Unseen — Legal
Privacy Policy — Unseen Dating App
- Version: 1.10
- Last updated: 20 May 2026
- Operated by: UNIPIA Ltd (United Kingdom)
Unseen is operated by UNIPIA Ltd, registered in England and Wales (ICO ZC131686). This policy covers everything we do with your data — including the new approximate-location feature in Discovery (Section 9). Questions? Email dpo@unipia.co.uk.
Changelog
| Version | Date | Change |
|---|---|---|
| 1.10 | 20 May 2026 | Audit-driven reconciliation with the actual moderation pipeline implementation. Section 12 (retention) and Sections 15.1 and 16 (audit log description) corrected: previous wording said the audit log records a "score band" for each automated decision. In fact the implementation persists the raw toxicity score, the moderation signal that produced it (phrase or audio transcript), and the thresholds in effect at decision time. The "band" is an inferred concept (computed at query time by comparing the stored score to the stored thresholds), not a stored field. Wording updated accordingly. No change to the underlying processing, retention period, or user-facing safeguards. |
| 1.9 | 20 May 2026 | Voice memo moderation thresholds tightened toward auto-approval. Section 4 (Voice data) and Section 11.1 (Content moderation) updated to describe the policy as calibrated toward auto-approval for legitimate content, with appeal as the safeguard against false rejections; human review is now described as covering "a small fraction" of submissions rather than implying a meaningful proportion. Section 15 (Automated decision-making) updated accordingly. New rejection-reason taxonomy disclosed publicly in plain English (no speech detected, audio could not be processed, content violation, decision by our moderation team). New audio-quality auto-reject paths ("no speech detected" / "audio could not be processed") documented; the right to human review under UK GDPR Art. 22(3) is reaffirmed to apply to every auto-decision, including these audio-quality rejections. |
| 1.8 | 20 May 2026 | Tier-based voice memo moderation: Section 4 (Voice data), Section 11.1 (Content moderation), and Section 15 (Automated decision-making) updated to describe the three-tier system (auto-approve below low threshold, human review in the middle band, auto-reject above high threshold). Right to human review under UK GDPR Art. 22(3) made explicit and linked to the in-app appeal flow. |
| 1.7 | 11 May 2026 | Token system, conversation starters and other consolidations (see prior issue tracker). |
1. Who we are
UNIPIA Ltd ("we", "us", "our") is the data controller for personal data collected through the Unseen dating app ("the app", "Unseen").
We are registered in the United Kingdom. Our ICO registration number is ZC131686.
Data protection contact: dpo@unipia.co.uk
If you have concerns about how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
2. What this policy covers
This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and your rights. It covers all features of the Unseen app including account registration (via Google OAuth, Apple Sign In, or email), profile creation, voice memos, Discovery (browsing profiles), messaging (chat), slot purchases, token purchases, contact blocking, push notifications, user reporting, and account deletion.
3. Data we collect during account registration and onboarding
When you create an Unseen account, we collect the following:
3.1 Authentication data
| Data | What we use it for | Legal basis |
|---|---|---|
| Email address | To create and secure your account. Used for login, email verification (a 6-digit code sent to confirm your email address), password reset (a secure link sent to reset your password), account deletion confirmation, and important service communications (e.g., inactivity warnings, security alerts). All emails are sent via AWS Simple Email Service (SES) from noreply@unipia.co.uk. | Contract performance (Art. 6(1)(b)) — necessary to provide the service. |
| Name (from Google/Apple sign-in) | Used as your initial display name suggestion during onboarding. You can change it before completing signup. | Contract performance (Art. 6(1)(b)). |
| Google sub ID / Apple sub ID | A unique identifier provided by Google or Apple that links your Unseen account to your sign-in provider. We do not receive or store your Google or Apple password. | Contract performance (Art. 6(1)(b)) — necessary for account authentication. |
| JWT session tokens | Stored on your device to keep you logged in. These tokens expire and are refreshed automatically. They are not shared with third parties. | Contract performance (Art. 6(1)(b)). |
| FCM device token | A technical identifier for your device used to deliver push notifications. This token does not identify you personally — it identifies your device for message delivery. | Legitimate interest (Art. 6(1)(f)) — necessary for timely service notifications. You can disable push notifications in your device settings at any time. |
What we do NOT receive from Google or Apple sign-in: We do not receive your password, payment details, contacts, calendar, browsing history, or any data beyond email, name, and a unique account identifier.
3.2 Onboarding profile data (10 steps)
When you complete the onboarding process, we collect the following data across 10 steps:
| Step | Data | Required? | What we use it for | Legal basis |
|---|---|---|---|---|
| 1 | Username (2-30 characters, checked for toxicity via AWS Comprehend) | Yes | Your display name on the app. Other users see this. Automatically screened for harmful content before it is accepted. | Contract performance (Art. 6(1)(b)). |
| 2 | Date of birth (calendar-accurate, used for 18+ verification) | Yes | To verify you are 18 or older (checked server-side) and to display your age to other users. We never show your full date of birth to anyone. | Legal obligation (Art. 6(1)(c)) — age verification. Contract performance (Art. 6(1)(b)) — age displayed on profile. |
| 3 | Gender (male, female, non-binary, prefer not to say) | Yes | To create your profile and for the matching and slot allocation system. | Contract performance (Art. 6(1)(b)). |
| 4 | Nationality (ISO 3166-1 alpha-2 country code) | No (optional) | Displayed on your profile if you choose to provide it. Not used for matching or filtering. | Consent (Art. 6(1)(a)). You can remove it at any time in Settings. |
| 5 | Profile photo (max 5MB, EXIF metadata stripped on upload) | No (optional) | Shown only to people you have mutually matched with. Not used during swiping or Discovery. Not the basis of matching. EXIF data (which may contain GPS coordinates and device information) is automatically removed before storage. | Consent (Art. 6(1)(a)). |
| 6 | Occupation (student or worker, plus free-text role — checked for PII and toxicity via AWS Comprehend) | Yes | Displayed on your profile. Free-text role is screened for personal information and harmful content before acceptance. | Contract performance (Art. 6(1)(b)). |
| 7 | Hobbies (3 to 8 tags selected from a curated list of approximately 80 options) | Yes | Displayed on your profile and may be used to improve match suggestions. | Contract performance (Art. 6(1)(b)). |
| 8 | Voice memo (up to 10 seconds, .m4a format, uploaded to S3, moderated via AWS Transcribe + Comprehend) | Yes | The main way other users discover you. Treated as potentially biometric data — see Section 4 below. | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)). |
| 9 | City and approximate location (city selected from approximately 50 UK cities; optionally an approximate GPS coordinate captured only with your separate permission, truncated to ~11 m precision before storage) | City: yes. GPS: no — optional. | To show you people nearby. We use your city to compute an approximate area centroid for distance matching. If you grant location permission, we use a single coarse GPS reading instead, only while the app is open. We never collect your exact address or postcode. We never run in the background. We never share your location with anyone outside Unseen. | City and centroid derivation: legitimate interest (Art. 6(1)(f)) — see new Section 9 ("Location data") below. GPS: explicit consent (Art. 6(1)(a)) plus PECR Reg. 6 — see new Section 9. |
| 10 | Phonebook contacts (SHA-256 hashed on-device using HMAC, E.164-normalised — raw phone numbers NEVER leave your device) | No (optional) | To block mutual contacts from seeing each other on Unseen. See Section 7 below. | Consent (Art. 6(1)(a)) for your data. Legitimate interest (Art. 6(1)(f)) for your contacts' data. |
3.3 Email communications
We send transactional emails to the email address you provide during registration. These emails are necessary for the operation of your account and are not marketing communications. All emails are sent via AWS Simple Email Service (SES) from noreply@unipia.co.uk.
