Privacy Policy
This Privacy Policy explains how Potato Laboratories, Inc. dba Upriver (“Upriver,” “we,” “us,” or “our”) collects, uses, and shares your personal information when you visit https://upriver.ai or use our services.
By using our Services, you acknowledge that you have read and understood this Privacy Policy.
Effective Date: November 11, 2025
Information We Collect
We collect only what’s needed to operate and improve our services.
- Identifiers: name, email address, IP address, and similar identifiers.
- Professional Information: role, company name, and other business-related details you choose to provide.
- Billing Information: limited billing details necessary to manage subscriptions and payments. Payment processing is handled by our third-party provider; Upriver does not store full payment card numbers.
- Support & Communications: information you share when you contact us, including inquiries, feedback, and other communications.
- Usage Data: information about how you interact with our API, dashboard, and website—such as request activity, feature usage, performance metrics, and analytics.
Information from Third Parties
- SSO providers: if you sign in with Google, GitHub, or similar, we receive basic profile information for authentication.
- Payments: our payment processor shares limited billing event data (for example, successful payments or refunds).
- Vendors and partners: analytics or fraud-prevention data that helps secure accounts and improve performance.
- Publicly available sources: we may process information that is lawfully available on public websites or platforms (for example, social, creator, or community data) to provide cultural or audience insights.
We do not intentionally collect sensitive personal data or knowingly collect data from children under 16.
How We Use Information
We use personal information only when we have a valid reason:
- Provide the Services: authenticate users, operate APIs, process payments, manage accounts, and deliver customer support.
- Improve and secure: monitor performance, debug, develop new features, prevent abuse, and maintain logs.
- Communicate: send service or transactional messages (for example, usage alerts and billing notices). With consent, send product updates or best-practice content—you can unsubscribe anytime.
- Comply with law: meet legal, regulatory, and tax obligations and enforce our terms.
We do not use customer data sent through the API to build advertising profiles or train AI models for unrelated products. Upriver may, however, use aggregated or de-identified data internally to improve service reliability, model accuracy, or system performance.
Legal Bases (EEA and UK)
If you’re located in the European Economic Area or United Kingdom, we process personal data under these bases:
- Contract: to provide the services you request.
- Legitimate interests: to operate, secure, and improve the services (balanced against your rights).
- Consent: for optional analytics or marketing related to Upriver’s own website and user accounts—you can withdraw consent anytime.
- Legal obligation: to comply with applicable laws.
For publicly available data processed by Upriver to generate insights or embeddings, we rely on legitimate interest. Such data may include publicly visible creator, brand, or sponsorship information and is processed only for analytical and contextual purposes consistent with its original public availability and platform terms.
How We Share Information
We share personal information only in limited cases:
- Service providers: trusted vendors who host, process payments, send emails, and provide analytics or support. These providers act under our instructions and may include cloud infrastructure, billing, and security services.
- Integrations: if you connect third-party tools, we share the data necessary to enable them.
- Compliance and safety: when required by law or to protect rights, property, or safety.
- Business transfers: if Upriver merges or is acquired, your data may transfer as part of that transaction.
We do not sell personal data or share it for third-party advertising. A current list of our sub-processors is available upon request at support@upriver.ai.
International Data Transfers
We’re based in the United States and may use service providers in other countries. When transferring data internationally, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards under applicable data-protection laws.
Data Retention and Deletion
We retain personal information only as long as necessary to operate and improve our services or meet legal requirements. When an account is closed or you request deletion, we delete or anonymize personal data within 30 days, unless the law requires us to retain it longer. System logs and encrypted backups are retained for limited periods to support security, reliability, and recovery.
Cookies and Analytics
We use cookies and similar technologies to enable core functionality, improve performance, and protect the platform. You can manage cookies through your browser settings. Where required, we will obtain your consent before using non-essential cookies or analytics tools.
Security
We use industry-standard security measures to protect personal information, including encryption, access controls, and continuous monitoring. We regularly review and improve our security practices to help safeguard your data. You are responsible for maintaining the security of your account credentials and API keys.
Your Rights
Under GDPR (for EEA and UK residents):
- Access, correct, or delete personal data.
- Restrict or object to processing.
- Request data portability.
- Withdraw consent.
- File a complaint with a data-protection authority.
Under CCPA (for California residents):
- Know what personal data we collect and how it’s used.
- Request deletion or correction.
- Opt out of sale or sharing (we don’t sell data).
- Exercise rights without discrimination.
To exercise your rights, email us at support@upriver.ai.
Customer Data Processed Through the API
If you send personal data to our API or dashboard on behalf of your users, you are the data controller and we act as your data processor. We process such data only to provide and secure the services, not for any other purpose. Upon request or account closure, we will delete or return customer data unless legally required to retain it.
A Data Processing Agreement (DPA) consistent with Article 28 of the GDPR is available on request. You can request a copy at support@upriver.ai.
Children’s Privacy
Our services are not intended for individuals under the age of 16, and we do not knowingly collect personal information from them.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we’ll post the new version with an updated date. If changes are significant, we’ll notify you by email or in-product notice. Continued use of the services after an update means you accept the revised policy.
Governing Law
This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict of law principles. Any disputes relating to this Policy will be resolved exclusively in the state or federal courts located in San Francisco County, California, unless otherwise required by applicable data-protection law.
Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at support@upriver.ai.