Last updated: 2026-05-26.
This Privacy Policy explains what personal information Upivia (“we”) collects, how we use it, and your rights.
1. Information we collect. (a) Account data: email, name, hashed password, organization name. (b) Usage data: requests your agents make, costs, audit logs, IP address, browser metadata. (c) Billing data: handled by Stripe; we store only the last four digits of payment instruments.
2. How we use it. To operate the Service, enforce budgets/policies, bill usage, prevent abuse, communicate with you about your account, and improve the product.
3. Sharing. We share data with subprocessors necessary to operate the Service: Stripe (payments), Resend (transactional email), OpenRouter and other AI providers you enable, plus our hosting provider. We do not sell personal data.
4. Retention. Account data is retained while your account is active. Audit logs are retained per your plan (7 / 30 / 90 days). On account deletion, personal data is purged within 30 days unless retention is required by law.
5. Your rights. You may export or delete your account data from Settings → Data Export and Settings → Danger Zone. Residents of the EEA/UK/California have additional rights (access, rectification, erasure, portability, objection). Email privacy@upivia.com to exercise them.
6. Security. Passwords are bcrypt-hashed. Connected-app tokens are encrypted at rest. API keys are stored as SHA-256 hashes. All traffic is TLS.
7. International transfers. Data may be processed in the United States. We rely on Standard Contractual Clauses for transfers from the EEA/UK.
8. Children. The Service is not directed to children under 16; we do not knowingly collect their data.
9. Changes. We will notify you of material changes at least 14 days before they take effect.
Contact: privacy@upivia.com
<!-- TODO: legal review before public launch -->