Privacy Policy
Effective Date: October 15, 2025
Last Updated: October 15, 2025
1. Introduction
Uranion EMEA Ltd ("we", "us", "our", or "Company") operates the Uranion Cloud platform ("Services"). This Privacy Policy describes how we collect, use, store, share, and protect your personal information and data when you use our Services.
This Privacy Policy applies to all users of the Uranion Cloud platform worldwide, including customers, developers, and visitors to our website. It has been designed to comply with major privacy laws including the EU General Data Protection Regulation (GDPR), UK Data Protection Act 2018 and UK GDPR, California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California Online Privacy Protection Act (CalOPPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws.
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Contact Information and Data Protection Officer
Company Details:
Uranion EMEA Ltd
Email: legal@uranion.cloud
Website: https://uranion.cloud
Privacy Inquiries:
Email: privacy@uranion.cloud
Support: support@uranion.cloud
Data Protection Officer:
Email: privacy@uranion.cloud
US Representative (for CalOPPA/CCPA inquiries):
Email: privacy@uranion.cloud
3. Scope and Applicability
3.1 Who This Policy Applies To
This Privacy Policy applies to:
- EU/EEA Residents: Subject to GDPR protections
- UK Residents: Subject to UK GDPR and Data Protection Act 2018 protections
- California Residents: Subject to CCPA/CPRA and CalOPPA protections
- Virginia Residents: Subject to VCDPA protections
- Colorado Residents: Subject to CPA protections
- Brazil Residents: Subject to LGPD protections
- All Other Users: Subject to applicable local data protection laws
3.2 Legal Basis for Processing (GDPR/UK GDPR/LGPD)
We process personal information based on the following legal grounds:
- Contract Performance: Processing necessary to provide Services and fulfill contractual obligations
- Legitimate Interests: Processing for business operations, security, fraud prevention, and service improvement
- Legal Compliance: Processing required to comply with legal obligations
- Consent: Processing based on explicit consent for marketing communications and optional features
- Vital Interests: Processing necessary to protect vital interests of data subjects
4. Information We Collect
4.1 Categories of Personal Information Collected
We collect the following categories of personal information as required by CCPA/CPRA and other laws:
A. Identifiers and Contact Information
What We Collect:
- Full name, email address, phone number
- Business name and business information
- Billing and shipping address
- Username and encrypted passwords
- IP addresses and device identifiers
- Online identifiers and unique device identifiers
Sources: Directly from you during account registration, from your use of Services, and from third-party authentication providers
Purposes: Account creation and management, service provision, customer support, billing and payment processing, security and fraud prevention
Sharing: Shared with payment processors (Fungies.io), infrastructure providers, and security services
B. Commercial Information
What We Collect:
- Transaction history and purchase records
- Payment information (processed by Fungies.io)
- Subscription tier and service usage
- Billing and invoicing records
Sources: Directly from you and from Fungies.io (payment processor)
Purposes: Transaction processing, billing, subscription management, accounting, and financial reporting
Sharing: Shared with Fungies.io (payment processor), accounting services, and tax authorities as required by law
C. Internet or Network Activity Information
What We Collect:
- Browser type, version, and language
- Operating system information
- Access times, dates, and usage patterns
- Pages viewed and features accessed
- API usage metrics and logs
- Search queries within the Services
- Referring/exit pages and URLs
- Click stream data
Sources: Automatically collected through cookies, log files, and analytics technologies
Purposes: Service provision, performance monitoring, security, fraud prevention, analytics, and service improvement
Sharing: Shared with analytics providers, infrastructure providers, and security monitoring services
D. Geolocation Data
What We Collect:
- IP address-based location (country, region, city)
- Approximate geographic location
Sources: Automatically collected from IP addresses and device information
Purposes: Service provision, fraud prevention, compliance with legal requirements, performance optimization
Sharing: Shared with infrastructure providers and security services
E. Professional or Employment-Related Information
What We Collect:
- Job title and role
- Business information
- Professional contact information
- Business email address
Sources: Directly from you during account registration and profile updates
Purposes: Account management, customer communications, service customization
Sharing: Not shared except with service providers necessary for account management
F. Inferences and Profiling Data
What We Collect:
- User preferences and settings
- Service usage patterns and preferences
- Predicted interests and behaviors based on usage
- Service recommendations
Sources: Derived from your interactions with the Services and usage patterns
Purposes: Service personalization, product recommendations, service improvement
Sharing: Not sold or shared for third-party marketing; used internally for service improvement
G. Sensitive Personal Information
What We Collect:
- Account credentials and authentication data (encrypted)
- Precise geolocation data (only when explicitly provided)
Sources: Directly from you or collected with your explicit consent
Purposes: Authentication, security, fraud prevention, service provision as requested
Sharing: Shared only with essential service providers under strict confidentiality and security requirements
Note: We do not collect or process the following categories of sensitive personal information: Social Security numbers, driver's license numbers, passport numbers, financial account information (processed by Fungies.io), health information, racial or ethnic origin, religious beliefs, sexual orientation, citizenship status, genetic data, biometric data for identification, union membership, or precise geolocation beyond what is necessary for service provision.
