Privacy Policy
Last updated: June 12, 2026
1. Who We Are
Unne is currently operated by the Unne project and its founders, based in Finland. We are responsible for the processing of personal data described in this Privacy Policy. Contact: hi@unne.io
2. What Data We Collect
We collect only the data necessary to provide our service:
Account data — when you sign up, we collect your email address and your role selection (artist or venue). We also record whether you have agreed to our Terms of Service and whether you have opted in to marketing emails.
Profile data — depending on your role, you provide your name, a short bio or description, your city, your art type or venue type, and whether you are willing to travel (artists only). You also upload images of your artworks or venue space. Your profile and images are visible to other registered users when they browse the platform, so they can discover you for potential exhibitions.
Messages and communications — when you express interest in an exhibition and message another user, we store the messages you exchange, including any proposed exhibition dates and text you send, so the conversation is delivered to and available for both participants. We also generate in-app notifications about activity on your account (such as new messages or exhibition updates).
Usage data (with your consent) — if you opt in to analytics cookies, we use Google Analytics 4 to collect pseudonymized usage data such as page views, session duration, and general location at country level. This data does not personally identify you.
Anonymous usage data — we use Vercel Analytics to collect anonymous, aggregated usage data such as page views, visitor counts, and traffic sources. Vercel Analytics does not use cookies and does not collect personal identifiers. Visitors are identified by a temporary hash derived from the incoming request, which is automatically discarded after 24 hours. This data cannot be used to identify or re-identify individual users.
Technical data — our hosting infrastructure (Vercel, Supabase) processes your IP address and basic request data to deliver the service. This processing is strictly necessary and does not require consent.
3. Why We Process Your Data (Legal Basis)
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email, role | Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Profile data, images | Enabling the marketplace service | Performance of contract (Art. 6(1)(b)) |
| Messages and notifications | Delivering communications between users and enabling exhibition arrangements | Performance of contract (Art. 6(1)(b)) |
| Terms acceptance date | Demonstrating consent to Terms of Service | Legitimate interest (Art. 6(1)(f)) |
| Marketing email consent | Sending news and updates about our service | Consent (Art. 6(1)(a)) |
| Analytics cookies | Understanding app usage patterns | Consent (Art. 6(1)(a)) via cookie banner |
| Anonymous usage data (Vercel Analytics) | Understanding page views and traffic patterns | Legitimate interest (Art. 6(1)(f)) |
| Technical/server logs | Security, fraud prevention, service delivery | Legitimate interest (Art. 6(1)(f)) |
4. Cookies
Essential cookies — Unne uses a session cookie managed by Supabase to keep you securely logged in. This cookie is strictly necessary for the service to function and does not require your consent. We also store your language preference in a cookie called locale so the interface appears in your chosen language when you return to the service.
| Cookie | Purpose | Expiry |
|---|---|---|
| supabase-auth-token | Maintains secure login session | Until logout or session cleared |
| locale | Stores language preference | Up to 1 year or until deleted |
Analytics cookies — With your explicit opt-in consent via our cookie banner, we use Google Analytics 4, which sets the following cookies:
| Cookie | Purpose | Expiry |
|---|---|---|
| _ga | Distinguishes users across sessions | 2 years |
| _gid | Distinguishes users within a 24-hour period | 24 hours |
These cookies are only set if you click "Accept all" or enable the analytics toggle in the cookie banner. You can change your preference at any time by clicking "Cookie settings" in the footer.
When analytics cookies are denied, Google Analytics operates in consent mode — it sends anonymous, cookieless measurement pings that do not store any data on your device.
Vercel Analytics — Vercel Analytics does not use cookies. It operates without storing any data on your device.
5. Data Sharing and Transfers
Supabase (database and authentication) — processes your account and profile data. Data is stored and processed in the EU (Ireland). Supabase Inc. is US-headquartered; Standard Contractual Clauses (SCCs) apply as an additional safeguard.
Google Analytics (usage analytics, if you consent) — processes anonymized usage data. Google may transfer analytics data to the US for processing. This transfer is protected by Standard Contractual Clauses (SCCs), which are legal safeguards required under EU law. IP anonymization is enabled.
Vercel (hosting and analytics) — serves the application and collects anonymous, aggregated analytics data. Vercel Analytics does not collect personal identifiers, does not use cookies, and cannot identify individual users. Requests from EU users are processed at EU edge locations. Vercel Inc. is US-headquartered; SCCs apply as an additional safeguard. Vercel is certified under the EU-U.S. Data Privacy Framework.
MailerLite (email marketing) — if you opt in to marketing emails, we share your email address, name, role, language preference, and city with MailerLite to send product updates and newsletters. MailerLite processes this data on our behalf. Data is stored in the EU. MailerLite UAB is headquartered in Lithuania (EU), so no international data transfers apply.
Resend (transactional and notification email) — we use Resend to send all of our non-marketing service emails, including your one-time login code, your welcome email, profile-completion reminders, and notifications about activity relevant to you (for example, a new message or an exhibition update). To deliver these emails, we share your email address and the content of the message with Resend. Resend processes this data on our behalf and does not use it for its own purposes. Resend, Inc. is US-headquartered; Standard Contractual Clauses (SCCs) apply as an additional safeguard.
We do not sell your data. We do not share your data with advertisers. We do not use your data for profiling or automated decision-making.
6. Data Retention
| Data | Retention period |
|---|---|
| Account data | Until you delete your account |
| Profile data and images | Until you delete your account |
| Messages and notifications | Until you delete your account |
| Pending consents (pre-registration) | Automatically deleted after account creation or after 30 days if unused |
| Analytics data (Google) | 14 months (Google Analytics default) |
| Anonymous analytics data (Vercel) | Retained in aggregated form only; individual visitor hashes are discarded after 24 hours |
| Marketing subscriber data (MailerLite) | Until you unsubscribe or delete your account |
| Server logs | 30 days |
When you delete your account, your profile data, images, and associated records are permanently removed within 30 days.
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data — request a copy of the data we hold about you
- Rectify inaccurate data — update your profile at any time through the app
- Erase your data — request deletion of your account and all associated data
- Restrict processing — ask us to limit how we use your data
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time — for marketing emails (via unsubscribe) or analytics cookies (via cookie settings in the footer)
To exercise any of these rights, contact us at hi@unne.io. We will respond within 30 days.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.
Our lead supervisory authority is the Office of the Data Protection Ombudsman (Finland): https://tietosuoja.fi
8. Data Security
We protect your data using industry-standard measures including encrypted connections (HTTPS/TLS), Row Level Security policies in our database ensuring users can only access their own data, secure authentication via a one-time login code sent to your email (no passwords stored), and access controls limiting who can access production systems.
9. Children
Unne is not intended for users under the age of 18. We do not knowingly collect data from minors.
10. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Significant changes will be communicated via email or an in-app notice. The "Last updated" date at the top indicates the most recent revision.