Consent and Opt-In Policy
Last Updated: March 2025
This Consent and Opt-In Policy (the "Consent Policy" or "Policy") describes how Uonyx, Inc. ("Uonyx", "we", "us", or "our") obtains, records, manages, and honours consent from individuals who interact with the Uonyx platform, website, and associated communications. It also describes the rights of individuals with respect to consent they have given, and the processes Uonyx has implemented to ensure that all consent-based data processing is conducted lawfully, transparently, and in compliance with applicable privacy legislation.
Uonyx is an enterprise cloud-based ERP platform providing services to organisations worldwide. As a data-driven SaaS company, Uonyx is committed to ensuring that individuals retain genuine, meaningful control over how their personal information is used — particularly in contexts where consent is the applicable legal basis for processing.
This Policy supplements and should be read in conjunction with the Uonyx Privacy Policy (https://uonyx.com/legal/privacy), Cookie Policy (https://uonyx.com/legal/cookies), and Data Processing Agreement (https://uonyx.com/legal/dpa). Terms not defined herein have the meaning given in the Privacy Policy.
1. DEFINITIONS
In this Consent Policy, the following terms have the meanings set out below.
| Defined Term | Meaning |
|---|---|
| "Consent" | A freely given, specific, informed, and unambiguous indication of an individual's agreement to the processing of their personal data for one or more specific purposes, expressed by a clear affirmative action. Consent is defined in accordance with Article 4(11) and Article 7 of the GDPR and equivalent provisions under applicable privacy law. |
| "Consent Record" | A documented record maintained by Uonyx capturing the details of consent given by an individual, including the identity of the individual, the date and time of consent, the mechanism through which consent was given, the specific purpose for which consent was given, and the version of the notice presented at the time of consent. |
| "Data Subject" | An identified or identifiable natural person whose personal data is processed by Uonyx. |
| "Opt-In" | An affirmative, freely chosen action taken by an individual to indicate agreement to a specific processing activity, communication type, or use of personal data. Uonyx uses opt-in consent as its default mechanism for all non-essential processing and communications. |
| "Opt-Out" | The act of withdrawing consent or indicating a preference to cease receiving communications or to stop a specific type of processing. Uonyx provides clear and accessible opt-out mechanisms for all consent-based activities. |
| "Processing" | Any operation or set of operations performed on personal data, including collection, storage, use, disclosure, and erasure. |
| "Sensitive Personal Data" | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, or criminal convictions and offences, as defined under Article 9 GDPR and equivalent provisions. |
| "Special Category Data" | Synonymous with Sensitive Personal Data as defined above. |
| "Withdrawal of Consent" | The act by which a Data Subject revokes previously given consent, exercised through any of the mechanisms described in this Policy. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. |
2. SCOPE AND APPLICATION
2.1 Who This Policy Applies To
This Policy applies to all individuals whose personal data is processed by Uonyx on the basis of consent, including:
- Visitors to the Uonyx website at https://uonyx.com and related web properties;
- Individuals who sign up for, access, or use the Uonyx platform, including trial accounts and free-tier users;
- Individuals who subscribe to Uonyx marketing communications, newsletters, product updates, or event invitations;
- Individuals whose data is submitted to the Uonyx platform by a customer organisation, where consent is the applicable legal basis for that processing;
- Individuals who participate in research, surveys, product feedback programmes, or other engagement activities organized by Uonyx; and
- Individuals who interact with Uonyx's AI-powered features where those features require consent for specific data processing activities.
2.2 Consent as One of Several Legal Bases
Uonyx does not rely solely on consent for all processing activities. Uonyx processes personal data under a range of legal bases, including contractual necessity, legitimate interests, and legal obligations, where those bases are appropriate. Consent is used only where it is genuinely the most appropriate legal basis — i.e., where the processing is not necessary for a contract, not required by law, and where Uonyx cannot rely on a compelling legitimate interest. This Policy addresses only those processing activities for which Uonyx relies on consent as the legal basis.
