Privacy Policy.
At UnaFortis, we are committed to protecting the privacy, security, and integrity of all personal data we process for our business operations. We design our systems and services according to the principles of privacy by design, data minimization, and purpose limitation, and maintain governance practices that are aligned with the EU GDPR, NIS2, DORA, and Whistleblowing Directive, and relevant ISO/IEC standards including 27001, 27701 and 42001. Our website does not display a cookie banner as we do not collect, track or store any personal data from you when you visit us online.
This Privacy Policy explains how and why we process personal data, and the privacy rights individuals can exercise towards.
Personal Data for Our Business Operations.
Our personal data processing is limited to those categories required to deliver our services, manage our partner network, and operate our business:
- Professional contact information (e.g., name, role, business email, business phone number)
- Organizational details (e.g., employer, department, responsibilities)
- Communications data (e.g., business emails, meeting notes, support requests)
- Contractual and commercial information (e.g., agreements, service records, partner interactions)
- Compliance‑related information where required by law or regulation.
We do not process special categories of personal data unless legally required.
Legal Basis for Processing.
We only process personal data where a lawful basis exists under the GDPR, including:
Legitimate Interest. After conducting assessments to ensure our interests do not override the rights and freedoms of individuals, we process personal data for:
- Managing and supporting our partner network
- Delivering and improving our AI‑Guidance Systems and related services
- Ensuring the security, integrity, and resilience of our systems
- Conducting business communications and relationship management
- Meeting corporate governance, audit, and risk‑management obligations.
Contractual Necessity. We process personal data required to enter into, perform, or administer contracts with customers, partners, and suppliers.
Legal Obligations. We process personal data where required to comply with applicable laws, regulations, and supervisory requirements.
How We Use Personal Data.
We only use personal data for clearly defined business purposes, including:
- Providing, maintaining, and supporting UnaFortis products and services
- Managing partner relationships and commercial engagements
- Conducting due diligence, risk assessments, and compliance activities
- Ensuring system security, auditability, and operational integrity
- Managing financial, administrative, and contractual processes
- Responding to enquiries, support requests, and communications
We do not use personal data for automated decision‑making that produces legal or similarly significant effects.
Data Sharing and Disclosure.
We do not sell or trade personal data. To comply with our legal obligations, we may share personal data with:
- Trusted service providers who support our operations (e.g., secure hosting, communications, compliance tooling)
- Professional advisers (e.g., legal, audit, regulatory)
- Regulators or authorities where required by law
- Partner organisations where necessary to deliver contracted services
All third parties are subject to strict confidentiality, security, and data processing obligations.
International Data Transfers.
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including transfer impact assessments, Standard Contractual Clauses (SCCs), Adequacy Decisions, and additional technical and organizational measures, as necessary.
Data Retention.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:
- Contractual and commercial obligations
- Legal and regulatory requirements
- Audit, compliance, and risk‑management needs
Retention periods are defined in our internal data‑retention schedule.
Data Security.
We maintain a comprehensive security and governance framework aligned with:
- ISO/IEC 27001 (Information Security Management)
- ISO/IEC 27701 (Privacy Information Management)
- ISO/IEC 42001 (AI Management)
- ISO 37001 (Anti‑Bribery Management)
- GDPR, NIS2 and DORA requirements
Our information security controls to protect the confidentiality, integrity and availability of personal data include:
- Encryption in transit and at rest
- Access control and least‑privilege principles
- Continuous monitoring and incident response
- Secure development and deployment practices
- Vendor and supply‑chain risk management
Your Privacy Rights.
You have the following rights towards us under EU GDPR:
- Right of Access. You can request confirmation of whether we process your personal data and an explanation of how and why we process this data.
- Right to Rectification. You can ask us to correct or update any personal data that is inaccurate, incomplete, or outdated.
- Right to Erasure. You can request the deletion of your personal data where there is no longer a lawful basis for us to retain or process it.
- Right to Restriction of Processing. You can ask us to limit the use of your personal data in specific circumstances.
- Right to Data Portability. You can request a copy of your personal data in a structured, commonly used, machine‑readable format.
- Right to Object. You can object to our processing of your personal data unless we can demonstrate compelling grounds that override your rights.
You can exercise your privacy rights towards us through our security and compliance channel: Concerns@UnaFortis.com