| Email type | When sent | What it contains | Data retention |
|---|---|---|---|
| Email verification code | When you sign up with an email address, or when you request a new verification code. | A 6-digit verification code. The code expires after 10 minutes. | Verification tokens are stored in our database until used or expired. Failed attempt counts are tracked to prevent brute-force attacks (maximum 5 attempts per code). Expired and used tokens are retained for audit purposes and deleted during periodic cleanup. |
| Password reset link | When you request a password reset via the "Forgot password" flow. | A secure, single-use link containing a cryptographically generated token (384-bit entropy). The link expires after 1 hour. | Reset tokens are stored in our database until used or expired. Each token can only be used once. When a password is successfully reset, all existing login sessions are invalidated for your security. |
| Account deletion confirmation | When you request account deletion via the web form. | Confirmation that your deletion request has been received and that your data will be permanently removed in accordance with our retention policy. | No additional data is stored beyond the email send event in application logs (with your email address redacted). |
Rate limiting: To prevent abuse, email verification code resends are limited to 3 per hour per account. Password reset requests are limited to 3 per hour per account. These limits protect both you and our systems.
What we do NOT include in emails: We never include your password, full profile data, other users' information, or any sensitive personal data in email communications. Email subject lines do not contain personal information.
Legal basis: Contract performance (Art. 6(1)(b)) — these emails are necessary for account security and service operation.
4. Voice data
We take your voice data seriously because it may be considered biometric data under UK data protection law. We take the conservative position and treat voice data as special category data under UK GDPR Art. 9.
What we collect: A short audio recording (up to 10 seconds, .m4a format) of you reading a phrase you have written.
Why: Your voice recording is the main way other Unseen users get to know you. It replaces photos as the primary way people decide whether to connect.
Who hears it: Other Unseen users hear your voice recording when browsing profiles in Discovery. Audio is delivered via CloudFront signed URLs that expire after one hour.
Moderation (calibrated toward auto-approval): Your voice recording is automatically transcribed using AWS Transcribe and the resulting text is checked for harmful content using AWS Comprehend. The written phrase is checked the same way. We combine both signals into a single toxicity score (we take the higher of the two) and route the memo through one of three outcomes:
- Clear (the vast majority of submissions): Your memo is published immediately. You receive a push notification confirming it is live. Our policy is deliberately calibrated toward this path so that legitimate content goes live without delay; the in-app appeal route (described below) is the safeguard against any false rejection.
- Uncertain (a small fraction of submissions): Your memo is held for human review by an Unseen moderator before it is published or rejected.
- High-confidence violation (a small fraction): Your memo is automatically rejected. You receive a push notification telling you it was rejected and that you can appeal.
In addition, we perform a small set of audio-quality checks that can also lead to an automatic rejection — these reflect a technical inability to process your recording, not a judgment about you or what you said:
- If our speech-to-text service returns no words at all (silent recording, microphone failure, or only background noise), the memo is automatically rejected as "no speech detected".
- If our speech-to-text service returns fewer than two words for a recording longer than three seconds, the memo is rejected as "no speech detected" for the same reason.
- If our speech-to-text service fails to process the recording entirely (file corruption, unsupported encoding), the memo is rejected as "audio could not be processed".
Your right to appeal applies to every automatic rejection, including the audio-quality rejections above. Our speech-to-text service may misfire on strong accents, dialects, very quiet recordings or non-English speech, so a human moderator will personally review your memo if you appeal.
The exact toxicity thresholds are set internally and can be adjusted by Unseen administrators based on accuracy data. Every automated decision (publish or reject) is written to an internal audit log so we can demonstrate accountability under UK GDPR Art. 5(2). The transcript itself is processed in memory only and is deleted immediately after the check — it is NOT stored or persisted in any database or log (this is a requirement of our Data Protection Impact Assessment). The specific toxicity labels or categories that triggered a content-based decision are not revealed to you or stored — only a generic outcome is recorded.
Rejection reason taxonomy (plain English). When a memo is rejected, you will be told the general reason. We use four categories:
| What you see | What it means |
|---|---|
| No speech detected | Our speech-to-text service could not pick out any words (or fewer than two words in a longer recording). Usually a quiet recording, microphone problem, or background noise only. |
| Audio could not be processed | Our speech-to-text service was unable to process the file at all (e.g. file corruption). |
| Content violation | The automated moderation system identified content above our auto-reject threshold for harmful content. |
| Decision by our moderation team | A human moderator reviewed your memo (either from the middle review band or following a report) and decided it did not meet our community guidelines. |
You can appeal any rejection, regardless of reason. See Section 15 below for full detail of your right to human review under UK GDPR Art. 22(3).
Your right to human review. Because the automated decision (publishing your memo or refusing to publish it) affects your ability to participate in Discovery, we treat it as a decision that may significantly affect you within the meaning of UK GDPR Art. 22. You always have the right to a human review. If your memo is automatically rejected — for any reason, including "no speech detected" or "audio could not be processed" — the rejection notification includes an in-app "Appeal" option that opens the voice memo appeal flow (Settings > Voice memo > Appeal, or directly from the rejection notification). When you appeal, an Unseen moderator personally reviews your memo and the original automated decision. This is your right under UK GDPR Art. 22(3) (right to obtain human intervention and to contest the decision). The appeal route works for every auto-decision and for memos rejected by a human moderator out of the middle review band. See also Section 15 (Automated decision-making).
Storage: Your recording is stored securely in the UK (AWS eu-west-2, London). It is encrypted at rest using dedicated encryption keys (AWS KMS) and served over encrypted connections via CloudFront signed URLs that expire after one hour.
Your control: You can re-record, delete, or export your voice memo at any time from Settings. If you delete your account, your recording is tagged for S3 lifecycle deletion and removed within 24 hours.
Consent: We ask for your explicit consent before you record. You can withdraw consent at any time by deleting your voice memo in Settings. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
For full details, see our Data Protection Impact Assessment (available on request).
