Data Protection Policy

Effective Date: February 26, 2026

This Data Protection Policy describes how Latent Ventures LLC ("UnaFonte," "we," "us," or "our") protects personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. This policy supplements our Privacy Policy and provides additional detail on the technical and organizational measures we employ to safeguard your information.

1. Data Controller

Latent Ventures LLC is the data controller for personal data processed through the UnaFonte platform. We determine the purposes and means of processing your personal data and are responsible for ensuring compliance with applicable data protection laws.

For government ID verification, Stripe, Inc. acts as an independent data controller. When you submit your government-issued identification for verification, Stripe processes that data under its own privacy policy and data protection practices. UnaFonte receives only the verification result (verified/not verified), your legal name, and country of issuance from Stripe — we do not receive or store copies of your government ID documents.

For data protection inquiries, contact us at: legal@unafonte.com

2. Legal Bases for Processing

We process personal data under the following legal bases as defined by the GDPR:

2.1 Contract Performance

Processing necessary to fulfill our contractual obligations to you:

  • Account creation and management, including username reservation and profile configuration.
  • Identity verification processing, including coordination with Stripe Identity for government ID checks.
  • Payment processing for verification fees, Pro subscriptions, and Trust Request transactions.
  • Providing the core platform services, including the Active Ledger, NOT ME Rules, and public profile pages.

2.2 Legitimate Interest

Processing necessary for our legitimate interests, balanced against your rights and freedoms:

  • Fraud prevention and platform security, including rate limiting and abuse detection.
  • Analytics and platform improvement using anonymized, aggregated usage data.
  • Maintaining audit logs for security and accountability purposes.
  • Bio link verification to confirm ownership of linked social media accounts.
  • DNS record verification to confirm ownership of claimed domains.

2.3 Consent

Processing based on your freely given, specific, informed, and unambiguous consent:

  • Non-essential cookies and analytics tracking, as described in our Cookie Policy.
  • Marketing and product update communications (you may withdraw consent at any time through your notification settings).
  • Publishing your verified identity information on your public profile page.
  • Optional data sharing through the MCP integration and public API endpoints.

2.4 Legal Obligation

Processing necessary to comply with our legal obligations:

  • Retaining financial transaction records as required by tax and accounting regulations.
  • Responding to lawful requests from law enforcement or regulatory authorities.
  • Complying with data subject access requests and other rights under GDPR and CCPA.

3. Data Protection Principles

We adhere to the following core data protection principles in all of our processing activities:

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner. Our Privacy Policy and this Data Protection Policy clearly explain what data we collect, why we collect it, and how it is used.
  • Purpose Limitation: We collect personal data only for specified, explicit, and legitimate purposes. Data is not further processed in a manner incompatible with those purposes.
  • Data Minimization: We collect only the personal data that is necessary for the purposes for which it is processed. For example, we receive only verification results and basic identity information from Stripe, not copies of government documents.
  • Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date. Users can update their profile information and preferences at any time through their dashboard.
  • Storage Limitation: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Trust Request media is automatically deleted 30 days after resolution. Expired ledger entries are cleaned up by automated processes.
  • Integrity and Confidentiality: We implement appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

4. Technical and Organizational Measures

4.1 Technical Measures

  • All data in transit is encrypted using TLS 1.2 or higher across all platform connections.
  • All data at rest is encrypted using AES-256 encryption in our database and storage systems.
  • API keys are hashed using SHA-256 before storage; raw keys are never persisted and are displayed only once at creation time.
  • User passwords are hashed using bcrypt with appropriate salt rounds through Supabase Auth.
  • Database queries are scoped to the authenticated user's ID to prevent unauthorized data access.
  • Row-Level Security (RLS) policies are enforced at the database level for storage access.
  • Rate limiting is applied to public API endpoints to prevent abuse and denial-of-service attacks.
  • Trust Request media files are stored in private storage buckets and accessed through time-limited signed URLs (1-hour expiry).
  • Automated cron jobs handle data lifecycle management, including expiration of stale records and cleanup of media files.