4.2 Customer Data
Customer Data includes all content, files, applications, code, and information that customers upload, submit, store, or process through our Services. We act as a data processor (or "service provider" under CCPA) for Customer Data, while our customers act as data controllers.
We process Customer Data solely on customer instructions and in accordance with our Terms of Service. Customers are responsible for ensuring they have appropriate rights and legal bases to process the data they submit to our Services.
4.3 Cookies and Tracking Technologies
We use cookies, web beacons, pixels, local storage, and similar technologies for the following purposes:
- Essential Cookies: Authenticate users, maintain sessions, and enable core functionality
- Analytics Cookies: Analyze usage patterns, measure performance, and improve Services
- Preference Cookies: Remember user preferences, settings, and configurations
- Security Cookies: Detect and prevent security threats and fraudulent activity
Your Cookie Choices
EU/UK/Brazil Users: You will be presented with a cookie consent banner upon first visit. You can manage your cookie preferences at any time through our cookie settings.
California/Virginia/Colorado Users: You can control cookies through your browser settings. Disabling cookies may affect Service functionality.
Do Not Track Signals (CalOPPA Requirement)
Our Services currently do not respond to "Do Not Track" (DNT) browser signals. However, you can control tracking through cookie settings and browser preferences. We provide opt-out mechanisms for targeted advertising and data sales as required by applicable law.
Third-Party Tracking
Third-party service providers (analytics, infrastructure, security monitoring) may collect information about your online activities over time and across different websites when you use our Services. We have implemented contractual and technical measures to limit third-party data collection to what is necessary for service provision.
5. How We Use Personal Information
5.1 Primary Purposes
We use personal information for the following purposes:
Service Provision and Performance
- Provide, maintain, operate, and improve the Services
- Process transactions and manage accounts
- Authenticate users and maintain security
- Provide technical support and customer service
- Monitor Service performance, uptime, and reliability
- Ensure platform security and prevent unauthorized access
- Enable core functionality including FaaS and containerized execution
Business Operations
- Conduct internal research and development
- Analyze usage patterns and trends
- Perform data analytics and statistical analysis
- Develop new features and services
- Conduct quality assurance and testing
Communications
- Send service-related notifications and updates
- Respond to inquiries and support requests
- Provide account and billing information
- Send security alerts and important notices
- Request feedback and conduct surveys
Legal and Security
- Comply with legal obligations and court orders
- Protect our rights, property, and safety
- Investigate potential violations of Terms of Service
- Detect, prevent, and respond to fraud and security threats
- Respond to law enforcement requests
- Establish, exercise, or defend legal claims
Marketing (With Consent Where Required)
- Send promotional communications about new features
- Provide product updates and announcements
- Share relevant content and resources
- Conduct market research
5.2 Purposes by Jurisdiction
CCPA/CPRA Purposes: Service provision, security, fraud prevention, debugging, internal research, quality assurance, legal compliance
GDPR/UK GDPR Legal Bases: Contract performance, legitimate interests, legal compliance, consent (marketing)
LGPD Legal Bases: Contract execution, legitimate interest, legal obligation, consent (marketing)
VCDPA/CPA Purposes: Service provision, system administration, security, fraud prevention, legal compliance
5.3 Automated Decision-Making and Profiling
We engage in limited automated decision-making for:
- Fraud Detection: Automated systems analyze patterns to identify potentially fraudulent activity
- Security Monitoring: Automated threat detection and response systems
- Service Optimization: Automated resource allocation and performance optimization
EU/UK/Brazil Users: You have the right to opt out of automated decision-making that produces legal or similarly significant effects. Contact us at privacy@uranion.cloud to exercise this right.
