GDPR Policy
UnoLock GDPR Compliance Policy
1.1 Introduction
Techsologic Incorporated (Corporation Number 734340-0, headquartered at 150 Elgin Street, 8th Floor, Ottawa, ON K2P 1L4, Canada), provider of the UnoLock platform, including all services, features, applications, and websites (collectively, the "Services"), is committed to complying with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA) and those subject to GDPR. This GDPR Compliance Policy governs the processing of personal data, emphasizing Absolute Anonymity and minimal data collection, as aligned with the UnoLock Terms of Service ("Terms"), Section 9 (Privacy and Anonymity), and the Privacy Policy at https://www.unolock.com/policies. Techsologic Incorporated ("Techsologic," "we," "us," or "our") ensures GDPR compliance while maintaining our zero-knowledge, stateless architecture for all users, including LegacyLink nominees, as defined in Section 3 (Services Overview) of the Terms.
1.2 Scope and Commitment
This policy applies to any personal data processed by Techsologic in connection with the Services for EEA users. UnoLock's zero-knowledge architecture minimizes data collection: no personally identifiable information (PII) is collected unless voluntarily provided for feedback or support, as per Section 9.3 (No PII Collection) of the Terms. Third-party payment processors (e.g., Stripe) handle financial data under their own GDPR-compliant frameworks, as per Section 9.4 (Payment Anonymity) of the Terms. We are committed to protecting user privacy and ensuring GDPR rights are upheld where applicable.
1.3 GDPR Principles
UnoLock's minimal data processing aligns with GDPR principles, tailored to our zero-knowledge model:
- Lawfulness, Fairness, and Transparency: Any personal data (e.g., email addresses for support) is processed with user consent, transparently communicated via this policy and the support portal at https://www.unolock.com/support.
- Data Minimization: No PII is collected unless voluntarily provided for feedback or support, and only necessary data is processed, as per Section 9.3 of the Terms.
- Purpose Limitation: Data is used solely for addressing inquiries, improving services, or complying with legal obligations, as per Section 1.4 (Communication Data Management) of the Privacy Policy.
- Accuracy: Users may correct inaccurate data by contacting support@unolock.com.
- Storage Limitation: Data is retained only as long as necessary, per the Data Retention Policy at https://www.unolock.com/policies.
- Integrity and Confidentiality: Data is protected with AES-256-GCM encryption, TLS 1.3, and post-quantum cryptography, as per Section 6 (Data Security and Encryption) of the Terms.
You must ensure lawful use of the Services, as per Section 5.5 (Compliance with Laws) of the Terms.
1.4 Rights of Data Subjects
EEA users have the following GDPR rights over personal data provided to Techsologic (e.g., via support inquiries):
- Access: Request access to your data.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion, subject to legal retention requirements.
- Restriction: Restrict processing in certain cases.
- Data Portability: Receive data in a structured, machine-readable format, where feasible.
- Objection: Object to processing for specific purposes.
Requests can be made to the Data Protection Officer at support@unolock.com. Due to our zero-knowledge architecture, vault data cannot be accessed or provided, as per Section 9.2 (Zero-Knowledge Architecture) of the Terms.
Responses will be provided according to the following service level agreements (SLAs):
- Critical Requests (data breach notification, emergency access): Within 24 hours
- High Priority Requests (data subject access, rectification, erasure, restriction, portability, objection): Within 72 hours
- Medium Priority Requests (GDPR compliance inquiries, policy questions): Within 7 days
- Low Priority Requests (general inquiries, informational requests): Within 14 days
These timeframes comply with GDPR Article 12(3), which requires responses "without undue delay and in any event within one month of receipt of the request." Techsologic commits to exceeding this standard by providing faster responses based on request urgency.
In cases where request complexity requires additional time, we will inform you within the initial response period and provide an estimated completion date, not to exceed 30 days total as permitted by GDPR Article 12(3).
1.5 Data Protection Officer
Techsologic has appointed a Data Protection Officer (DPO) to oversee GDPR compliance and address data privacy concerns. Contact the DPO at:
- Email: support@unolock.com
- Mail: Techsologic Incorporated, 150 Elgin Street, 8th Floor, Ottawa, ON K2P 1L4, Canada
The DPO ensures protection of any personal data and compliance with GDPR requirements.
1.5.1 EU Representative (GDPR Article 27)
As a Canadian company processing personal data of EU residents, Techsologic Inc. has designated an EU Representative as required by GDPR Article 27. EU residents and data protection authorities may contact our EU Representative regarding GDPR-related matters:
- Name: Max Böhm
- Address: Winterstrasse 4, 22765 Hamburg, Germany
- Email: max@techsologic.com
Our EU Representative can be contacted for any GDPR-related inquiries, including:
- Exercising your data subject rights (access, rectification, erasure, restriction, portability)
- Filing complaints about our data processing practices
- Requesting information about our GDPR compliance procedures
- Inquiries from EU data protection authorities
Please note that our EU Representative acts as a contact point for GDPR matters within the European Union and will forward your inquiry to Techsologic Inc. for handling. You may also contact our Data Protection Officer directly at: support@unolock.com
1.6 Data Breaches
In the event of a personal data breach, Techsologic will:
- Notify relevant EEA supervisory authorities within 72 hours, as required by GDPR.
- Inform affected users promptly via email or https://www.unolock.com/support.html, where feasible, detailing the breach and mitigation steps.
- Leverage our zero-knowledge architecture to ensure vault data remains secure, as per Section 6 (Data Security and Encryption) of the Terms.