4.2 Organizational Measures

  • Access to production systems and databases is restricted to authorized personnel on a need-to-know basis.
  • All sensitive actions are recorded in an immutable audit log for accountability and incident investigation.
  • Third-party service providers are evaluated for their data protection practices and are bound by appropriate data processing agreements.
  • Regular security reviews are conducted to identify and remediate potential vulnerabilities.
  • Incident response procedures are documented and tested to ensure timely and effective handling of data breaches.

5. Data Subject Rights

5.1 GDPR Rights

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Right of Access: You have the right to request a copy of the personal data we hold about you, along with information about how it is processed.
  • Right to Rectification: You have the right to request correction of inaccurate personal data or completion of incomplete data.
  • Right to Erasure: You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
  • Right to Restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest its accuracy.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
  • Right to Object: You have the right to object to processing of your personal data based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5.2 CCPA Rights

If you are a California resident, you have the following rights under the CCPA:

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell, including the specific pieces of personal information we have collected about you.
  • Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.
  • Right to Opt-Out: You have the right to opt out of the sale of your personal information. UnaFonte does not sell personal information to third parties.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your CCPA rights.

5.3 Exercising Your Rights

To exercise any of your data subject rights, please contact us at legal@unafonte.com. We will verify your identity before processing your request. For GDPR requests, we will respond within 30 days. For CCPA requests, we will respond within 45 days. If additional time is needed, we will notify you of the extension and the reasons for the delay.

6. International Data Transfers

UnaFonte is operated from the United States. If you are accessing our platform from outside the United States, your personal data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international data transfers through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA.
  • Adequacy decisions where the European Commission has determined that a country provides an adequate level of data protection.
  • Additional technical and organizational measures, including encryption and access controls, to supplement transfer safeguards where necessary.

7. Data Breach Response

In the event of a personal data breach, we follow a structured response process:

  • Immediate containment and assessment of the breach to determine its scope, nature, and potential impact on data subjects.
  • Notification to the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals, as required by the GDPR.
  • Notification to affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
  • Documentation of the breach, including its facts, effects, and the remedial actions taken, maintained as part of our internal records.
  • Post-incident review to identify root causes, improve security measures, and update procedures to prevent recurrence.

8. Third-Party Processing

We engage third-party service providers to assist in delivering our platform. Each provider is carefully vetted and bound by data processing agreements that require them to process personal data only on our instructions and in compliance with applicable data protection laws. Our key third-party processors include:

  • Supabase: Database hosting, authentication services, and file storage for Trust Request media.
  • Stripe: Payment processing (verification fees, subscriptions, Trust Request transactions) and identity verification (government ID checks via Stripe Identity).
  • Vercel: Application hosting, serverless functions, and cron job execution.
  • Resend: Transactional email delivery for Trust Request notifications, account alerts, and platform communications.

Wallet verification (Ethereum, Bitcoin, Solana) is performed client-side through cryptographic signature checks. No third-party processor is involved in wallet verification, and wallet addresses are stored only with your explicit consent.

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals. DPIAs are performed in the following circumstances:

  • When introducing new technologies or processing methods that involve personal data.
  • When processing special categories of data or data relating to criminal convictions and offenses.
  • When conducting large-scale profiling or automated decision-making that may significantly affect individuals.
  • When processing personal data on a large scale, particularly where it involves systematic monitoring of publicly accessible areas.

10. Record of Processing Activities

In accordance with Article 30 of the GDPR, we maintain a comprehensive record of all processing activities carried out under our responsibility. This record includes the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers, retention periods, and a description of technical and organizational security measures. This record is available to supervisory authorities upon request.

11. Updates to This Policy

This Data Protection Policy is reviewed annually and updated as necessary to reflect changes in our processing activities, legal requirements, or organizational practices. When material changes are made, we will update the "Effective Date" at the top of this page and notify affected users through the platform where appropriate. We encourage you to review this policy periodically.

12. Contact and Complaints

If you have questions, concerns, or complaints about our data protection practices, please contact us:

Latent Ventures LLC
Email: legal@unafonte.com
Website: unafonte.com

If you are located in the EEA and believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your local supervisory authority. A list of supervisory authorities is available on the European Data Protection Board website. We encourage you to contact us first so that we may attempt to resolve your concern directly.