Uonyx does not rely on consent as a catch-all mechanism to justify processing that could more properly be conducted under another legal basis. Where legitimate interests or contractual necessity are the appropriate legal basis, Uonyx uses those bases and discloses them in its Privacy Policy.
3. WHEN UONYX RELIES ON CONSENT
The following table describes the categories of processing activities for which Uonyx currently relies on consent as its legal basis, together with the applicable consent mechanism. This list is not exhaustive and will be updated as Uonyx's processing activities evolve.
| Processing Activity | Legal Basis | Consent Mechanism |
|---|---|---|
| Marketing emails, newsletters, and promotional communications | Consent (Article 6(1)(a) GDPR / CAN-SPAM / CASL) | Opt-in checkbox at sign-up or subscription form; double opt-in where required |
| SMS — Transactional and Security messages (Programme A: OTP, MFA codes, account verification, security alerts) | Consent / Legitimate interests — transactional messages sent under established service relationship; express consent obtained where required by jurisdiction | Unchecked checkbox at phone number entry on account registration, phone settings, or MFA enrollment screens; separate from marketing consent |
| SMS — Marketing and Promotional messages (Programme B: product updates, features, events, offers) | Consent (Article 6(1)(a) GDPR / TCPA / CASL) | Separate unchecked checkbox, independent of Programme A; double opt-in confirmation SMS required for Canadian recipients under CASL; consent not bundled with service terms |
| Non-essential and analytics cookies and tracking technologies | Consent (EU ePrivacy Directive / UK PECR) | Cookie consent banner with granular category selection |
| Advertising and remarketing cookies | Consent (EU ePrivacy Directive / UK PECR) | Cookie consent banner — advertising category opt-in |
| Processing of Sensitive Personal Data (e.g., healthcare module) | Explicit Consent (Article 9(2)(a) GDPR) | Explicit affirmative agreement at point of submission; distinct from general consent |
| AI model outputs used for individualized profiling or decision-making | Consent where legally required (Article 22 GDPR) | In-platform consent prompt prior to enabling AI profiling features |
| Recording of sales, support, or onboarding calls | Consent (varies by jurisdiction) | Verbal or in-app consent notice at the start of any recorded session |
| Use of personal data for product research, surveys, or feedback | Consent | Separate opt-in at time of research invite; not bundled with service terms |
| Sharing of personal data with event sponsors or co-organisers | Consent | Explicit disclosure and opt-in on event registration forms |
| Transfers of personal data to third countries without adequacy | Consent where other mechanisms unavailable | Disclosed at point of data collection with specific transfer destination named |
4. STANDARDS FOR VALID CONSENT
Uonyx's consent practices are designed to meet the highest standards required under applicable law, including the GDPR, UK GDPR, CCPA/CPRA, CASL, CAN-SPAM, the EU ePrivacy Directive, and equivalent global frameworks. Uonyx applies the following requirements to all consent-based processing:
4.1 Freely Given
Consent must be freely given. Uonyx does not make the provision of its core Services conditional on a user's agreement to consent-based processing that is not necessary for those Services. Where Uonyx offers services subject to consent, genuine choice is provided, and refusal or withdrawal of consent does not disadvantage the individual in their access to the core platform functionality for which they have contracted.
Prohibition on consent bundling: Uonyx does not bundle consent for non-essential processing into its Terms of Use or subscription agreements. Consent for marketing, profiling, and optional data uses is always sought separately and distinctly from agreement to the Terms of Service.
4.2 Specific
Consent is obtained for specific, clearly identified purposes. Uonyx does not seek blanket or open-ended consent that would permit processing for any and all purposes. Where Uonyx seeks to process personal data for a new or different purpose that is not compatible with the original consent, fresh consent is sought.
4.3 Informed
At the time consent is sought, Uonyx provides the individual with clear and accessible information about:
- The identity of Uonyx as the data controller;
- The specific purpose or purposes for which consent is being sought;
- The categories of personal data that will be processed;
- Whether personal data will be shared with third parties, and if so, the categories of recipients;
- Whether personal data will be transferred outside the EEA, UK, or other relevant jurisdiction, and the safeguards in place;
- The individual's right to withdraw consent at any time without detriment; and
- A link to the Uonyx Privacy Policy for further information.