5. Discovery data
When you use the Discovery feature (browsing and swiping on other users' profiles), we collect the following:
| Data | What we use it for | Legal basis |
|---|---|---|
| Swipe history (which profiles you swiped left or right on) | To prevent showing you the same profile twice, and to create matches when two users both swipe right on each other. | Contract performance (Art. 6(1)(b)) — necessary for the matching feature to work. |
| Match records | To connect you with users you have mutually selected. A match is created when the first message is sent after mutual interest. | Contract performance (Art. 6(1)(b)). |
| Filter selections (gender filter, age range filter) | To show you profiles that match your preferences in Discovery. Filter preferences are stored for your convenience. | Contract performance (Art. 6(1)(b)). |
What other users see about you in Discovery: Your username, age (not full date of birth), gender, nationality (if provided), occupation, hobbies, city, and your voice memo (phrase text and audio recording). Your profile photo is NOT shown in Discovery — it is only visible to mutual matches.
Contact blocking in Discovery: If you have imported your contacts (see Section 7), users whose hashed phone numbers match your contacts are automatically excluded from your Discovery feed, and you are excluded from theirs. This blocking is bidirectional.
User blocking in Discovery: If you block another user, neither of you will see each other in Discovery or be able to message each other. Blocking is bidirectional.
What we do NOT do with swipe data: We do not sell swipe data. We do not share your individual swipe decisions with other users (a user does not know you swiped left on them). We do not use swipe data for advertising.
6. Messaging (chat) data
When you use Unseen's messaging feature, we collect and process the following:
| Data | What we use it for | Legal basis |
|---|---|---|
| Message content (text messages between matched users) | To deliver your messages to the recipient and display conversation history. | Contract performance (Art. 6(1)(b)) — necessary for the messaging feature. |
| Message metadata (timestamp, sender ID, recipient ID, read status) | To display messages in the correct order, show delivery and read indicators. | Contract performance (Art. 6(1)(b)). |
| First-message action (which user initiated a chat) | Sending a first message to a match consumes one of your daily message slots and one message token (see Section 8). We track this to enforce both the slot system and the token system. A match is created when the first message is sent. | Contract performance (Art. 6(1)(b)). |
Who can see your messages: Only you and the person you are messaging. Messages are stored on our servers so they can be delivered when the recipient opens the app.
Admin access to messages: Unseen staff do not routinely access message content. Message content may only be accessed if: (a) required by a court order or law enforcement request, or (b) a specific message is the subject of a user report (see Section 10, User reports). Admin access to any personal data is logged in our audit system.
Message retention: All messages are automatically deleted 30 days after they are sent. This is enforced by an automated daily scheduled job that runs at 3:00 AM. Once deleted, messages cannot be recovered.
Canned messages: We provide a list of curated conversation starters you can use as first messages. These are not personalised — they are the same for all users. Selecting a canned message is optional.
7. Contact blocking
What happens: If you choose to import contacts, the Unseen app reads the phone numbers from your device, normalises them to E.164 international format, then scrambles them using a one-way cryptographic process (SHA-256 HMAC hashing) entirely on your device. Only the scrambled (hashed) versions are sent to our server. We then compare these against other users' hashed registered numbers. If there is a match, both of you are automatically hidden from each other in Discovery.
Your actual phone numbers never leave your device. We cannot reverse the hashing process. We cannot and do not see raw phone numbers.
Why we process your contacts' data: Your contacts have not signed up to Unseen, but we process scrambled versions of their phone numbers to protect both your privacy and theirs. If someone you know joins Unseen, neither of you will see the other. We believe this is in everyone's interest. We rely on legitimate interest (Art. 6(1)(f)) for this processing of contacts' data.
We do not: Contact, message, or send marketing to anyone in your contact list. Build a social graph or profile of your contacts. Store raw phone numbers at any point. Share contact data with third parties.
If you are not an Unseen user but believe your phone number has been processed: You can contact us at dpo@unipia.co.uk to request deletion of any data derived from your phone number. We will process your request within one month (Art. 12(3)).
8. Slot system, token system, and purchase data
Unseen uses two systems to manage how many new conversations you can start: a "slot" system (daily inbox capacity) and a "token" system (conversation initiation permits). You need both an available slot and an available token to send a first message to a match.
8.1 Daily slot allocation
| Data | What we use it for | Legal basis |
|---|---|---|
| Slot balance (how many slots you have remaining today) | To enforce the daily messaging limit. Slots reset at your local midnight. | Contract performance (Art. 6(1)(b)). |
| Slot usage history (when you used each slot) | To prevent double-spending of slots and to reset correctly at midnight. | Contract performance (Art. 6(1)(b)). |
| Gender-based allocation | Your daily slot allocation depends on your selected gender. Male users receive 3 daily slots; Female, Non-binary, and Prefer-not-to-say users receive 6 daily slots. This allocation is under review — see note below. | Contract performance (Art. 6(1)(b)). |
Note on gender-based allocation: We are aware that different slot allocations by gender raise questions under the Equality Act 2010. We are taking legal advice on this feature and it may change. The current allocation is intended as a positive action measure (Equality Act 2010 s.158) to address documented disparities in dating app usage patterns.
8.2 Weekly token allocation
In addition to daily slots, Unseen provides you with message tokens. Tokens are required alongside slots to send a first message.
| Data | What we use it for | Legal basis |
|---|---|---|
| Token balance (free tokens remaining, purchased tokens remaining) | To enforce the token system. We track free and purchased tokens separately to ensure free tokens are consumed first. | Contract performance (Art. 6(1)(b)). |
| Token usage history (when each token was consumed and against which match) | To prevent double-spending of tokens and to calculate weekly resets correctly. | Contract performance (Art. 6(1)(b)). |
| Weekly reset timestamp (last_reset_at) | To reset your free token allocation each week. Free tokens reset every Monday at midnight UTC. | Contract performance (Art. 6(1)(b)). |
Token allocation: Every user receives 3 free message tokens per week, regardless of gender. Free tokens reset every Monday at midnight UTC. Unused free tokens do not carry over — they are replaced by the new weekly allocation. Purchased tokens do not expire and are not affected by the weekly reset.
Token vs slot difference: Unlike the slot system, token allocation is the same for all users regardless of gender. The token system does not use gender-based differentiation.
Consumption order: When you send a first message, one slot and one token are consumed. Free tokens are always consumed before purchased tokens.
