Privacy Policy
Last updated: April 2, 2026
This Privacy Policy applies to updog.tech and its subdomain console.updog.tech (the "Console"). It describes how Updog ("we", "us", "our") collects, uses, and protects your information when you visit our website, use the Console, or interact with the Updog SDK. Our documentation site (docs.updog.tech) does not collect any personal data.
Updog is operated by Mikhail Kutateladze, based in the United Arab Emirates. For privacy inquiries, contact [email protected].
1. What we collect
1.1 Website visitors (updog.tech)
When you visit our website or documentation, we may collect:
- Analytics data — page views, referral source, device type, and approximate location, collected via Google Analytics. This data is only collected after you consent via our cookie banner.
The website is served through Cloudflare, which may process IP addresses and request metadata as part of its CDN and security services. This processing is governed by Cloudflare's Privacy Policy.
1.2 Console users (console.updog.tech)
When you create an account on the Console, we collect:
- Account information — name, email address, and password (stored as a cryptographic hash, never in plaintext).
- Authentication data — if you sign in with Google, we receive your name, email address, and profile image from Google.
- Session data — IP address and user agent string, stored with your session for security and rate limiting.
- API keys — key names and allowed origin domains that you configure.
- Subscription and billing data — plan tier, billing interval, subscription status, and period dates. All payment card details are handled entirely by Stripe and never stored on our servers. When you view your payment method, card details are fetched directly from Stripe.
1.3 SDK license validation
The Updog SDK is a frontend library that runs entirely in the end user's browser. It does not collect, transmit, or store any spreadsheet data, user content, or personal information. All data processed by the SDK remains in the browser.
The SDK makes a single API call to api.updog.tech to validate the license key. This request transmits:
- The API key (via an HTTP header)
- The requesting domain (via the Origin header)
Our server unavoidably receives the end user's IP address as part of this HTTP request. This IP address is used solely for rate limiting (120 requests per minute per IP) and is not stored beyond transient server logs. No personal data about end users is collected, stored, or processed through this endpoint. The SDK performs license validation entirely client-side where possible; our servers only receive transient validation requests and never access or store any data processed by the SDK in the Client's application.
2. How we use your data
| Purpose | Data used |
|---|---|
| Account creation and authentication | Name, email, password hash, OAuth tokens |
| License validation | API key, requesting domain, IP address |
| Billing and payment processing | Email, Stripe customer ID, subscription details |
| Transactional emails | Name, email, subscription and payment details |
| Security and abuse prevention | IP address, user agent, session data |
| Website analytics | Anonymized browsing data (with consent) |
| Legal and tax compliance | Hashed user ID, invoice amounts, dates |
We do not sell your personal data. We do not use your data for profiling or automated decision-making. We do not send marketing emails — all emails are transactional (account, billing, and subscription notifications).
3. Lawful bases for processing (GDPR)
If you are in the European Economic Area, United Kingdom, or another jurisdiction that requires a lawful basis for processing personal data, we rely on the following:
| Lawful basis | Applies to |
|---|---|
| Contract (Art. 6(1)(b)) | Account management, billing, license validation — necessary to provide the service you signed up for. |
| Legitimate interest (Art. 6(1)(f)) | Security (rate limiting, IP logging, session tracking), abuse prevention, server log retention. Our interest in protecting the service does not override your rights given the minimal data involved. |
| Consent (Art. 6(1)(a)) | Google Analytics cookies on the website. You can withdraw consent at any time via the cookie banner. |
| Legal obligation (Art. 6(1)(c)) | Financial record retention for tax and audit purposes. |
4. Third-party processors
We share personal data with the following service providers, each acting as a data processor on our behalf:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, user ID, payment method details, subscription data | United States |
| Resend | Transactional email delivery | Email address, name, email content | United States |
| Google Analytics | Website usage statistics | IP address, cookies, browsing behavior (with consent only) | United States |
| Google OAuth | Social sign-in | Email, name, profile image | United States |
We do not share your personal data with any other third parties, except where required by law.
5. International data transfers
Our servers are located in Frankfurt, Germany (European Union). Your account data, session data, and subscription data are stored in the EU.
Some of our processors are based in the United States. For these transfers, we rely on:
- EU-U.S. Data Privacy Framework — Stripe and Google are certified participants.
- Standard Contractual Clauses (SCCs) — where the Data Privacy Framework does not apply.
If you are outside the EU, your data is transferred to Frankfurt for processing. By using our service, you acknowledge this transfer.