California/Virginia/Colorado Users: You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not currently engage in such profiling.
6. How We Share Personal Information
6.1 Categories of Third Parties
We share personal information with the following categories of third parties:
Service Providers and Processors
Payment Processing:
- Fungies.io - Acts as merchant of record and payment processor
- Purpose: Process payments, manage subscriptions, handle refunds
- Data Shared: Name, email, billing address, transaction information
- Location: EU/US with adequacy mechanisms
Cloud Infrastructure:
- Infrastructure Providers - Cloud hosting, compute, storage, and networking
- Purpose: Host Services, store data, provide infrastructure
- Data Shared: All data necessary for service provision including Customer Data
- Location: Primarily EU data centers, with international transfers protected by SCCs
Analytics and Monitoring:
- Analytics Providers - Usage analytics and performance monitoring
- Purpose: Analyze usage, monitor performance, improve Services
- Data Shared: Usage data, technical information, aggregated metrics
- Safeguards: Data processing agreements, pseudonymization where possible
Security Services:
- Security Providers - Threat detection, security monitoring, incident response
- Purpose: Detect threats, prevent fraud, ensure security
- Data Shared: Log data, IP addresses, security-related information
- Safeguards: Data processing agreements, encryption
Communication Services:
- Email Delivery - Transactional and marketing email delivery
- Support Platforms - Customer support and ticketing systems
- Purpose: Deliver communications, provide customer support
- Data Shared: Email address, name, communication content
Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of the transaction. We will:
- Provide notice before personal information is transferred and becomes subject to different privacy practices
- Ensure acquiring party commits to protecting personal information consistent with this Privacy Policy
- Provide choices regarding the transfer where required by law
Legal Requirements and Public Authorities
We may disclose personal information when required by law or when we believe disclosure is necessary to:
- Comply with legal processes, court orders, or government requests
- Enforce our Terms of Service and other agreements
- Protect the rights, property, or safety of our company, users, or others
- Investigate potential violations or security incidents
- Respond to claims or legal proceedings
- Comply with national security or law enforcement requirements
California Users: We do not disclose personal information to third parties for their direct marketing purposes without your consent.
With Your Consent
We may share information for other purposes with your explicit consent or at your direction.
6.2 Sale and Sharing of Personal Information (CCPA/CPRA)
Do We "Sell" Personal Information? No. We do not sell personal information as defined by CCPA/CPRA. We do not exchange personal information for monetary compensation.
Do We "Share" Personal Information for Cross-Context Behavioral Advertising? No. We do not share personal information for cross-context behavioral advertising or targeted advertising as defined by CCPA/CPRA.
We do not sell or share the personal information of consumers under 16 years of age.
6.3 International Data Transfers
For EU/EEA Users (GDPR)
Personal information may be transferred to and processed in countries outside the European Economic Area, including Ireland (primary location), United States, and other countries where our service providers operate.
Transfer Safeguards:
- European Commission adequacy decisions (for transfers to adequate countries)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules where applicable
- Additional technical and organizational measures (encryption, access controls)
We will inform you of the primary data storage location upon request.
For UK Users (UK GDPR)
The UK has adequacy status from the EU (extended until December 27, 2025). Data transfers from the UK follow similar safeguards to those used for EU transfers, including UK-approved SCCs and adequacy decisions made by the UK government.
For Brazil Users (LGPD)
International transfers of personal data from Brazil are conducted in accordance with ANPD Resolution No. 19 using:
- Standard Contractual Clauses approved by ANPD (mandatory as of August 23, 2025)
- Adequacy decisions by Brazilian authorities
- Binding Corporate Rules
- Specific contractual clauses with additional safeguards
For California/Virginia/Colorado Users
We implement reasonable security measures for international data transfers and comply with applicable state law requirements regarding cross-border data transfers.
