Back to UpflagUpflag

Privacy Policy

Last updated: 2026-02-16

1. Introduction

Upflag ("the Service") is operated by Christopher Terhune-Testa ("we," "us," "our") based in California, USA. This policy explains what data we collect, why, and what we do with it.

We collect the minimum data needed to provide the Service. We don't sell your data. We don't run ads.

2. Data We Collect

Data you provide:

  • Account information: Email address, name (via Better Auth authentication).
  • Billing information: Payment details are collected and processed by Stripe. We store your Stripe customer ID and subscription status — we never see or store your full card number.
  • Status page content: Page names, descriptions, incident updates, and other content you create.
  • Monitor configurations: URLs you choose to monitor, check intervals, alert preferences.
  • Subscriber emails: Email addresses of people who subscribe to your status pages.

Data collected automatically:

  • Usage data: Pages visited, features used, actions taken within the dashboard.
  • Monitor check results: HTTP status codes, response times, uptime/downtime records for your monitored URLs.
  • Log data: IP address, browser type, operating system, referring URLs, timestamps. Standard server logs.

Data we do NOT collect:

  • We don't track you across other websites.
  • We don't collect sensitive personal data (health, financial, biometric, etc.).
  • We don't knowingly collect data from anyone under 18.

3. How We Use Your Data

DataPurpose
Email + nameAccount management, service communications
Payment info (via Stripe)Process subscriptions, handle billing
Monitor URLs + check resultsProvide monitoring service, display on status pages
Subscriber emailsSend incident notifications on your behalf
Usage dataImprove the Service, fix bugs, understand feature usage
Log dataSecurity, debugging, abuse prevention

We do not use your data for advertising, profiling, or selling to third parties.

4. Third-Party Services

These services process some of your data as part of providing the Service:

ServiceData SharedPurposePrivacy Policy
StripeEmail, payment details, billing addressPayment processingstripe.com/privacy
CloudflareIP address, request logsApplication hostingcloudflare.com/privacypolicy
NeonAll application data (encrypted)Database hosting (US)neon.tech/privacy-policy
ResendSubscriber emails, notification contentEmail deliveryresend.com/legal/privacy-policy

We vet third-party services before integrating them and only share the minimum data necessary.

5. Data Storage & Security

  • Your data is stored in the United States (Neon database on AWS, Cloudflare Workers hosting).
  • Data is encrypted in transit (TLS/HTTPS) and at rest (database encryption).
  • Access to production systems is limited to the service operator.
  • We use Better Auth for authentication — passwords are securely hashed and stored in our database.

6. Data Retention

  • Active accounts: Data is retained as long as your account is active.
  • After cancellation: Your data is retained for 30 days, then permanently deleted.
  • Monitor check history: Retained per your plan (7 days free, 90 days Starter, 1 year Pro). Older data is automatically deleted.
  • Subscriber emails: Deleted when the subscriber unsubscribes or when the associated status page is deleted.
  • Logs: Server logs are retained for 30 days.

7. Your Rights

You have the right to:

  • Access: Request a copy of your data. Email support@upflag.io.
  • Correction: Update your account information at any time in your dashboard.
  • Deletion: Request deletion of your account and all associated data. Email support@upflag.io. We will process deletion requests within 30 days.
  • Data portability: Request your data in a machine-readable format (JSON).
  • Object: Object to specific processing activities by contacting us.

8. GDPR (European Users)

If you are in the European Economic Area (EEA), UK, or Switzerland:

Legal basis for processing:

  • Contract: Processing necessary to provide the Service you signed up for (monitoring, status pages, notifications).
  • Legitimate interest: Usage analytics to improve the Service, security measures, abuse prevention.
  • Consent: Marketing communications (you can opt out at any time).

Your additional rights:

  • Right to be forgotten: Request complete deletion of your data.
  • Right to restrict processing: Limit how we use your data while we address a concern.
  • Right to data portability: Receive your data in a portable format.
  • Right to object: Object to processing based on legitimate interest.
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

Data transfers: Your data is stored in the US. We rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable for lawful data transfers.

Contact for GDPR requests: support@upflag.io. We will respond within 30 days.

9. CCPA (California Residents)

If you are a California resident:

  • Categories of personal information collected: Identifiers (name, email), commercial information (billing), internet activity (usage data, logs).
  • We do not sell personal information. We have never sold personal information and have no plans to.
  • We do not share personal information for cross-context behavioral advertising.
  • Right to know: You can request details about the personal information we've collected.
  • Right to delete: You can request deletion of your personal information.
  • Right to opt out: Not applicable — we don't sell data.
  • Non-discrimination: We won't discriminate against you for exercising your CCPA rights.

To exercise your rights, email support@upflag.io.

10. Cookies

We use minimal cookies:

  • Authentication cookies (Better Auth): Required to keep you logged in. Essential — cannot be disabled.
  • Session cookies: Track your active session. Expire when you close your browser.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

11. Children's Privacy

The Service is not intended for anyone under 18. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The "Last updated" date at the top will always reflect the current version.

13. Contact

For privacy questions or data requests: