Legal · last updated April 24, 2026
Privacy Policy
This Privacy Policy describes how Upkeel Solutions LLC ("Upkeel", "we", "us") collects, uses, and shares information when you use the Upkeel website (upkeel.dev, docs.upkeel.dev) or the Upkeel product (the "Service"). It applies to individuals whose information we process as part of providing the Service.
1. Who we are
Upkeel Solutions LLC is an Indiana limited liability company. For privacy questions contact [email protected].
2. What we collect
Account information
When you create an account we collect your email address, name, and organisation, plus authentication records (sign-in timestamps, device fingerprints) via our identity provider Clerk.
Billing information
If you purchase a paid plan, we collect billing contact details (company name, billing email, country) and Stripe customer/subscription identifiers. We never see your full card number. Payment method data is handled directly by Stripe. We store only a short "last-4 + brand" token returned by Stripe.
Event data (Customer Data)
The core purpose of the Service is to process events your application submits via our SDK or REST API. This Customer Data includes event names, timestamps, correlation IDs, scopes, and any metadata you attach. You control what you send.
Event data may incidentally contain personal information if your application includes it (e.g. a user ID, email address, or IP address in a correlation ID or meta blob). We process this data on your behalf as a processor; you remain the controller. See §7 Data Processing Agreement.
Usage & diagnostic data
We collect standard server logs on the platform, ingest, and worker services: request timestamps, paths, status codes, user-agent strings, approximate geolocation derived from IP, and error traces. Logs are retained for 30 days for security and debugging, then deleted.
Cookies & similar technologies
See §8 below. In short: we use a small number of strictly-necessary first-party cookies for authentication and session management. We do not use third-party tracking or advertising cookies.
3. How we use it
We process information to:
- Provide, operate, and improve the Service.
- Detect missed expectations and deliver alerts to you or your teammates.
- Authenticate users and prevent abuse.
- Communicate with you about service changes, billing, security incidents, and (if you opt in) product updates.
- Comply with legal obligations and enforce our Terms of Service.
- Produce aggregate, de-identified analytics that help us understand how the product is used. These never include personal information.
We do not sell personal information. We do not use Customer Data to train machine-learning models.
4. Who we share it with
We share information only with the service providers we need to run the business (sub-processors), and only to the extent necessary. Current sub-processors:
| Sub-processor | Purpose | Data location |
|---|---|---|
| DigitalOcean | Cloud hosting for platform, ingest, worker, and databases | United States (NYC3) |
| Clerk | Identity & authentication | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email (alerts, billing, account) | United States |
| GitHub | Code hosting, CI/CD, container registry | United States |
| Cloudflare | DNS (for some zones) | Global edge |
We will update this list before adding a new sub-processor that processes Customer Data, and EU customers will receive 30 days' notice via the mechanism specified in their DPA.
We may also share information to comply with legal process, protect rights and safety, or as part of a business transfer (merger, acquisition, sale). In which case your rights under this Policy continue.
5. Data retention
Account data: retained while your account is active plus 90 days after deletion, except where a longer period is required by law (tax records: 7 years).
Customer Data (events): retained for the window your plan specifies (365 days on every paid plan, longer on Enterprise contracts that require it). You can request earlier deletion at any time.
Logs: 30 days.
Aggregated, de-identified analytics: retained indefinitely.
6. Your rights
Depending on where you live you may have rights to:
- Access the personal information we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Restrict or object to certain processing.
- Port your data to another provider in a machine-readable format.
- Withdraw consent where processing relies on consent.
- Complain to your supervisory authority (EEA/UK residents: your local Data Protection Authority).
To exercise any right, email [email protected]. We will acknowledge within 2 business days and respond substantively within 30 days. We may need to verify your identity before acting on the request.
Self-serve in the dashboard. Two of the most common requests don't need to wait for an email:
- Export your data: from Settings → Account → Privacy & data you can download a JSON archive of your account, projects, channels, rules, and the most recent 90 days of events. Larger windows are available on request via [email protected].
- Delete your account: also under Settings → Account → Privacy & data. Deletion is staged with a 7-day grace window during which you can cancel; after that we hard-delete the customer record, all associated events, pending expectations, channels, and rules. The Stripe subscription is canceled automatically at the start of the grace period (no further charges). Aggregate, de-identified analytics that cannot re-identify you may persist beyond deletion as noted in §5.
7. Data Processing Agreement (EU / UK)
When you process personal information through the Service, you are typically the data controller and Upkeel is the processor. We will execute our standard DPA on request. Email [email protected]. Our DPA incorporates the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum for cross-border transfers, and lists our current sub-processors (see §4). International data transfers rely on SCCs as the lawful transfer mechanism.
8. Cookies
We use a minimal set of first-party cookies strictly necessary for the Service to function. These do not require consent under GDPR / ePrivacy:
| Cookie | Domain | Purpose | Expiry |
|---|---|---|---|
__clerk_session | .upkeel.dev | Authenticated user session (managed by Clerk) | Rolling; expires on sign-out |
upkeel_session | .upkeel.dev | "Signed-in" flag used by marketing site to show/hide sign-in CTA | Session |
cc_cookie | upkeel.dev | Records your cookie-preferences choice (only set after interaction) | 6 months |
Privacy-preserving analytics. We run a self-hosted instance of Plausible Analytics at analytics.upkeel.dev (a different host from the Service itself). Plausible is cookie-free and does not collect personal data. It counts page views and aggregate events without identifying individuals. No cross-site tracking, no advertising integrations, no data sale. Because Plausible operates without cookies and without personal data, it does not require consent under GDPR / ePrivacy. EEA / UK visitors who want to opt out anyway can flip the "Analytics" toggle in the cookie-preferences modal.
If we ever add analytics or functional cookies that do identify individuals (e.g. session replay), we will request explicit opt-in consent from visitors located in the European Economic Area, UK, and other jurisdictions that require it, via the consent banner.
9. Security
We encrypt data in transit (TLS 1.2+) and at rest (disk-level). Access is restricted to engineers with a need-to-know; every such access is audit-logged. See our Trust & Security page for technical and organisational controls, including our SOC 2 program status.
If a security incident affects your data, we will notify you without undue delay and in accordance with applicable law.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have, email [email protected] and we will delete it.
11. International users
We are based in the United States and our primary infrastructure is in the US. If you access the Service from outside the US, you acknowledge that your information will be transferred to, processed in, and stored in the United States under the safeguards described in §7.
12. Changes to this Policy
We may update this Policy. Material changes will be announced by email to your administrator account and posted here at least 30 days before taking effect. The "last updated" date at the top reflects the current version.
13. Contact
Upkeel Solutions LLC, Indiana, USA.
Data protection contact: [email protected].
Security reports: [email protected].