7. Data Security
7.1 Security Measures
We implement comprehensive security measures to protect personal information:
Encryption
- Data in Transit: TLS 1.3/SSL encryption for all data transmission
- Data at Rest: AES-256 encryption for stored data
- Database Encryption: Encrypted databases with secure key management
- Backup Encryption: All backups encrypted with separate encryption keys
Access Controls
- Multi-factor authentication (MFA) for administrative access
- Role-based access control (RBAC) and principle of least privilege
- Regular access reviews and automated deprovisioning
- Segregation of duties for sensitive operations
- Secure password policies and credential management
Infrastructure Security
- Network security with next-generation firewalls
- Intrusion detection and prevention systems (IDS/IPS)
- Distributed denial-of-service (DDoS) protection
- Regular security assessments and penetration testing
- Vulnerability scanning and patch management
- Security monitoring and incident response procedures
- Container security and image scanning
- Secure development lifecycle practices
Organizational Measures
- Security awareness training for all employees
- Background checks for personnel with data access
- Confidentiality agreements and data protection obligations
- Incident response and disaster recovery plans
- Regular backup and recovery testing
- Third-party security audits and certifications
- Data protection impact assessments for high-risk processing
7.2 Data Breach Notification
In the event of a data breach involving personal information, we will:
EU/UK Users:
- Notify supervisory authorities within 72 hours of becoming aware (GDPR/UK GDPR requirement)
- Notify affected individuals without undue delay if high risk to rights and freedoms
- Provide detailed information about nature, scope, and consequences of the breach
- Describe measures taken and to be taken to address the breach
California Users:
- Notify affected individuals in the most expedient time possible without unreasonable delay
- Provide notice to the California Attorney General if breach affects more than 500 California residents
- Include information required by California Civil Code § 1798.82
Virginia/Colorado Users:
- Notify affected individuals without unreasonable delay as required by state breach notification laws
Brazil Users:
- Notify ANPD and affected data subjects within a reasonable timeframe
- Provide details of breach, security measures, risks, and remedial actions
All Users:
- Take immediate steps to contain and mitigate the breach
- Cooperate with regulatory authorities
- Implement measures to prevent future incidents
- Provide recommendations to protect affected individuals
8. Data Retention and Deletion
8.1 Retention Criteria
We determine retention periods based on:
- Duration necessary to fulfill stated purposes
- Legal, regulatory, and compliance requirements
- Statute of limitations for potential legal claims
- Operational and business needs
- Industry standards and best practices
8.2 Data Deletion Process
Customer-Requested Deletion
When you request deletion of personal information:
- Immediate Action (Day 1-30): Data marked for deletion, access restricted
- Logical Deletion (Day 30-60): Data removed from active production systems
- Backup Deletion (Day 60-180): Data removed from backup systems through backup rotation
- Confirmation: Deletion confirmation provided upon request
Automatic Deletion Upon Service Termination
Upon termination of Services:
- Retrieval Period (Days 1-30): Customer can export and retrieve Customer Data
- Soft Deletion (Days 30-60): Data marked for deletion and isolated
- Logical Deletion (Days 60-90): Data removed from active systems
- Complete Deletion (Days 90-180): Data completely removed from all systems including backups
8.3 Exceptions to Deletion
Certain information may be retained longer when required by:
- Applicable laws and regulations
- Legal holds and litigation requirements
- Financial and tax compliance obligations
- Resolution of disputes and enforcement of agreements
- Fraud prevention and security purposes
8.4 Anonymization and Aggregation
We may retain anonymized or aggregated data indefinitely for:
- Statistical analysis and research
- Service improvement and development
- Business intelligence and reporting
Anonymized data cannot reasonably be used to identify individuals and is not subject to data protection laws.
