Privacy policy
How Upvoted collects, uses, and protects personal data, for tenants and voters alike.
Last updated
# 1. Data controller
Ekklo SAS, a French simplified joint-stock company with a share capital of €4, registered with the Paris Trade and Companies Register under number 931 675 706.
Registered office: 229 rue Saint-Honoré, 75001 Paris, France
Contact: [email protected]
Data Protection Officer: Mathys Pomier, [email protected]
# 2. Data we collect
Upvoted distinguishes three categories of data subjects: tenant administrators (paying or free-tier customers), voters (end users who vote or comment on a public roadmap), and visitors of the marketing site upvoted.pro.
Tenant administrators
- Work email address
- Password (stored only as a bcrypt cost-12 hash, never in clear text)
- Workspace name, preferred locale (fr / en)
- Billing data sent to Stripe (name, billing address, EU VAT number for businesses)
- Technical logs: IP address, user-agent, login timestamp (90-day retention)
Voters
- Email address (stored encrypted to allow vote deduplication via
(post_id, voter_email_hash)) - Comment content (plain text, max 2000 chars)
- IP address and user-agent at vote time (anti-abuse only, 30-day retention)
- List of posts the voter has voted for (to enable status-change notifications)
Marketing site visitors
- No tracking cookies are set on the upvoted.pro marketing site
- IP addresses anonymized by Cloudflare for DDoS protection
- Aggregated analytics data via PostHog EU (no cookies, no persistent identifier)
No sensitive categories
Upvoted collects no sensitive data within the meaning of GDPR article 9: no health data, no political opinions, no sexual orientation, no biometric data. The service is designed to collect only the minimum necessary for its operation.
# 3. Purposes
- Service delivery: create and manage accounts, host roadmaps, process votes and comments, send magic verification links.
- Billing: collect subscriptions, issue invoices, handle refunds and EU VAT through Stripe.
- Communication: notify voters of status changes on posts they voted for (opt-out at any time), inform administrators about service evolutions.
- Security and anti-abuse: detect fraudulent votes (mass voting, fake accounts), protect against attacks (DDoS, brute-force).
- Product improvement: aggregate analysis of user journeys to improve the experience (PostHog EU, no persistent cookies).
# 4. Legal bases
Processing relies on the following legal bases (GDPR article 6):
- Contract performance: for all processing necessary to deliver the service (admin accounts, roadmap hosting, votes).
- Consent: for voter sign-up (clicking the "vote" button constitutes explicit consent to receive the magic link and status notifications).
- Legal obligation: for retention of invoices (10 years, French Commercial Code), fraud prevention, response to authority requests.
- Legitimate interest: for anti-abuse processing (rate-limiting, fraudulent vote detection) and aggregated product improvement.
# 5. Retention periods
- Active admin accounts: throughout the subscription duration.
- Deleted admin accounts: full deletion within 30 days of deletion request (GDPR art. 17). Recovery possible during this window.
- Voter data: kept as long as the corresponding post exists on the roadmap. Deletion possible at any time via the "unsubscribe" link in every email.
- Technical logs: 30 days for vote logs, 90 days for admin auth logs.
- Invoices and accounting data: 10 years (legal obligation, French Commercial Code).
- Backups: 30 days, then automatic deletion.
# 6. Recipients & sub-processors
Data is never sold, rented, or exchanged. It is accessible to the following recipients strictly within the scope of the service:
- Stripe Inc. (Ireland, EU), payments, billing, EU VAT calculation.
- Resend (United States, EU region), sending of transactional emails.
- PostHog EU (Germany), product analytics (anonymized, cookieless).
- Cloudflare (United States, EU edge), CDN, DNS, DDoS protection.
- Neon (United States, region eu-central-1), PostgreSQL database hosting.
All our sub-processors have signed a GDPR-compliant Data Processing Agreement (DPA). The current list is available on request at [email protected].
# 7. Data transfers
No user data is transferred outside the European Union as part of the nominal service operation.
Some of our sub-processors are headquartered in the United States (Cloudflare, Neon, Resend) but operate the Upvoted services exclusively from EU regions (mainly Frankfurt). Standard Contractual Clauses (SCC) approved by the European Commission cover any residual administrative interaction with US headquarters.
# 8. Security
See our dedicated security page for full details: encryption, multi-tenant isolation via PostgreSQL Row-Level Security, backups, incident response.
# 9. Your rights
Under the GDPR, you have the following rights over your personal data:
- Right of access: obtain the list of all data concerning you.
- Right of rectification: correct any inaccurate data.
- Right of erasure ("right to be forgotten"): request deletion of your data.
- Right to restriction of processing: suspend certain processing.
- Right to data portability: retrieve your data in a structured format (JSON / CSV).
- Right to object: refuse certain processing (especially legitimate interest).
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
To exercise your rights: [email protected]. We respond within a maximum of 30 days (GDPR art. 12).
If you disagree, you can lodge a complaint with the CNIL: cnil.fr/en/lodging-complaint-cnil.
# 11. Updates
This policy may be amended at any time, particularly to reflect legal or technical developments. The last update date is shown at the top of the page. Substantial changes are notified to administrators by email at least 30 days before they take effect.
The full change history is available on GitHub.
# 12. Contact
Any question relating to this policy, to your data, or to exercise your rights:
- General support: [email protected]
- Data Protection Officer: Mathys Pomier, [email protected]