İçeriğe atla

Bu sayfa senin dilinizde henüz mevcut değil — İngilizce sürümü gösteriyor.

Privacy Policy

How Unyo collects, uses, and protects your personal data.

Last updated: 5 May 2026


1. Introduction

1.1. Who we are

Unyo (the "Service", "we", "us", "our") is an AI-powered business assistant platform operated by:

Unyo SASU (Société par Actions Simplifiée Unipersonnelle, French simplified joint-stock company with a single shareholder)

  • Trading name: Unyo
  • SIREN: 104 459 391
  • SIRET (head office): 104 459 391 00017
  • Share capital: 100 EUR
  • APE / NAF code: 5829C — Édition de logiciels applicatifs
  • Registered address: 6 Rue d'Armaillé, 75017 Paris, France
  • Registry: Registre du Commerce et des Sociétés (RCS) Paris
  • Legal representative: Alperen Adil (President)
  • Date of incorporation: 30 April 2026
  • General contact: support@unyo.ai
  • Privacy / Data Protection contact: privacy@unyo.ai

Unyo SASU is the Data Controller for personal data processed through Unyo, as defined under the EU General Data Protection Regulation (GDPR) and equivalent legislation worldwide.

1.2. Scope of this Policy

This Privacy Policy describes how we collect, use, disclose, retain, and protect personal data when you use the Unyo web application (unyo.app), our marketing website (unyo.ai), and any related services.

1.3. Acceptance

By creating an account on Unyo or using the Service in any way, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

1.4. Age requirement

Unyo is strictly for users aged 18 or older. See Section 10 for details on children's privacy.


2. Information We Collect

2.1. Account Information

When you create a Unyo account, we collect:

  • Email address (used as account identifier)
  • First name, last name (optional)
  • Username (optional display name)
  • Password (stored as a one-way bcrypt hash — we never see or store your plaintext password)
  • Language preference, timezone, interface theme

2.2. OAuth Provider Data

Unyo integrates with third-party services via OAuth 2.0. For each integration you connect, we receive access tokens and the minimum data required to operate the integration. The scopes we request are:

ProviderScopesClassificationWhat it lets us do
Google Gmailhttps://www.googleapis.com/auth/gmail.modifyRestrictedRead, compose, send, and manage your Gmail messages and labels on your behalf
Google Calendarhttps://www.googleapis.com/auth/calendarSensitiveFull access to your Google Calendar — read your schedule, create/update/delete events on your explicit confirmation, and auto-create dedicated calendars for Ashley (social media posts schedule) and Maya (email schedule), plus a Company calendar for other agent events
Google Drivehttps://www.googleapis.com/auth/drive.fileNon-sensitiveRead and create files you explicitly select via Google Picker, and save app-generated files (such as briefing documents) into your Drive
Microsoft Outlookopenid, profile, email, offline_access, User.Read, Mail.Read, Mail.ReadWrite, Mail.SendStandardOpenID Connect (openid, profile, email) identifies your Microsoft account at sign-in; offline_access keeps the connection alive without re-prompting you every hour; User.Read returns your Microsoft profile (display name and verified email); Mail.Read and Mail.ReadWrite let Maya read your Inbox and create editable drafts; Mail.Send sends a message only after you explicitly confirm in the Unyo UI
Meta Facebookpages_show_list, pages_manage_posts, pages_read_engagement, read_insights, business_managementStandardList the Facebook Pages you manage, publish and manage posts on them, and read engagement / insights metrics for connected Pages. Requested via a standalone "Facebook Login for Business" flow — no Instagram data is accessed. business_management is included only because Meta's "Manage everything on your Page" use case requires it as a non-removable component; Unyo makes no Business Manager API calls and does not access your business assets, ad accounts, or other businesses — it is never used to read or modify anything beyond the Pages you explicitly connect.
Meta Instagraminstagram_business_basic, instagram_business_content_publish, instagram_business_manage_insightsStandardRead basic profile info (username, follower count, profile picture), publish posts / Reels / carousels to your connected Instagram Business or Creator account, and read post-level insights. Requested via the "Instagram API with Instagram Login" flow — no Facebook Page required.
LinkedInr_liteprofile, w_member_socialStandardRead your basic profile and publish posts on your feed
X (Twitter)tweet.read, tweet.write, users.read, offline.accessStandardRead your handle, read and publish posts
Slackchat:write, channels:readStandardPost messages to channels you select
Trello (Atlassian)read, writeStandardRead and create boards, lists, and cards you own
Notionread_user, read_content, update_content, insert_contentStandardRead and create pages inside the workspace you authorize
Shopifyread_products, read_orders, read_customersStandardRead your store's product catalog, order history, and customer list
Striperead_write (used read-only)StandardLets Blake (Data Analyst) report your connected Stripe account's revenue analytics — payments, balance, and payouts. Requested via Stripe Connect Standard OAuth. Stripe only offers the narrower read_only scope to platforms that obtain its prior approval, so the OAuth grant requests read_write; Unyo's implementation is read-only by construction — it exposes only read operations (get_revenue_summary, list_recent_charges, get_balance, list_payouts) and has no code path that creates a charge, refund, payout, or any write to your Stripe account.

