LAST UPDATED AT: April 17, 2026

Privacy Policy

Untap, Inc.

Last updated: April 17, 2026
Effective date: April 17, 2026


Untap, Inc. ("Untap", "we", "our", or "us") respects your privacy and is committed to processing your personal data lawfully, transparently, and securely. This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and the rights available to you.


This policy applies to our websites (untap.tech, untap.us, and any subdomain of these), our platform, and our related services (collectively, the "Services").


If you are located in the European Economic Area (EEA), United Kingdom, California, Saudi Arabia, or the United Arab Emirates, additional region-specific terms apply at the end of this policy.


If you have questions about this policy or your data, contact us at privacy@untap.tech.

1. Who we are and our role

Untap, Inc. is a Delaware C-Corporation with operational offices in Cairo, Egypt (through Untap Egypt). Our registered office address is available on request.


Our role depends on the data involved:


Controller. We act as the controller for: visitor data collected through our marketing websites, account registration data for our customers (the organizations that subscribe to our Services), billing data, marketing contact data, and support interactions.


Processor. We act as the processor for data that our customers upload, collect, or generate through the platform in connection with their innovation programs, competitions, grants, scholarships, hackathons, or talent initiatives. This includes participant submissions, evaluations, judge feedback, and related program data ("Customer Data"). Our customers are the controllers of this Customer Data. Our processing of Customer Data is governed by our Data Processing Agreement (DPA) with each customer.

2. Data we collect

2.1 Data you provide
  • Account data: name, work email, company name, job title, phone number (optional), password.

  • Billing data: billing contact, billing address, VAT/tax ID, payment method details (processed by our payment processor; we do not store full card numbers).

  • Participant data: name, email, and any additional fields the program administrator configures (which may include CV/resume, portfolio, demographic data, educational background, and files uploaded in response to submission forms).

  • Communications: messages you send to our support team, sales team, or through in-app chat.

  • Marketing opt-ins: your email and preferences when you subscribe to newsletters or request content.

2.2 Data we collect automatically
  • Device and connection data: IP address, browser type and version, operating system, device identifiers, time zone, and referring URL.

  • Usage data: pages visited, features used, time spent on pages, clicks, and interactions with our platform.

  • Cookies and similar technologies: see our separate Cookie Policy.

2.3 Data from third parties
  • Enrichment data: publicly available business data (company size, industry, LinkedIn profile URL) obtained from enrichment providers for B2B sales and marketing.

  • Single Sign-On (SSO): if you sign in with Google, Microsoft, or another identity provider, we receive your name, email, and profile photo.

  • Referral data: if you were referred to us, we may receive the referrer's ID and your contact details.

2.4 Sensitive personal data

We do not intentionally collect sensitive categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation, trade union membership, or genetic data) unless a customer explicitly configures their program to collect such data for a legitimate purpose (for example, a scholarship program collecting protected-class demographics for reporting obligations).


Where a customer configures the collection of sensitive data, the customer is the controller and is responsible for obtaining the lawful basis (typically explicit consent) from participants.

3. Why we process your data and our lawful basis

Under GDPR, UK GDPR, Saudi PDPL, and UAE PDPL, we must identify a lawful basis for each processing purpose. Our purposes and bases are:

| Purpose | Data categories | Lawful basis (GDPR / UK GDPR) |
| --- | --- | --- |
| Create and operate your account | Account data, billing data | Performance of a contract (Art. 6(1)(b)) |
| Deliver the Services to customers | Account data, Customer Data | Performance of a contract (Art. 6(1)(b)); for Customer Data, we act as processor under our DPA |
| Process payments | Billing data | Performance of a contract (Art. 6(1)(b)); legal obligation for tax and accounting (Art. 6(1)(c)) |
| Provide customer support | Account data, communications | Performance of a contract (Art. 6(1)(b)); legitimate interest in supporting users (Art. 6(1)(f)) |
| Send service-related emails (receipts, security alerts, product updates) | Account data | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Send marketing emails to prospects | Contact data | Consent (Art. 6(1)(a)) where required; legitimate interest in promoting our B2B services to business contacts (Art. 6(1)(f)) |
| Improve and secure the platform | Usage data, device data | Legitimate interest in operating and securing our Services (Art. 6(1)(f)) |
| Prevent fraud and abuse | Account data, usage data, device data | Legitimate interest in platform security (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Analyze aggregated program data to improve insights and benchmarks | Aggregated Customer Data (de-identified) | Legitimate interest in product improvement (Art. 6(1)(f)), with opt-out available |
| Comply with legal obligations | Any relevant data | Legal obligation (Art. 6(1)(c)) |

Where we rely on legitimate interests, we have conducted a balancing test. You can request a summary of that assessment by contacting privacy@untap.tech.

