
Privacy Policy

Effective date: 13 March 2026
Last updated: 13 March 2026
Entity: UCCA INC, a Delaware C-Corporation


1. Who We Are

UCCA INC ("UCCA", "we", "us") is a Delaware C-Corporation (File No. 7824354) that operates a legislative compliance engine and associated services. Our principal operations are conducted from Brisbane, Australia.

2. What We Collect

We collect information you provide directly:

  • Contact details — name, email address, mobile phone number, company name
  • Verification data — email confirmation status, phone verification status
  • Interaction records — timestamped ledger of interactions with UCCA services (the Verified Contact Chain)

We collect automatically:

  • Network metadata — IP address, ASN, approximate location (country, city)
  • Device metadata — user agent, device type
  • Request metadata — pages visited, timestamps, Cloudflare Ray ID

3. How We Use It

  • Service delivery — to provide, maintain, and improve our services
  • Verification — to verify your identity and maintain your contact chain
  • Communication — to send you verification codes, receipts, and service notifications
  • Security — to detect and prevent fraud, abuse, and security incidents
  • Compliance — to meet our legal and regulatory obligations

We do not sell personal data. We do not use personal data for advertising. We do not share personal data with third parties for their marketing purposes.

4. Lawful Basis

For contacts subject to GDPR: our lawful basis for processing is legitimate interest (verification and security services) and consent (where explicitly provided).

For all contacts: we process data as necessary to provide the services you have engaged with.

5. Data Retention

  • Contact records — retained for the life of the contact relationship plus 7 years
  • Chain events — retained indefinitely as part of the immutable verification ledger
  • Network metadata — retained for 90 days, then aggregated
  • Verification codes — deleted immediately after use

See the Retention & Deletion Schedule (Trust Level 1) for full detail.

6. Your Rights

You have the right to:

  • Access your data — request a copy of what we hold
  • Rectify inaccurate data
  • Delete your data (subject to legal retention requirements)
  • Port your data in a machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent where consent is the basis for processing

To exercise any right, contact: privacy@ucca.online

7. Cookies

We use first-party cookies only:

  • ucca_ref — contact reference hash for session continuity (no tracking)

We do not use third-party cookies, analytics trackers, or advertising pixels.

8. Sub-processors

We use a limited number of sub-processors to deliver our services. The current list is published at Sub-processor Names.

9. International Transfers

Data may be processed in:

  • United States — Cloudflare infrastructure (edge compute, storage)
  • Australia — UCCA operational base

Cloudflare processes data under their DPA and Standard Contractual Clauses.

10. Security

We implement technical measures including:

  • AES-256-GCM encryption for sensitive data at rest
  • PBKDF2-SHA256 (100,000 iterations) for credential hashing
  • TLS 1.2+ for all data in transit
  • HMAC-SHA256 chained verification for audit integrity

See the Encryption Standards Summary (Trust Level 1) for detail.

11. Contact

Data Controller: UCCA INC
Address: 1209 Orange Street, Wilmington, Delaware 19801
Email: privacy@ucca.online


Version History

Version | Date       | Change              | Author
1.0     | 2026-03-13 | Initial publication | UCCA INC