1. Introduction
Unheadless ("Unheadless," "we," "us," or "our") operates the Unheadless platform at app.unheadless.com. This Privacy Policy describes how we collect, use, share, and protect your personal information when you use our Service.
By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and organization name. If you are invited to join an existing organization, we collect your name and email address.
2.2 Billing Information
Payment processing is handled by Stripe, Inc. We do not directly store your credit card numbers or banking information. Stripe collects and processes your payment data in accordance with their own privacy policy. We receive and store only transaction identifiers and subscription status from Stripe.
2.3 CMS Data
When you connect a CMS repository, we access your content metadata using API keys that you provide. While some CMS API keys may carry write permissions, Unheadless uses all keys solely for read operations — no write functions are ever executed. Content metadata is stored for the duration of your active subscription to power queries, reports, and content inventory features. We do not store full content body data (e.g., rich text slices). Unheadless is a read-only platform and never writes, modifies, or deletes your CMS content.
2.4 Usage Data
We collect information about how you use the Service, including pages visited, features used, queries executed, report configurations, and timestamps. This data helps us improve the Service and provide support.
2.5 Technical Data
We collect IP addresses transiently for rate limiting and abuse prevention. This data is held in ephemeral memory and is not persisted to our database. Our hosting provider (Vercel) may collect standard server logs including IP addresses, user agents, and request metadata as part of its infrastructure — see Vercel's privacy policy for details.
2.6 Communications
When you contact our support team or communicate with us via email, we retain those communications to provide support and improve our Service.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity and manage your account
- Process billing and manage subscriptions
- Deliver scheduled reports and notifications
- Respond to support requests and inquiries
- Monitor and improve the performance, security, and reliability of the Service
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Send service-related communications (e.g., maintenance notices, security alerts)
We do not use your data for advertising, sell your data to third parties, or share it with advertisers.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the Service you have subscribed to (account management, CMS data access, report generation, billing)
- Legitimate Interests: Service improvement, security monitoring, fraud prevention, and analytics — balanced against your rights and expectations
- Consent: Where we rely on consent (e.g., optional marketing communications), you may withdraw consent at any time
- Legal Obligations: Processing necessary to comply with applicable laws, regulations, or legal proceedings
5. Cookies
Unheadless uses only strictly necessary cookies required for the application to function. We do not use analytics, advertising, or tracking cookies.
All 8 cookies we set are first-party, strictly necessary cookies used for authentication, CSRF protection, and core application functionality. Because they are strictly necessary, no consent banner is required under the EU ePrivacy Directive.
For a complete list of cookies, their purposes, and durations, please see our Cookie Policy.
6. Data Sharing & Third-Party Processors
We share your data only with the third-party service providers necessary to operate the Service. We do not sell your personal data. Our current subprocessors are:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting and edge network | USA |
| Neon Inc. | PostgreSQL database hosting | AWS US West 2, Oregon, USA |
| Stripe Inc. | Payment processing and subscription management | USA |
| Resend Inc. | Transactional and scheduled report email delivery | USA |
Note on CMS data: When you connect a CMS (e.g., Prismic), we access your content through API keys you provide. The CMS provider is your data controller for that content — our access is limited to read-only operations on your behalf.
We will notify you of any material changes to our subprocessor list by email at least 30 days before the change takes effect.
7. Data Retention
- Active accounts: Your data is retained for as long as your account is active and the Service is provided
- Cancelled accounts: Account data is permanently deleted upon cancellation
- CMS content metadata: Stored for the duration of your active subscription to power queries and reports. Permanently deleted upon account cancellation
- Audit logs: Administrative and security audit logs are retained for 12 months
- Billing records: Transaction records are retained as required by applicable tax and accounting laws
8. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data is transmitted over TLS 1.3 encrypted connections
- Encryption at rest: Database data is encrypted at rest using AES-256 encryption (provided by Neon PostgreSQL)
- Password security: Passwords are hashed using bcrypt with appropriate work factors
- Access controls: Role-based access control (Owner, Admin, Member) with multi-tenant data isolation
- Audit logging: All administrative actions are logged and auditable
- CSRF protection: Cross-site request forgery protection on all state-changing operations
While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to security@unheadless.com.
9. Your Rights Under GDPR
If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (subject to legal retention obligations)
- Right to Restriction: Request that we limit processing of your data in certain circumstances
- Right to Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Where processing is based on consent, withdraw at any time
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority
To exercise any of these rights, contact us at privacy@unheadless.com. We will respond within 30 days.
10. Your Rights Under CCPA/CPRA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out of Sale: We do not sell your personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise your rights, contact privacy@unheadless.com.
11. International Data Transfers
Your data is stored and processed in the United States, specifically in the AWS US West 2 region (Oregon) via our database provider, Neon. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States.
For users in the EEA, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide adequate safeguards for international data transfers. A copy of our SCCs is available upon request.
12. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@unheadless.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via the email address associated with your account. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.
14. Contact Us
For questions about this Privacy Policy or your data:
- Privacy inquiries: privacy@unheadless.com
- General support: support@unheadless.com
- Security issues: security@unheadless.com
- Entity: Unheadless