4. How we use Customer Data (our processor role)

When you are a participant in a program hosted on Untap, the organization running the program is the controller of your data. We process your submissions, evaluations, and related data only:

  • To deliver the Services to the customer;

  • Under the written instructions of the customer, as set out in our DPA;

  • To comply with legal obligations that apply to us directly.

We do not sell Customer Data. We do not use Customer Data to train general-purpose AI models. Any AI or machine learning features operate on a per-customer basis, only on that customer's data, and only where the customer has enabled the feature.

5. Automated decision-making and profiling

Untap offers optional AI-assisted features, including:

  • Screening assistance: suggests which submissions may match eligibility criteria configured by the customer.

  • Evaluation support: summarizes long submissions for reviewers.


These features do not make binding decisions about participants. A human reviewer from the customer's team must review and approve any outcome that affects a participant (such as selection, funding, or rejection). Customers are contractually required to ensure human review.


If you are a participant and want to know whether automated tools were involved in processing your submission, contact the program administrator directly or email us at privacy@untap.tech. You have the right to request human review of any decision with significant effects on you (GDPR Art. 22).

6. Who we share data with

We share data only with the following categories of recipients:

We do not sell personal data, as defined under the California Consumer Privacy Act (CCPA) and equivalent laws, and we do not engage in cross-context behavioral advertising using personal data.

6.1 Sub-processors

We engage trusted third parties to deliver the Services (hosting, email delivery, analytics, payments, customer support). A current list of sub-processors is published on our Trust Center at trust.untap.tech and is updated before any new sub-processor is added. Customers with active DPAs receive notice of changes at least 30 days in advance and may object to new sub-processors under the terms of the DPA.

6.2 Customers

If you are a participant, your submission and related data are accessible to the customer running the program (their designated administrators, judges, and reviewers) in line with the program's configuration.

6.3 Legal and regulatory disclosures

We may disclose data if required by law, subpoena, court order, or regulatory request, or where disclosure is necessary to protect our rights, the safety of users, or the integrity of the Services. Where legally permitted, we will notify the affected user or customer before disclosure.

6.4 Business transfers

If Untap is acquired, merged, or reorganized, personal data may be transferred as part of the transaction. Any successor entity will be bound by terms no less protective than this policy, and we will notify affected customers.

6.5 With your consent

Any other sharing requires your explicit consent, which you can withdraw at any time.

7. Data hosting and international data transfers

7.1 Where your data is hosted

Untap hosts Customer Data in regional data centers to support data residency requirements and optimize performance for our customers:

| Region | Infrastructure provider | Customer location |
| --- | --- | --- |
| European Union | Amazon Web Services (AWS) | Default hosting region for all customers, including EEA, UK, and Switzerland |
| Kingdom of Saudi Arabia | Google Cloud Platform | Available on request for Saudi customers (typically government and regulated sectors), configured per contract |
| State of Qatar | Google Cloud Platform | Available on request for Qatari and regional customers, configured per contract |
| United States | Amazon Web Services (AWS) | US customers, global customers who select US residency, and backup locations |

Customers can request a specific hosting region in their order form or contract, subject to availability.

7.2 Transfers outside the EEA, UK, and Switzerland

When we transfer personal data from the EEA, UK, or Switzerland to a country outside these regions, we rely on appropriate safeguards:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) for transfers from the EEA;

  • UK International Data Transfer Addendum (IDTA) or UK SCCs for transfers from the UK;

  • Adequacy decisions where available;

  • Supplementary technical and organizational measures (encryption in transit and at rest, access controls, audit logging).

7.3 Saudi Arabia (PDPL)

Where a Saudi customer requests in-Kingdom hosting, personal data of Saudi residents is hosted in Google Cloud Platform data centers located within the Kingdom of Saudi Arabia. For Saudi customers on our default European hosting, and for any transfer of Saudi personal data outside KSA, we rely on the transfer mechanisms permitted under the Saudi Personal Data Protection Law (PDPL), including SDAIA-approved frameworks and transfer impact assessments.

