact: hi@unne.io
2. What Data We Collect
We collect only the data necessary to provide our service:
- Account data — when you sign up, we collect your email address and your role selection (artist or venue). We also record whether you have agreed to our Terms of Service and whether you have opted in to marketing emails.
- Profile data — depending on your role, you provide your name, a short bio or description, your city, your art type or venue type, and whether you are willing to travel (artists only). You also upload images of your artworks or venue space.
- Usage data (with your consent) — if you opt in to analytics cookies, we use Google Analytics 4 to collect pseudonymized usage data such as page views, session duration, and general location at country level. This data does not personally identify you.
- Anonymous usage data — we use Vercel Analytics to collect anonymous, aggregated usage data such as page views, visitor counts, and traffic sources. Vercel Analytics does not use cookies and does not collect personal identifiers. Visitors are identified by a temporary hash derived from the incoming request, which is automatically discarded after 24 hours. This data cannot be used to identify or re-identify individual users.
- Technical data — our hosting infrastructure (Vercel, Supabase) processes your IP address and basic request data to deliver the service. This processing is strictly necessary and does not require consent.
3. Why We Process Your Data (Legal Basis)
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email, role | Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Profile data, images | Enabling the marketplace service | Performance of contract (Art. 6(1)(b)) |
| Terms acceptance date | Demonstrating consent to Terms of Service | Legitimate interest (Art. 6(1)(f)) |
| Marketing email consent | Sending news and updates about our service | Consent (Art. 6(1)(a)) |
| Analytics cookies | Understanding app usage patterns | Consent (Art. 6(1)(a)) via cookie banner |
| Technical/server logs | Security, fraud prevention, service delivery | Legitimate interest (Art. 6(1)(f)) |
| Anonymous usage data (Vercel Analytics) | Understanding page views and traffic patterns | Legitimate interest (Art. 6(1)(f)) |
4. Cookies
Unne uses a session cookie managed by Supabase to keep you securely logged in. This cookie is strictly necessary for the service to function and does not require your consent. We also store your language preference in a cookie called locale so the interface appears in your chosen language when you return to the service.
| Cookie | Purpose | Expiry |
|---|---|---|
| supabase-auth-token | Maintains secure login session | Until logout or session cleared |
| locale | Stores language preference | Up to 1 year or until deleted |
With your explicit opt-in consent via our cookie banner, we use Google Analytics 4, which sets the following cookies:
| Cookie | Purpose | Expiry |
|---|---|---|
| _ga | Distinguishes users across sessions | 2 years |
| _gid | Distinguishes users within a 24-hour period | 24 hours |
These cookies are only set if you click "Accept all" or enable the analytics toggle in the cookie banner. You can change your preference at any time by clicking "Cookie settings" in the footer.
When analytics cookies are denied, Google Analytics operates in consent mode — it sends anonymous, cookieless measurement pings that do not store any data on your device.
Vercel Analytics does not use cookies. It operates without storing any data on your device.
5. Data Sharing and Transfers
- Supabase (database and authentication) — processes your account and profile data. Data is stored and processed in the EU (Ireland). Supabase Inc. is US-headquartered; Standard Contractual Clauses (SCCs) apply as an additional safeguard.
- Google Analytics (usage analytics, if you consent) — processes anonymized usage data. Google may transfer analytics data to the US for processing. This transfer is protected by Standard Contractual Clauses (SCCs), which are legal safeguards required under EU law. IP anonymization is enabled.
- Vercel (hosting and analytics) — serves the application and collects anonymous, aggregated analytics data. Vercel Analytics does not collect personal identifiers, does not use cookies, and cannot identify individual users. Requests from EU users are processed at EU edge locations. Vercel Inc. is US-headquartered; SCCs apply as an additional safeguard. Vercel is certified under the EU-U.S. Data Privacy Framework.
- MailerLite (email marketing) — if you opt in to marketing emails, we share your email address, name, role, language preference, and city with MailerLite to send product updates and newsletters. MailerLite processes this data on our behalf. Data is stored in the EU. MailerLite UAB is headquartered in Lithuania (EU), so no international data transfers apply.
We do not sell your data. We do not share your data with advertisers. We do not use your data for profiling or automated decision-making.
6. Data Retention
| Data | Retention period |
|---|---|
| Account data | Until you delete your account |
| Profile data and images | Until you delete your account |
| Pending consents (pre-registration) | Automatically deleted after account creation or after 30 days if unused |
| Analytics data (Google) | 14 months (Google Analytics default) |
| Anonymous analytics data (Vercel) | Retained in aggregated form only; individual visitor hashes are discarded after 24 hours |
| Marketing subscriber data (MailerLite) | Until you unsubscribe or delete your account |
| Server logs | 30 days |
When you delete your account, your profile data, images, and associated records are permanently removed within 30 days.
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data — request a copy of the data we hold about you
- Rectify inaccurate data — update your profile at any time through the app
- Erase your data — request deletion of your account and all associated data
- Restrict processing — ask us to limit how we use your data
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time — for marketing emails (via unsubscribe) or analytics cookies (via cookie settings in the footer)
To exercise any of these rights, contact us at hi@unne.io. We will respond within 30 days.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.
Our lead supervisory authority is the Office of the Data Protection Ombudsman (Finland): https://tietosuoja.fi
8. Data Security
We protect your data using industry-standard measures including encrypted connections (HTTPS/TLS), Row Level Security policies in our database ensuring users can only access their own data, secure authentication via magic link (no passwords stored), and access controls limiting who can access production systems.
9. Children
Unne is not intended for users under the age of 18. We do not knowingly collect data from minors.
10. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Significant changes will be communicated via email or an in-app notice. The "Last updated" date at the top indicates the most recent revision.
