Privacy Policy
upstreem
Last Updated: 25 March 2026
This Privacy Policy explains how upstreem GmbH collects, uses, and protects personal data when you visit upstreem.ai, use the application at app.upstreem.ai, or communicate with us. It applies alongside our Terms of Service and, where upstreem acts as a processor on your behalf, our Data Processing Agreement (“DPA”).
Who We Are
upstreem GmbH (“upstreem”, “we”, “us”) operates the upstreem platform at upstreem.ai and app.upstreem.ai, an AI visibility tracking and analytics service.
Controller
upstreem
Langenbergerstr. 3, 45525 Hattingen, Germany
Managing Director: Lukas Götzkes
Email: lukas@upstreem.ai
We have not appointed a Data Protection Officer. For all data-protection inquiries, please contact us at the address above.
What Personal Data We Collect
Account and contact data. When you register or contact us, we collect your name, email address, company name, role (optional), and any other information you voluntarily provide. This is necessary to create and manage your account and to respond to your enquiries.
Usage and platform data. While you use the platform, we collect data about your interactions — including features used, workspaces created, and actions taken. We also collect technical logs, IP addresses, browser type, device information, and session data for security and operational purposes.
Customer Content. You can submit prompts, keywords, URLs, competitor names, filters, and other inputs, and receive outputs in return (“Customer Content”). If Customer Content contains personal data, you act as the controller for that data and upstreem acts as a processor on your behalf. That processing is governed by our Terms of Service and DPA rather than by this Privacy Policy.
Payment data. Payments are processed by Stripe. We do not store your full card details. We receive transaction confirmations, invoice information, and billing-related metadata from Stripe.
Communication data. When you email us or we send you transactional emails (via Resend), we process the content of those communications and your email address. When you schedule a meeting with us via Cal.com or attend a call via Zoom, we process the associated contact and meeting data.
Analytics data. We use a privacy-friendly analytics provider to understand how our website and platform are used in aggregate. This does not involve tracking you across other websites or building individual profiles. See Section 7 (Cookies) for details.
Sources of data. We collect personal data directly from you or from your authorized users. We may enrich it with publicly available business-directory information (e.g. company size, industry) for sales and support prioritization. We do not buy personal data from data brokers.
Why We Process Your Data (Legal Bases)
Providing the Service, managing your account, billing — Art. 6(1)(b) GDPR, performance of a contract.
Responding to support requests and enquiries — Art. 6(1)(b) GDPR, performance of a contract / pre-contractual measures.
Complying with tax, accounting, and legal obligations — Art. 6(1)(c) GDPR, legal obligation.
Security, fraud prevention, platform integrity — Art. 6(1)(f) GDPR, legitimate interests.
Product analytics and improvement (aggregated, non-identifying) — Art. 6(1)(f) GDPR, legitimate interests.
Direct communications to existing customers about similar products — Art. 6(1)(f) GDPR, legitimate interests (§ 7 (3) UWG, where applicable).
Marketing communications (newsletters, product updates) — Art. 6(1)(a) GDPR, consent.
Cookies and analytics that are not strictly necessary — Art. 6(1)(a) GDPR, consent (§ 25 TTDSG).
Where we rely on legitimate interests, you can object at any time (see Section 8).
Service Providers and Processors
We work with the following third-party service providers that may process personal data on our behalf. Each is bound by a data processing agreement under Art. 28 GDPR and, where relevant, appropriate safeguards for international transfers (see Section 5).
Stripe — Payment processing and billing — USA.
Supabase — Database and backend infrastructure — EU.
Bubble.io — Platform hosting and application layer — USA.
Cloudflare — CDN, DDoS protection, DNS — USA / Global.
Resend — Transactional email delivery — USA.
Cal.com — Meeting and calendar scheduling — USA.
Zoom — Video calls and customer meetings — USA.
Google Workspace — Internal email, documents, and collaboration — USA.
Notion — Internal documentation and knowledge base — USA.
Starto — Domain registration — Germany.
We do not sell your personal data, and we do not share it with anyone except as described in this policy or as required by law.