8.3 Purchase data (slots and tokens)
You can buy additional message slots and message tokens through in-app purchases (Apple IAP on iOS, Google Play Billing on Android). Stripe or other direct payment methods are NOT used for in-app digital purchases — this is required by Apple and Google store policies.
| Data | What we use it for | Legal basis |
|---|---|---|
| Slot purchase records (product ID, timestamp, slot quantity purchased, price paid) | To credit your account with purchased slots and to handle refunds. | Contract performance (Art. 6(1)(b)). |
| Token purchase records (product ID, product name, timestamp, token quantity added, price paid, platform) | To credit your account with purchased tokens and to handle refunds. | Contract performance (Art. 6(1)(b)). |
| Transaction ID (from Apple or Google) | To verify the purchase was legitimate (server-side receipt validation) and to process refunds if needed. Applies to both slot and token purchases. | Contract performance (Art. 6(1)(b)). |
| Refund status (for token purchases) | To track whether a token purchase has been refunded and to remove the corresponding tokens from your account. | Contract performance (Art. 6(1)(b)). |
Token product IDs and pricing: Token Bundle (5 tokens, GBP 3.49), Token Pack (3 tokens, GBP 2.49), Single Token (1 token, GBP 0.99). These are consumable one-time purchases, not subscriptions.
What we do NOT see: We do not receive or store your payment card details, bank account information, billing address, or any financial information. All payment processing is handled entirely by Apple or Google. Their privacy policies apply to the payment transaction itself. UNIPIA Ltd never sees your card or payment details.
Refund processing: If you request a refund through Apple or Google, they notify us via webhook. We then remove the purchased slots or tokens from your account as appropriate. See our Refund Policy for full details.
9. Location data
We use approximate location data to power the distance filter on the Discovery feed. This section explains what we collect, how we use it, and your rights — in plain English.
9.1 What we collect, and how
There are two ways we get your approximate location, depending on what you choose:
| Path | What we store | When |
|---|---|---|
| City centroid (default; works without any permission) | The geographic centre of the UK city you selected during onboarding (latitude and longitude, ~1.1 km precision floor — about the size of a city neighbourhood). | When you sign up, derived from your city selection. Updated only if you change your city. |
| Approximate GPS (optional; needs your permission) | A single coarse GPS reading from your device, truncated to about 11 metres precision before storage (we cut off the extra digits — we do not store the precise reading). Stored together with a flag indicating it is GPS-derived, the time you sent it, and the version of the consent text you accepted. | When you grant location permission during onboarding (or later in Settings, if we add that toggle). Refreshed at most once every seven days, only while the app is open. |
We never collect:
- Your exact address or postcode.
- A continuous trail of where you have been (no location history).
- Your location when the app is closed or in the background.
- IP-based geolocation as a substitute for either path above.
- Any reverse-resolved place names (no "Tesco Camden" — coordinates are stored as numbers only).
9.2 What other users see
Other Unseen users never see your coordinates and never see an exact distance to you. They see only one of the following bucket labels alongside your profile in Discovery:
- "within 1 km"
- "within 3 km"
- "within 10 km"
- "within 30 km"
- "30 km+"
- (no label, if either side has not provided coordinates)
We chose buckets specifically so that no one can use Unseen to triangulate where you are.
9.3 Why we process this data (lawful basis)
We use a hybrid lawful basis under UK GDPR Article 6:
- City centroid: legitimate interest (Art. 6(1)(f)). The centroid is a derivation of the city you already gave us when you signed up. Mapping a city you declared into approximate coordinates so we can compute distance buckets is something a reasonable user would expect us to do, and we have assessed the privacy impact and concluded it is proportionate. You have the right to object at any time (see §9.6 below). Our Legitimate Interests Assessment is on file and available on request from dpo@unipia.co.uk.
- Approximate GPS: explicit consent (Art. 6(1)(a)), combined with consent for storage / access of information on your device under regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 (PECR). We capture your consent through a clear in-app explainer screen with two equally weighted choices ("Allow location" and "Use my city instead"), and through your device's own permission prompt. We record the version of the consent text you accepted, the time you accepted, and the version of the app you were using.
9.4 What we do not use it for
We do not use your location data:
- For analytics. No location field appears in any analytics event we send anywhere.
- For advertising. We do not advertise on Unseen and we do not share location with ad networks.
- For training any AI or matching model.
- To send you push notifications about who is near you. We never send a push that contains a location. (We may say "you have a new match", but never "someone is 200 m away".)
- To build any kind of social graph or profile beyond match candidate generation.
- To share with anyone outside Unseen — not with data brokers, not with third-party SDKs, not with any other party except as required by law.
These restrictions are commitments, not aspirations: changing any of them requires a new privacy-policy version, a new DPIA, and (for the GPS branch) fresh consent.
9.5 How long we keep it
We keep your coordinates only as long as your account is active.
- If you turn off location in your phone Settings (or use the in-app revocation), we replace your stored GPS coordinates with your selected city's centroid within a minute. We do not keep a copy of the previous, more precise reading.
- If you delete your location data via the app's "Delete my location data" option, we set your coordinates to nothing (null) within seconds. After this, you will not appear on other users' distance-filtered Discovery feeds, and your own distance filter will be ignored.
- If you delete your account, we delete your coordinates as part of the standard account-deletion erasure within 24 hours.
- Backups follow our standard 90-day backup-purge cycle.
9.6 Your rights specific to location data
In addition to the rights listed in Section 18 ("Your rights") of this policy:
- Withdraw consent for GPS (UK GDPR Art. 7(3)). Turn off location permission in your phone Settings. The app detects the change on next launch and tells our server to drop your GPS reading and use your city centroid instead. You can also do this in-app from Settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Object to centroid processing (UK GDPR Art. 21). You can object to us processing the city-centroid coordinates (the legitimate-interest branch) at any time. The simplest way is the in-app "Delete my location data" control, which clears coordinates entirely and excludes you from distance-filtered Discovery results. You can also email dpo@unipia.co.uk. We will not challenge your objection — we will honour it.
- Erase your location data (UK GDPR Art. 17). Same control as above ("Delete my location data") clears coordinates without deleting your account.
- Be told what we have (UK GDPR Art. 15). On request, we will tell you the coordinates we have stored, the source (gps/city_centroid/unknown), the time of the most recent update, and (where applicable) the version of consent you accepted.
- No automated decision-making (UK GDPR Art. 22). The distance bucket is shown to other users — it does not make any decision that has legal or similarly significant effects on you. Distance is a filter, not a sorter, and it does not block matches; matches still depend on mutual user choice.
9.7 Anti-stalking and safety measures
We have built the location feature with stalking risk in mind:
- Bucketed display only (no exact distance ever leaves our servers to clients).
- No "online now" indicator and no "user is now closer" notifications.
- Rate limiting of how often the app can send a fresh location reading (at most once per minute server-side; at most once per seven days client-initiated).
- No location history table — we keep your current coordinates only, never a trail.
- Contact-blocking (see Section 7) blocks anyone in your phonebook (or with you in their phonebook) from seeing each other on Unseen, regardless of location.
- Block dissolves match — if you block someone, they are removed from your Discovery and you from theirs immediately.
For more detail, see our Data Protection Impact Assessment for the location feature, available on request from dpo@unipia.co.uk.
9.8 Children
Unseen is for adults (18+). We do not knowingly collect any data — including location — from anyone under 18. See Section 17 for our age policy.
