At Unless, we store different types of data with tailored security levels and location controls, fully compliant with GDPR, the EU AI Act, and other regulations. While our system operates globally, all personal data is securely stored within the EU at the highest security standards.
Non-personal data
To ensure fast global service, all functional data is served from DynamoDB, Amazon Web Services’ high-performance database. This data does not include personal information.
DynamoDB supports live operations only, storing necessary configurations for each customer. By default, data is distributed across Europe, the western US, and an additional cluster in the eastern US.
AI data
Training data
By keeping training data outside the LLM, our system supports real-time data management in line with GDPR requirements for transparency and control.
Our Retrieval-Augmented Generation (RAG) platform stores data externally, applying user-level access control to comply with the EU AI Act and GDPR’s principles of data minimization. This structure limits data access to essential user groups only, reducing risk and supporting secure, purpose-driven processing.
Training data is stored securely in the EU within a Postgres database, where it is pseudonymized or anonymized by default. Additional measures, like PII stripping and tokenization, ensure data security while preserving relevant context.
User prompt data
If personally identifiable information (PII) in an end user’s message unintentionally enters downstream services, it can be challenging to locate and delete. To prevent this, our PII filters remove such data from user prompts using a machine learning model, ensuring it’s discarded promptly.
Intentionally provided data (for example in an AI-generated form) is stored in a structured, obfuscated form in a secure DynamoDB table within the EU, preserving user context safely.
Personal data during AI inference
When personal context is relevant to the AI, PII in prompts can’t simply be removed; instead, it’s obfuscated using tokenization.
Here’s how it works: the system identifies and de-identifies sensitive information, passing only a non-sensitive version of the prompt to the model. The response is then re-identified before being sent back to the user. This keeps PII entirely out of the model’s reach, removing the AI from the compliance loop.
Despite this, we ensure that only EU-hosted AI models, aligned with EU legislation, are used.
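The de-identify and re-identify round trip described above can be sketched as follows. This is an added example, not Unless's own code: the regex detectors (standing in for a PII detection model), the `[[KIND_xxxxxxxx]]` token format, and the names `TokenVault`, `fake_model` and `answer` are assumptions made for illustration.

```python
import re
import secrets

# Assumption: regex detectors stand in for a real PII detection model.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}
TOKEN_RE = re.compile(r"\[\[(?:EMAIL|PHONE)_[0-9a-f]{8}\]\]")


class TokenVault:
    """Request-scoped mapping between PII values and opaque tokens."""
    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def _token_for(self, kind, value):
        # Same value -> same token, so the model keeps referential context.
        if value not in self._by_value:
            token = f"[[{kind}_{secrets.token_hex(4)}]]"
            self._by_value[value], self._by_token[token] = token, value
        return self._by_value[value]

    def deidentify(self, text):
        for kind, pattern in PII_PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self._token_for(k, m.group(0)), text)
        if any(p.search(text) for p in PII_PATTERNS.values()):
            raise RuntimeError("PII survived de-identification; refusing to send")
        return text

    def reidentify(self, text):
        # Tokens the vault never issued (e.g. invented by the model) stay as-is.
        return TOKEN_RE.sub(lambda m: self._by_token.get(m.group(0), m.group(0)), text)


def fake_model(prompt):
    """Hypothetical stand-in for the LLM call: it only ever sees tokens."""
    tokens = TOKEN_RE.findall(prompt)
    return f"I will send the confirmation to {tokens[0] if tokens else 'you'}."


def answer(user_prompt, model=fake_model):
    vault = TokenVault()  # discarded after the request; never sent to the model
    safe_prompt = vault.deidentify(user_prompt)
    return safe_prompt, vault.reidentify(model(safe_prompt))


if __name__ == "__main__":
    print(answer("Mail jane.doe@example.com or call +31 20 555 0100."))  # constructed input
```

The vault is the only place where token and value meet, so its lifetime and storage location determine where the personal data actually resides.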
Conversations
Historical conversations between our AI and end users are stored solely for analysis in secure S3 buckets within the EU. These files adhere to our retention policy.
End user identifiers
The Identify API enables personalization and machine empathy for logged-in users, under the condition of a legitimate interest under GDPR. Identifiable data (such as email and name) is stored securely in a separate DynamoDB table in Europe.
Customers can add their own visitor traits, for instance, through CRM integrations like HubSpot. Below is an example of possible traits.
Pseudonymized segmentation data
Unless offers a consent API for audience segmentation, enabling users to allow cookie-based tracking of their end users. After consent, any such data may be stored for the purpose of analysis, exclusively in Europe, in a secure, pseudonymized format using Redshift.
Page visit data
With consent, the following page visit data points may be stored in a pseudonymized way. Without consent, data may only be used during the page load and is not stored at all.
Data point | Stored | Available for segmentation |
---|---|---|
Domain | Yes | Yes |
Event name | Yes | Yes |
Landing page | Yes | Yes |
Referer | Yes | Yes |
Returning visitor | Yes | Yes |
Path | Yes | Yes |
Browser | Yes | Yes |
Browser language | Yes | Yes |
Isdesktop | Yes | Yes |
Ismobile | Yes | Yes |
Istablet | Yes | Yes |
Os | Yes | Yes |
Viewsize | Yes | Yes |
City | Yes | Yes |
Countrycode | Yes | Yes |
Countryname | Yes | Yes |
Currency | Yes | Yes |
Hemisphere | Yes | No |
Latitude | Yes | No |
Longitude | Yes | No |
Regioncode | Yes | Yes |
Regionname | Yes | No |
Timezone | Yes | No |
Traderegion | Yes | Yes |
Zipcode | Yes | Yes |
Hash | Yes | Yes |
Querystring parameter | Yes | Yes |
Utm_Campaign | Yes | Yes |
Utm_Content | Yes | Yes |
Utm_Medium | Yes | Yes |
Utm_Source | Yes | Yes |
Utm_Term | Yes | Yes |
Duration | Yes | Yes |
Number of pageviews | Yes | Yes |
Date | Yes | Yes |
Day | Yes | No |
Day of week | Yes | Yes |
Hour | Yes | No |
Minute | Yes | No |
Month | Yes | No |
Time | Yes | Yes |
Time of day | Yes | No |
Time of year | Yes | No |
Year | Yes | No |
Session data after consent
On a session level and after consent only, we may track the following.
Data point | Stored | Available for segmentation |
---|---|---|
Returning visitor? | Yes | No |
Did the visitor bounce? | Yes | No |
Session interval | Yes | No |
Number of pages in session | Yes | No |
Total session duration | Yes | No |