9. Your Privacy Rights
9.1 Rights Under GDPR and UK GDPR (EU/EEA/UK Residents)
You have the following rights:
Right of Access (Article 15)
- Request confirmation of whether we process your personal data
- Obtain a copy of your personal data
- Receive information about processing purposes, categories, and recipients
Right to Rectification (Article 16)
- Correct inaccurate personal information
- Complete incomplete personal information
Right to Erasure / "Right to be Forgotten" (Article 17)
- Request deletion of personal information when:
  - No longer necessary for original purposes
  - You withdraw consent (where consent is the legal basis)
  - You object and no overriding legitimate grounds exist
  - Processing is unlawful
  - Required by legal obligation
Right to Restriction of Processing (Article 18)
- Restrict processing when:
  - You contest accuracy of data
  - Processing is unlawful but you oppose deletion
  - We no longer need data but you need it for legal claims
  - You object to processing pending verification of legitimate grounds
Right to Data Portability (Article 20)
- Receive personal data in structured, commonly used, machine-readable format
- Transmit data to another controller without hindrance
- Request direct transmission to another controller where technically feasible
Right to Object (Article 21)
- Object to processing based on legitimate interests or for direct marketing
- Object to automated decision-making and profiling
Right to Withdraw Consent (Article 7)
- Withdraw consent at any time where processing is based on consent
- Withdrawal does not affect lawfulness of prior processing
Right to Lodge a Complaint
9.2 Rights Under CCPA/CPRA (California Residents)
You have the following rights:
Right to Know (CCPA § 1798.100, CPRA § 1798.110)
- Categories of personal information collected
- Categories of sources from which information is collected
- Business or commercial purposes for collection
- Categories of third parties with whom we share information
- Specific pieces of personal information collected about you
Right to Delete (CCPA § 1798.105)
- Request deletion of personal information we collected from you
- Subject to exceptions for legal obligations, fraud prevention, and legitimate business needs
Right to Correct (CPRA § 1798.106)
- Request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing (CCPA § 1798.120, CPRA § 1798.121)
- Opt out of sale of personal information
- Opt out of sharing for cross-context behavioral advertising
- Note: We do not sell or share personal information as defined by CCPA/CPRA
Right to Limit Use of Sensitive Personal Information (CPRA § 1798.121)
- Limit use of sensitive personal information to permitted purposes
- We do not use sensitive personal information beyond permitted purposes
Right to Opt-Out of Automated Decision-Making (CPRA § 1798.137)
- Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
Right to Non-Discrimination (CCPA § 1798.125)
- Not be discriminated against for exercising CCPA/CPRA rights
- We will not deny goods or services, charge different prices, provide different quality, or suggest such differential treatment
Authorized Agent
- Designate authorized agent to submit requests on your behalf
- Authorized agent must provide proof of authorization
9.3 Rights Under VCDPA (Virginia Residents)
You have the following rights:
Right to Access
- Confirm whether we are processing your personal data
- Access your personal data
Right to Correction
- Correct inaccuracies in your personal data
Right to Deletion
- Delete personal data provided by or obtained about you
Right to Data Portability
- Obtain copy of personal data in portable, readily usable format
Right to Opt-Out
- Opt out of targeted advertising
- Opt out of sale of personal data
- Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
Right to Appeal
- Appeal our decision regarding your rights request within a reasonable period
9.4 Rights Under CPA (Colorado Residents)
You have the following rights:
Right to Access
- Confirm whether we are processing your personal data
- Access your personal data
Right to Correction
- Correct inaccuracies in your personal data
Right to Deletion
- Delete personal data concerning you
Right to Data Portability
- Obtain copy of personal data in portable, readily usable format
Right to Opt-Out
- Opt out of targeted advertising
- Opt out of sale of personal data
- Opt out of certain profiling
9.5 Rights Under LGPD (Brazil Residents)
You have the following rights (Lei 13.709/2018, Articles 17-18):
Right to Confirmation and Access
- Confirmation of processing of personal data
- Access to personal data
Right to Correction
- Correction of incomplete, inaccurate, or outdated data
Right to Anonymization, Blocking, or Deletion
- Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data
Right to Portability
- Portability of data to another service provider
Right to Information
- Information about public and private entities with which data has been shared
- Information about possibility of denying consent and consequences
Right to Revoke Consent
- Revoke consent at any time
Right to Object
- Object to processing when not compliant with law
Right to Petition
- Petition ANPD regarding your data
9.6 How to Exercise Your Rights
To exercise any of the above rights:
Primary Method: Submit request via privacy@uranion.cloud
Alternative Methods:
- Customer portal: https://uranion.cloud/privacy-requests
- Written request to: Uranion EMEA Ltd, [Address], Attention: Privacy Team
- Phone: [Phone Number] (toll-free for California residents as required by CCPA)
Information Required:
- Your name and email address
- Description of the request and right you wish to exercise
- Sufficient information to verify your identity (may include additional verification steps)
- For California residents using authorized agents: Proof of authorization
Response Timeline:
- GDPR/UK GDPR: 30 days (extendable by 2 additional months for complex requests)
- CCPA/CPRA: 45 days (extendable by additional 45 days with notice)
- VCDPA/CPA: 45 days (extendable by additional 45 days with notice)
- LGPD: Immediately for confirmation; reasonable timeframe for other requests
No Fee: We do not charge a fee for requests unless they are manifestly unfounded, excessive, or repetitive. In such cases, we may charge a reasonable fee or refuse the request.