4.4 Unambiguous — Affirmative Action Required
Uonyx obtains consent through a clear, affirmative action by the individual. Uonyx does not use:
- Pre-ticked boxes or opt-out mechanisms as a means of obtaining consent;
- Silence, inactivity, or scrolling past a notice as a substitute for consent;
- Dark patterns, misleading interface design, or deceptive techniques to manipulate individuals into consenting; or
- Consent obtained through bundled contractual terms where the consent element is not clearly distinguishable from other terms.
4.5 Granular
Where Uonyx seeks consent for multiple distinct processing activities, consent is obtained separately for each activity. Individuals are not required to consent to all activities as a group; they may provide or withhold consent for each purpose independently.
4.6 Age Verification
Uonyx's Services are directed to business entities and adults. Uonyx does not knowingly seek consent from individuals under the age of 18. In jurisdictions where a lower age of digital consent applies (such as the GDPR default age of 13 in some Member States), Uonyx implements reasonable age verification or parental consent mechanisms where the Services may be accessed by minors. Where Uonyx becomes aware that consent has been given by a minor, that consent will be considered invalid and any personal data collected on that basis will be deleted.
5. HOW UONYX COLLECTS CONSENT
Uonyx uses a range of consent collection mechanisms depending on the channel, context, and applicable legal requirements. All consent mechanisms are designed to be transparent, accessible, and straightforward for the individual.
5.1 Website Sign-Up and Account Registration
When individuals register for a Uonyx account or free trial, the registration form includes clearly labelled, unchecked checkboxes for optional consent-based activities, including marketing communications and optional analytics. Mandatory fields required to create the account are clearly distinguished from optional consent choices. Agreement to the Terms of Use and Privacy Policy is obtained separately from marketing consent.
5.2 Cookie Consent Banner
When individuals visit the Uonyx website, a cookie consent banner is presented that allows the individual to accept, reject, or customise cookie preferences by category. The banner is implemented as follows:
- The banner is clearly visible and not pre-collapsed or hidden;
- Buttons to accept all, reject all, or manage preferences are equally prominent;
- Strictly necessary cookies are pre-selected and cannot be deselected (as they require no consent);
- All other cookie categories (analytics, advertising, functional) are deselected by default and require affirmative selection to activate; and
- Non-essential cookies and tracking scripts are not loaded until affirmative consent has been received.
5.3 Marketing Communications Opt-In
Uonyx sends marketing communications — including emails, newsletters, product announcements, event invitations, and promotional SMS messages — only to individuals who have explicitly opted in to receive such communications. Uonyx operates separate, independent opt-in programmes for email and SMS marketing. Consent to one channel does not constitute consent to the other.
- Email marketing: Opt-in is obtained through unchecked consent checkboxes at account registration or subscription forms, in-platform subscription options, or explicit written consent obtained at events or through direct sales engagements.
- SMS marketing (Programme B): Opt-in is obtained through a separate, unchecked SMS marketing consent checkbox that is presented and stored independently from the transactional SMS consent checkbox (Programme A). These two SMS consent mechanisms are never bundled together or with service terms. For Canadian recipients, a double opt-in confirmation SMS is sent and the individual must reply YES before any marketing messages are delivered, in compliance with CASL.
- Double opt-in: Where required by applicable law — including CASL for Canadian recipients of marketing SMS — a two-step confirmation process is applied before any marketing messages are sent.
All marketing email and SMS communications include a clear and functional opt-out mechanism. Uonyx processes opt-out requests from all marketing channels within ten (10) business days of receipt, and immediately where technically feasible. Full details of the SMS opt-in programmes, consent language, and opt-out mechanisms are set out in the Uonyx SMS and Messaging Communications Terms at https://uonyx.com/legal/sms-terms.