9.9 Where the city centroid data comes from
Our city centroid reference data is derived from the Ordnance Survey Open Names dataset, used under the Open Government Licence v3.0. As required by that licence:
Contains OS data © Crown copyright and database right 2024.
The Ordnance Survey did not receive any of your data. We loaded their public dataset once when we built the feature and use it as a static lookup table — no runtime dependency, no transfer of your data to OS.
10. Push notifications
We use Firebase Cloud Messaging (FCM) to send push notifications to your device. Notifications are service notifications only — we do not send marketing via push notifications. Types of notification include:
- New match alerts
- New message alerts
- Slot purchase confirmations
- Token purchase confirmations
- Voice memo moderation results (approved or rejected — generic message only, no specific reason shown on lock screen)
- Report acknowledgments
- Service announcements (such as scheduled maintenance, new features, policy changes, or safety notices)
What data is involved: Your FCM device token (see Section 3.1) and a short notification payload. Notification payloads contain only the minimum data needed to display the notification (e.g., "You have a new match" — not the match's full profile). Moderation rejection notifications use a generic message and do not reveal the specific reason for rejection on your lock screen.
Service announcements: Occasionally, we may send you a push notification about important service updates (such as scheduled maintenance, new features, policy changes, or safety notices). These are not marketing — they relate directly to the operation of the service you are using. They are sent under legitimate interest (Art. 6(1)(f)) because they help you use the service effectively. You can still disable all push notifications in your device settings at any time.
Your control: You can disable push notifications at any time in your device settings (iOS Settings or Android Settings). You can also control notification categories within the app's Settings if available.
Legal basis: Legitimate interest (Art. 6(1)(f)). Push notifications about your account activity (matches, messages, moderation, purchases) and service announcements are necessary for the service to function effectively. They are not marketing communications. If we ever send promotional or marketing notifications (such as offers, discounts, or invitations to purchase), we will obtain your separate, specific consent first, in compliance with the UK Privacy and Electronic Communications Regulations 2003 (PECR).
11. Trust and safety
11.1 Content moderation
We use automated moderation to keep Unseen safe. The level of automation depends on the content type:
- Voice memos (calibrated toward auto-approval): Both the audio (via AWS Transcribe and AWS Comprehend) and the written phrase are scored for toxicity. The higher of the two scores routes the memo into one of three outcomes:
- Clear (the vast majority of submissions): the memo is auto-approved and published immediately. Our moderation policy is deliberately calibrated toward this outcome so that legitimate content is not held up; the in-app appeal route is the safeguard against any false rejection.
- Middle band (a small fraction): the memo is held for human review by an Unseen moderator before publication or rejection.
- High-confidence violation (a small fraction): the memo is auto-rejected.
In addition, audio-quality auto-reject paths apply where our speech-to-text service returns no usable transcript (no speech detected) or fails entirely (audio could not be processed). These are framed as technical rejections, not content judgments. See Section 4 for the full rejection-reason taxonomy in plain English.
Every automated outcome (approve or reject) is written to an internal audit log. The transcript is processed in memory only and is NOT persisted. Rejection reasons stored are limited to the four categories disclosed in Section 4 — no specific toxicity labels are revealed to users or stored in your profile record. If your memo is auto-rejected for any reason — including "no speech detected" or "audio could not be processed" — you can appeal and a human moderator will review the decision (see Section 4 and Section 15). The thresholds that decide the three tiers can be adjusted by Unseen administrators based on accuracy data; any material change is logged.
- Usernames: Checked for toxicity via AWS Comprehend before acceptance.
- Occupation free text: Checked for PII (personal information leakage) and toxicity via AWS Comprehend before acceptance.
- Free-text phrases (voice memo text): User-generated content subject to moderation under UK Online Safety Act 2023 illegal content duties; processed as part of the voice memo flow above.
11.2 User reporting
You can report another user if you believe their behaviour or content violates our community guidelines, these Terms, or applicable law. Reports can be made from several places in the app, including Discovery, chat, and profile screens.
Report categories: You can report for the following reasons: harassment, fake profile, spam, inappropriate content, underage user, threatening behaviour, hate speech, inappropriate username, inappropriate quote, inappropriate message, fake photo, scam, or other.
What we collect when you report:
| Data | Purpose | Legal basis |
|---|---|---|
| Report category (selected from the list above) | To classify the report and determine appropriate action. | Legitimate interest (Art. 6(1)(f)) — platform safety. |
| Free-text explanation (optional, provided by you) | To understand the context of the report. | Legitimate interest (Art. 6(1)(f)). |
| Source screen (where you made the report — e.g., Discovery, chat, profile) | To understand the context in which the reported behaviour occurred. | Legitimate interest (Art. 6(1)(f)). |
| Evidence type (e.g., message snapshot, username snapshot, quote snapshot, photo reference) | To identify the type of content being reported. | Legitimate interest (Art. 6(1)(f)). |
| Evidence snapshot (a captured copy of the reported content — e.g., the message text, the username, or the profile quote at the time of reporting; up to 5,000 characters) | To preserve evidence of the reported content for moderation review. Because chat messages are automatically deleted after 30 days, we capture a snapshot of the relevant message at the time of the report so that our moderation team can review the report even if the original message has been deleted. | Legitimate interest (Art. 6(1)(f)) — necessary to investigate reports effectively and comply with UK Online Safety Act 2023 duties. |
| Photo reference (a reference to the reported profile photo, if applicable) | To allow moderators to review the reported photo. | Legitimate interest (Art. 6(1)(f)). |
| Your user ID and the reported user's ID | To identify the parties involved and prevent duplicate reports. | Legitimate interest (Art. 6(1)(f)). |
| Timestamp | To record when the report was made. | Legitimate interest (Art. 6(1)(f)). |
Severity classification: Reports are automatically classified by severity to ensure that the most serious reports (such as those involving underage users, threats, or hate speech) are reviewed as a priority. This classification is used for internal triage only and does not affect your rights.
How we handle reports: Reports are reviewed by our moderation team. Based on the review, we may take one or more of the following actions against the reported user:
- Warning: The user is warned about the behaviour.
- Username reset: The user's username is replaced with a random placeholder. The previous username is removed.
- Quote removal: The user's profile quote is removed.
- Photo removal: The user's profile photo is deleted from our storage.
- Temporary mute: The user is prevented from sending messages for a fixed period (24 hours, 7 days, or 30 days).
- Account suspension or ban: The user's account is temporarily suspended or permanently terminated.
- Dismiss: The report is closed without action if it does not warrant intervention.
Impact on your data: If an enforcement action is taken against you (such as a username reset, quote removal, or photo removal), the affected content is deleted from our systems. You will be notified of the action taken. A record of the enforcement action is retained as part of the report record (see retention below).
Evidence retention: Report data, including any evidence snapshots captured at the time of reporting, is retained for the duration of the report lifecycle plus 12 months after resolution, or longer if required by law enforcement or legal proceedings. After the retention period, report data is deleted.
