upfyp logoupfypGet Started

Privacy Policy

Last updated: February 4, 2026

This Privacy Policy explains how NOMIS IT, a French EURL (single-member limited liability company), collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) when you use the upfyp service.

1. Data Controller

The data controller responsible for your personal data is:

  • Company: NOMIS IT (NIT)
  • Legal Form: EURL (Single-member limited liability company)
  • Share Capital: €1,000
  • Registration: RCS Lille Métropole 921 726 170
  • Address: 2T rue d'Anchin, 59242 Templeuve-en-Pévèle, France
  • Email: [email protected]
  • Managing Director: Simon BRIENNE

2. Data We Collect

We collect the following personal data:

2.1 Data You Provide Directly

  • Account Information: Email address, name (if provided via Google OAuth)
  • Instagram URLs: Public post and profile URLs you submit for campaigns
  • Payment Information: Billing details processed securely through Stripe (we do not store your card numbers)

2.2 Data Collected Automatically

  • Usage Data: Campaign activity, service usage, quota consumption
  • Technical Data: IP address, browser type, device information
  • Session Data: Authentication tokens stored in cookies

This data may be collected directly or through our partner tools and service providers.

3. How We Use Your Data

Your personal data is used to:

  • Provide and maintain the upfyp service
  • Process your Instagram engagement campaigns
  • Manage your subscription and process payments
  • Send service-related notifications and updates
  • Respond to your inquiries and support requests
  • Improve our services and develop new features
  • Detect and prevent fraud, abuse, or unauthorized use
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our services to you (Article 6(1)(b) GDPR)
  • Legitimate Interests: Service improvement, fraud prevention, security measures (Article 6(1)(f) GDPR)
  • Legal Obligations: Tax records, regulatory compliance (Article 6(1)(c) GDPR)
  • Consent: Marketing communications, where applicable (Article 6(1)(a) GDPR)

5. Data Sharing with Third Parties

Your personal data is never sold or rented. We may share data with trusted service providers solely for service delivery:

5.1 Payment Processing

5.2 Infrastructure & Hosting

  • Cloudflare, Inc. - CDN, DNS, and security services (USA)
  • Google Cloud Platform - Cloud computing (USA)
  • OVHcloud - Virtual private server (France)
  • Supabase, Inc. - Database and authentication (Singapore/EU)

5.3 Service Providers

We use third-party providers to deliver engagement services. These providers receive only the public Instagram URLs you submit and do not receive any personal data such as your name or email. These providers include:

  • Peakerr - Social media marketing services
  • BulkFollows - Social media marketing services

5.4 Legal Requirements

We may disclose data if required by law or to comply with legal proceedings, court orders, or government requests.

6. International Data Transfers

We strive to keep your data within the European Union. However, some of our service providers are located in countries outside the EEA, including the United States and Singapore.

When data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all third-party providers
  • Verification that providers comply with equivalent data protection standards

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure:

  • Encryption in transit (TLS/SSL) and at rest
  • Secure authentication with Supabase Auth
  • Row-level security policies in our database
  • Regular security assessments and monitoring
  • Access controls limited to authorized personnel

However, no internet transmission is 100% secure. You acknowledge that you provide your data at your own risk.

8. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

  • Account Data: Duration of your account plus 3 years after deletion
  • Transaction Records: 10 years (French legal requirement for tax purposes)
  • Campaign Data: 1 year after campaign completion
  • Analytics Data: 26 months
  • Free Trial Records: Indefinitely (email hashes only, to prevent abuse)

After retention periods expire, data is either deleted or anonymized. Deletion and anonymization are irreversible.

9. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit processing of your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time
  • Right to Lodge a Complaint: File a complaint with the French data protection authority (CNIL)

To exercise any of these rights, contact us at [email protected]. We will respond within one (1) month.

10. Cookies

upfyp uses only essential cookies necessary for the service:

  • Authentication Cookies: To keep you logged in
  • Session Cookies: To maintain your session state
  • Security Cookies: To prevent fraud and protect your account

These cookies are strictly necessary for the service to function and cannot be disabled. We do not use tracking or advertising cookies.

11. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top
  • Notify users with registered email addresses at least 15 days before the changes take effect
  • Post the new policy on this page

If you disagree with the updated terms, you may delete your account. Continued use after changes constitutes acceptance.

13. Contact & Complaints

For questions about this Privacy Policy or to exercise your rights:

  • Email: [email protected]
  • Address: NOMIS IT, 2T rue d'Anchin, 59242 Templeuve-en-Pévèle, France

You also have the right to lodge a complaint with the French data protection authority:

  • CNIL (Commission Nationale de l'Informatique et des Libertés)
  • Website: www.cnil.fr

Related Documents

← Back to Home