7.4 United Arab Emirates

For processing of UAE personal data, Customer Data is hosted in our default European Union region (or another region configured by the customer). We rely on the transfer mechanisms permitted under UAE Federal Decree-Law No. 45 of 2021 and the executive regulations issued by the UAE Data Office.

7.5 Qatar and other regional transfers

Where Customer Data is hosted in Qatar at the customer's request, transfers outside Qatar (for example, for global support or disaster recovery) are conducted under appropriate contractual safeguards and in line with Qatari data protection law (Law No. 13 of 2016 on Personal Data Privacy Protection).


You can request a copy of the safeguards we use by emailing privacy@untap.tech.

8. Data retention

We retain personal data only as long as necessary for the purposes described, with the following default periods:

| Data category | Retention period |
| --- | --- |
| Active account data | For the duration of the subscription plus 90 days after termination for account recovery, then deleted or anonymized |
| Billing and invoice records | 7 years after the transaction (US and EU tax obligations) |
| Customer Data (participant submissions, etc.) | Retained and deleted per the customer's instructions in the DPA; default is deletion within 90 days of contract termination |
| Marketing contact data | Until you unsubscribe or 3 years after last engagement, whichever is earlier |
| Support tickets | 3 years from ticket closure |
| Security logs | 12 months |
| Cookies | See our Cookie Policy for per-cookie retention |
| Backups | Up to 35 days after primary deletion |

Some data may be retained longer if required for legal defense, regulatory compliance, or ongoing legal proceedings.

9. Your rights

Depending on your location, you have some or all of the following rights:

  • Access: request a copy of your personal data.

  • Rectification: correct inaccurate or incomplete data.

  • Erasure: request deletion of your data (subject to legal retention obligations).

  • Restriction: limit how we process your data.

  • Portability: receive your data in a structured, machine-readable format, or request that we transmit it to another controller.

  • Objection: object to processing based on legitimate interests or for direct marketing (marketing objections are always honored).

  • Withdraw consent: where we rely on consent, withdraw it at any time without affecting prior lawful processing.

  • Automated decisions: request human review of decisions made solely by automated means that have significant effects on you.

  • Non-discrimination: exercise these rights without being treated differently in the price or quality of Services.

  • Complaint: lodge a complaint with your local supervisory authority (see Section 13).


How to exercise your rights: email privacy@untap.tech. If you are a participant in a program, we will forward your request to the relevant customer (the controller) within 5 business days and support them in responding.


We will respond within 30 days (GDPR/UK GDPR), 45 days (CCPA/CPRA, extendable by 45 more days), or the period required by your local law. We may request information to verify your identity before fulfilling a request.

10. Security

We implement technical and organizational measures aligned with our ISO/IEC 27001:2022 certification (certificate IS-IA-2026-01-30-02, issued January 30, 2026, valid through January 2029, certified by Insight Assurance), including:


  • Encryption in transit (TLS 1.2+) and at rest (AES-256);
  • Role-based access control and least-privilege access;
  • Multi-factor authentication for all internal systems;
  • Continuous security monitoring and intrusion detection;
  • Regular penetration testing and vulnerability scans;
  • Secure software development lifecycle;
  • Employee security training and background checks;
  • Documented incident response procedures.


We are also pursuing SOC 2 Type II attestation. Additional details are available at trust.untap.tech (or by contacting security@untap.tech).


No system is completely secure. If you believe your account has been compromised or you have identified a vulnerability, contact security@untap.tech.

11. Data breach notification

If we become aware of a personal data breach likely to result in a risk to the rights and freedoms of affected individuals, we will:
  • Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33);
  • Notify affected individuals and customers without undue delay where the breach is likely to result in a high risk;
  • Notify customers (as controllers) in accordance with the terms of the applicable DPA, typically within 48 hours;
  • Provide all information necessary for the customer or individual to assess the incident and fulfill their own obligations.

12. Children's privacy

The Services are intended for business users. Participants in customer programs may be under 18 where the customer has designed the program accordingly (for example, youth scholarships or student hackathons).


We do not knowingly collect data from children under 13 in the United States (COPPA), under 16 in the EEA (GDPR Art. 8, subject to lower thresholds in some Member States), or under 15 in Saudi Arabia without verifiable parental or guardian consent, which is the responsibility of the customer running the program. Customers running programs for minors must obtain the necessary consents and disclose them in the program terms.


