Privacy Policy
Last Updated: July 5, 2026
GDPR COMPLIANCE: Upskrol fully complies with the General Data Protection Regulation (GDPR) (EU) 2016/679. This privacy policy explains how we collect, use, and protect your personal data.
1. Data We Collect
We collect the following categories of personal data:
| Category | Data Types | Purpose | Legal Basis |
| Account Data | Email address, username, encrypted password, profile picture, bio | Create and manage your account, authenticate you, display your profile | Contract performance (Art. 6(1)(b)) |
| User Content | Videos, comments, likes, saved videos, watch history | Provide core app functionality, personalize feed, enable social interactions | Contract performance (Art. 6(1)(b)) |
| Device Information | IP address, device type, operating system, browser type, app version | Security, fraud prevention, analytics, app optimization | Legitimate interest (Art. 6(1)(f)) |
| Usage Data | Video views, watch time, interactions, session duration | Improve recommendations, understand user behavior, analytics | Legitimate interest (Art. 6(1)(f)) |
| Camera/Media (optional) | Photos, videos from camera roll | Upload content to the platform | Consent (Art. 6(1)(a)) |
2. How We Collect Data
- Directly from you: When you create an account, upload content, comment, or update your profile
- Automatically: Through cookies, log files, and analytics tools when you use our app or website
- Third-party services: When you sign in via Google or Apple (we receive your email and name with your consent)
3. How We Use Your Data
- Provide the Service: Host and display your content, manage your account, enable social features
- Personalization: Recommend videos, curate your feed, show relevant content
- Security: Detect and prevent fraud, abuse, and security incidents
- Enforcement: Enforce our Terms of Service and Community Guidelines (including copyright strike tracking)
- Analytics: Improve app performance, understand user behavior, fix bugs
- Legal Compliance: Respond to legal requests, comply with DMCA takedown notices, GDPR requests
4. Data Retention
- Account data: Until you delete your account or request erasure
- User content (videos, comments): Until you delete them or your account is terminated
- Moderation logs (strikes, suspensions, bans): Retained for 3 years after account deletion for legal compliance
- IP addresses and device logs: 12 months for security purposes
- Deleted accounts: Data anonymized after 30 days, except for legal retention requirements
5. Data Sharing
- Cloud Service Providers: Hosting and storage (AWS, Cloudinary) - Videos, images, user data
- Analytics Providers: App analytics and performance monitoring - Usage data, device info (anonymized)
- Moderation Services: Content moderation (OpenAI, Rekognition) - Video content, comments, captions
- Legal/Government Authorities: Compliance with court orders, DMCA notices, legal requests - As required by law
We do NOT sell your personal data to third parties.
6. International Data Transfers
- EU Standard Contractual Clauses (SCCs) with our service providers
- Data Processing Agreements (DPAs) with all third-party processors
- GDPR-compliant data transfer mechanisms
7. Your Rights (GDPR & CCPA)
For EU Residents (GDPR):
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your data
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for optional data collection
- Right to Lodge a Complaint: File a complaint with the Dutch Data Protection Authority
For California Residents (CCPA):
- Right to Know: Request disclosure of data collected and shared
- Right to Delete: Request deletion of personal data
- Right to Opt-Out: Opt-out of data sales (we do not sell data)
- Right to Non-Discrimination: Equal service regardless of rights exercised
How to Exercise Your Rights:
Email privacy@upskrol.com with your full name and username, the right you wish to exercise, and any specific data requests. We respond within 30 days (GDPR requirement).
8. Data Security
- Encryption: Passwords hashed with bcrypt, data encrypted at rest and in transit (TLS 1.3)
- Access Control: Strict role-based access to user data
- Monitoring: Security logging and intrusion detection
- Regular Audits: Security assessments and vulnerability scans
9. Cookies and Tracking
- Essential cookies: Authentication, security, app functionality (cannot be disabled)
- Analytics cookies: Understand usage patterns (can be disabled in settings)
- Preference cookies: Remember your preferences
10. Children's Privacy
Upskrol is intended for users aged 16 and older. We do not knowingly collect data from children under 16. If we discover a user under 16, we will delete their account and all associated data.
11. Account Deletion
- In-app: Settings → Account → Delete Account
- Email request: Send request to privacy@upskrol.com
12. Contact Information
Privacy Questions: privacy@upskrol.com
GDPR/CCPA Requests: privacy@upskrol.com
This privacy policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679, the California Consumer Privacy Act (CCPA), and Dutch privacy law.