International Data Transfers
Several of our service providers are based in or process data in the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely, in the following order of priority, on:
An adequacy decision of the European Commission pursuant to Art. 45 GDPR — in particular the EU–U.S. Data Privacy Framework (“DPF”) for processors that are currently certified under the DPF;
EU Standard Contractual Clauses (“SCCs”) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, combined with additional technical and organisational measures where necessary.
You can request a summary of the applicable transfer mechanism and of our transfer impact assessment for any processor by contacting us at support@upstreem.ai.
How Long We Keep Your Data
We keep personal data only as long as necessary for the purposes described above or as required by law. The most important retention periods are:
Account data (profile, credentials, team membership) — For the life of the account, then deleted or anonymized within 90 days after termination (see Terms of Service, Section 18).
Billing and invoicing data, accounting records — 10 years from the end of the calendar year in which the document was issued (§ 147 AO, § 257 HGB).
Tax-relevant correspondence — 6 years (§ 147 AO).
Technical access logs, security logs — Up to 90 days, unless needed for security incident follow-up.
Support emails and tickets — Up to 3 years after the last interaction.
Meeting / call metadata (Cal.com, Zoom) — Up to 12 months, unless linked to an ongoing customer relationship.
Customer Content (prompts, outputs, analytics results) — For the life of the account and as set out in the Terms of Service / DPA; exported or deleted on termination.
Aggregated / anonymized analytics — Indefinitely (no longer qualifies as personal data).
Marketing-consent records — Until consent is withdrawn, plus 3 years for evidentiary purposes.
Where longer retention is required by law (e.g. tax law), we restrict the data from active use and delete it as soon as the retention obligation expires.
Cookies and Analytics
We use a small number of cookies to make the platform work and to understand how it is used. We do not use advertising cookies and we do not track you across other websites.
Strictly necessary. These cookies are required for authentication, session management, and security. They are set on the basis of § 25 (2) TTDSG and do not require consent.
Analytics (opt-in). We use a privacy-friendly analytics provider (no fingerprinting, no cross-site tracking, data processed in the EU where possible). Analytics cookies and comparable technologies are only set with your consent, which you can withdraw at any time via our cookie settings.
You can also configure your browser to block or delete cookies at any time. Disabling strictly necessary cookies will affect core platform functionality.
Your Rights
Under the GDPR, you have the following rights with respect to your personal data. To exercise any of them, contact us at lukas@upstreem.ai. We will respond within one month, extendable by up to two further months where the request is complex, in accordance with Art. 12 (3) GDPR.
Access (Art. 15) — Request a copy of the personal data we hold about you.
Rectification (Art. 16) — Ask us to correct inaccurate or incomplete data.
Erasure (Art. 17) — Request deletion of your data where there is no legal ground for continued processing.
Restriction (Art. 18) — Ask us to restrict processing of your data in certain circumstances.
Portability (Art. 20) — Receive your data in a structured, machine-readable format.
Objection (Art. 21) — Object to processing based on legitimate interests or for direct marketing.
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Automated Decision-Making
We do not use fully automated decision-making within the meaning of Art. 22 GDPR, i.e. automated decisions that produce legal or similarly significant effects for you. The analytics and suggestions generated by the Service are informational; any decision based on them is made by you.
Minors
The Service is a B2B platform and is not directed at, or intended for use by, persons under the age of 16. We do not knowingly collect personal data from persons under 16. If you believe we have inadvertently done so, please contact us at lukas@upstreem.ai and we will delete the data.
Right to Lodge a Complaint
You have the right to lodge a complaint with a data-protection supervisory authority at any time. The supervisory authority responsible for upstreem GmbH is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2–4, 40213 Düsseldorf, Germany
www.ldi.nrw.de
You may also contact the supervisory authority in your country of residence or place of work.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice in the platform before the change takes effect. The date at the top of this page always reflects the most recent version. If you do not agree with a material change, you may terminate your subscription under the Terms of Service.
Contact
For any questions about this Privacy Policy or to exercise your rights:
upstreem
Langenbergerstr. 3
45525 Hattingen
Germany
lukas@upstreem.ai
upstreem.ai