Privacy Policy
Legal Entity
InboundLabs Interactive
PO BOX 188, Nassau, DE 19969-0188
United States
Contact (GDPR requests): tim@inboundlabs.co
Last updated: 15.05.2026
Scope
This policy covers:
- Website usage (unyak.me)
- Cookie and analytics tracking
- Account registration and onboarding
- Service delivery (code repository access)
Data We Collect
Website usage
- Page views, referrers, device/browser data
- Collected via analytics cookies only after consent is granted
Account and onboarding
- Name, email address (via GitHub OAuth through Clerk)
- Onboarding questionnaire responses
- Invite code used
Service delivery
- Access to GitHub repositories you explicitly connect
- Code, configuration files, and related content within those repositories
Form submissions
- Contact and company information
- Purpose: sales and marketing communication
Cookies
Analytics cookies are only set after explicit consent. You will be shown a consent banner on first visit. You may withdraw consent at any time by clicking "Cookie settings" in the footer.
No advertising or retargeting cookies are in use.
Data Processors
| Processor | Purpose | Transfer basis |
|---|---|---|
| Lovable (lovable.dev) | UI hosting and infrastructure | EU-US Data Privacy Framework |
| Clerk (clerk.com) | Authentication (GitHub OAuth) | EU-US Data Privacy Framework |
| PostHog (posthog.com) | Product analytics | EU-US Data Privacy Framework |
| Convex (convex.dev) | Backend database and real-time functions | Standard Contractual Clauses |
| Stripe / Inbound Labs (stripe.com) | Payment processing | EU-US Data Privacy Framework |
No data is sold to or shared with advertising networks.
Data Processing & Transfers
Data may be processed in the United States where the processors listed above operate. Transfers outside the EU/EEA are protected by the EU-US Data Privacy Framework (DPF) where the processor is certified, or by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) where DPF certification does not apply.
Legal Basis
| Processing activity | Legal basis |
|---|---|
| Analytics cookies | Consent (GDPR Art. 6(1)(a)) |
| Account creation and authentication | Contract (GDPR Art. 6(1)(b)) |
| Service delivery (repo access) | Contract (GDPR Art. 6(1)(b)) |
| Payment processing | Contract (GDPR Art. 6(1)(b)) |
| Sales and marketing communication | Legitimate interest (GDPR Art. 6(1)(f)) |
| Legal obligations | Legal obligation (GDPR Art. 6(1)(c)) |
Data Retention
| Category | Retention period |
|---|---|
| Account data | Duration of account + 3 years after closure |
| Transaction records | 7 years (US recordkeeping standard) |
| Support and service transcripts | 1 year after engagement close |
| Code snapshots and repository access | 30 days after engagement close, then deleted |
| Analytics data | 12 months rolling |
| Marketing communication records | Until opt-out, then 6 months |
Security
We implement appropriate technical and organisational measures including:
- Encrypted data transmission (TLS)
- Access controls limiting repository access to the assigned engineer only
- Deletion procedures post-engagement
Service Delivery and Data Processor Obligations
When you connect a GitHub repository, Unyak acts as a data processor. A Data Processing Agreement (DPA) is available on request at tim@inboundlabs.co. Engineers assigned to your engagement are bound by confidentiality obligations equivalent to those in the DPA.
Your Rights
You have the right to:
- Access your data
- Correct inaccurate data
- Request deletion
- Restrict or object to processing
- Request data portability
- Withdraw consent at any time
Requests: tim@inboundlabs.co — responded to within 30 days.
Supervisory Authority
InboundLabs Interactive is a US-based company primarily serving US customers. If you are located in the EU and have a complaint, you may contact your local data protection authority. A list is available at edpb.europa.eu.