Do they own your data? Unwrap.ai Privacy Policy Reviewed.
Policy Last Updated: December 3, 2023 (Reviewed 2026)
Entity: Painted Cave, Inc. (dba Unwrap.ai)
Update: Unwrap has informed us that they "offer our SOC2 report on request to anyone, but intentionally don't have it publicly available."
Enterprise-Readiness Score: Low
| Category | Verdict | Notes |
|---|---|---|
| Model Training Disclosure | Opt-out (unverifiable) | Vendor says (optional) opt-out via MSA; no public training policy or docs. Request clause text + policy. |
| Third-Party Sharing Clarity | Opt-out | Vendor says subprocessors + BAAs are in the MSA; no public subprocessors list. Access not given. |
| Compliance Certifications | ⚠️ Claimed (unverified) | Vendor claims SOC 2, GDPR, and consent management. SOC 2 Type II shared with us for review, but not publicly accessible. No place to request HIPAA evidence, GDPR, or DPA documentation. |
| Data Residency/Control | Partial | US; no details on region pinning or VPC/private deployment. Request architecture + controls. |
| Retention Policies | Acceptable | 12-month cap after account termination (as stated). Request policy excerpt confirming scope. |
| User Rights + Portability | Standard | CCPA/GDPR rights supported via email (no self-serve UI). Request SLA/turnaround details. |
| Encryption and Security | ⚠️ Claimed | AES-256 at rest; TLS 1.2 in transit claimed in "internal docs." No audit shared. Request KMS/rotation details, cipher suites, and most recent pen test. (Prefer TLS 1.3.) |
Final Recommendation
In our opinion: We believe "Enterprise Ready" in the world of AI means having public AI Transparency Statements about whether and how a vendor uses customer data for training, plus publicly available trust portals and resources. Unwrap.ai does not meet our bar for "Enterprise Ready," but other companies may hold themselves to different standards.
Unless they:
- Publish a Data Protection Agreement (DPA)
- Publish an "AI Transparency Statement" about whether and how they use customer data for training purposes
- Disclose what they use customer data for after cancellation
- Disclose exact subprocessors (publicly)
- Clarify whether and how user data is used for model training in their policies
- Support enterprise opt-outs and hosting control
- Publicly publish certification and third-party audits
...they remain a medium-to-high-risk vendor for enterprise deployment.
Better Enterprise Alternative
Use BuildBetter.ai instead:
- SOC 2 Type II, GDPR, HIPAA
- Custom MSA/DPA
- No AI training on your data
- Customer-controlled data and deletion
- Encrypted, compliant, and transparent
Key Privacy Risks & Shortcomings for Enterprises
🚩 1. Unclear Data Use for AI Model Training
What the Policy Says:
"We process your information to provide, improve, and administer our Services..."
What's Missing:
- Nowhere does Unwrap.ai explicitly disclose whether or not your meeting content (e.g., transcriptions or notes) is used to train their AI models.
- No mention of model vendors (e.g., OpenAI, Anthropic), training exclusions, or whether opt-out mechanisms exist.
Enterprise Risk:
- If AI models are involved, lack of clarity = liability. This is especially risky for legal, financial, healthcare, or IP-driven enterprises.
- Contrast this with Granola, which at least discloses anonymized use and provides opt-out for enterprise clients.
Verdict: Lack of transparency here is a red flag for enterprise adoption.
🚩 2. Third-Party Data Sharing Vague and Broad
What the Policy Says:
"We may share information in specific situations and with specific third parties... including business partners, affiliates..."
What's Missing:
- No list of specific subprocessors (e.g., cloud providers, AI vendors, analytics platforms).
- No DPA link, no self-auditable SOC 2 claims, no clarification on what "business partners" can access or do with user data.
Enterprise Risk:
- This leaves open risk of indirect vendor access to customer data.
- No explicit guardrails on LLM providers' use of data, which is now standard practice for compliance-minded vendors.
Verdict: ⚠️ Needs named subprocessors + data use restrictions to be enterprise-acceptable.
🚩 3. No Mention of Compliance Certifications
What the Policy Says:
"We aim to protect your personal information..."
What's Missing:
- No mention of ISO 27001, GDPR certification, HIPAA, or other privacy/compliance benchmarks.
- No DPA (Data Processing Agreement) link or explanation of controller/processor roles.
Enterprise Risk:
- Without audited controls, there's no proof of security posture.
- Enterprises need assurance, not just intention.
Verdict: Fails baseline enterprise due diligence for vendor onboarding.
🚩 4. No Data Residency Controls or VPC Deployment
What the Policy Says:
"Your data may be stored in the United States..."
What's Missing:
- No mention of regional hosting options for EU, UK, or APAC data sovereignty.
- No support for private cloud or customer-controlled VPC deployment.
Enterprise Risk:
- Cross-border data flows may violate regulatory requirements in EU or healthcare jurisdictions.
- No ability to segregate tenant data or restrict residency increases compliance headaches.
Verdict: Not suitable for regulated global enterprises without regional hosting options.
🚩 5. No Consent Automation or Meeting-Specific Controls
What the Policy Says:
"We do not knowingly collect data from or market to children under 18..."
What's Missing:
- No built-in meeting participant consent workflows.
- No auditable logging of who saw or agreed to data use.
Enterprise Risk:
- Consent is critical for recorded meeting data. Manual consent places legal burden on users, not platform.
- No mention of automated notices (e.g., Zoom chat bot consent prompts), which some competitors offer.
Verdict: ⚠️ No tooling for automated data governance = user error = liability risk.
Where Unwrap.ai Does Okay
- Simple, readable policy (better than many startups).
- States no sensitive information is collected by default.
- Offers clear California/CCPA compliance statements.
- Retention is capped at 12 months post-account termination.
Disclaimer: This review is based solely on Unwrap.ai's published privacy policy and publicly available information. For formal vetting, always request security documentation, compliance reports, and third-party audit results.