Verification: We will verify your identity before processing requests to protect your privacy and security. Verification requirements may include:
- Matching information you provide with information we have on file
- Requiring you to log into your account
- Additional verification for sensitive requests
- For authorized agents: Proof of authorization
Appeals (VCDPA/CPA): If we deny your request, you have the right to appeal. We will provide information about the appeals process in our response.
10. Children's Privacy
Our Services are not intended for children under 18 years of age (or under 16 years of age for EU/UK users, or under 13 years for US users where COPPA applies). We do not knowingly collect personal information from children.
If we discover we have collected information from a child under the applicable age threshold, we will delete it immediately. If you believe we have collected information from a child, please contact us at privacy@uranion.cloud.
Note: Account creation requires users to represent that they meet the minimum age requirement.
11. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services not operated by us. This Privacy Policy does not apply to third-party practices.
We are not responsible for the privacy practices, policies, or content of third parties. We encourage you to review the privacy policies of any third-party services before providing personal information.
Integration with Third-Party Services: If you choose to integrate third-party services with our platform (e.g., authentication providers, monitoring tools), those integrations are governed by the third party's privacy policy and terms of service.
12. Marketing and Communications
12.1 Marketing Preferences
With your consent (where required by law), we may send marketing communications about:
- New features and product updates
- Relevant content and resources
- Special offers and promotions
- Industry news and insights
- Surveys and feedback requests
12.2 Opt-Out Rights
Email Marketing:
- Click "unsubscribe" link in any marketing email
- Update preferences in your account settings
- Email us at privacy@uranion.cloud
SMS Marketing (if applicable):
Note: You cannot opt out of transactional or service-related communications (e.g., security alerts, billing notices, important service updates) that are necessary for service provision.
12.3 Do Not Sell My Personal Information / Opt-Out Preference Signals
California Residents:
- We do not sell personal information as defined by CCPA/CPRA
- We honor Global Privacy Control (GPC) signals as opt-out preference signals
- If we change our practices, we will provide opt-out mechanisms as required by law
Virginia/Colorado Residents:
- We do not sell personal information
- We do not engage in targeted advertising
- If our practices change, we will provide appropriate opt-out mechanisms
13. Privacy Impact Assessments and Risk Management
13.1 When We Conduct Assessments (GDPR/UK GDPR/CPRA/VCDPA/CPA/LGPD)
We conduct Data Protection Impact Assessments (DPIAs) or Privacy Impact Assessments for processing activities that present high risks, including:
- Processing sensitive personal information
- Large-scale profiling or automated decision-making
- Processing for targeted advertising purposes
- Sale or sharing of personal data (if applicable)
- Processing that may result in high risk to rights and freedoms
- Systematic monitoring of publicly accessible areas
- Processing of special categories of data
- Transfers to third countries without adequacy decisions
13.2 Assessment Components
Our assessments identify:
- Nature, scope, context, and purposes of processing
- Necessity and proportionality of processing
- Risks to rights and freedoms of individuals
- Measures to address and mitigate risks
- Safeguards and security measures
14. California-Specific Disclosures
14.1 CalOPPA Requirements
This Privacy Policy satisfies California Online Privacy Protection Act (CalOPPA) requirements by disclosing:
- Categories of personally identifiable information collected (Section 4)
- Categories of third parties with whom we may share information (Section 6)
- Process for reviewing and requesting changes to information (Section 9)
- Process for notifying consumers of material changes (Section 17)
- Effective date of this Privacy Policy (at top of document)
14.2 California "Shine the Light" Law
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for their direct marketing purposes.
Disclosure: We do not disclose personal information to third parties for their direct marketing purposes.
14.3 CCPA/CPRA Metrics (Annual Disclosure)
As required by CCPA regulations, we will disclose the following metrics in our annual report:
- Number of requests to know received, complied with, and denied
- Number of requests to delete received, complied with, and denied
- Number of requests to correct received, complied with, and denied (CPRA)
- Number of requests to opt-out received and complied with
- Median number of days to respond to requests
These metrics will be made available upon request or published annually on our website.
14.4 Financial Incentives
We do not offer financial incentives or price or service differences in exchange for the retention, sale, or sharing of personal information.