5.4 In-Platform Consent Prompts
For processing activities that require consent within the authenticated Uonyx platform — such as enabling AI-powered profiling features, optional data integrations, or processing of sensitive data through specialist modules — consent is obtained through clearly labelled in-platform prompts or settings. These prompts:
- Describe the processing activity in plain language;
- Require an affirmative action (e.g., clicking an activation button or enabling a toggle) rather than passive acceptance;
- Provide a link to further information in the Privacy Policy; and
- Allow the individual or account administrator to withdraw consent at any time through the platform settings.
5.5 Call and Session Recording Consent
Where Uonyx records customer calls, demos, onboarding sessions, or support interactions, consent is obtained at the start of the session through either: (a) a verbal disclosure and confirmation by the participant; or (b) an automated recording notification and the option to end the call or request that recording be disabled. Recordings are used for quality assurance, training, and — where separately agreed — for the individual's benefit such as providing them with a call summary.
5.6 Research and Survey Participation
Where Uonyx invites individuals to participate in user research, surveys, usability testing, or focus groups, consent is obtained through a separate invitation mechanism that clearly describes the research purpose, how data will be used, how long it will be retained, and whether responses will be anonymized. Participation is always voluntary and non-participation does not affect access to the Services.
6. CONSENT RECORDS AND EVIDENCE
6.1 Record-Keeping Obligation
Uonyx maintains a comprehensive Consent Record for every instance of consent obtained. Uonyx's record-keeping practices are designed to enable Uonyx to demonstrate, at any time, that valid consent was obtained for any given processing activity. This obligation arises under Article 7(1) of the GDPR and equivalent provisions.
6.2 What Uonyx Records
For each consent event, Uonyx records the following information:
- Identity: A unique identifier for the individual (such as a hashed email address or user ID) — not necessarily the individual's full name, to minimise data collection.
- Timestamp: The precise date and time at which consent was given, in UTC.
- Purpose: The specific purpose or purposes for which consent was given, as described in the consent notice presented at that time.
- Mechanism: The consent collection mechanism used (e.g., website sign-up form, cookie banner, in-platform setting, verbal confirmation).
- Notice version: A reference to the version of the Privacy Policy, consent notice, or other information document presented to the individual at the time of consent.
- IP address and device: For web-based consent, the IP address and browser/device information at the time of consent, where technically available and where recording this data is itself proportionate.
- Withdrawal: If and when consent is withdrawn, the timestamp and method of withdrawal.
6.3 Retention of Consent Records
Consent Records are retained for as long as the processing based on that consent continues, plus a further period of not less than three (3) years following the withdrawal of consent or the cessation of the relevant processing activity, to enable Uonyx to respond to enquiries or complaints. Where regulatory investigations or legal proceedings are pending, Consent Records will be retained until those proceedings are concluded.
6.4 Consent Record Availability
Individuals have the right to request information about consents they have given to Uonyx as part of their right of access under applicable data protection law. Uonyx will provide a summary of the Consent Records held in relation to an individual upon a verified access request submitted to privacy@uonyx.com.
7. WITHDRAWING CONSENT
7.1 Right to Withdraw at Any Time
Individuals have the absolute right to withdraw consent at any time, without giving any reason, and without any adverse consequences to their access to the core services for which they have contracted. Uonyx makes withdrawal of consent as easy as providing it.
Legal basis: Article 7(3) GDPR provides that the Data Subject shall have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
7.2 Withdrawal Mechanisms
The following table describes the specific withdrawal mechanisms available for each type of consent-based processing:
| Consent Type | How to Withdraw | Processing Time |
|---|---|---|
| Marketing emails and newsletters | Click the unsubscribe link in any marketing email, or email privacy@uonyx.com | Within 10 business days; immediately where technically feasible |
| SMS — Transactional and Security (Programme A) | Reply STOP-A to opt out of security messages only; or reply STOP to opt out of all Uonyx SMS; or disable SMS in account settings (Settings > Security > Phone) | Immediately at carrier level upon receipt of keyword |
| SMS — Marketing and Promotional (Programme B) | Reply STOP-B to opt out of marketing SMS only; or reply STOP for all; or use the unsubscribe link in any marketing SMS (https://uonyx.com/sms-unsubscribe); or disable in account settings (Settings > Notifications > SMS Marketing); or email privacy@uonyx.com | Immediately at carrier level; account settings effective immediately |
| Cookies (analytics, advertising) | Click 'Cookie Settings' in the website footer and update preferences | Immediately upon saving updated preferences |
| In-platform AI profiling features | Toggle off in platform Settings > Privacy & Data Controls | Immediately upon saving; processing ceases for future data |
| Call and session recording | Request at start of call that recording be disabled | Immediately; recording will not commence or will be stopped |
| Research and survey participation | Notify the research contact named in the invitation | Data excluded from analysis before final processing |
| General consent — all purposes | Email privacy@uonyx.com with the subject 'Withdrawal of Consent' | Acknowledged within 5 business days; processed within 30 days |
7.3 Effect of Withdrawal
When consent is withdrawn, Uonyx will:
- Cease the relevant processing activity as soon as technically and operationally feasible, and in any event within the timeframe stated above;
- Update the Consent Record to record the withdrawal, including the date, time, and method;
- Retain personal data already collected under the withdrawn consent only where there is another legal basis for continued retention — for example, where retention is required by law, or where the data forms part of a contract or support record; and
- Where no further legal basis exists for retaining the personal data collected under the withdrawn consent, delete or anonymize that data in accordance with the Uonyx Data Deletion Policy at https://uonyx.com/legal/deletion.
7.4 No Retroactive Effect
Withdrawal of consent does not affect the lawfulness of any processing carried out by Uonyx before the consent was withdrawn. Uonyx will not attempt to recover, reverse, or nullify any processing activity that was conducted while valid consent was in place.
8. SENSITIVE PERSONAL DATA AND EXPLICIT CONSENT
8.1 Enhanced Standard for Sensitive Data
Where Uonyx processes Sensitive Personal Data — including data relating to health, biometrics, racial or ethnic origin, religious beliefs, or other special categories as defined under applicable law — Uonyx applies an enhanced consent standard. Explicit consent is required: a clear, unambiguous, affirmative statement (not merely a checkbox) specifically acknowledging the sensitive nature of the data and agreeing to its processing.
8.2 Contexts Where Sensitive Data May Be Processed
Uonyx's platform includes specialist modules — including the Healthcare, HR and Payroll, and Lending modules — through which customers may upload and process Sensitive Personal Data relating to their own employees, patients, or clients. In these contexts:
- Uonyx acts as a data processor on behalf of the customer;
- The customer is the data controller and is responsible for ensuring that explicit consent has been obtained from the relevant individuals, where consent is the applicable legal basis;
- Uonyx does not independently solicit or process Sensitive Personal Data from data subjects; and
- Where Uonyx as data controller requires explicit consent for sensitive processing (for example, where a Uonyx employee or candidate provides health information for HR purposes), a specific and clearly worded explicit consent statement will be presented.
8.3 No Use of Sensitive Data for Secondary Purposes
Uonyx does not use Sensitive Personal Data processed on behalf of a customer for any purpose other than delivering the Services requested by that customer. Sensitive Personal Data is never used to train AI models, for advertising, for profiling, or for any secondary purpose without the explicit written consent of both the customer (as data controller) and the affected data subjects.
9. CONSENT IN THE BUSINESS-TO-BUSINESS CONTEXT
9.1 Uonyx's Dual Role
Uonyx operates in two distinct capacities that affect how consent obligations apply:
- As a data controller: Uonyx determines the purposes and means of processing personal data collected through the Uonyx website, marketing activities, account management, and Uonyx's own business operations. This Policy applies directly to these activities.
