1. Who we are
UptoNova ("we", "us", "the service") provides a multi-tenant SaaS platform for omnichannel customer messaging and AI-powered sales. This policy explains how we collect, use, share, store and protect personal data when you visit our website, sign up for an account, or use the product.
For any privacy question, request, or complaint, write to [email protected]. We respond within 30 days as required by GDPR.
2. What data we collect
Account data
- Your name, email address, and a hashed password (we never store passwords in plaintext).
- Billing details — processed exclusively by Stripe; we never see full card numbers.
- Workspace metadata (tenant name, plan, team roles).
Conversation data
- Message text, media (images, voice notes, documents), and contact identifiers from any channel you connect (WhatsApp, Instagram, Messenger, Telegram, web widget).
- Metadata: timestamps, delivery/read receipts, channel of origin, and the conversation transcript history.
Usage data
- Login timestamps, IP addresses (for security + rate limiting), feature interactions.
- AI call metadata (tokens consumed, latency, cost) — for billing, quota enforcement, and product analytics.
Cookies
See the Cookies section below.
3. Why we process it (legal bases under GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — to provide the service you signed up for: route messages, run the AI agent, populate your CRM, send invoices.
- Legitimate interest (Art. 6(1)(f)) — to keep the service secure, detect and prevent fraud, debug errors, and improve product quality. We balance these interests against your rights and only proceed when the impact on you is minimal.
- Consent (Art. 6(1)(a)) — for optional analytics cookies and marketing emails. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and law-enforcement requirements where applicable.
4. Sub-processors we share data with
We use the following sub-processors strictly to deliver the service. Each is bound by a Data Processing Agreement (DPA) with us:
- Cloudflare — AI Gateway (LLM proxy + caching), Workers (compute), R2 (object storage for media), DNS, and edge security (DDoS, WAF).
- Google — Gemini API for AI model inference. Calls are routed through Cloudflare AI Gateway and may be cached at the edge for up to 10 minutes.
- Stripe — payment processing, invoicing, subscription billing. PCI-DSS Level 1 certified.
- Meta — WhatsApp Business, Facebook Messenger, and Instagram Direct message delivery on channels you choose to connect.
A current sub-processor list is available on request. We notify customers at least 30 days before adding a new sub-processor that materially changes data flow.
5. Where data is stored
- Media and bulk objects: Cloudflare R2, in the region you select at workspace creation (EU or US).
- AI inference: Routed through Cloudflare AI Gateway. Prompts and responses may be cached at the edge for up to 10 minutes to reduce latency and cost; the cache is keyed per-tenant and is never shared across tenants.
- Conversation database: Tenant-isolated Postgres on EU or US origin per your workspace selection. Row-level security (RLS) plus application-layer tenant guards enforce isolation.
6. Retention
- Account data — kept for the lifetime of the account plus 30 days after deletion (for invoicing/audit), then permanently erased.
- Conversation data — configurable per tenant. Default: 13 months. You can shorten this in workspace settings.
- AI call metadata — 12 months for billing reconciliation and product analytics.
- Server logs — 30 days, then aggregated and anonymized.
- Backups — encrypted snapshots retained 30 days for disaster recovery.
7. Your rights under GDPR (Articles 15–22)
- Access (Art. 15) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure / "right to be forgotten" (Art. 17) — request deletion of your data, subject to legal retention requirements.
- Restriction (Art. 18) — request that we limit processing while a dispute is resolved.
- Portability (Art. 20) — receive your data in a structured, machine-readable format. Export endpoint coming at /api/v1/me/export; meanwhile, email [email protected].
- Objection (Art. 21) — object to processing based on legitimate interest.
- Objection to automated decisions (Art. 22) — request human review of any decision made solely by automated means.
To exercise any right, email [email protected] from the address associated with your account. We respond within 30 days and may extend by 60 days for complex requests.
8. Security
- Encryption at rest: AES-256-GCM for tenant secrets (channel tokens, API keys) with per-tenant data keys wrapped by a master key held in a KMS.
- Encryption in transit: TLS 1.2+ on every external connection. HSTS enforced on all public endpoints.
- OWASP-aligned controls: parameterized SQL, body size limits, CSRF on state-changing forms, rate limiting per tenant + per IP, secure/http-only/same-site cookies.
- Webhook integrity: every inbound provider webhook signature is verified with a constant-time HMAC compare before parsing.
- Vulnerability scanning: govulncheck in CI, dependency pinning, minimal third-party surface.
- Tenant isolation: two independent layers — Postgres row-level security (RLS) AND application-layer tenant filters. A required test proves one tenant cannot read another tenant's data.
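The webhook-integrity control listed above, as an added example written for this page rather than UptoNova's own implementation: it assumes a Meta-style header, X-Hub-Signature-256 carrying sha256=<hex HMAC-SHA256 of the raw request body>, and uses a constructed secret and payload. The signature is checked with a constant-time compare before any JSON parsing happens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// VerifyWebhookSignature checks an inbound provider webhook before the body is parsed.
// Assumed header format (Meta-style): "X-Hub-Signature-256: sha256=<hex HMAC-SHA256 of raw body>".
// hmac.Equal is a constant-time comparison, so a wrong signature cannot be distinguished
// from a nearly-right one by measuring how long the check takes.
func VerifyWebhookSignature(secret []byte, header string, rawBody []byte) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false // wrong or missing algorithm tag: reject before doing any work
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil || len(got) != sha256.Size {
		return false // malformed hex or wrong length is never a valid MAC
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(rawBody) // the MAC covers the raw bytes, not a re-serialized parse of them
	return hmac.Equal(got, mac.Sum(nil))
}

// SignBody produces the header value a provider would send; used here only to build sample input.
func SignBody(secret, rawBody []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(rawBody)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

func main() {
	secret := []byte("constructed-app-secret")                             // placeholder, not a real secret
	body := []byte(`{"object":"whatsapp_business_account","entry":[]}`) // constructed sample payload
	hdr := SignBody(secret, body)
	fmt.Println("valid:", VerifyWebhookSignature(secret, hdr, body))
	// Any change to the body after signing must fail verification.
	fmt.Println("tampered:", VerifyWebhookSignature(secret, hdr, []byte(string(body)+" ")))
}
```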
9. Breach notification
In the event of a personal data breach, we notify the competent supervisory authority within 72 hours of becoming aware of it, as required by GDPR Art. 33. If the breach is likely to result in a high risk to your rights and freedoms, we also notify affected users without undue delay per GDPR Art. 34.
10. International transfers
When data is transferred outside the European Economic Area (e.g. to US-based sub-processors), we rely on Standard Contractual Clauses (EU SCCs, Commission Decision 2021/914) as the legal mechanism. Where applicable, additional safeguards (encryption, pseudonymisation, access controls) supplement the SCCs.
11. Children
The service is not directed at, intended for, or marketed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact [email protected] and we will delete it promptly.
13. Changes to this policy
We may revise this policy as the service evolves. Material changes will be communicated via email to account owners and via a dashboard banner at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Questions? Email us at [email protected]. We answer every privacy request personally.