OAuth access tokens and refresh tokens are encrypted at rest using PostgreSQL pgcrypto PGP symmetric encryption before being stored.

2.3. Content You Provide

When you use Unyo, you may provide:

  • Chat messages to our AI agents (Maya, Ashley, Tyron, Alex, Riley, Sam, Lucy, Blake, Ema)
  • Brain entries you save to your personal knowledge base (Neural Core): contacts, products, offers, notes, URLs, files
  • Uploaded files: images, PDFs, documents for agents to analyze or attach to outgoing messages
  • Configuration: branding (logo, colors, tagline), signature, automation rules, preferred agent personality

2.4. Derived Information

Unyo generates derived data based on your content to make the service useful, including:

  • AI-generated conversation titles, summaries, classifications
  • Extracted entities (e.g. people, companies, products mentioned in messages)
  • Email classification tags (urgent, promotional, newsletter, etc.)
  • Vector embeddings for semantic search over your Neural Core

This derived data is linked to your account and purged on the same schedule as the source content.

2.5. Technical Data

We automatically collect limited technical data needed to run the Service:

  • IP address (temporarily, for security and rate limiting)
  • Browser type, operating system (user agent string)
  • Session tokens (JWT, stored in browser cookies, expire after session)
  • Geolocation at country-level only (via geolocate-user edge function, for timezone defaults)
  • Error logs and trace IDs (7-day retention)

We do not collect precise location, device fingerprints, or cross-site tracking data.


3. Google Limited Use Policy

3.1. Application

This section governs our use of data obtained from Google APIs (Gmail, Calendar, Drive). Unyo's access to Google user data complies with the Google API Services User Data Policy, including its Limited Use requirements. The English wording of the four Limited Use clauses is reproduced verbatim below, as required by Google.

3.2. Limited Use clauses (verbatim)

(a) Only use access to read, write, modify, or control Gmail message bodies, metadata, headers, and settings to provide a web email client that allows users to compose, send, read, and process emails, and does not transfer this Gmail data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.

(b) Not use this Gmail data for serving advertisements.

(c) Not use this data for any other purpose.

(d) Only transfer this data to others if necessary to provide or improve user-facing features that are prominent in the requesting application's user interface, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.

3.3. No AI training on Google data

Unyo does not use Gmail, Google Calendar, or Google Drive data to train any AI model, including OpenAI models, Anthropic models, Google Gemini, or any other third-party AI. When we process Google user data through these AI providers (for example, to draft an email reply), we do so under enterprise terms that prohibit the provider from training on or retaining the data beyond the immediate response.

3.4. AI provider commitments

AI providerTraining commitmentDefault retention
OpenAI (API, gpt-4.1)No training on API data (OpenAI API default policy)Up to 30 days for abuse monitoring, opt-out available
Anthropic (API, claude-haiku-4-5)No training on API data by defaultNot retained beyond immediate response
Google Gemini (Vertex AI, paid tier, gemini-2.5-flash)No training on data, no retentionNot retained

4. How We Use Your Information

We process your personal data for the following purposes:

4.1. Service provision

  • Powering our AI agents (chat, drafting, scheduling, analysis)
  • Executing integrations on your behalf (sending emails, posting to social networks, creating records in connected apps)
  • Storing your Neural Core for personalized assistance

4.2. AI processing

We send relevant slices of your content to the AI providers listed in Section 3.4 to generate responses, classifications, or summaries. No data is shared with any AI provider beyond what is strictly necessary to complete the immediate task you initiated.