- As a data processor: When enterprise customers use the Uonyx platform to manage their own business data — including employee records, client data, and other operational data — Uonyx processes that data on behalf of the customer under the instructions set out in the applicable Data Processing Agreement. In this capacity, the customer is the data controller and is responsible for the lawfulness of its processing, including obtaining any consent required from its own employees, clients, or other individuals.
9.2 Customer Responsibility for Consent
Customers who use the Uonyx platform to process personal data are solely responsible for:
- Determining whether consent is the appropriate legal basis for any given processing activity undertaken within their Uonyx account;
- Obtaining, recording, and managing consent from their own employees, clients, patients, or other data subjects in accordance with applicable law;
- Ensuring that consent obtained from data subjects is valid, informed, specific, and freely given;
- Maintaining consent records and making them available to data subjects and regulators upon request; and
- Promptly notifying Uonyx where a data subject's withdrawal of consent requires the deletion or restriction of data held within the Uonyx platform, so that Uonyx can give effect to the request as data processor.
9.3 No Consent Required from Uonyx for B2B Processing
Where a customer processes personal data through the Uonyx platform as data controller, Uonyx does not require the customer's employees or data subjects to separately consent to Uonyx's processing. Uonyx's processing in this context is governed by the Data Processing Agreement and does not require a direct consent relationship between Uonyx and the individual.
10. CONSENT FOR AI AND AUTOMATED PROCESSING
10.1 AI Features and Consent
The Uonyx platform includes AI-powered features and automation capabilities designed to support business operations, predictive analytics, and workflow optimization. Where these features involve processing activities that require consent — in particular, where they involve individual profiling or automated decision-making with legal or similarly significant effects — Uonyx obtains the appropriate consent before enabling those features.
10.2 No Automated Decisions Without Consent or Other Lawful Basis
Uonyx does not make solely automated decisions that produce legal effects concerning individuals, or decisions that significantly affect individuals, without a lawful basis under Article 22 of the GDPR or equivalent provisions. Where consent is used as the basis for such processing, it will be obtained as explicit consent through a clearly worded in-platform prompt before the relevant feature is activated.
10.3 AI Training — Prohibition Without Consent
Uonyx does not use Customer Data or personal data submitted to the platform to train shared or third-party AI or machine learning models without the prior explicit written consent of the relevant customer and, where required by applicable law, the consent of the affected individuals. Uonyx's AI features are developed using aggregated and anonymized data that cannot be attributed to any individual or customer.
10.4 Customer Consent for AI Processing of Employee Data
Where a customer enables AI features within the Uonyx platform that involve processing personal data relating to the customer's own employees — such as AI-driven HR analytics, workforce planning tools, or performance monitoring features — the customer is responsible for ensuring that appropriate consent or other lawful basis has been obtained from those employees before enabling such features. Uonyx provides in-platform notices and documentation to assist customers in fulfilling this obligation.
11. CHILDREN'S CONSENT AND AGE RESTRICTIONS
Uonyx's Services are designed for business use by organisations and adult individuals. Uonyx does not knowingly collect personal data from individuals under the age of 18, and does not knowingly seek or process consent from minors.
Under the GDPR, where consent is used as the legal basis for processing personal data of children in connection with information society services, Member State law specifies the minimum age of consent (ranging from 13 to 16 years). Uonyx implements the following safeguards:
- The Uonyx website and platform are not directed to individuals under the age of 18;
- Account registration requires confirmation that the individual is at least 18 years of age;
- Uonyx does not knowingly process children's personal data for marketing, profiling, or AI-powered analysis; and
- Where Uonyx becomes aware that personal data has been collected from a minor, it will take prompt steps to delete that data and invalidate any consent given by the minor.
If you believe that Uonyx has inadvertently collected personal data from a minor, please contact privacy@uonyx.com immediately.
12. CONSENT UNDER U.S. PRIVACY LAW
12.1 Opt-In Default for Sale and Sharing
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and similar laws in other U.S. states, Uonyx only activates cookies, tracking technologies, or data practices that may constitute the "sale" or "sharing" of personal information — or that process personal information for targeted advertising — where the individual has affirmatively opted in through Uonyx's consent mechanisms. By default, these activities are disabled.
