Privacy Policy

Last updated: June 2026

WaveOrigin OÜ (“we”, “our”, or “us”) operates the Unmapped platform — including the website www.unmappedgroup.com and the Unmapped mobile application available on iOS and Android (“the app” or “the platform”).

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have under the General Data Protection Regulation (GDPR).

1. Controller

The data controller responsible for your personal data is:

WaveOrigin OÜ

Tööstuse tn 75-71

10416 Tallinn

Estonia

Email: unmapped.network@gmail.com

Phone: +49 155 11338357

We do not have a designated Data Protection Officer. As a small startup operating under the SME exemption (Art. 37(4) GDPR), we are not required to appoint one.

2. Data We Collect

Account and profile data

Name, email address, username
Profile photo (avatar)
Bio, city, country
Skills, interests, and self-reported preferences
Social media links (Instagram, LinkedIn, X/Twitter, GitHub, website)
Account role (Member, Ambassador, Founder)

User-generated content (UGC)

Posts, comments, and project updates you create
Events and projects you submit
Messages sent via direct or group chats
Event discussion messages
Join request messages

Interaction data

Events and projects you join or save
Likes, comments, and reposts on posts
Connections with other users

Technical and device data

IP address (processed by our infrastructure providers)
Browser type and device information
Push notification tokens (if you enable notifications)

Internal analytics data

Platform actions you take (e.g. signing up, viewing events, joining projects, completing your profile)
This data is stored in our internal analytics system, is not shared with third parties, and is not used for advertising

3. How We Use Your Data

Operating and maintaining the Unmapped platform
Creating and managing your account
Enabling community features: chats, events, projects, connections
Sending in-app and push notifications about relevant activity
Improving the platform through internal usage analytics
Processing and reviewing content submissions (events, projects)
Responding to support requests
Ensuring platform safety, detecting fraud, and enforcing community standards

Legal bases (Art. 6(1) GDPR):

Contract performance (Art. 6(1)(b)): account management, platform features, community services
Legitimate interests (Art. 6(1)(f)): platform security, fraud prevention, internal analytics, improving the platform
Consent (Art. 6(1)(a)): push notifications, optional marketing communications

4. Push Notifications

If you grant notification permission, we store a push notification token linked to your account. This token is used to send you alerts about messages, join requests, connections, and platform activity.

The legal basis is your consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time by:

Adjusting notification settings in your device (iOS: Settings → Notifications → Unmapped; Android: Settings → Apps → Unmapped → Notifications)
Revoking notification permission in your browser settings

Withdrawing consent does not affect past processing and does not impact your use of any other platform features.

5. Cookies and Analytics

We currently do not use analytics cookies or advertising cookies. Our platform uses session-management cookies strictly necessary to keep you logged in. These are required for the platform to function and are not subject to consent requirements under ePrivacy rules.

We collect internal usage analytics (page views, feature interactions) through our own infrastructure. This data is not shared with third parties and is not used for advertising.

If we add third-party analytics or advertising cookies in the future, we will update this policy and implement appropriate consent mechanisms.

6. Data Processors and Third-Party Services

We use the following service providers who process personal data on our behalf. We maintain data processing agreements with each of them as required by Art. 28 GDPR:

Supabase, Inc.

Purpose: Database, authentication, file storage, real-time features

Location: United States (data may be processed in the EU via AWS eu-west-1 depending on project configuration)

Transfer mechanism: Standard Contractual Clauses (SCCs) where applicable

Vercel, Inc.

Purpose: Application hosting, CDN, serverless functions

Location: United States (edge nodes globally)

Transfer mechanism: Standard Contractual Clauses (SCCs)

Web Push Services (browser/OS vendors)

Purpose: Delivery of push notifications

Includes: Apple Push Notification Service (APNs) for iOS, Google Firebase Cloud Messaging (FCM) for Android, and browser-native push services

These services receive only the encrypted notification payload and the push endpoint token

We do not sell your personal data to any third party.

7. Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected. Where we refer to data being anonymized, this means personal identifiers are irreversibly removed or replaced with placeholder values (e.g. “[Deleted User]”). The underlying platform record may remain for operational or legal purposes but can no longer be linked back to you.

