Privacy Policy
Last updated: May 16, 2026
1. Data Controller
The data controller responsible for your personal data is:
UPMAX INC.
44 Bennett Avenue, Long Beach, CA 90803, USA
California-registered corporation
Email: [email protected]
Phone: (562) 203-3232
DPO contact: Not applicable — UPMAX INC. does not meet the threshold requiring a Data Protection Officer under GDPR Art. 37. Privacy enquiries should be sent to the email above.
2. Data We Collect
We collect the following categories of personal data:
- Account data: Name, email address, company name, billing address, payment method (tokenised — we never store raw card numbers).
- Usage data: Pages visited, features used, funnel performance events, IP address, browser type, operating system, referring URL, session duration.
- Lead data (workspace-isolated): Data submitted by your end-customers through funnels you create. This data is isolated per workspace via Row-Level Security and is processed on your behalf as a Data Processor (see DPA).
- Attribution data: Click IDs (gclid, fbclid, ttclid, li_fat_id, msclkid) and UTM parameters captured by our first-party tracking script (cz-track.js).
- Communications: Emails you send to our support or sales team.
- Voice data (optional): Audio recordings and transcripts from voice brief sessions, retained for 90 days and deleted automatically.
3. Legal Basis for Processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Service, manage accounts | Art. 6(1)(b) — Performance of a contract |
| Process payments, prevent fraud | Art. 6(1)(b) — Performance of a contract; Art. 6(1)(f) — Legitimate interests |
| Service communications (receipts, security alerts) | Art. 6(1)(b) — Performance of a contract |
| Analytics and product improvement | Art. 6(1)(f) — Legitimate interests |
| Marketing emails (if opted in) | Art. 6(1)(a) — Consent |
| Legal compliance, tax records | Art. 6(1)(c) — Legal obligation |
4. How We Use Your Data
- To create and manage your account and provide the Service.
- To process payments and send billing notices.
- To improve the Service through aggregated, anonymised analytics.
- To send transactional emails (password reset, payment receipts) via Resend.
- To send product updates and marketing communications if you have opted in.
- To detect and prevent fraud, abuse, and security incidents.
- To comply with legal obligations (tax, anti-money laundering, court orders).
We do not sell personal data.
5. Data Sharing and Subprocessors
We share data only with service providers necessary to operate the Service. All subprocessors are bound by GDPR-compliant Data Processing Agreements. See our full list in the Data Processing Addendum.
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA (SCCs) |
| Supabase | Database hosting | AWS us-east-1 (SCCs) |
| Resend | Transactional email | USA (SCCs) |
| Anthropic | AI generation (brief, copy, funnel) | USA (SCCs) |
| OpenAI | AI generation (supporting models, moderation) | USA (SCCs) |
| Railway | Application hosting (site, API, dashboard) | USA (SCCs) |
| Cloudflare | CDN, DNS, DDoS protection | Global (SCCs) |
| Sentry | Error monitoring | USA (SCCs) |
| PostHog | Product analytics | US Cloud (SCCs) |
"SCCs" = EU Standard Contractual Clauses (2021) applied for international transfers.
6. Data Retention
- Account data: Retained for the duration of your account plus 3 years for legal/tax purposes after closure.
- Lead data: Retained as long as your workspace is active or as you configure. Deleted within 30 days of workspace deletion request.
- Usage/analytics data: Aggregated and anonymised after 24 months.
- Voice recordings: Deleted automatically after 90 days.
- Payment records: Retained for 7 years per US tax law.
7. Your Rights
If you are in the EEA, UK, or certain other jurisdictions, you have the following rights:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise any right, email [email protected]. We will respond within 30 days of receiving your request.
You also have the right to lodge a complaint with your supervisory authority. In the UK: ICO. In Ireland: DPC. For California residents (CCPA/CPRA): California Privacy Protection Agency.
8. International Data Transfers
Some of our subprocessors are located outside the EEA. Where personal data is transferred to countries without an adequacy decision, we use the EU Standard Contractual Clauses (Commission Decision 2021/914) as the legal transfer mechanism. A copy is available on request.
9. Cookies and Tracking
We use first-party cookies for authentication, attribution, and analytics.
Our tracking script (cz-track.js) captures click IDs (gclid, fbclid, ttclid, etc.) for ad attribution. Marketing and analytics cookies are only placed after you give consent via our cookie banner.
See our full Cookie Policy for a complete list of cookies, purposes, and durations.
10. Security
We implement technical and organisational measures including: TLS encryption in transit, AES-256 encryption at rest, Row-Level Security on all database tables, regular security audits, and access controls limited to authorised personnel.
Despite these measures, no internet transmission is 100% secure. Please report suspected vulnerabilities to [email protected].
11. Changes to This Policy
We may update this policy periodically. Material changes will be notified by email to your registered address at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the current version.
12. Contact and DPO
For privacy questions or to exercise your rights:
UPMAX INC.
44 Bennett Avenue, Long Beach, CA 90803, USA
[email protected]
DPO: N/A — below GDPR Art. 37 threshold.