12.2 No Sale of Personal Information
Uonyx does not sell personal information as that term is defined under the CCPA/CPRA. Uonyx shares personal data with service providers and sub-processors solely for the purpose of delivering the Services, under written agreements that prohibit those parties from selling or using the data for their own commercial purposes.
12.3 Opt-Out Rights
California residents and residents of other U.S. states with applicable privacy laws may opt out of the sharing of their personal information for cross-context behavioral advertising using:
- The cookie preference settings in Uonyx's cookie consent banner;
- The Global Privacy Control (GPC) browser signal, which Uonyx honors as a valid opt-out where required by applicable law; or
- A written request to privacy@uonyx.com.
Exercising opt-out rights does not affect the individual's ability to use the Uonyx Services. Uonyx will not discriminate against individuals for exercising their U.S. state privacy rights.
12.4 Sensitive Personal Information — Right to Limit
Under the CPRA and equivalent state laws, individuals have the right to direct Uonyx to limit its use of their sensitive personal information to purposes necessary to provide the Services. Where Uonyx uses sensitive personal information for any additional purpose, explicit opt-in consent is obtained. Individuals may submit a request to limit the use of sensitive personal information by contacting privacy@uonyx.com.
13. THIRD-PARTY INTEGRATIONS AND CONSENT
13.1 Third-Party Data Flows Triggered by Consent
Where an individual's consent triggers the sharing of their personal data with a third party — for example, where a user enables an integration with a third-party application, or where event registration data is shared with a sponsor — Uonyx discloses the identity or category of the third-party recipient as part of the consent notice, so that the individual understands who will receive their data.
13.2 User-Enabled Integrations
When an Authorised User enables a third-party integration through the Uonyx platform, that user provides an affirmative authorization for data to flow to the connected third-party service. Uonyx treats this authorization as consent from the account administrator for the integration. Authorised Users and account administrators are responsible for reviewing the privacy policies of third-party services before enabling integrations.
13.3 Third-Party Consent Obligations
Third-party service providers and sub-processors engaged by Uonyx are contractually required to: process personal data only for the purposes for which it was shared; not use personal data for their own marketing, profiling, or training purposes without independent consent; implement appropriate security measures; and comply with applicable data protection law. A current list of Uonyx's sub-processors is available at https://uonyx.com/legal/subprocessors.
14. CONSENT ACROSS GLOBAL JURISDICTIONS
Uonyx serves customers and users globally and applies the highest applicable consent standard based on the individual's jurisdiction. The following table summarises Uonyx's approach to consent under the primary regulatory frameworks relevant to its customer base.
| Jurisdiction / Framework | Consent Standard | Uonyx Approach |
|---|---|---|
| GDPR (EU) | Freely given, specific, informed, unambiguous; affirmative action required; burden of proof on controller | Opt-in only; no pre-ticked boxes; consent recorded with full audit trail |
| UK GDPR | Same standard as EU GDPR | Identical approach; separate consent mechanisms for UK users where required |
| Swiss revFADP | Consent required for processing of sensitive data; otherwise lawfulness assessed similarly to GDPR | GDPR-standard consent applied for Swiss users |
| CCPA/CPRA (California) | Opt-in required for sale/sharing of personal data; right to opt-out of targeted advertising; right to limit sensitive PI use | Cookie consent banner default-off for advertising; GPC honored |
| CASL (Canada) | Express consent required for all commercial electronic messages including email and SMS; double opt-in strongly recommended and applied by Uonyx | Double opt-in applied for both marketing emails and marketing SMS (Programme B) to Canadian recipients; SMS double opt-in requires the recipient to reply YES to a confirmation message before any marketing SMS is delivered |
| CAN-SPAM (United States) | Opt-out model permitted; unsubscribe mechanism required in all commercial emails | Opt-in default plus functional unsubscribe in all marketing emails |
| ePrivacy Directive (EU/EEA) | Prior consent required for non-essential cookies and electronic marketing to individuals | Cookie banner; no analytics/advertising scripts loaded before consent |
| LGPD (Brazil) | Consent must be free, informed, and unambiguous; specific to purpose | GDPR-standard consent applied for Brazilian users |
Where multiple frameworks apply to a single individual — for example, a California-based employee of an EU-headquartered company — Uonyx applies the most protective standard applicable.