4.3. Account management and support

  • Authenticating your access
  • Sending transactional emails (password reset, security notifications)
  • Responding to support requests and bug reports
  • Detecting and preventing abuse, fraud, and security incidents
  • Complying with legal obligations (subpoenas, tax, accounting)

We rely on the following legal bases under Article 6 GDPR:

  • Contract (Art. 6(1)(b)): to deliver the Service you signed up for
  • Consent (Art. 6(1)(a)): for each OAuth integration you connect; you can withdraw consent by disconnecting the integration in Settings
  • Legitimate interests (Art. 6(1)(f)): for security, abuse prevention, and service improvement
  • Legal obligation (Art. 6(1)(c)): for tax records, legal holds, and regulatory responses

5. AI Processing Disclosure

5.1. AI providers and their roles

ProviderModelUsed for
OpenAI (API)gpt-4.1Agent chat, content generation, intent classification
Anthropic (API)claude-haiku-4-5Specific agents and fallback when OpenAI is unavailable
Google Cloud (Vertex AI, paid tier)gemini-2.5-flashCalendar notifications, Gmail draft generation, inbox classification, email compose assistance

5.2. What we send to AI providers

Only the data necessary for each task is sent, for example:

  • For a chat message: your message + short conversation history + relevant Neural Core snippets
  • For a Gmail draft: the email body or thread you chose + your signature + brand tone
  • For inbox classification: email subject, sender, preview (no attachments sent to AI)

5.3. What we do not do

  • We never train any AI model on your data.
  • We never allow AI providers to train on your data (enforced by their API terms / opt-out).
  • We never sell or share your data with AI providers for purposes other than fulfilling your immediate request.

6. Data Sharing and Subprocessors

We engage each subprocessor under a Data Processing Agreement (DPA) that binds them to GDPR-level data protection obligations. In most cases, the DPA is incorporated by reference into the subprocessor's standard Terms of Service, which we accept when creating our account (a "clickwrap DPA" valid under GDPR Article 28). The table below indicates the form each DPA takes.

