Your Data, Your Control.
Effective: 07.03.2026 · Version 1.0 · Last updated: 07.03.2026
1. Data Controller
Unilink Center MTÜ
Registry code: 80668249
Tallinn, Estonia
Email: info@unilinkcenter.com
Data Protection Officer: Otto Göcmen — info@unilinkcenter.com
2. Data We Collect
2.1 Unilink Platform Website
- Contact form: Name, email, message, user type — to respond to inquiries
- Waitlist form: User type selection — to manage early access
- GrantOS Demo: Grant goal text, organization type, budget — processed in real-time by AI, not stored after session
- Technical data: IP address (anonymized), browser type, pages visited — via Netlify server logs (14-day retention)
2.2 Navigator App
- Crisis data: SOS alerts, evidence files — AES-256 encrypted on device
- Location: Only when SOS is activated, only shared with designated contacts
- No account required: Navigator works without registration
2.3 GrantOS Service
- Organization data: Name, registry code, grant application content
- Usage data: Features used, compliance checks performed
3. Legal Basis (GDPR Art. 6)
- Consent (Art. 6(1)(a)): Waitlist signup, contact form submission
- Contract (Art. 6(1)(b)): Providing GrantOS services to subscribers
- Legitimate interest (Art. 6(1)(f)): Security monitoring, service improvement
- Legal obligation (Art. 6(1)(c)): Estonian accounting and tax requirements
4. Special Category Data (GDPR Art. 9)
Epilepsy AI processes health data (seizure patterns) only with explicit consent. This data is processed on-device using ONNX inference. No health data is transmitted to our servers without user action. Federated learning ensures model improvement without centralizing personal health data.
Navigator may collect data related to crisis situations. This data is encrypted (AES-256) and stored exclusively on the user's device. The user controls all sharing decisions.
5. Children's Data (GDPR Art. 8)
Navigator's Child Mode (ages 8–12) collects minimal interaction data. No personal identifiers are collected from children. Parental/guardian consent is required for account creation for users under 16 years of age, in accordance with Estonian law.
6. Data Sharing
We do not sell, rent, or trade your personal data. We share data only with:
- Anthropic (Claude API): GrantOS demo queries are processed by Anthropic's API. No personal identifiers are included in API requests.
- Netlify: Hosting provider. Server logs retained for 14 days.
- Google Workspace: Email processing.
No data is transferred outside the EU/EEA without adequate safeguards (Standard Contractual Clauses or adequacy decisions).
7. Data Retention
- Contact form data: 12 months, then deleted
- Waitlist data: Until service launch or withdrawal of consent
- GrantOS user data: Duration of subscription + 6 months
- Navigator crisis data: Controlled entirely by user (delete anytime)
- Server logs: 14 days (Netlify automatic)
- Accounting records: 7 years (Estonian Accounting Act)
8. Your Rights (GDPR Art. 15–22)
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data — "right to be forgotten" (Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive data in machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time without affecting prior processing (Art. 7(3))
To exercise any right, email otto@unilinkcenter.com. We respond within 30 days.
9. Security Measures (GDPR Art. 32)
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for sensitive data at rest (Navigator)
- HSTS with preload enabled
- Content Security Policy (CSP) headers
- API keys stored in environment variables, never in source code
- Rate limiting on all API endpoints
- Regular security audits aligned with OWASP Top 10
10. Cookies
This website does not use cookies for tracking or analytics. No third-party tracking scripts are loaded. Netlify may set essential technical cookies for security (DDoS protection). These are strictly necessary and do not require consent under GDPR.
11. Automated Decision-Making (GDPR Art. 22)
GrantOS uses AI (Claude API by Anthropic) to analyze grant compliance and generate recommendations. These are advisory outputs only — no automated decisions are made that produce legal effects. Final decisions rest entirely with the user.
12. EU AI Act Compliance
- GrantOS Evaluator: HIGH RISK — Annex IV documentation in progress
- Epilepsy AI: HIGH RISK — Annex IV + MDR compliance
- Navigator SOS: LIMITED RISK — transparency obligations met
- GrantOS for NGOs: MINIMAL RISK
Full compliance documentation available by 02.08.2026.
13. Complaints
If your data protection rights have been violated:
Andmekaitse Inspektsioon (AKI)
Estonian Data Protection Inspectorate
Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee · Web: www.aki.ee
14. Changes & Governing Law
We may update this policy to reflect changes in practices or legal requirements. Material changes will be communicated via our website. This Privacy Policy is governed by the laws of the Republic of Estonia. Disputes: Harju Maakohus (Tallinn District Court).
Data Protection Contact
Otto Göcmen — Data Protection Officer
Email: otto@unilinkcenter.com
Tallinn, Estonia