15. State-Specific Information
15.1 Virginia Residents (VCDPA)
- Enforcement: Virginia Attorney General
- Cure Period: 30 days to cure violations before enforcement action
- Data Protection Assessments: Required for high-risk processing
- Appeals: Right to appeal denial of privacy rights requests
15.2 Colorado Residents (CPA)
- Enforcement: Colorado Attorney General and District Attorneys
- Universal Opt-Out: We honor universal opt-out mechanisms
- Data Protection Assessments: Required for high-risk processing including targeted advertising, profiling, and sensitive data processing
- Purpose Specification: We specify express purposes for data collection
15.3 Brazil Residents (LGPD)
- Supervisory Authority: Brazilian National Data Protection Authority (ANPD)
- Data Subject Rights: Comprehensive rights similar to GDPR
- International Transfers: Conducted using ANPD-approved mechanisms including SCCs
- Legal Bases: Consent, legitimate interest, contract execution, legal obligation
- Sensitive Data: Requires specific consent or legal authorization
16. Supervisory Authorities and Complaints
16.1 EU/EEA Supervisory Authorities
You have the right to lodge complaints with your local supervisory authority. Find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en
16.2 UK Supervisory Authority
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: https://ico.org.uk
Helpline: 0303 123 1113
16.3 Brazil Supervisory Authority
Autoridade Nacional de Proteção de Dados (ANPD)
Website: https://www.gov.br/anpd
Email: atendimento@anpd.gov.br
16.4 US State Enforcement
California: California Privacy Protection Agency (CPPA) - https://cppa.ca.gov
Virginia: Virginia Attorney General - https://www.oag.state.va.us
Colorado: Colorado Attorney General - https://coag.gov
17. Changes to This Privacy Policy
17.1 Updates and Modifications
We may update this Privacy Policy from time to time to reflect:
- Changes in applicable laws or regulations
- Changes to our data practices or Services
- New features or functionality
- Feedback from users or regulators
- Industry best practices
17.2 Notification of Changes
We will notify you of material changes through:
- Email notification to your registered email address
- In-service notification through the customer dashboard
- Website notice at https://uranion.cloud/privacy
- Updated "Last Updated" date at the top of this Policy
17.3 Effective Date of Changes
Changes become effective:
- 30 days after notification for material changes
- Immediately for changes required by law or addressing urgent security concerns
- Immediately for non-substantive clarifications or administrative updates
17.4 Continued Use
Your continued use of the Services after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, discontinue use of the Services and contact us to close your account.
17.5 Material Changes Definition
Material changes include:
- Changes to categories of personal information collected
- New purposes for processing personal information
- Changes to third parties with whom we share information
- Changes to your rights or how to exercise them
- Changes to data retention periods
- Changes to security practices
18. Additional Jurisdiction-Specific Information
18.1 Residents of Other US States
If you reside in a US state with comprehensive privacy legislation not specifically addressed in this Policy, you may have rights similar to those described above. Contact us at privacy@uranion.cloud for information about rights available to you.
18.2 Residents of Other Countries
We comply with applicable data protection laws in all jurisdictions where we operate. If you reside outside the EU/UK/US/Brazil, contact us at privacy@uranion.cloud for information about your privacy rights under local law.
18.3 Cross-Border Data Transfers
We implement appropriate safeguards for international data transfers as required by applicable laws, including:
- EU Standard Contractual Clauses
- UK International Data Transfer Agreement/Addendum
- Brazil ANPD Standard Contractual Clauses
- Adequacy decisions
- Binding Corporate Rules
- Additional technical and organizational measures
19. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our privacy practices:
General Privacy Inquiries:
Email: privacy@uranion.cloud
Support: support@uranion.cloud
Data Protection Officer:
Email: privacy@uranion.cloud
Privacy Rights Requests:
Email: privacy@uranion.cloud
California Residents (CalOPPA/CCPA):
Email: privacy@uranion.cloud
Mailing Address:
Uranion EMEA Ltd
71-75 Shelton Street
Covent Garden, London WC2H 9JQ
United Kingdom
Response Time: We aim to respond to all inquiries within 5 business days and will fully respond to rights requests within the timeframes specified by applicable law.
This Privacy Policy was last updated on October 15, 2025 and is effective immediately.
By using the Services, you acknowledge that you have read, understood, and agree to this Privacy Policy.
© 2026 Uranion EMEA Ltd. All rights reserved