SubprocessorRolePrimary locationDPA form
Supabase (Supabase Inc. / Supabase EU)PostgreSQL database, authentication, file storage, edge functionsEU (Paris / Frankfurt region)DPA in place (Supabase DPA, available on request)
Vercel (Vercel Inc.)Frontend hosting (CDN + serverless edge)US (global CDN)DPA in place (Vercel DPA)
OpenAI (OpenAI LLC)AI model inference (gpt-4.1)USDPA in place (OpenAI API Data Processing Addendum)
Anthropic (Anthropic PBC)AI model inference (claude-haiku-4-5)USDPA in place (Anthropic Commercial Terms with data processing provisions)
Google Cloud (Google LLC, Vertex AI)AI model inference (gemini-2.5-flash paid tier)US / EU (data residency configurable)DPA in place (Google Cloud Data Processing Addendum)
Google Workspace APIs (Google LLC)Gmail / Calendar / Drive integration when you connectUSGoverned by Google API Services User Data Policy (includes DPA provisions)
Microsoft (Microsoft Corporation)Outlook integration when you connectUS / EUGoverned by Microsoft Online Services DPA (auto-applicable)
Meta Platforms (Meta Platforms Inc.)Facebook / Instagram integration when you connectUSGoverned by Meta Platform Terms and Developer Data Policies
LinkedIn (LinkedIn Corporation, Microsoft subsidiary)LinkedIn integration when you connectUSGoverned by LinkedIn API Terms of Use
X Corp.X (Twitter) integration when you connectUSGoverned by X Developer Agreement and Policy
Slack Technologies (Slack Technologies LLC, Salesforce subsidiary)Slack integration when you connectUSGoverned by Slack API Terms of Service
Atlassian (Atlassian Pty Ltd)Trello integration when you connectUSGoverned by Atlassian Customer Agreement
Notion (Notion Labs Inc.)Notion integration when you connectUSGoverned by Notion API Terms of Use
Shopify (Shopify Inc.)Shopify integration when you connectCanada / USGoverned by Shopify Partner Program Agreement
Serper (Serper.dev)Web image search — receives only the agent-generated search query (no account data, no Google user data, no personal identifiers)USGoverned by Serper Terms of Service
Tavily (Tavily Inc.)Web search fallback — receives only the agent-generated search query (no account data, no Google user data, no personal identifiers)USGoverned by Tavily Terms of Service
LiveKit (LiveKit Inc., LiveKit Cloud)Real-time voice transport (WebRTC) — carries the call audio and control messages while you are in a voice conversationUSGoverned by LiveKit Terms of Service (DPA provisions)
Deepgram (Deepgram Inc.)Speech-to-text — transcribes your spoken audio into text during a voice callUSGoverned by Deepgram Terms of Service (DPA provisions)
ElevenLabs (ElevenLabs Inc.)Text-to-speech — synthesizes the assistant's reply into spoken audio (per-agent voice) during a voice callUSGoverned by ElevenLabs Terms of Service (DPA provisions)
Inworld (Inworld AI, Inc.)Text-to-speech (alternative voice engine) — synthesizes the assistant's reply into spoken audio during a voice callUSGoverned by Inworld Terms of Service (DPA available on the paid tiers)
Railway (Railway Corp.)Hosts the voice agent worker and a self-hosted run-or-skip classification model (Qwen); the classifier receives only your last message, the assistant's reply, and the agent id — no tokens, no stored dataUSGoverned by Railway Terms of Service
Stripe (Stripe Inc.)(a) Payment processing — will be activated when paid plans launch; (b) revenue-analytics integration when you connect your own Stripe account (Stripe Connect OAuth; grant read_write as Stripe gates the narrower read_only scope, but Unyo performs read operations only) so Blake can report your sales/balance/payoutsUS / EUDPA in place (Stripe Services Agreement with DPA provisions)
E2B (E2B Inc.)Ephemeral code-execution sandboxes — runs short agent-generated Python for data computation and image compositing. Receives only the code and the business data strictly needed for the computation (rows/images you asked to analyse); never OAuth tokens or credentials (blocked technically), never Gmail/Drive/Calendar content. Sandboxes are internet-disabled, single-task, and permanently destroyed after each run. SOC 2 Type II; hosted on Google Cloud (US)USGoverned by E2B Terms of Service (DPA available via the E2B trust center)

6.1. Analytics

We currently use no marketing or product analytics tools. We may introduce Google Analytics on unyo.ai (the marketing site only) in the future, together with a GDPR-compliant cookie consent banner. This Policy will be updated accordingly before any such rollout.

6.2. No sale of personal data

We do not sell personal data to third parties, as that term is defined under the California Consumer Privacy Act (CCPA), the Virginia CDPA, or any equivalent legislation.

6.3. International transfers

Transfers of personal data from the EU/EEA to subprocessors located outside the EU/EEA are governed by:

  • The EU-US Data Privacy Framework (where the subprocessor is certified) and/or
  • The Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914), or
  • Equivalent safeguards approved by the competent authority.

Countries where your data may be processed: France, EU/EEA, United States, Canada.

6.4. Voice mode

When you use voice mode, your spoken audio is streamed to Deepgram for real-time transcription, and the assistant's reply is sent to ElevenLabs to be synthesized into speech (each agent has its own voice). LiveKit provides the underlying real-time transport, and the voice worker — together with a lightweight run-or-skip classifier (a self-hosted model) — runs on Railway. These services process voice-conversation content solely to operate the voice feature, under the DPA form indicated in the table above. Voice transcripts are stored in your account like any other conversation and are subject to the retention and deletion rules in Sections 7 and 8.


