UniGrat – Privacy Policy

GDPR-Aligned Data Protection Policy

Last updated: March 27, 2026

Version: 2.3

This Privacy Policy explains how UniGrat collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

UniGrat is the Data Controller for your personal data. This means we are responsible for determining how and why your personal data is processed. We are committed to GDPR compliance and protecting your privacy rights.

2. Information We Collect

We collect the following categories of personal data:

  • Identity Data: Name, email address, phone number
  • Account Data: Username, password (encrypted), account preferences
  • Transaction Data: Purchase history, reward transactions, sales reward records
  • Technical Data: IP address, device information, browser type, operating system
  • Usage Data: How you interact with the platform, pages visited, features used
  • Verification Data: Two-factor authentication information, identity verification documents
  • Security Data: 2FA/MFA secrets (encrypted), backup codes (encrypted), session tokens, login history

3. How We Use Your Data

We use your personal data for the following purposes:

  • Platform Operation: To provide, maintain, and improve our services
  • Reward Tracking: To calculate, track, and manage your business-funded rewards and sales rewards
  • Account Management: To verify your identity, manage your account, and provide customer support
  • Fraud Prevention: To detect, prevent, and investigate fraudulent activity
  • Legal Compliance: To comply with legal obligations, tax requirements, and regulatory requests
  • Communication: To send you important updates, notifications, and service-related communications
  • Audit Trail Maintenance: To maintain event-level and transaction-level audit logs for compliance

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: To fulfill our contract with you and provide the services you requested
  • Legal Obligation: To comply with legal and regulatory requirements
  • Legitimate Interests: To operate our business, prevent fraud, and improve our services
  • Consent: Where you have provided explicit consent for specific processing activities

5. Data Sharing & Disclosure

We share your personal data only in the following circumstances:

  • Payment Processors: To process payments and transactions securely
  • Service Providers: With trusted third-party providers who assist in platform operation (hosting, email, analytics)
  • Legal & Compliance: When required by law, court order, or regulatory authority
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users)
  • Regulatory Reporting: Where legally required to report payouts or transactions

We do NOT sell your personal data to third parties for marketing or commercial purposes.

6. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data we hold
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data in certain circumstances (see Account Cancellation below)
  • Right to Restrict Processing: Request limitation of how we process your data
  • Right to Data Portability: Request transfer of your data to another service provider
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent
  • Right to Complain: Lodge a complaint with your local data protection authority

Account Cancellation (Right to Erasure): You may exercise your right to erasure by cancelling your account through the platform settings. This requires: (1) account balance of $10 or less, (2) 2FA enabled and verified, and (3) email confirmation. Upon cancellation, all personal data is permanently deleted and cannot be recovered.

To exercise other rights, please contact us using the contact information provided in this policy.

7. Data Retention

We retain your personal data only for as long as necessary to:

  • Fulfill the purposes for which it was collected
  • Comply with legal, tax, and regulatory obligations
  • Resolve disputes and enforce agreements
  • Maintain accurate transaction and audit records

When data is no longer needed, it will be securely deleted or anonymized in accordance with our data retention policies.

Account Cancellation:

When you cancel your account, all personal data associated with your account is permanently and immediately deleted, including: account information, transaction history, reward balances, network connections, session data, and 2FA credentials. This deletion is irreversible. Anonymized aggregate data may be retained for analytics purposes only.

Automatic account deletion (activity rules):

Accounts that do not meet the platform's activity rules (see Terms & Conditions) are cancelled and data is deleted.

  • Consumer accounts (person): If you do not earn at least one reward within 7 days of registration, your account may be cancelled and deleted; we do not send a warning (we do not have your contact details until you verify for bill pay).
  • Vendor accounts: We do not send a warning for the "14 days to apply for publishing" rule; for the post-publish "earn or reward" rule we may send a warning to your verified email before deletion; if your email is not verified, we delete without notice.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: End-to-end encryption (TLS) for data in transit and at rest
  • Access Controls: Role-based access control and strict authentication mechanisms
  • Monitoring: Continuous monitoring for security threats and vulnerabilities
  • Regular Audits: Security audits and assessments to maintain protection standards
  • Employee Training: Staff training on data protection and security best practices
  • Data Minimisation: We only collect data necessary for our services

9. International Data Transfers

If we transfer your personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in accordance with GDPR requirements.

10. Children's Privacy

Our services are intended for users who are 18 years of age or older. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected data from a minor, we will take steps to delete such information promptly.

11. Mandatory Communications

While your account is active, you will receive the following essential communications that cannot be disabled:

  • Weekly Summary Emails: Account activity updates sent every Monday
  • Security Alerts: Login notifications, password changes, 2FA updates, suspicious activity alerts
  • Transaction Notifications: Confirmations and updates about your rewards and payments
  • Service Updates: Important platform changes and policy updates

These communications are necessary for the operation and security of your account. To stop receiving all communications, you must cancel your account (see the Terms & Conditions for account cancellation requirements).

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be notified to you via email or platform notification. The "Last updated" date at the top indicates when this policy was last revised.

13. Contact Us

If you have questions, concerns, or wish to exercise your GDPR rights, please contact us:

UniGrat.com
Registered in the Netherlands · KVK 51556111
Email: support@unigrat.com

Your Consent

By using UniGrat, you consent to the collection and use of your personal data as described in this Privacy Policy. If you do not agree with this policy, please do not use our services.