6. Data retention
| Data | Retention period |
|---|---|
| Account data (name, email, API keys, subscriptions) | Until you delete your account |
| Session data (IP, user agent) | Until session expires or account deletion |
| OAuth tokens | Until account deletion |
| Email verification tokens | Until used or expired (typically 24 hours) |
| Financial records (hashed user ID, invoice amounts, dates) | 7 years after the transaction, as required by tax law |
| Audit logs (hashed user ID, action type) | Retained permanently for regulatory compliance |
| Server logs | Up to 90 days |
| Google Analytics data | 26 months (Google's default retention) |
7. Account deletion
You can delete your account at any time from the Console. When you delete your account:
- Your user profile, sessions, API keys, OAuth accounts, and subscription records are permanently deleted.
- Your Stripe subscription is canceled and your Stripe customer record is deleted.
- A confirmation email is sent to your address.
- Financial records are retained for 7 years with a hashed (non-reversible) user identifier, as required by tax and accounting law (GDPR Art. 17(3)(b)).
- An audit log entry is created with a hashed user identifier to provide proof of deletion for regulatory compliance.
Once deleted, your account cannot be recovered.
8. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
8.1 European Economic Area and United Kingdom (GDPR / UK GDPR)
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your data (subject to legal retention requirements).
- Restriction — request that we limit processing of your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — withdraw consent for analytics cookies at any time.
- Complaint — lodge a complaint with your local supervisory authority.
8.2 California (CCPA / CPRA)
- Right to know — what personal information we collect, use, and disclose.
- Right to delete — request deletion of your personal information.
- Right to opt-out of sale — we do not sell your personal information.
- Right to non-discrimination — we will not treat you differently for exercising your rights.
8.3 Brazil (LGPD)
- You have the right to access, correct, anonymize, block, or delete unnecessary or excessive data, and to request data portability.
8.4 Other jurisdictions
If you are located in Japan (APPI), Australia (Privacy Act), Canada (PIPEDA), South Africa (POPIA), or another jurisdiction with data protection laws, you may have similar rights. Contact us at [email protected] and we will respond in accordance with applicable law.
To exercise any of these rights, email [email protected]. We will respond within 30 days (or sooner if required by your local law).
9. California residents — additional disclosures (CCPA)
In the preceding 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, IP address | Yes |
| Commercial information | Subscription tier, payment history | Yes |
| Internet activity | Pages visited (via Google Analytics, with consent) | Yes |
| Geolocation | Approximate location from IP address | Yes |
We do not sell or share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.
10. SDK and end users
The Updog SDK is a frontend JavaScript library that processes data entirely within the end user's browser. No spreadsheet data, file contents, or user input ever leaves the browser or is transmitted to our servers.
The only network request the SDK makes is a license validation call to api.updog.tech, which transmits the API key and the requesting domain. Our server receives the end user's IP address as an inherent part of the HTTP connection. This IP address is used for rate limiting and is not stored beyond transient server logs.
If you are a developer integrating the Updog SDK into your application, you are the data controller for your end users' data. We act as an independent controller solely for the limited purpose of license validation. We recommend disclosing the license validation request in your own privacy policy.
The SDK may store a license grant in localStorage on your domain under the key updog_license_grant. This is a signed token used for offline license verification and contains no personal data. The SDK's useLocalStorage option allows you to disable this storage until your end user has given consent.
11. Cookies and tracking
Our use of cookies and similar technologies is described in our Cookie Policy. In summary:
- Strictly necessary cookies — session cookies and payment cookies on the Console. No consent required.
- Analytics cookies — Google Analytics on updog.tech, set only after consent via our cookie banner.
12. Children
The Console (account creation, billing, API key management) is a business service intended for developers and organizations. We do not knowingly allow children under the age of 16 to create Console accounts.
The Updog SDK runs entirely in the browser and does not collect personal data from end users. We do not restrict who may use applications that embed the SDK — that is determined by the developer who integrates it.
If you believe a child under 16 has created a Console account, contact us at [email protected] and we will delete it promptly.
13. Security
We implement appropriate technical and organizational measures to protect your data, including:
- All connections encrypted via HTTPS/TLS.
- Passwords stored using cryptographic hashing — never in plaintext.
- API key validation responses signed with ECDSA P-256.
- Rate limiting on all endpoints to prevent abuse.
- Financial records use hashed (non-reversible) user identifiers.
- Database hosted in Frankfurt, Germany with access controls.
No system is completely secure. If you discover a security vulnerability, please report it to [email protected].
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes that affect how we process your data, we will notify Console users by email. Continued use of our service after changes constitutes acceptance of the updated policy.
15. Governing law
This Privacy Policy is governed by the laws of the United Arab Emirates, without prejudice to any mandatory data protection laws that apply to you based on your jurisdiction of residence.
16. Contact
For privacy-related inquiries, data subject requests, or complaints:
Mikhail Kutateladze
Email: [email protected]
Website: updog.tech