7. Data Retention

We retain data only for as long as needed to deliver the Service or to comply with our legal obligations. The following schedules are enforced automatically by a daily retention cron (run_retention_purge):

Data typeRetentionMechanism
Chat conversations + messages (all agents)90 days after last activityAutomatic daily purge via chat_conversations.updated_at
Cached emails (Gmail / Outlook local cache)30 days after cache creationAutomatic daily purge
Technical logs (MCP debug, cron execution history)7 daysAutomatic daily purge
Neural Core entries (contacts, brain entries, folders, files)Until account deletionPurged only on explicit user action or account deletion
Uploaded files in Storage (chat attachments, email attachments, brain files, offer images, brand logos, signatures, social media assets)Until account deletionPurged only on explicit user action or account deletion
OAuth access and refresh tokensUntil integration disconnect or account deletionPurged immediately on disconnect
Account data (profile, settings, preferences)Until account deletionPurged within 30 days of a deletion request; most is deleted immediately
Audit logs (retention_log)365 daysSelf-pruning
Billing and accounting records (once paid plans launch)Retention imposed by French law (generally 10 years for invoicing)Archived beyond normal retention

7.1. Account deletion

You can delete your account at any time from Settings → Account → Delete my account. Our delete-account flow:

  1. Revokes OAuth tokens at the 7 providers that offer a revocation endpoint (Google Gmail, Google Drive/Calendar services, Meta, X, Slack, Shopify).
  2. Deletes all user-scoped rows across 72 database tables via a single atomic SQL function (admin_purge_user_rows).
  3. Purges all your files across the 8 user-scoped Storage buckets.
  4. Deletes your authentication record.
  5. For providers without a programmatic revocation endpoint (Microsoft Outlook, LinkedIn, Trello, Notion), the final confirmation screen gives you a direct link to each provider's dashboard so you can revoke manually.

All deletions complete within 30 days of the deletion request; in practice the entire flow runs in under 10 seconds.

7.2. Per-integration disconnect

You can disconnect any single OAuth integration at any time from Settings → Integrations without deleting your account. When you disconnect an integration:

  1. Your OAuth tokens for that integration are purged from Unyo's database immediately — Unyo loses all ability to call the provider's APIs on your behalf.
  2. Cached data local to that integration (for example cached Gmail/Outlook email metadata for a disconnected mailbox) is purged on its normal schedule.
  3. The OAuth grant at the provider's side is not programmatically revoked for per-integration disconnects. This is intentional: Unyo uses a single OAuth client per provider, so revoking one service's token at the provider would invalidate the grant for every other service you have connected with the same provider (e.g. disconnecting Gmail would also revoke Drive and Calendar).

If you want to fully revoke Unyo's access at the provider side after a per-integration disconnect, you can do so at any time from the provider's own account settings:

The Account deletion flow (§7.1) always revokes at the provider side for the seven providers that support it, so no manual step is needed if you delete your account.


8. Your Rights

Depending on your location, you may have the following rights. To exercise any right, email privacy@unyo.ai with a brief description of your request and proof of identity (so we do not disclose data to impostors).

8.1. GDPR rights (EU/EEA, UK, Switzerland)

Under Articles 15–22 GDPR, you have the right to:

  • Access (Art. 15) — Obtain a copy of the personal data we hold about you.
  • Rectification (Art. 16) — Correct inaccurate or incomplete data.
  • Erasure / "Right to be forgotten" (Art. 17) — Delete your data (most easily done via the in-app Delete my account flow; see Section 7.1).
  • Restriction (Art. 18) — Limit how we process your data.
  • Portability (Art. 20) — Receive your personal data in a commonly used, machine-readable format. To request an export, email privacy@unyo.ai. We will provide your data in a standard format (such as JSON or CSV) within 30 days of the verified request. We are working on a self-service data export feature in the app Settings, which will supersede the email-based process above once available.
  • Object (Art. 21) — Object to processing based on legitimate interests.
  • Withdraw consent (Art. 7) — Disconnect any OAuth integration at any time from Settings → Integrations.
  • Lodge a complaint with your national data protection authority. For France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés), https://www.cnil.fr/.

8.2. CCPA / CPRA rights (California residents)

  • Right to know what personal information we collect and for what purpose
  • Right to delete personal information
  • Right to opt-out of sale (we do not sell personal data)
  • Right to non-discrimination for exercising your rights

8.3. LGPD rights (Brazilian residents)

Equivalent rights under the Lei Geral de Proteção de Dados (Law No. 13.709/2018), including access, correction, anonymization, blocking, deletion, portability, and withdrawal of consent.

8.4. Response times

We respond to verified requests within 30 days. Complex requests may require up to 60 additional days, in which case we will inform you of the extension.


