1. Introduction

This Privacy Policy explains how Atom Labs sp. z o.o., a limited liability company incorporated in the Republic of Poland under KRS 0001231623, NIP 6793362013, with its registered office at Na Zjeździe 11 / 5th Floor, 30-527 Kraków, Poland (“Unfollr”, “we”, “us”) collects, uses, shares, and protects your personal data when you use www.unfollr.com and app.unfollr.com (together, the “Service”).

The Service consists of (a) the public website at www.unfollr.com, which provides free X/Twitter tools, calculators, and content without requiring an account, and (b) the web application at app.unfollr.com (the “App”), which currently provides Instagram follower tracking with paid subscription plans, and which will expand to cover X/Twitter in the future.

We are the data controller for personal data processed through the Service within the meaning of the EU General Data Protection Regulation 2016/679 (“GDPR”).

We are committed to protecting your privacy and to keeping the Service’s data footprint as small as practical. Specifically:

We do not sell your personal data.
We do not show third-party advertising on the Service.
We do not perform behavioural profiling for advertising or cross-context tracking.
We do not use your data to train artificial-intelligence or machine-learning models.
We do not collect your Instagram or X/Twitter login credentials, do not scrape those platforms, and do not access your social-media accounts on your behalf. You upload only the data export that you generated yourself from those platforms.

2. Personal Data We Collect

2.1 Data You Provide Directly

Account information (App only): name, email address, profile picture, and authentication identifier obtained when you sign in via Google, Apple, or email-and-password (provided through Firebase Authentication). The public website at www.unfollr.com does not require an account.
Uploaded social-media data (App only): the contents of the ZIP file or other export you upload, which contains your followers list, following list, timestamps, and related metadata. Currently this is your Instagram Data Export; in the future this may also include exports from X/Twitter.
Account preferences (App only): labels for your social handles, the currently active account, viewed-status flags, “spy” targets, and onboarding answers.
Inputs to free tools (website): values you enter into calculators or tools on www.unfollr.com (e.g., character counts, engagement-rate inputs). These are processed in your browser and are not stored on our servers, except where you explicitly save or share a result.
Communications: messages, feedback, and support requests you send to us.

2.2 Data Collected Automatically

Device and usage data: browser type and version, operating system, device type, language, referrer, pages visited, and approximate location derived from IP address (country/region only).
Analytics events: aggregated, privacy-friendly usage events collected through Datafast (such as page views and feature interactions).
Server logs: IP address, timestamps, and request metadata recorded for security, fraud prevention, and debugging.
Cookies and similar technologies: see Section 9.

2.3 Data Collected via Payment Processors

Subscription status and order details: the plan you purchased, billing cycle, renewal date, and a transaction identifier. Payment-card data is collected and stored by Paddle (our merchant of record). We never see your full card number.

3. Legal Bases for Processing (GDPR)

We rely on the following legal bases under Article 6 GDPR:

Performance of a contract (Art. 6(1)(b)) — to provide the Service you requested, including authenticating you, processing your uploads, computing comparisons, and managing your subscription.
Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud and abuse, debug errors, analyse aggregate usage to improve features, and communicate service-related notices. We weigh these interests against your rights and freedoms.
Consent (Art. 6(1)(a)) — for non-essential cookies and analytics where required by law, and for any direct marketing communications. You can withdraw consent at any time.
Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and consumer-protection laws.

Where you upload a social-media data export (currently from Instagram, in the future also from X/Twitter) that contains personal data of third parties (your followers and accounts you follow), we process that data on your behalf as part of providing the App to you. You are responsible for ensuring you have a valid legal basis to process that third-party data.

4. How We Use Your Data

We use personal data to:

Provide, operate, and maintain the website and the App
Parse uploaded social-media data exports (currently Instagram, in the future also X/Twitter) and compute comparison and aggregation results inside the App
Manage your account, plan, and subscription, and process payments through Paddle and RevenueCat
Authenticate you and protect against unauthorised access
Provide customer support and respond to feedback or enquiries
Send service-related notices (security alerts, billing updates, material changes to these Policies) and, with your consent, marketing emails
Analyse aggregate usage to improve the Service, debug issues, and detect abuse
Comply with legal obligations and enforce our Terms of Service

5. How We Share Your Data

We share personal data only as described below. We do not sell your personal data.