11.3 User blocking
You can block any user. Blocking is bidirectional — once you block someone, neither of you will see each other in Discovery or be able to message each other.
11.4 Contact blocking
See Section 7 above. Contact blocking uses HMAC-SHA-256 hashed phone numbers to ensure mutual contacts on Unseen never see each other.
Legal basis for trust and safety processing: Legitimate interest (Art. 6(1)(f)) — to maintain a safe platform and to investigate reports effectively. Legal obligation (Art. 6(1)(c)) — compliance with UK Online Safety Act 2023. Contract performance (Art. 6(1)(b)) — for blocking feature.
12. How long we keep your data
| Data | Retention period | What triggers deletion |
|---|---|---|
| Username, gender, occupation, hobbies | Lifetime of your account | Account deletion (PII cleared within 24 hours) or 12 months of inactivity |
| Date of birth | Lifetime of your account | Account deletion (within 24 hours) |
| Email address, auth provider IDs (Google sub ID, Apple sub ID) | Lifetime of your account | Account deletion (within 24 hours) |
| Nationality | Until you remove it, or account deletion | You can remove it any time in Settings |
| Profile photo | Until you remove it, or account deletion | Removed from S3 storage within 24 hours of deletion. EXIF metadata is never stored. |
| Voice memo (.m4a audio file) | Until you re-record, delete it, or delete your account | Immediate replacement on re-record; S3 lifecycle deletion within 24 hours on account deletion; 12-month inactivity cleanup |
| Voice memo transcripts | NOT stored — processed in memory only | Deleted immediately after moderation check |
| Voice memo moderation audit entries (decision, the toxicity score for that decision, which moderation signal produced the score, the thresholds in effect at the time, model version, rejection reason category where applicable, timestamp) | 24 months (admin audit log retention) | Automatic deletion after retention period |
| Contact hashes (HMAC-SHA-256) | Until you withdraw consent or delete your account | Deleted within 24 hours |
| City | Lifetime of your account | Account deletion (within 24 hours) |
| Approximate location coordinates (latitude, longitude, source, last-update time) | Lifetime of your account, unless you revoke or delete sooner. GPS-derived coordinates are replaced with city centroid within one minute of permission revocation. The "Delete my location data" control clears coordinates within seconds. | Account deletion (within 24 hours), GPS revocation (within one minute), explicit deletion (within seconds), 12-month inactivity cleanup. |
| Consent records for location (consent version, grant time, withdrawal time, app version) | 3 years after account deletion (Art. 7(1) accountability evidence) | Automatic deletion after the retention period. |
| Swipe history | Lifetime of your account | Account deletion (within 24 hours) |
| Match records | Until one party unmatches or deletes account | Account deletion (within 24 hours) |
| Chat messages | 30 days from date sent | Automatic daily deletion job at 3:00 AM. Once deleted, messages cannot be recovered. |
| Message metadata | 30 days from date sent | Deleted with message content |
| Slot balance and usage | Daily (resets at midnight); lifetime purchase records retained for account lifetime | Account deletion |
| Token balance and usage | Weekly (free tokens reset every Monday at midnight UTC); purchased token balance retained for account lifetime | Account deletion (within 24 hours). Free token balances are reset weekly; purchased token balances persist until consumed or account deletion. |
| Token purchase records | Lifetime of your account (needed for refund handling) | Account deletion. Financial records may be retained for 6 years from the date of the transaction (Limitation Act 1980 s.5), or such longer period as required by applicable tax legislation. |
| Token refund records | 6 years from the date of the transaction or refund decision (Limitation Act 1980 s.5; HMRC record-keeping) | Automatic deletion after 6 years. |
| Purchase records (slots) | Lifetime of your account (needed for refund handling) | Account deletion. Financial records may be retained for 6 years from the date of the transaction (Limitation Act 1980 s.5), or such longer period as required by applicable tax legislation. |
| Refund records (transaction ID, refund reason, correspondence, waiver confirmation) | 6 years from the date of the transaction or refund decision (Limitation Act 1980 s.5; HMRC record-keeping) | Automatic deletion after 6 years. Waiver confirmation records survive account deletion (UK GDPR Art. 17(3)(b)). See Refund Policy Section 10 for details. |
| FCM device tokens | Until you log out, uninstall, or delete your account | Token refreshed automatically by device. Stale tokens removed. |
| Report data (including evidence snapshots) | Report lifecycle + 12 months after resolution, or as required by law enforcement | May be retained longer if part of an ongoing investigation or legal proceedings |
| Email verification tokens | Until used or expired (10 minutes), then retained for audit | Account deletion clears all tokens |
| Password reset tokens | Until used or expired (1 hour), then retained for audit | Account deletion clears all tokens |
| Consent records | 3 years after account deletion | Required to prove we had your permission |
| Moderation results (generic rejection reason category) | Lifetime of the content they relate to | Deleted when associated content is deleted |
| Admin audit logs | 24 months | Required for accountability under UK GDPR Art. 5(2) |
| Admin notification records | 24 months | Deleted after retention period expires |
| Backup copies | Purged within 90 days of account deletion | Automated backup lifecycle policy |
Account deletion process: When you delete your account, we perform a soft-delete (setting a deleted_at timestamp). Your PII is cleared (name, FCM token). Your profile data, conversation starter answers, hobby tags, contact hashes, swipe history, matches, blocks, message slots, and token balances are permanently deleted. Your voice memos and profile photos are tagged for S3 lifecycle deletion and removed within 24 hours. All active login sessions and refresh tokens are revoked. If you request deletion via the web form, you will receive a confirmation email. This complies with UK GDPR Art. 17 (right to erasure). Backup copies containing your data are purged within 90 days through our automated backup lifecycle policy.
Inactivity policy: If you do not log in for 11 months, we will send you an email warning that your data will be deleted in 30 days. If you do not log in within that 30-day period, we will delete your account and all associated data.
13. Who we share your data with
| Recipient | What they receive | Why | Safeguards |
|---|---|---|---|
| Other Unseen users | Your username, age (not full DOB), gender, nationality (if provided), occupation, hobbies, city, voice memo (phrase text and audio), and an approximate distance bucket (such as "within 3 km"). Other users never see your coordinates or an exact distance. Profile photo only after mutual match. Messages only to your chat partner. | To provide the dating service. | Data is displayed only within the app. Users cannot bulk-export other users' data. |
| Amazon Web Services (AWS) | All data listed above is stored on AWS infrastructure in the UK (eu-west-2, London). AWS Transcribe and Comprehend process voice memos and text for moderation. AWS S3 stores voice memos and profile photos. AWS KMS provides encryption keys. AWS Simple Email Service (SES) sends transactional emails (verification codes, password reset links, account deletion confirmations) — SES receives only the recipient email address and email content. | Cloud hosting, storage, automated content moderation, and transactional email delivery. | AWS Data Processing Addendum in place. All processing in UK (eu-west-2). We have opted out of AWS using your data to improve their AI services. |
| Google (Firebase Cloud Messaging) | FCM device tokens and notification payloads. | To deliver push notifications. | Google Cloud Data Processing Addendum. FCM tokens do not contain profile data. Notification payloads contain minimal information. |
| Apple / Google (payments) | Payment transaction data for in-app slot and token purchases. They do not receive your profile data. | To process slot and token purchases via Apple IAP / Google Play Billing. | Subject to Apple's / Google's privacy policies. We do not receive or store payment card details. |
| Google / Apple (authentication) | Authentication tokens during sign-in. They know you use Unseen if you sign in with their service. | To verify your identity during login. | Standard OAuth 2.0 / Sign In with Apple protocols. We receive minimal data (see Section 3.1). |
Business transfers: If UNIPIA Ltd is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the successor entity as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
We do not sell your data to anyone. We do not use your data for advertising. We do not share your data with data brokers. We do not share your data with any party not listed above.