9. Data Security

We implement industry-standard technical and organizational measures to protect your data, including:

9.1. Encryption

  • At rest: OAuth access tokens and refresh tokens are encrypted using PostgreSQL pgcrypto PGP symmetric encryption before being stored.
  • In transit: All traffic to and from Unyo uses TLS 1.2 or higher.

9.2. Access control

  • Row-Level Security (RLS) policies on every user-scoped table. A user can never read another user's data.
  • SECURITY DEFINER functions gate all privileged operations (token decryption, user purge, admin actions).
  • Multi-Factor Authentication (MFA) on all administrator accounts (Supabase, Google Cloud, Vercel).

9.3. Audit and monitoring

  • Source code is version-controlled on GitHub with branch protection on main.
  • Database changes go through reviewed SQL migrations.
  • Edge function deployments are logged and versioned.
  • Storage and database access is logged by Supabase.

9.4. Limitations

No online service can be made perfectly secure. We use reasonable, industry-standard measures, but we cannot guarantee the absolute security of your data. If we become aware of a personal data breach affecting you, we will notify you without undue delay and, where required, notify the CNIL within 72 hours in accordance with Article 33 GDPR.


10. Children's Privacy

Unyo is intended for users aged 18 or older. We do not knowingly collect personal data from children under 18.

10.1. Parental action

If you are a parent or guardian and believe your child has provided personal data to Unyo, please contact privacy@unyo.ai. We will verify the claim and delete the data within 30 days.

10.2. Age verification

We rely on your representation at sign-up that you are at least 18. We reserve the right to request proof of age if there is reasonable doubt. Accounts identified as belonging to minors are deleted immediately.

10.3. Applicable laws

This Section addresses obligations under the Children's Online Privacy Protection Act (COPPA) in the United States, the UK Age-Appropriate Design Code, and the age-based provisions of the GDPR (Art. 8).


11. International Data Transfers

Unyo is operated from France (EU/EEA). Some subprocessors are located outside the EU/EEA; see Section 6 for the full list and the legal safeguards that apply. Your data may be processed in the following countries: France, other EU/EEA member states, United Kingdom, United States, Canada.

We do not transfer personal data to jurisdictions without adequate protection unless one of the following safeguards is in place: an adequacy decision, Standard Contractual Clauses (SCCs), or the EU-US Data Privacy Framework (for certified US recipients).


12. Cookies and Tracking

12.1. Web application (unyo.app)

We use strictly necessary cookies only to maintain your authenticated session. These cookies cannot be disabled without breaking the Service.

12.2. Marketing website (unyo.ai)

The marketing website currently does not set analytics, advertising, or tracking cookies. If we introduce analytics (e.g. Google Analytics) in the future, we will:

  1. Display a GDPR-compliant cookie consent banner.
  2. Load analytics only after you have given explicit consent.
  3. Honor opt-out choices across sessions.

12.3. No third-party advertising

Unyo does not serve third-party advertising on any of its properties. We do not use tracking pixels or cross-site tracking technologies.


13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or in applicable law.

13.1. Notification

For material changes (e.g. a new category of data, a new subprocessor with broader access, a change to retention), we will notify affected users by email sent to the address on your account, at least 30 days before the change takes effect.

13.2. Non-material changes

For clarifications, typography, or minor wording improvements, we will update the "Last updated" date at the top of this document without individual notice.

13.3. Continued use

Continued use of Unyo after a change takes effect constitutes acceptance of the updated Policy. If you do not agree, you may delete your account at any time (see Section 7.1).


14. Contact

For any question, concern, or request relating to this Privacy Policy or your personal data:

  • General support: support@unyo.ai
  • Privacy and Data Protection: privacy@unyo.ai
  • Postal address: Unyo SASU, 6 Rue d'Armaillé, 75017 Paris, France
  • SIREN: 104 459 391
  • SIRET (head office): 104 459 391 00017
  • RCS: Paris

If you are in the EU/EEA and are not satisfied with our response, you may lodge a complaint with your national data protection authority. For France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL), https://www.cnil.fr/.


This Privacy Policy is published at https://unyo.ai/policies/privacy and governs the use of Unyo on and after 5 May 2026.