Techsologic is not liable for breaches due to user actions, as per Section 10 (Limitations of Liability) of the Terms.
1.7 Third-Party Processors (Subprocessors)
Techsologic engages the following GDPR-compliant subprocessors to provide the Services:
Infrastructure & Hosting
Amazon Web Services (AWS)
- Services: S3 storage, Lambda compute, CloudWatch monitoring, Route 53 DNS, CloudFront CDN, CodePipeline build system
- Locations: AWS S3 buckets across ca-central-1 (Canada), us-east-1 (United States), ap-southeast-2 (Australia), sa-east-1 (Brazil), ap-northeast-1 (Japan), me-central-1 (United Arab Emirates), il-central-1 (Israel), eu-central-1 (Germany), eu-north-1 (Sweden), eu-south-2 (Spain), eu-west-3 (France), ap-northeast-2 (South Korea), ap-south-1 (India), eu-west-1 (Ireland), eu-central-2 (Switzerland), and eu-west-2 (United Kingdom), with multi-region access points replicating across us-east-1↔ap-south-1, us-east-1↔eu-west-1, eu-west-1↔ap-southeast-2, ap-south-1↔eu-west-1, us-east-1↔ap-southeast-2, and ap-south-1↔ap-southeast-2.
- Data Processing Agreement: AWS GDPR Data Processing Addendum in place
- Standard Contractual Clauses: AWS implements Standard Contractual Clauses (SCCs) for EEA data transfers
- Purpose: Infrastructure hosting, encrypted vault storage, system monitoring, content delivery
- Website: aws.amazon.com/compliance/gdpr-center
Google Workspace
- Services: Email hosting (support@unolock.com)
- Location: United States (distributed infrastructure)
- Data Processing Agreement: Google Workspace GDPR Data Processing Terms in place
- Standard Contractual Clauses: Google implements SCCs for EEA data transfers
- Purpose: Email communication for voluntary support inquiries only (not linked to vaults)
- Website: cloud.google.com/privacy/gdpr
Payment Processing
Stripe, Inc.
- Services: Credit card payment processing
- Location: United States and Ireland
- Data Processing Agreement: Stripe Data Processing Addendum with Standard Contractual Clauses
- Purpose: Processing subscription payments (completely isolated from vault data via payment anonymity system)
- Website: stripe.com/legal/dpa
Bitcoin Network
- Services: Cryptocurrency payment processing
- Location: Decentralized public blockchain
- Data Processing Agreement: Not applicable (decentralized network, no data processor)
- Purpose: Alternative payment method with enhanced anonymity
- Note: Bitcoin transactions are processed on a decentralized public ledger without a central data controller
Important Notes About Subprocessors
Zero-Knowledge Isolation: All subprocessor data processing is completely isolated from vault contents. Due to our zero-knowledge architecture, subprocessors cannot access encrypted vault data, even if they wanted to. Vault encryption occurs client-side before any data reaches our infrastructure.
Payment Anonymity: Payment processors (Stripe, Bitcoin Network) cannot identify which vault a payment is associated with, as per Section 9.4 (Payment Anonymity) of the Terms. Payment data is isolated from vault data through our payment anonymity system.
Email Communication: Google Workspace only processes email sent voluntarily to support@unolock.com. This communication is separate from vault access and usage, as per Section 1.4 (Communication Data Management) of the Privacy Policy.
Data Processing Agreements: All subprocessors listed above maintain GDPR-compliant Data Processing Agreements (DPAs) covering:
- Standard Contractual Clauses (SCCs) for data transfers outside the EEA
- Security measures and breach notification obligations under GDPR Article 33
- Subprocessor rights and obligations under GDPR Article 28
- Confidentiality requirements and data protection safeguards
Changes to Subprocessors: We will notify users 30 days in advance before engaging new subprocessors or making material changes to existing subprocessor arrangements, as required by GDPR Article 28(2). Notifications will be posted at https://www.unolock.com/support.html. Continued use of the Services after the notification period constitutes acceptance of the new subprocessor.
Subprocessor Transparency: You may view our complete, up-to-date subprocessor list at any time by reviewing this section. We maintain transparency about all third-party processors handling any aspect of the Services.
User Responsibilities: You must comply with third-party processor policies when interacting with their services (e.g., Stripe's terms when making payments), as per Section 5.6 (User Responsibilities) of the Terms.
Note: Affiliate program payments (Trolley, PayPal) are governed by separate Affiliate Terms and do not process user vault data or personal information from UnoLock users.
1.8 Data Transfers
Personal data provided to Techsologic (e.g., support emails) may be transferred outside the EEA (e.g., to Canada), where adequate protection is ensured under PIPEDA, recognized by the EU as equivalent. Vault data remains encrypted and inaccessible, as per Section 9.2 of the Terms, ensuring GDPR-compliant transfers.
1.9 Policy Modifications
Techsologic may revise this policy, as per Section 14 (Modifications to Terms) of the Terms. Material changes will be notified via https://www.unolock.com/support.html with 30 days' notice, where feasible. Continued use constitutes acceptance, as per Section 14.5 of the Terms.
1.10 Contact Information
For GDPR-related inquiries or to exercise your rights, contact:
- Mail: Techsologic Incorporated, 150 Elgin Street, 8th Floor, Ottawa, ON K2P 1L4, Canada
- Email: support@unolock.com
- Security Reports: https://www.unolock.com/support.html
- Support Portal: https://www.unolock.com/support.html