Data Policy

Plain English on what we collect, why, and where it goes.

Last updated: May 25, 2026

This Data Policy describes the data Unycorn.io (the "Service") collects, how we use it, who processes it on our behalf, and how long we keep it. It applies to everyone who interacts with the Service — anonymous visitors, registered users, and paying customers.

It complements, and should be read alongside, our Privacy Policy, Terms of Service, GDPR Notice, and Data Processing Agreement, all linked in the footer. Where this document and the Privacy Policy overlap, the Privacy Policy governs the broader legal framing while this page explains the practical mechanics.

1. Introduction

Unycorn is an AI-powered startup-idea validator. To analyze the ideas you submit and return useful reports, we collect a limited set of personal and usage data and rely on a handful of third-party services to operate. This policy sets out exactly what that means in practice, so you can make an informed decision before and while using the Service.

2. Data We Collect

Depending on how you use the Service, we may collect the following categories of data:

  • Account data — your email address, your name (if provided when you sign in with Google), and a securely hashed password (using bcrypt) when you register with email and password.
  • Authentication data — session tokens issued during sign-in, one-time magic-link verification tokens, and the Google OAuth identifier associated with your account when you sign in with Google.
  • Subscription & billing data — your Stripe customer identifier, your current plan, and billing status. Full payment-card details are stored by Stripe, our payment processor, and are not stored by Unycorn.
  • Product usage data — the startup ideas you submit to the validator, the reports we generate from them, the credits you consume, and your interactions with features of the Service.
  • Derived & enrichment data — signals we compute from publicly available sources (such as Product Hunt, GitHub, Wikipedia, and search APIs) and store alongside competitor records and supporting evidence used to enrich your reports.
  • Technical data — your IP address, user agent, and basic request logs kept for security and abuse prevention, along with the result of the Cloudflare Turnstile challenge presented during signup.

3. How We Use Your Data

We use the data described above to:

  • Provide and operate the idea-validation product, including its analyze, deep, and deep-plus tiers.
  • Authenticate users and manage subscriptions and billing.
  • Send transactional email — verification messages, magic links, and billing notifications — via Resend.
  • Improve product quality, where aggregated and anonymized signals from reports may inform engine tuning.
  • Prevent abuse and keep the Service secure, including through Cloudflare Turnstile and rate limiting.

We do not sell your personal data, and we do not use the idea text you submit to train third-party foundation models. Idea text is sent to our active large language model (LLM) provider only to generate your report, as described in the next section.

4. Where Your Data Is Processed (Subprocessors)

We rely on a small number of third-party services ("subprocessors") to run the Service. The list below is provided for transparency rather than as a contractual commitment, and describes what each provider does:

  • Vercel — application hosting and edge delivery.
  • Neon — Postgres database hosting.
  • Sanity — a historical content management system that is being phased out; no new user-generated data is written to it.
  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • Google — OAuth sign-in, only if you choose to sign in with Google.
  • Cloudflare — Turnstile bot and abuse mitigation.
  • Deepseek and/or xAI (Grok) — LLM providers used to generate reports. Prompts containing your idea text are sent to the active LLM provider for inference.
  • SearchAPI.io / Serper.dev / SerpApi — web search and Google Trends data sources used to enrich reports.

The active LLM and search providers can change over time. The current selection is documented in our deployment configuration, and this list will be updated to reflect material changes.

5. Data Retention

We keep data only for as long as it serves the purposes described in this policy:

  • Account records are retained while your account is active and for a reasonable period after a deletion request, where we are required to keep them for legal or billing reasons.
  • Generated reports are retained so you can revisit them; you can request their deletion at any time.
  • Trends and keyword observations may be retained in aggregate form for up to 365 days to reduce redundant calls to third-party search and trends APIs.
  • Server logs are retained for a short operational window — typically around 30 days — for security and troubleshooting.

6. Your Rights

You can access, correct, export, and request deletion of your personal data. You can also withdraw consent and close your account at any time.

For EU/EEA-specific rights, see our GDPR Notice and Data Processing Agreement. Our Privacy Policy sets out the broader policy and legal bases for processing.

To exercise any of these rights, email us at info@unycorn.io.

7. Security

We protect data in transit with TLS, store passwords as bcrypt hashes, and apply least-privilege access to the production database. Secrets are held in our deployment platform's encrypted environment store, and we use Cloudflare Turnstile together with rate limiting to defend against automated abuse. No system is perfectly secure; in the event of a breach affecting your data, we will notify affected users as required by applicable law.

8. International Transfers

Because our subprocessors operate globally, your data may be processed in jurisdictions outside your home country. Where applicable, we rely on standard contractual mechanisms to safeguard such transfers.

9. Children

The Service is not directed at users under 16, and we do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us so we can remove it.

10. Changes to This Policy

We may update this document from time to time. The "Last updated" date at the top reflects the most recent revision. Where changes are material, we will communicate them by email or through an in-app notice.

11. Contact

For any questions about this Data Policy or how we handle your data, contact:

Email: info@unycorn.io

Company: Flow Lab EU OÜ

Or reach us via our contact page.

Explore Collections

Curated sets of validated startup ideas, grouped by theme.