Privacy Policy

This policy explains what data Unpacked (unpacked.fyi) collects, why, and how we handle it. We comply with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

Data controller: Colin Fitzpatrick. Contact: hello@unpacked.fyi

What we collect

Information you provide

• Google account data: When you sign in via Google OAuth, we receive your name, email address, and profile photo. We do not receive your Google password.
• Profile information: Bio, social links (Twitter/X, LinkedIn, Medium) that you add in your settings.
• Articles and content: Questions you ask, articles generated, refinements you make, images you upload.
• Feedback: Votes, comments, and feedback you submit on articles.
• Applications: If you apply to the Founding Creators programme, your application reason.

Information collected automatically

• Usage data: Pages visited, articles viewed, features used, timestamps.
• Device information: Browser type, operating system, screen size.
• IP address: Used for rate limiting and basic geographic context. We do not use IP addresses for tracking or advertising.
• Cookies and local storage: We only use strictly necessary cookies required for authentication and core functionality. These do not require consent under applicable law. We use localStorage for UI preferences (e.g. dismissed prompts, voting state). We do not use tracking cookies or third-party advertising cookies.

Legal basis for processing

We process personal data under the following legal bases:

• Contract: to provide the service you signed up for
• Legitimate interests: to improve and secure the platform
• Legal obligations: where required by law
• Consent: where applicable (e.g. optional communications)

How we use your data

• To provide the service: Generate articles, manage your account, enforce rate limits and tier allowances.
• To improve the platform: Understand which features are used, identify bugs, improve article quality.
• To communicate with you: Service notifications, responses to your feedback, updates about your account or the platform.
• To display your content: Show your published articles on the platform, attribute them to your profile.

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties for their marketing purposes.

Third-party services

We use the following third-party services to operate the platform:

Supabase — Database, authentication, file storage. Receives account data, articles, uploaded images.

Vercel — Hosting. Receives server logs, IP addresses.

Google OAuth — Sign-in. Receives authentication tokens. We don't store your Google password.

Brave Search — Article research. Receives search queries, not linked to your identity.

Google Gemini — Article writing and fact-checking. Receives article content, not linked to your identity.

Anthropic (Claude) — Article planning and editorial review. Receives article content, not linked to your identity.

OpenAI — Fact-check arbitration. Receives article content, not linked to your identity.

Pexels and Unsplash — Image sourcing. Receives image search queries, not linked to your identity.

Stripe — Payment processing (when available). Receives payment details, handled entirely by Stripe. We don't store card numbers.

We do not intentionally include personal identifiers (such as your name or email) when sending content to AI providers unless required for service functionality.

International data transfers

Some of our service providers are located outside the European Economic Area (EEA). Where data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms approved by the European Commission.

Your rights (GDPR)

If you are in the EU/EEA, you have the right to:

• Access your personal data — request a copy of what we hold
• Rectify inaccurate data — update your profile in settings or contact us
• Delete your data — you can delete your account, which removes your profile data. Articles you've published can be set to private or deleted individually.
• Export your data — request a machine-readable copy of your data
• Restrict processing — request we limit how we use your data
• Object to processing — object to specific uses of your data
• Withdraw consent — where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, contact us at hello@unpacked.fyi. We will respond within 30 days.

Data retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion.
• Articles: Retained while your account is active. You can delete individual articles at any time. Published articles that have been shared externally may persist in search engine caches after deletion — we cannot control third-party caches.
• Usage logs: Retained for 12 months, then automatically deleted.
• API usage logs: Retained for 12 months for cost tracking, then automatically deleted. These contain token counts and costs, not personal data.

Data security

We use industry-standard security measures including encrypted connections (HTTPS), secure authentication (OAuth 2.0), server-side API keys, and row-level security on our database. However, no system is perfectly secure, and we cannot guarantee absolute security.

Children

Unpacked is not intended for users under 16. We do not knowingly collect data from children under 16. If we learn we have collected data from a child under 16, we will delete it promptly.

Changes to this policy

We may update this policy. We'll notify registered users of material changes via email. The “last updated” date at the top will always reflect the current version.

Contact

For privacy questions or to exercise your rights: hello@unpacked.fyi

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. In Ireland, this is the Data Protection Commission (www.dataprotection.ie).