Upon account deletion, access is revoked immediately and personal identifiers across all data categories are anonymized within 30 days.

Account and profile data

Retained while your account is active. Anonymized within 30 days of account deletion — name, email, username, bio, avatar, location, social links, and preferences are replaced with placeholder values.

Authentication credentials

Access revoked immediately upon account deletion. Personal identifiers anonymized within 30 days.

Posts, comments, and discussions

Retained as part of community history. Author identity anonymized within 30 days of account deletion; content is attributed to a deleted account rather than removed from shared context.

Chat and event messages

Message content replaced with a placeholder and your identity removed within 30 days of account deletion. Anonymized message records are retained for platform integrity, safety, and dispute handling.

Events and projects you created

Retained as platform history. Creator identity anonymized within 30 days of account deletion.

Join requests and applications

Retained in anonymized form for safety, abuse prevention, and operational records. Your identity anonymized within 30 days of account deletion.

Reports and moderation records

Retained for up to 24 months after resolution for abuse prevention, dispute handling, and legal compliance. Retained longer if required by applicable law or for active legal claims.

Suspended and deleted account records

Anonymized records retained for up to 24 months for platform safety, abuse prevention, and fraud prevention. Retained longer if required for active legal claims or by applicable law.

In-app notifications

Anonymized or deleted within 30 days of account deletion. For active accounts, notifications older than 12 months are periodically anonymized.

Push notification tokens

Deleted immediately when you disable push notifications or when your account is deleted.

Internal analytics data

Behavioral event data linked to your account is deleted upon account deletion. Aggregated anonymized platform metrics (e.g. total signups per month) are retained indefinitely as they cannot be linked to you.

Support communications

Retained for up to 24 months from our last contact, or longer if legally required.

Technical and security logs

Retained for up to 12 months by our infrastructure providers. Retained longer if required for active security investigations.

Financial and tax records

If payment processing is introduced, statutory retention periods apply — currently 7 years under Estonian commercial law.

Backup copies

Automated backup snapshots may contain data for a technical window of up to 30 days, after which they are permanently purged. Anonymization applied to live systems is reflected in backups within this window.

8. Account Deletion

You can permanently delete your account at any time from within the app:

Dashboard → Profile → Delete Account

Your access is revoked immediately upon confirmation. Your personal data is anonymized as described in Section 7. This action cannot be undone.

Events, projects, messages, reports, and shared community records may be retained in anonymized form where required for platform integrity, legal obligations, safety, abuse prevention, or dispute handling.
Backup copies may persist for up to 30 days in automated backup snapshots, after which they are permanently purged.
Deletion does not guarantee refunds for prior paid activities.

Alternatively, contact us at unmapped.network@gmail.com to request account deletion by email.

9. Your Rights

Under GDPR, you have the following rights:

Right of access (Art. 15): request a copy of your personal data
Right to rectification (Art. 16): correct inaccurate or incomplete data (via your profile settings)
Right to erasure (Art. 17): delete your account and personal data (via the in-app delete function)
Right to restriction (Art. 18): request that we restrict processing of your data
Right to data portability (Art. 20): receive your data in a machine-readable format
Right to object (Art. 21): object to processing based on legitimate interests
Right to withdraw consent (Art. 7): withdraw consent for notifications at any time without affecting prior processing

To exercise any of these rights, contact:

unmapped.network@gmail.com

We will respond within 30 days.

Supervisory authority: You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI): www.aki.ee, Tatari 39, 10134 Tallinn, Estonia.

10. Children

Unmapped is intended for users aged 18 and over. We do not knowingly collect personal data from minors. If we become aware that a user is under 18, we will delete their account. If you believe a minor has created an account, please contact us at unmapped.network@gmail.com.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on users (Art. 22 GDPR).

12. Data Security

We implement appropriate technical and organizational measures to protect personal data, including encrypted data storage, authentication via Supabase Auth, HTTPS-only communication, and access controls. No system is completely secure; in the event of a data breach, we will notify affected users and the relevant supervisory authority as required by Art. 33–34 GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be published at this URL. For material changes, we will notify registered users via email or in-app notification.