Law enforcement: We may disclose your data if required to do so by law, court order, or regulatory authority. If we receive such a request, we will comply only to the extent legally required and will notify you unless prohibited from doing so.
14. International transfers
All your data is stored and processed in the United Kingdom (AWS eu-west-2, London). We do not intentionally transfer your data outside the UK.
Firebase Cloud Messaging (FCM): FCM is operated by Google. While the FCM service infrastructure may process device tokens outside the UK, the data involved (device tokens and short notification text) is minimal and does not include your profile information. Google's Data Processing Addendum and Standard Contractual Clauses apply.
If we make any other changes to international data transfers in the future, we will update this policy and ensure appropriate safeguards (such as UK adequacy decisions or international data transfer agreements) are in place.
15. Automated decision-making
We use automated systems to moderate user-generated content (voice memos, usernames, and occupation text). Some of these decisions are taken without immediate human involvement, but you always have the right to a human review on request.
15.1 Voice memos (automated decision, calibrated toward auto-approval)
When you upload a voice memo, we score it for toxicity using two automated signals:
- Audio signal: AWS Transcribe converts your recording to text; AWS Comprehend scores that text for toxicity.
- Text signal: The written phrase is scored for toxicity by AWS Comprehend.
We take the higher of the two scores and apply two thresholds. Our policy is deliberately calibrated toward auto-approval for legitimate content, with the in-app appeal route as the safeguard against any false rejection:
| Score band | Outcome | Human involvement |
|---|---|---|
| Below the lower threshold (clear) — the vast majority of submissions | Auto-approve. Your memo is published to Discovery immediately. | No initial human review. Human review available on request via the appeal flow. |
| Between the two thresholds (uncertain) — a small fraction of submissions | Held for human review. An Unseen moderator personally reviews the memo before it is published or rejected. | Human review before any decision is taken. |
| Above the upper threshold (high-confidence violation) — a small fraction | Auto-reject. Your memo is not published. You receive a push notification telling you it was rejected and explaining how to appeal. | No initial human review. Human review available on request via the appeal flow. |
In addition to the toxicity-based outcomes above, we apply a small number of audio-quality auto-reject paths. These reflect a technical inability to process your recording, not a judgment about you or what you said:
- No speech detected: our speech-to-text service returned no words at all, or fewer than two words in a recording longer than three seconds.
- Audio could not be processed: our speech-to-text service failed to process the file entirely.
These audio-quality outcomes are not substantive evaluations of you or your speech; they are technical responses to inputs we cannot read. Even so, we apply the same Art. 22(3) safeguards as a courtesy and as a backstop against false rejections (for example, our speech-to-text service may misfire on strong accents or non-English speech). You can appeal every audio-quality rejection in exactly the same way as a content rejection, and a human moderator will personally review the memo.
Rejection reason categories (disclosed to you). We tell you the general category of any rejection. The four categories are:
| Category (plain English) | Internal label | What it covers |
|---|---|---|
| No speech detected | NO_SPEECH_DETECTED | Empty or near-empty transcript (technical) |
| Audio could not be processed | AUDIO_UNPROCESSABLE | Speech-to-text service failed (technical) |
| Content violation | CONTENT_VIOLATION | Toxicity score above the auto-reject threshold |
| Decision by our moderation team | ADMIN_DECISION | A human moderator decided not to publish (middle band or following a report) |
We do not disclose the specific toxicity labels or numeric score that triggered a content-based rejection.
Why we treat these as decisions covered by UK GDPR Art. 22. A decision to publish or refuse to publish your voice memo can affect your ability to use the core matching feature of Unseen. We take the conservative position that this can amount to a decision with a significant effect on you, and we therefore apply Art. 22 safeguards in full to both the auto-approve and the auto-reject paths. We extend the same safeguards to the audio-quality auto-reject paths as a backstop, even though those decisions are technical in nature (our internal analysis is that "no speech detected" and "audio could not be processed" do not amount to evaluations of you within the meaning of Art. 22(1), but the appeal route remains open in every case).
Safeguards we apply (Art. 22(3)):
- Right to human intervention — every auto-decision. If your memo is auto-rejected (for any reason, including "no speech detected" and "audio could not be processed"), the rejection notification contains a one-tap "Appeal" link that opens the in-app voice memo appeal flow (also reachable from Settings > Voice memo > Appeal). An Unseen moderator personally reviews the memo and the original automated decision. If you believe an auto-approved memo of yours should have been reviewed, or if you want to contest any aspect of the automated handling, you can also request human review by emailing legal@unipia.co.uk.
- Right to contest the decision. When you appeal, you can record a short explanation telling us why you think the decision was wrong. The moderator considers this before deciding.
- Right to express your point of view. The appeal form lets you provide additional context (e.g. "this is a regional accent, not slurred speech"; "the phrase is the title of a book"; "the recording is quiet because I was in a library").
- Audit log. Every automated decision (auto-approve, auto-reject including audio-quality auto-reject) is recorded in our internal audit log with the decision itself, the toxicity score that produced the decision (where applicable), which moderation signal produced that score (phrase text or audio transcript), the thresholds in effect at decision time, the model version used, the rejection reason category, and the timestamp. This lets us demonstrate accountability under UK GDPR Art. 5(2) and lets a moderator reviewing an appeal see how the automated decision was reached. (The "band" — clear / uncertain / high-confidence violation — is not stored as a separate field; it is an inferred concept, derived by comparing the stored score to the stored thresholds.)
- Configurable thresholds with change control. The two toxicity thresholds can be tuned by Unseen administrators based on accuracy data. Threshold changes are logged. The current policy is deliberately calibrated toward auto-approval; any material change is reflected in a Privacy Policy update.
- Limited disclosure of reasons. You are told the general category of rejection (the four categories above); the specific toxicity labels or numeric score that triggered a content-based decision are not shown to you or other users, to prevent gaming of the moderation system.
