Privacy Policy

This Privacy Policy explains how Subtilprofit Unipessoal Lda ("Unvios", "we", "us") collects, uses, stores, and protects personal data when you use Unvios (the "Platform"), including our website, mobile experiences, and related services. We are committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Portuguese Law no. 58/2019, and other applicable data protection rules.

By using Unvios you acknowledge that you have read this Policy. If you do not agree, please do not use the Platform. For any privacy question or request, contact our Data Protection contact at privacy@unvios.com.

The data controller responsible for your personal data is:

• Subtilprofit Unipessoal Lda
• Email (privacy): privacy@unvios.com
• Email (support): support@unvios.com
• Jurisdiction: Portugal

We do not currently appoint a Data Protection Officer unless required by law; privacy enquiries are handled by the contact above.

• Visitors browsing listings without an account.
• Registered users (buyers and sellers).
• Individuals contacting support or responding to surveys.
• Payment counterparties whose data appears in transaction records (e.g. billing metadata via Stripe).

Unvios is not intended for anyone under 18 years of age. We do not knowingly collect data from children.

We process personal data only where we have a valid legal basis under GDPR:

• Performance of a contract — creating your account, publishing listings, processing purchases, operating escrow authorisation, and delivering support related to your orders.
• Legitimate interests — securing the Platform, preventing fraud, improving features, enforcing Terms, and defending legal claims, balanced against your rights.
• Legal obligation — tax, accounting, anti-money laundering where applicable, and responses to lawful authority requests.
• Consent — optional analytics cookies and any future marketing communications, which you may withdraw at any time without affecting core service use.

When you upload a photo to create a listing, the image is sent to Cloudflare Workers AI (vision models) to generate structured listing data. Processing occurs to perform the service you request. Images are processed for identification and pricing assistance, not for facial recognition of individuals. Do not upload photos containing unnecessary personal data (IDs, documents, home addresses in backgrounds). We retain listing images according to our retention schedule below.

We share data only as necessary with:

• Stripe Payments Europe Ltd. — payment processing, fraud screening, and payouts (Privacy: stripe.com/privacy).
• Supabase / hosting partners — authentication and database infrastructure.
• Cloudflare, Inc. — CDN, Workers hosting, Workers AI inference, and security.
• Professional advisers — lawyers, accountants, insurers, under confidentiality.
• Authorities — when required by law or to protect rights, safety, and integrity of the Platform.

We do not sell your personal data. We do not share it with third parties for their independent marketing without your consent.

Some providers may process data outside the European Economic Area (e.g. United States). Where required, we rely on adequacy decisions, Standard Contractual Clauses, or other GDPR Chapter V mechanisms. You may request more information about safeguards by emailing privacy@unvios.com.

• Account data — while your account is active and up to 3 years after closure unless longer retention is required.
• Transaction and invoice data — typically 7 years for accounting and tax compliance in Portugal.
• Listing photos — while the listing is live and a reasonable period after removal for dispute handling.
• Support tickets — up to 3 years from resolution.
• Server logs — generally up to 90 days unless needed for security investigations.
• Cookie consent records — up to 13 months or as required by regulator guidance.

Subject to conditions in law, you have the right to:

• Access — obtain confirmation and a copy of your data.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion when no longer necessary or consent is withdrawn (subject to legal exceptions).
• Restriction — limit processing in certain circumstances.
• Portability — receive data you provided in a structured, machine-readable format where processing is contract-based and automated.
• Object — to processing based on legitimate interests, including profiling where applicable.
• Withdraw consent — for consent-based processing at any time.
• Lodge a complaint — with the Comissão Nacional de Proteção de Dados (CNPD) at cnpd.pt.

To exercise rights, email privacy@unvios.com with sufficient detail to identify you. We respond within one month, extendable by two further months where complex. We may request proof of identity.

• HTTPS encryption for data in transit.
• Access controls and least-privilege for internal systems.
• PCI-DSS scope minimisation — card data handled by Stripe.
• Monitoring, rate limiting on AI endpoints, and authentication requirements for sensitive actions.

No online service is completely secure. If you believe your account is compromised, contact support@unvios.com immediately and change your password.

Listing approval uses automated AI and rule-based checks (e.g. minimum price €80, category whitelist). This may produce legal or similarly significant effects (rejecting a listing). You may request human review by contacting support@unvios.com with your listing details. We will reconsider using the same policy criteria.

We do not send promotional email without consent. Transactional emails (receipts, security alerts, dispute updates) are part of the service. If we introduce newsletters, we will ask for opt-in separately.

We may update this Policy to reflect legal, technical, or business changes. The "Last updated" date at the top of the page will change. Material changes will be notified via the Platform or email where appropriate. Continued use after the effective date means you accept the updated Policy.