The controller is the entity operating the Upflo platform, as identified in the Legal Notice. When a platform user enters information about another person, that user may also act as a separate or joint controller depending on the context; this policy describes the processing carried out by Upflo as operator of the service.

This policy applies to personal data processing carried out on public pages, the authenticated product area, payment flows, admin interfaces, support requests, cookies and technical services associated with Upflo.

• Website visitors and viewers of public pages.
• Sales talents, applicants, account holders and premium subscribers.
• Startup representatives, members, admins and invited teammates.
• Prospects and third parties whose information is entered in relation to a funded appointment or dispute.
• Users sending feedback, reviews or support interactions.
• Admin staff authorised to handle disputes, operations and support requests.

• Identity and contact data: display name, email address, language, avatar, role and active organisation context.
• Talent profile data: biography, headline, experience, location, preferences, skills, LinkedIn URL and onboarding progress.
• Organisation and mission data: startup name, description, website, logo, missions, applications, contracts, signatures and related evidence.
• Messaging and notification data: conversations, messages, notification events, anti-bypass blocking and related logs.
• Appointment and prospect data: date, status, amounts, dispute reason, notes, email, phone number, meeting link, LinkedIn URL and sensitive context notes.
• Payment and subscription data: Stripe identifiers, payment status, refunds, transfers, payout batches, internal ledger entries and premium status.
• Technical and security data: session cookies, context identifiers, IP addresses or user-agent details whenever required for evidence, signatures, fraud prevention or security.
• Support and quality data: feedback titles, messages, page URL, user-agent, locale, active role, error logs and internal product events.

Data mainly comes from information provided directly by users when registering, creating a profile, publishing a mission, sending a message, submitting an appointment or contacting support.

Some data comes from third-party providers chosen by the user or used by Upflo to operate the service, such as authentication providers, payment processors, security services, hosting providers and monitoring tools.

Upflo may also receive data indirectly when a user enters the email address of an invited teammate or the contact details of a prospect in relation to a funded appointment.

Data strictly required to open an account, authenticate, publish a mission, manage a profile, fund an appointment, receive a payout or secure the service is mandatory. Without it, Upflo may be unable to provide all or part of the service.

Some data is optional or enrichment-oriented, for example certain profile presentation fields, some visuals, some feedback fields or certain preferences. Missing optional data may nevertheless reduce the quality of the experience or the visibility of a profile.

Data is accessible, on a need-to-know basis, to authorised Upflo personnel involved in support, operations, moderation, billing, security and administration.

Data may also be shared with subprocessors and technical partners used for hosting, authentication, database and realtime services, payment processing, anti-bot protection, monitoring, rate limiting and technical operation of the service.

• Application hosting and deployment providers.
• Database, authentication and realtime service providers.
• Payment and subscription processors.
• OAuth providers chosen by the user, such as Google or LinkedIn.
• Anti-bot or captcha providers when the feature is enabled.
• Error tracking, observability and rate-limiting services depending on the environment.
• Advisers, auditors, insurers, public authorities and courts when necessary.

Depending on the selected hosting region and the activated technical providers, some data may be processed outside the European Economic Area, especially when global providers are used for hosting, payments, authentication, anti-bot protection, error monitoring or support.

Whenever a transfer outside the EEA occurs, Upflo relies on an appropriate legal mechanism such as an adequacy decision, the European Commission's Standard Contractual Clauses or another recognised safeguard, supplemented where necessary by reasonable additional measures.

Not all data is intended to be public. Upflo applies role-based and workflow-based access controls. Prospect data is separated from the core appointment record to reduce the risk of premature exposure.

Direct contact details of users or prospects are not freely exposed on public pages. Some information may be masked, redacted or delayed until payment or verification conditions are met.

When a user enters the email address of an invited teammate, prospect contact details, a meeting link or any other information about a third party, that user warrants that an appropriate legal basis exists and that the required information has been provided to the third party where the law so requires.

Upflo processes such data in order to perform the service, preserve evidence, prevent fraud, resolve disputes and comply with legal obligations. Where collection is indirect, this policy serves as the general GDPR information notice, subject to the practical individual notice requirements imposed by law.

Subject to the conditions and limits laid down by applicable law, data subjects have a right of access, rectification, erasure, restriction, objection, portability where applicable and, where consent is the legal basis, a right to withdraw that consent.

Requests may be sent to the privacy contact indicated in this policy. Upflo may request reasonable evidence of identity where necessary to protect the data and rights of third parties.

• Primary contact: contact@upflo.fr
• Support contact: contact@upflo.fr
• Supervisory authority in France: CNIL.

As of the update date of this policy, Upflo does not organise decision-making based solely on automated processing that produces legal effects or similarly significant effects within the meaning of Article 22 GDPR.

Where internal indicators, quotas, scores or automatic product rules are used, they mainly serve as operational support, security guardrails or feature-access parameters, combined with human-defined rules and/or administrative review where appropriate.

Upflo implements reasonable and proportionate technical and organisational measures to protect the confidentiality, integrity and availability of data. These measures may include secure authentication, role-based segregation, access limitation, audit logs, separation of sensitive data, secure protocols and administrative controls.

Because no security measure can eliminate all risk, users are also invited to protect their devices, passwords, usage environments and communication channels.

Upflo uses cookies and trackers strictly necessary for service operation, authentication, user-context memorisation, security, anti-bot protection and, where applicable, certain indispensable third-party integrations.

Details on the categories of trackers used, their purposes and the applicable management mechanisms are available in the Cookie Policy.

This policy may be updated to reflect changes to the service, providers, processing activities or legal framework. The last update date appears at the top of the document.

In the event of a material change, Upflo may inform users through the website, by email, by notification or by any other appropriate means.