Privacy Policy
Last updated: 16 May 2026
This Privacy Policy explains how UnbuiltHQ ("UnbuiltHQ", "we", "us") collects, uses, stores, and shares personal information when you visit unbuilthq.com, contact us, work with us as a client, or interact with software and integrations we have built and operate on behalf of our clients.
We are based at Brookeside Villa, Modomo Ede Road, Ile-Ife, Osun State, Nigeria. For any privacy question, write to khaleel@unbuilthq.com.
Short version. We collect the minimum personal data we need to run the studio and to operate the integrations our clients hire us to build. We do not sell personal information. You can ask us at any time to access, correct, or delete the data we hold about you — see the Data Deletion page.
1. Who this policy applies to
This policy covers three distinct groups of people:
- Website visitors — anyone browsing unbuilthq.com.
- Prospects and clients — people and businesses who contact us about engagements or work with us under a signed agreement.
- End users of systems we operate — when a client engages us to build and run an integration (for example, a WhatsApp customer support assistant), the end users of that system may have data processed by us on the client's behalf. In that role we act as a data processor; the client is the data controller. Their privacy notice and lawful basis govern that data; this policy describes our practices as their processor.
2. What we collect
2.1 Information you give us
- Identifiers (name, email address, company, role).
- The contents of messages you send us via the contact form, email, scheduled calls, or messaging platforms.
- Project information shared in the course of an engagement — business details, sample data, credentials needed to build and operate the systems we deliver.
2.2 Information we collect automatically
- Basic technical information about your visit: approximate location (from IP), browser, device type, pages viewed, and referring site, retained for security and aggregate analytics. unbuilthq.com does not load any third-party analytics or advertising trackers by default.
2.3 Information processed on behalf of clients
- When operating a client's integration, we may process the data the client's end users provide — typically names, contact identifiers (such as phone numbers for WhatsApp, social handles for Instagram and TikTok), message contents, and any business-specific information the client's system is designed to handle.
3. How we use it
- To respond to enquiries and provide the services you've asked for.
- To deliver, operate, support, and improve the software and integrations we've been engaged to build.
- To meet legal, accounting, and tax obligations.
- To protect the security and integrity of our website and systems.
We do not use personal information to train artificial-intelligence models, and we do not sell or rent personal information to third parties.
4. Lawful bases (for visitors in the EEA, UK, and equivalent regimes)
We rely on the following lawful bases under the GDPR and equivalent laws:
- Performance of a contract — when you are a client and we need to process your data to deliver the work.
- Legitimate interests — running our website, replying to enquiries, securing our systems, recording essential business operations.
- Consent — where you have explicitly opted in (for example, to receive a follow-up email).
- Legal obligation — when retention or disclosure is required by law.
5. Sub-processors and third parties
We work with a small set of trusted third-party providers to deliver our services. Where appropriate, we have written data-processing agreements in place with each.
| Provider | What it processes | Where |
|---|---|---|
| Google Workspace (email, Drive) | Business correspondence, documents, client files | EU / US |
| Meta Platforms (WhatsApp Business Cloud API, Instagram Graph) | End-user messages on client integrations | EU / US |
| Anthropic (Claude API) | Text we explicitly send for AI processing | US |
| OpenAI | Text we explicitly send for AI processing | US |
| Supabase | Application databases for client integrations | EU / Singapore (chosen per project) |
| Airtable | Operational data for client integrations | US |
| n8n (cloud or self-hosted) | Workflow execution | EU / project-specific |
| Cloudflare | Hosting, DNS, edge security for unbuilthq.com | Global |
| Cal.com | Booking scheduling, where used | EU / US |
Some of these providers are located outside Nigeria, the EEA, or the UK. Where personal data is transferred internationally we rely on safeguards including the provider's standard contractual clauses and equivalent mechanisms.
6. Retention
- Enquiry data: kept for up to 24 months after last contact, then deleted unless a contract is in place.
- Client engagement data: kept for the duration of the engagement and for up to seven years afterwards for tax and accounting purposes.
- End-user data processed on behalf of a client: retained according to that client's documented policy; deleted on the client's instruction or at the end of the engagement, whichever is sooner.
- Server and security logs: retained for up to 90 days.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Have your data deleted (the "right to be forgotten").
- Restrict or object to certain processing.
- Receive your data in a portable, machine-readable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority — in Nigeria the Nigeria Data Protection Commission (NDPC), in the EU your local data-protection authority, in the UK the ICO.
For step-by-step instructions on requesting deletion specifically, see our dedicated Data Deletion page.
If the data we hold about you is held on behalf of one of our clients (for example, because you messaged a WhatsApp number our system runs), please first contact the client whose service you were using — they are the data controller. If you can't reach them or aren't sure who they are, write to us and we will help route your request.
8. Security
We follow industry-standard practices to protect personal information: encryption in transit, least-privilege access to systems, separation of client environments, and regular review of credentials. No system is perfectly secure; if we ever become aware of a breach affecting your personal data we will notify you and the relevant authorities as required by law.
9. Cookies
unbuilthq.com is intentionally light on cookies. We may use a small number of strictly-necessary cookies (for example, to remember preferences inside the site). We do not use advertising or third-party tracking cookies on the marketing site. Cookies inside client integrations are governed by that client's privacy notice.
10. Children
Our website and services are not directed at children under 16 and we do not knowingly collect data from them. If you believe we have, contact us and we will delete it.
11. Changes to this policy
We will update this page when our practices change. The "Last updated" date at the top will always reflect the current version. Material changes that affect existing clients or end users will be communicated directly.
12. Contact
Questions, complaints, or requests can be sent to khaleel@unbuilthq.com or by post to:
UnbuiltHQ
Brookeside Villa, Modomo Ede Road
Ile-Ife, Osun State
Nigeria