Version: 1.0
Last revised: April 2026
Scope: Internal business operations only
DPO contact: dpo@unless.com
Are you a customer looking for the DPA?
This document covers UNLESS's own internal business operations only. If you are a customer or end user looking for the data processing terms that govern the UNLESS platform, those can be found at unless.com/en/platform/dpa/.
1. Purpose and scope
This document records how Rocket Launcher BV (trading as "UNLESS") processes personal data in the course of its own internal business operations, and identifies the third-party processors (sub-processors) engaged for those purposes.
This document is distinct from the UNLESS Platform Data Processing Addendum (the "Platform DPA"), which governs the processing of personal data that customers and their end users submit to the UNLESS platform, published at unless.com/en/platform/dpa/. Where the Platform DPA deals with the GDPR compliance of our customers when using our platform, this register deals with the GDPR compliance of UNLESS as an organisation.
UNLESS acts as data controller for the processing activities described in this document.
2. Definitions
Terms not defined here carry the meaning given to them in the Platform DPA or in the GDPR (2016/679).
- Business Contact Data - name, job title, work email address, work phone number, employer name, and similar professional contact details of individuals at prospect, customer, partner, or supplier organisations.
- Employee Data - personal data relating to UNLESS's own employees, contractors, and freelancers processed in connection with employment or engagement, including payroll data, payment card details, and subscription or invoice records.
- Operational Tool - any software-as-a-service product or cloud platform used by UNLESS to run its own internal operations, as listed in Section 5.
- Prospect Data - Business Contact Data relating to individuals at organisations that are not yet customers of UNLESS.
3. Lawful basis for processing
UNLESS relies on the following lawful bases under GDPR for the processing activities covered by this document:
- Legitimate interests: B2B sales outreach, marketing to business contacts, account management, internal collaboration, and security monitoring. UNLESS has conducted a legitimate interests assessment (LIA) and is satisfied that its interests are not overridden by the data subjects' rights, given the professional context of the data and the availability of opt-out mechanisms.
- Performance of a contract / pre-contractual steps: Processing Employee Data and supplier/partner contact data necessary to administer employment or commercial relationships.
- Compliance with a legal obligation: Retention of financial records and other legally mandated documentation.
UNLESS does not rely on consent as a primary basis for processing Business Contact Data in a B2B context, consistent with the applicable interpretation of the GDPR and ePrivacy rules for B2B communications. Where local law requires it (e.g. for certain electronic marketing channels), the appropriate mechanism is applied.
4. Internal processing activities
| Activity | Data Categories | Data Subjects | Lawful Basis |
|---|---|---|---|
| Sales outreach & CRM | Business Contact Data, communication history | Prospects, leads | Legitimate interests |
| Email & calendar communications | Business Contact Data, message content | Prospects, customers, partners, suppliers | Legitimate interests / Contract |
| Customer success & account management | Business Contact Data, usage context | Customer contacts | Contract / Legitimate interests |
| Internal team collaboration | Employee Data, work content | Employees, contractors | Contract |
| Attendance & whereabouts management | Employee Data (names, work location, office attendance, leave) | Employees | Contract / Legitimate interests |
| AI-assisted workflows (internal) | Business Contact Data, work content processed via AI tools | Employees, prospects, customers | Legitimate interests / Contract |
| Financial administration | Business Contact Data, invoice data | Customers, suppliers | Contract / Legal obligation |
| Payroll & expense management | Employee Data (salaries, bank details, payment cards, reimbursements, payslips) | Employees | Contract / Legal obligation |
| Content management | Employee Data (names, activity), published content | Employees, website visitors | Contract / Legitimate interests |
| Recruitment | CV data, contact details, interview notes | Applicants | Pre-contractual steps / Legitimate interests |
5. Operational sub-processors
UNLESS engages the following third-party processors in connection with its internal business operations. Each has been evaluated for GDPR adequacy. Where data is transferred outside the EEA, Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism is in place.
Note: Sub-processors used exclusively for the UNLESS platform (AWS, Azure, Google Cloud, and so on) are listed in the Platform DPA and are not repeated here, unless they also independently process data arising from UNLESS's own internal operations.