If you believe a child's data has been provided to us without appropriate consent, email privacy@untap.tech and we will promptly delete it.

13. Regional provisions

13.1 European Economic Area and Switzerland
  • Controller: Untap, Inc. (for data where we are the controller).
  • EU Representative (GDPR Art. 27): Untap is in the process of appointing an EU Representative. In the interim, data subjects in the EEA may contact us directly at privacy@untap.tech for all matters related to the processing of their personal data, and we will respond within the timeframes required by the GDPR.
  • Supervisory authority: You may lodge a complaint with any EEA Data Protection Authority, typically the one in your country of residence. A list is available at edpb.europa.eu.
13.2 United Kingdom
  • UK Representative (UK GDPR Art. 27): Untap is in the process of appointing a UK Representative. In the interim, data subjects in the UK may contact us directly at privacy@untap.tech for all matters related to the processing of their personal data.
  • Supervisory authority: Information Commissioner's Office (ICO), ico.org.uk.
13.3 California (CCPA / CPRA)
Categories of personal information collected in the past 12 months: identifiers (name, email, IP address), commercial information (billing), internet activity (usage data), professional information (job title, company), inferences (segments for B2B marketing). Full detail is in Section 2.
| Category (CCPA) | Examples | Collected |
| --- | --- | --- |
| Identifiers | Name, email, IP address, account ID | Yes |
| Customer records (Cal. Civ. Code §1798.80) | Billing address, phone number | Yes |
| Protected classifications | Age, gender (only if submitted in program context) | If submitted |
| Commercial information | Products purchased, subscription history | Yes |
| Internet or network activity | Browsing, usage, interactions with our platform | Yes |
| Geolocation data | Approximate (IP-based) location | Yes |
| Audio, electronic, visual information | Files uploaded to submissions (video, images, documents) | If submitted |
| Professional or employment information | Job title, company, work history | Yes |
| Education information | Submitted by participants in education programs | If submitted |
| Inferences | B2B targeting segments | Limited |
| Sensitive personal information | Account credentials (for security) | For auth only |
  • Sources: directly from you, from your device, from your employer (our customer), from enrichment providers, from referrers.
  • Business or commercial purpose: as described in Section 3.
  • Categories of recipients: sub-processors, customers, legal authorities (see Section 6).
  • Sale or sharing: we do not sell or share personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information: we do not use sensitive personal information for any purpose beyond what is permitted by Cal. Civ. Code §1798.121 without consent. A "Do Not Sell or Share My Personal Information" link is available in our website footer and is set to no-sale/no-share by default.
  • Shine the Light (Cal. Civ. Code §1798.83): we do not share personal information with third parties for their direct marketing purposes.
  • Authorized agents: you may designate an authorized agent to submit requests. We will require proof of authorization.
13.4 Saudi Arabia (PDPL)
  • Data Controller Representative in KSA: Untap is in the process of appointing a representative in the Kingdom of Saudi Arabia. In the interim, data subjects in KSA may contact us directly at privacy@untap.tech.
  • Supervisory authority: Saudi Data and Artificial Intelligence Authority (SDAIA), sdaia.gov.sa.
  • Data transfers: conducted in line with PDPL Article 29 and SDAIA's transfer regulations, using approved transfer mechanisms and risk assessments.
13.5 United Arab Emirates (PDPL)
  • Supervisory authority: UAE Data Office (for federal PDPL) or the relevant free zone regulator (DIFC Commissioner of Data Protection, ADGM Office of Data Protection) where applicable.
  • Data transfers: conducted in line with UAE Federal Decree-Law No. 45 of 2021 and any applicable free zone regulations.
13.6 Egypt
  • We operate Untap Egypt in Giza and comply with Egyptian Personal Data Protection Law No. 151 of 2020 for processing of personal data of data subjects located in Egypt.

14. Changes to this policy

We may update this policy to reflect changes in our Services or legal obligations. The "Last updated" date at the top reflects the most recent revision. For material changes, we will notify you at least 30 days before the change takes effect via email (for registered users) and an in-product notice. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

15. Contact us

For any privacy-related inquiry, request, or complaint:
If you do not receive a satisfactory response within 30 days, you may escalate to your local supervisory authority (see Section 13).