15. INDIVIDUAL RIGHTS IN RELATION TO CONSENT
In addition to the right to withdraw consent described in Section 7, individuals whose personal data is processed by Uonyx on the basis of consent have the following rights under applicable data protection law:
15.1 Right to Access Consent Information
Individuals may request confirmation of: (a) whether Uonyx holds any Consent Records relating to them; (b) the purposes for which consent was given; (c) the date and mechanism through which consent was given; and (d) any third parties to whom data was disclosed on the basis of that consent. Requests should be submitted to privacy@uonyx.com.
15.2 Right to Correct Inaccurate Consent Records
Where an individual believes that a Consent Record held by Uonyx is inaccurate — for example, where consent is incorrectly recorded as given when no consent was provided — the individual may request correction by contacting privacy@uonyx.com. Uonyx will investigate the claim and correct any inaccurate records within thirty (30) days.
15.3 Right to Erasure Following Withdrawal
Following withdrawal of consent, where no other legal basis exists for continued processing, individuals may request erasure of personal data collected on the basis of the withdrawn consent. Requests for erasure are processed in accordance with the Uonyx Data Deletion Policy at https://uonyx.com/legal/deletion.
15.4 Right to Complain
If an individual believes that Uonyx has not complied with applicable consent requirements, they have the right to lodge a complaint with the relevant supervisory authority in their jurisdiction, including:
- The Information Commissioner's Office (ICO) in the United Kingdom: https://ico.org.uk
- The Irish Data Protection Commission (DPC): https://www.dataprotection.ie
- The applicable EU Member State supervisory authority via the European Data Protection Board: https://edpb.europa.eu
- The California Privacy Protection Agency (CPPA) for California-resident matters: https://cppa.ca.gov
Individuals are also encouraged to contact Uonyx directly at privacy@uonyx.com in the first instance, as Uonyx will seek to resolve any consent-related concern promptly and without the need for regulatory intervention.
16. UPDATES TO THIS CONSENT POLICY
Uonyx reviews and updates this Consent Policy periodically to reflect changes in applicable law, regulatory guidance, Uonyx's processing activities, or industry best practice. When material changes are made, Uonyx will:
- Publish the updated Policy at https://uonyx.com/legal/consent with a revised effective date;
- Post a notice on the Uonyx website and, where appropriate, within the platform;
- Where a change affects existing consent-based processing in a material way — for example, where a new purpose is added for which fresh consent is required — Uonyx will seek fresh consent from affected individuals before commencing the new processing;
- Notify users by email of material changes where Uonyx has a direct contact relationship with the individual; and
- Maintain an accessible version history of previous versions of this Policy.
Your continued use of the Uonyx Services after the effective date of any update to this Policy constitutes acceptance of the updated terms, save that where fresh consent is required for new processing activities, such processing will not commence until fresh consent is obtained.
17. CONTACT INFORMATION
For all questions, concerns, or requests relating to this Consent Policy or to the exercise of your rights in relation to consent, please contact Uonyx using the details below:
| Contact | Details |
|---|---|
| Privacy / Consent Enquiries | privacy@uonyx.com |
| Data Subject Rights Requests | privacy@uonyx.com |
| Legal Notices | legal@uonyx.com |
| Security Concerns | security@uonyx.com |
| Consent Policy URL | https://uonyx.com/legal/consent |
| Privacy Policy | https://uonyx.com/legal/privacy |
| Cookie Policy | https://uonyx.com/legal/cookies |
| DPA | https://uonyx.com/legal/dpa |
| Postal Address | Uonyx, 7421 Edinger Avenue, Huntington Beach, California 92647, United States |