5.1 Communication & productivity
| Sub-Processor | Purpose | Data Processed | Location / Transfer Basis |
|---|---|---|---|
| Google Workspace | Email (Gmail), calendar, documents, and internal collaboration | Employee Data, Business Contact Data, message content | EU data region |
| Slack | Internal team messaging and notifications | Employee Data, work content | EU data region |
| Anthropic (Claude for Work) | AI-assisted drafting, research, and internal workflow automation | Employee Data | USA - SCCs; DPA under Commercial Terms |
| Team Today | Hybrid work attendance management | Employee Data (names, work location, office/remote status, leave) | UK - SCCs |
5.2 Sales & marketing
| Sub-Processor | Purpose | Data Processed | Location / Transfer Basis |
|---|---|---|---|
| HubSpot | CRM, marketing automation, and customer communications | Business Contact Data, communication history, deal data | EU data region |
5.3 Payroll, expenses & finance
| Sub-Processor | Purpose | Data Processed | Location / Transfer Basis |
|---|---|---|---|
| NMBRS | Payroll processing and interactive payslips | Employee Data (salaries, tax data, bank details, payslip records) | EU data region |
| Moss | Corporate card management, employee expense reimbursements, and invoice processing | Employee Data (names, email addresses, payment card data, expense claims, invoices) | EU data region |
5.4 Engineering & development
| Sub-Processor | Purpose | Data Processed | Location / Transfer Basis |
|---|---|---|---|
| GitLab | Source code management, CI/CD pipelines, and issue tracking | Employee Data (names, activity, assignments) | USA - SCCs |
5.5 Design
| Sub-Processor | Purpose | Data Processed | Location / Transfer Basis |
|---|---|---|---|
| Figma | Product and interface design collaboration | Employee Data (names, activity) | USA - SCCs + EU-US DPF |
5.6 Content management
| Sub-Processor | Purpose | Data Processed | Location / Transfer Basis |
|---|---|---|---|
| Contentful | Content management system for website and product content | Employee Data (names, email addresses, activity); published content | USA - SCCs |
6. Data subject rights
Individuals whose personal data is processed under this document have the following rights under the GDPR, subject to applicable exemptions:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17) - subject to retention obligations
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) - where processing is based on contract or consent
- Right to object (Art. 21) - particularly relevant for processing based on legitimate interests
Requests should be directed to dpo@unless.com. UNLESS will respond within one calendar month. Where processing is based on legitimate interests, UNLESS will carry out a balancing assessment upon receipt of an objection.
For Prospect Data processed on the basis of legitimate interests: UNLESS provides a clear opt-out mechanism in all outbound commercial communications. Opt-outs are honoured promptly and individuals are added to a suppression list to prevent re-contact.
7. Data retention
UNLESS retains personal data only for as long as necessary for the purposes described in Section 4, subject to the following guidelines:
- Prospect Data: retained for up to 24 months from last meaningful interaction, or until an opt-out is received.
- Customer Business Contact Data: retained for the duration of the customer relationship and up to 5 years thereafter, to meet legal and contractual obligations.
- Employee Data: retained in accordance with Dutch employment law and applicable HR obligations. Payroll and financial records are retained for 7 years to comply with Dutch tax and accounting law.
- AI-processed content (e.g. via Claude): Anthropic does not retain prompt data for training under Commercial Terms. UNLESS does not intentionally store raw AI conversation logs beyond the session, unless captured in a connected operational tool (e.g. a note saved to HubSpot).
Retention schedules are reviewed annually by the DPO.
8. Technical and organisational measures
UNLESS implements appropriate technical and organisational measures to protect personal data processed under this document, including:
- Access controls: role-based access to operational tools; use of SSO and MFA where available.
- Vendor due diligence: all sub-processors are reviewed for security posture and GDPR compliance prior to onboarding.
- AI usage guidelines: employees are trained not to input unnecessary personal data into AI tools. Sensitive or special-category data must not be submitted to AI-assisted workflows.
- Breach response: any breach involving operational data is assessed and, where required, notified to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours.
9. Sub-processor changes
UNLESS will update this document when adding or replacing sub-processors for internal operational purposes. Unlike the Platform DPA, this document does not require customer notification of changes to internally-scoped sub-processors, unless those changes affect the processing of customer or end-user data.
Changes that affect the Platform DPA sub-processor list will continue to be handled under the process described in that document.
10. Governance and review
- This document is owned by the DPO (dpo@unless.com) and reviewed at least annually, or following a material change to operational tooling.
- The DPO maintains a full Records of Processing Activities (RoPA) of which this document forms a part.
- Questions about this document or data subject rights requests should be directed to dpo@unless.com.