5.1 Service Providers (Processors)

We share data with carefully selected processors that help us operate the Service, under appropriate data-processing agreements:

Google LLC / Google Ireland Ltd (Firebase Authentication, Cloud Firestore, Cloud Functions) — authentication, database, and serverless backend.
Paddle.com Market Limited — merchant of record for payments (acts as an independent controller for tax and fraud-prevention purposes).
RevenueCat, Inc. — subscription management.
Vercel, Inc. — application hosting and edge delivery.
Datafast — privacy-friendly product analytics.
Featurebase — feedback and feature-request collection (when you choose to submit feedback).

5.2 Legal and Safety

We may disclose personal data when we reasonably believe disclosure is:

Required by law, regulation, court order, or legal process
Necessary to protect the rights, property, or safety of Unfollr, our users, or others
Necessary to investigate or prevent fraud, abuse, or security incidents

5.3 Business Transfers

If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction, subject to standard confidentiality safeguards. We will notify you of any change in ownership or material change in how your data is used.

6. International Data Transfers

Some of our processors are located outside the European Economic Area (“EEA”), notably in the United States. When we transfer personal data outside the EEA, we rely on appropriate safeguards under Articles 46 and 47 GDPR, including the European Commission’s Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. You can obtain a copy of the safeguards in place by contacting us at the address in Section 14.

7. Data Retention

We retain personal data only for as long as is necessary for the purposes set out in this Policy:

Account and uploaded social-media data: for as long as your account is active. When you delete your account, we delete the associated data within 30 days from active systems, subject to limited backup retention of up to 90 days.
Inactive accounts: if you have not signed in or uploaded new data for 24 consecutive months, we will email you a reminder and, absent a response within 30 days, delete your uploaded snapshots and aggregated profile data. Your account itself remains so you can return — only the audit data is removed.
Snapshots and uploaded export files: we delete the original uploaded file after parsing; structured snapshot data is retained until you delete it or the 24-month inactivity rule triggers.
Payment and tax records: Paddle retains transaction records for the period required by applicable tax law (typically up to 5 years in Poland).
Server logs: up to 90 days, unless required for security or legal investigations.
Analytics events: retained per our analytics provider’s policies (typically up to 24 months in aggregated form).
Support correspondence: up to 24 months after the last interaction.

8. Security

We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encryption in transit (HTTPS/TLS), encryption at rest where supported by our processors, access controls, server-side computation of sensitive results to prevent client-side reverse-engineering, and routine security reviews. No method of transmission or storage is 100 % secure; we cannot guarantee absolute security.

If we become aware of a personal-data breach affecting your data, we will notify the competent supervisory authority and (where required) you, in accordance with Articles 33 and 34 GDPR.

9. Cookies and Similar Technologies

The Service uses a small number of cookies and similar technologies:

Strictly necessary: session cookies set by Firebase Authentication and our backend to keep you signed in and to enforce security.
Functional: preferences such as your selected theme and active Instagram account, stored in localStorage on your device.
Analytics: privacy-friendly counters set by Datafast (no cross-site tracking, no advertising identifiers).

You can control cookies through your browser settings. Disabling strictly-necessary cookies will prevent the Service from functioning correctly.

10. Your Rights (GDPR)

If you are in the EEA, the United Kingdom, or Switzerland, you have the following rights, subject to applicable law:

Access (Art. 15) — obtain a copy of the personal data we hold about you
Rectification (Art. 16) — correct inaccurate or incomplete data
Erasure (Art. 17) — request deletion of your data
Restriction (Art. 18) — restrict processing in certain cases
Data portability (Art. 20) — receive your data in a structured, machine-readable format
Objection (Art. 21) — object to processing based on legitimate interests
Withdraw consent (Art. 7(3)) — at any time, where processing is based on consent
Lodge a complaint (Art. 77) — with your local supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO), uodo.gov.pl.

You can exercise most of these rights directly from your account settings (export, delete account). For other requests, contact us at the address in Section 14. We will respond within one month, with the possibility of extension by up to two further months for complex requests.

11. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, to request access and deletion, to correct inaccurate information, and to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. To exercise your rights, contact us at the address in Section 14.

12. Children’s Privacy

The Service is not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes, we will provide reasonable advance notice through the Service or by email. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

14. Contact Us

For privacy-related questions or to exercise your rights, please contact our data-protection point of contact:

Atom Labs sp. z o.o.
Na Zjeździe 11 / 5th Floor, 30-527 Kraków
Poland
KRS: 0001231623 · NIP: 6793362013
Email: hello@unfollr.com
Subject line for GDPR requests: “GDPR Request”