Uptent — Privacy Policy
Effective: 29 October 2025
The protection of your personal data is of particular importance to us.
We process your data exclusively based on applicable legal provisions (GDPR, Austrian Data Protection Act (DSG), Telecommunications Act 2021 (TKG 2021)).
This Privacy Policy informs you about the type, scope, and purposes of the processing of personal data when visiting our website and using our SaaS service Uptent.
1. Controller
Uptent – Felix Raffelsberger
Wilhelminenstraße 123
1160 Vienna, Austria
E-mail: [email protected] (Recommendation: [email protected])
Website: https://uptent.io
2. Scope and Roles
This statement applies to the website, dashboard, and related Uptent functionalities.
Role allocation:
For account, contract, and billing data, Uptent acts as data controller (Art. 4(7) GDPR)
For customer-provided content and measurement data (e.g. monitors, status pages), Uptent acts as a data processor; a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is provided for this purpose
3. Categories of Data Processed
Depending on usage, we process in particular:
- Usage/server data: IP address, date/time, request/header data, user agent, referrer, error logs
- Account/contract data: email, name (optional), organization, billing data, payment status
- Platform-specific data: customer-created websites/monitors/status pages including metadata
- Support/communication data: inquiry content, ticket information, delivery metadata
4. Purposes and Legal Bases
We process personal data only as necessary.
Legal bases (Art. 6(1) GDPR):
- Contract/performance of contractual measures (lit. b): registration, dashboard use, payment processing, support
- Legal obligations (lit. c): tax/accounting retention requirements, reporting obligations
- Legitimate interests (lit. f): operation/security (e.g. fraud/misuse prevention, logging), product improvement (cookie-less analytics)
- Consent (lit. a): only where strictly necessary (e.g. optional convenience/marketing features).
Note: Support/contact requests are generally based on lit. b/f rather than consent.
5. Cookies and Device Access (§165 TKG 2021)
By default, we only use technologies strictly necessary for the service (e.g. login session cookie).
Purpose: session management;
Retention: session duration;
Legal basis: §165(3) TKG 2021 in conjunction with Art. 6(1)(b) GDPR.
Optional cookies/similar technologies (e.g. convenience/marketing/statistics) are used only with your consent (Art. 6(1)(a) GDPR).
Consent can be revoked at any time with future effect.
6. Hosting and Server Logs
Our systems are hosted in data centers within the EU.
When visiting the website/dashboard, server logs are processed for security purposes (e.g. IP address, accessed resources, timestamp, user agent).
Legal basis: Art. 6(1)(f) GDPR (security, error analysis, misuse prevention).
7. Transactional Emails (Resend)
We use Resend for system and transactional emails (e.g. email verification, password reset, notifications).
Transferred data: recipient email, delivery/metadata, subject/content fragments where required.
- Data Processing Agreement in place pursuant to Art. 28 GDPR
- International transfer: Resend is certified under the EU-US Data Privacy Framework (DPF); transfers rely on the adequacy decision under Art. 45 GDPR
Additional safeguards (TLS, need-to-know) are applied
A copy of the relevant safeguards is available upon request.
8. Payment Processing (Stripe)
We use Stripe for payment handling.
Data is transferred to Stripe and processed there for execution of payments, fraud prevention, and legal compliance (e.g. anti-money-laundering).
We do not store full card/account information; Stripe processes them directly.
- Legal bases: Art. 6(1)(b) (contract), Art. 6(1)(f) (fraud prevention), Art. 6(1)(c) (legal obligations)
- Stripe acts partly as data controller (e.g. fraud prevention/compliance) and partly as processor — see Stripe’s Privacy Policy
- International transfer: Stripe (incl. Stripe, Inc., USA) is DPF-certified (Art. 45 GDPR); additionally SCCs (Art. 46 GDPR) and technical/organizational safeguards may apply
- PSD2/SCA: Strong Customer Authentication requirements are followed
9. Web Analytics
We operate self-hosted, cookie-less analytics within the EU.
Collected event data is pseudonymized (e.g. immediate IP truncation/hash without cross-device tracking).
No transfer of analytics/marketing data to third parties.
Legal basis: Art. 6(1)(f) GDPR (interest in stable/safe operations and product improvement).
10. Public Status Pages
When accessing publicly available status pages, access data (IP address, timestamp, user agent) is processed and logged for short fixed periods for operational/security reasons.
Legal basis: Art. 6(1)(f) GDPR.
11. Categories of Recipients
- Hosting/cloud infrastructure (EU)
- Email delivery (Resend, USA – DPF)
- Payment services (Stripe – DPF)
- Legal/tax advisors (AT/EU)
- Authorities/banks as required by law or in case of claim enforcement
12. International Data Transfers
Where data is transferred to third countries, this is based on an adequacy decision (particularly EU-US DPF, Art. 45 GDPR), or on appropriate safeguards (especially Standard Contractual Clauses, Art. 46 GDPR) and additional technical/organizational measures.
Copies available upon request.
13. Storage Periods
- Accounts: until deletion by the user + up to 3 months operational grace period (backups/logs)
- Server/security logs: 14–30 days, then deletion/anonymization (unless longer retention is required for evidence defense)
- Contract/billing records: 7 years (Austrian BAO)
- Support communication: 12–24 months (traceability/quality assurance), unless longer statutory retention applies
14. Rights of Data Subjects
You have — where legally applicable — the following rights:
access, rectification, erasure, restriction of processing, data portability, objection to processing based on Art. 6(1)(e/f) GDPR, and withdrawal of consent with future effect.
To exercise your rights, please contact us using the above details.
15. Obligation to Provide Data and Consequences of Non-Provision
Providing the data necessary for registration, contract performance, and payment is required for using Uptent.
Without this data, the service cannot be provided.
16. No Automated Decision-Making
There is no automated individual decision-making including profiling pursuant to Art. 22 GDPR.
17. Security Measures
We implement appropriate technical and organizational security measures pursuant to Art. 32 GDPR (including TLS encryption, role-based access control, need-to-know principle, regular patches, encrypted backups).
Security measures evolve over time with technical development.
18. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority.
In Austria: Austrian Data Protection Authority (Österreichische Datenschutzbehörde),
Barichgasse 40-42, 1030 Vienna,
Tel. +43 1 52 152-0,
E-Mail: [email protected]
19. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy to reflect legal or technical developments.
The current version is always available on our website.
Note on Translation
This Privacy Policy was originally written in German.
The English translation is provided solely for convenience.
In case of discrepancies, the German version shall prevail.