- Monitoring of error rates. We track the rate of successful appeals against auto-rejections (false-positive rate) and the rate at which user reports are upheld against previously auto-approved content (false-negative rate). These metrics drive threshold review.
- Special category data handled separately. Because voice may be biometric (UK GDPR Art. 9), we additionally rely on your explicit consent under Art. 9(2)(a) for processing voice data; the Art. 22(3) safeguards above apply on top of that consent.
15.2 Other automated checks (not tier-based)
- Usernames: Checked against AWS Comprehend for toxicity at registration. Rejected usernames must be changed before signup completes; you can pick a different one.
- Occupation text: Checked for PII leakage and toxicity via AWS Comprehend before acceptance.
- Report severity classification: When you submit a report, it is automatically classified by severity (critical, high, medium, or low) to prioritise moderation review. This classification determines the order in which reports are reviewed, not the outcome. All reports are reviewed by a human moderator. This classification does not produce legal effects or similarly significantly affect you within the meaning of UK GDPR Art. 22.
15.3 Your rights (summary)
Under UK GDPR Art. 22, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. For Unseen specifically:
- You will be told the general outcome (approved or rejected) and, where rejected, one of the four rejection reason categories listed above. Specific toxicity labels or scores are not disclosed.
- You can re-record or re-submit your content at any time.
- You can request a human review by appealing in-app (one tap from the rejection notification) or by emailing legal@unipia.co.uk. We will respond within one month (Art. 12(3)). This right applies to every auto-decision, including the audio-quality rejections.
16. Admin panel and audit logging
UNIPIA Ltd operates an admin panel for platform management. The following safeguards apply:
- PII masking: Personal data is masked by default in the admin panel. Any reveal of PII by an admin requires an audit log entry recording who accessed what data and when.
- No routine message access: Admin staff do not have routine access to message content. Message content is accessed only in response to a user report or a legal obligation (court order or law enforcement request).
- Audit trail: All admin actions are logged and retained for 24 months for accountability under UK GDPR Art. 5(2). This includes moderation actions such as username resets, quote removals, photo removals, temporary mutes, warnings, and bans. Automated voice memo moderation decisions are also logged: every auto-approve and auto-reject decision (including audio-quality auto-rejects) records the decision itself, the toxicity score that produced it (where applicable), which moderation signal produced that score (phrase text or audio transcript), the thresholds in effect at decision time, the model version, the rejection reason category, and the timestamp, alongside any subsequent human appeal outcome.
- Admin notifications: When the admin team sends service announcements via push notification, the notification title, body text, target audience category (all users, paid users, or free users), recipient count, and timestamp are recorded. Individual recipient identities are not stored in the notification record.
17. Children
Unseen is for adults aged 18 and over only. We do not knowingly collect data from anyone under 18. We verify your age at registration by requiring your date of birth, which is checked server-side with calendar-accurate validation. If we discover that a user is under 18, we will delete their account and all associated data immediately.
Note on age assurance: We are monitoring Ofcom guidance under Part 5 of the UK Online Safety Act 2023 regarding highly effective age assurance for services accessible to adults. Our age verification measures may be enhanced in future to comply with any requirements issued by Ofcom.
The location feature does not change our 18+ policy: coordinates are only collected after the existing 18+ check at signup. We continue to monitor Ofcom guidance under Part 5 of the UK Online Safety Act 2023 regarding highly effective age assurance, and we will tighten controls in line with that guidance.
18. Your rights
Under UK GDPR, you have the following rights:
| Right | What it means | How to exercise it |
|---|---|---|
| Access (Art. 15) | Get a copy of all data we hold about you. | Settings > Privacy > Request my data, or email dpo@unipia.co.uk. We will respond within one month. |
| Rectification (Art. 16) | Correct inaccurate data. | Edit your profile in the app, or contact us. |
| Erasure (Art. 17) | Delete your data. | Settings > Account > Delete account. One tap to find, full deletion within 24 hours. Your data is erased from all systems including S3 storage. |
| Restriction (Art. 18) | Ask us to pause processing. | Contact us at dpo@unipia.co.uk. |
| Portability (Art. 20) | Get your data in a portable format. | Settings > Privacy > Export my data. Includes your voice memo as .m4a, profile data as JSON. |
| Object (Art. 21) | Object to processing based on legitimate interest. | Contact us at dpo@unipia.co.uk. We will review and respond within one month. |
| Human review of automated decisions (Art. 22(3)) | Obtain human review of any automated voice memo decision (including audio-quality auto-rejects), contest the decision, and express your point of view. | One-tap "Appeal" from the rejection notification, or Settings > Voice memo > Appeal, or email legal@unipia.co.uk. See Section 15. |
| Withdraw consent (Art. 7(3)) | Take back any consent you have given. | In-app controls for each consent (voice memo, contacts, photo, nationality). Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Complain | Raise concerns with the regulator. | Contact the ICO at ico.org.uk or call 0303 123 1113. |
| Location-specific controls | Withdraw GPS consent, object to centroid processing, or delete all your location data without deleting your account. | Settings > Privacy > Location data, or contact dpo@unipia.co.uk. See Section 9.6 above. |
Account deletion: You can delete your account from Settings > Account > Delete Account. This option is always one tap away (compliant with Apple App Store guideline 5.1.1(v)). Deletion removes all your data within 24 hours, including voice memos and profile photos from cloud storage. This action cannot be undone.
19. Security
We protect your data using the following measures:
- All data is stored in the UK (AWS eu-west-2, London) on dedicated infrastructure.
- Voice memos are encrypted at rest using dedicated encryption keys (AWS KMS).
- Profile photos have EXIF metadata stripped before storage.
- All other stored data is encrypted at rest (AWS RDS encryption).
- All data in transit is encrypted using TLS.
- Voice memos and profile photos are served via CloudFront signed URLs that expire after one hour.
- Access to our servers is restricted and monitored.
- Admin access to PII is logged in an audit trail.
- We use separate, dedicated infrastructure — your data is not mixed with any other service.
- Voice memo transcripts are never persisted: they are processed in memory only and then discarded.
No system is 100% secure. If we become aware of a data breach that poses a risk to your rights, we will notify the ICO within 72 hours and notify you without undue delay, as required by UK GDPR Art. 33/34.
20. Cookie notice
The Unseen web preview site (unseen.unipia.co.uk) may use cookies. For details, see our Cookie Notice.
The Unseen app itself does not use cookies. It uses standard device storage for session tokens (see Section 3.1).
21. Changes to this policy
We may update this policy from time to time. If we make material changes (changes that affect your rights or how we use your data), we will notify you in the app before the changes take effect. The date at the top of this policy shows when it was last updated.
22. Contact us
If you have any questions about this privacy policy or how we handle your data:
- Data Protection Officer: dpo@unipia.co.uk
- Legal enquiries: legal@unipia.co.uk
- Post: UNIPIA Ltd, registered in England and Wales
We aim to respond to all enquiries within one month.