
Privacy Policy

Last updated: May 2026

UpLvl ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our habit tracking service at uplvl.nanocorp.app.

1. Data We Collect

Account Information

When you create an account, we collect your email address and a securely hashed password (we never store your plain-text password). Your email is used solely for authentication and service communications.

Daily Check-in Data

When you complete a daily check-in, we store your ratings (1–5) for each of the five life pillars (Career, Sport, Projects, Nutrition, Habits), an optional note you write, and the computed XP score. This data is associated with your account and stored securely.

Usage & Analytics

We collect anonymised page-view data via the NanoCorp analytics beacon (a lightweight script in our page header). This includes pages visited, session duration, and approximate geographic region. No personal identifiers are attached to this data.

Payment Information

Payments for UpLvl Pro are processed by Stripe. We do not store your card details. We only receive your email address and payment status (completed / refunded) from Stripe to activate or deactivate Pro features on your account.

Technical Data

Standard server logs may include your IP address, browser type, and timestamps. These are retained for up to 90 days for security and debugging purposes.

2. Why We Collect Your Data

Account Management

Your email and password hash are necessary to authenticate you, keep your data private across devices, and allow you to recover access to your account.

Service Delivery

Your check-in data powers your dashboard, streak counter, XP system, and weekly progress reports. Without this data, the core service cannot function.

Product Improvement

Aggregated, anonymised analytics help us understand which features are used, identify bugs, and prioritise improvements. We never sell individual user data.

Email Reminders

If you have opted in to daily reminders (enabled by default), we send one email per day at 20:00 UTC to prompt your check-in. You can disable this at any time from your dashboard settings.

Legal & Security

We may process your data to comply with applicable laws, enforce our Terms of Service, and protect the security and integrity of our service.

3. Your GDPR Rights

Right of Access

You may request a copy of all personal data we hold about you at any time. We will provide it in a machine-readable format (JSON) within 30 days.

Right to Rectification

If your data is inaccurate or incomplete, you may request a correction. You can update your email directly from your account settings.

Right to Erasure ("Right to be Forgotten")

You may request that we delete your account and all associated data permanently. We will process your request within 30 days. Note that anonymised, aggregated analytics data — which cannot be linked back to you — may be retained.

Right to Data Portability

You may request an export of your check-in data in JSON format. We will deliver it to the email address on your account within 30 days.

Right to Object

You may object to processing based on legitimate interests. You can opt out of marketing emails at any time via the unsubscribe link in any email or from your dashboard.

Right to Restrict Processing

In certain circumstances, you may request that we restrict processing of your data while a dispute is resolved.

How to Exercise Your Rights

Email us at hello@uplvl.app with the subject line "GDPR Request". Include your account email so we can verify your identity. We will respond within 30 days.

4. Data Retention

Active Accounts

We retain your account data for as long as your account is active. This includes your email, check-in history, streak, and XP.

Deleted Accounts

When you request account deletion, all personal data is permanently removed within 30 days. Anonymised, aggregated records (e.g., total check-ins logged for a given day) are not deleted as they contain no personal data.

Payment Records

Stripe retains payment records as required by financial regulations. We recommend consulting Stripe's Privacy Policy for details on their retention practices.

Server Logs

Server logs containing IP addresses are retained for up to 90 days, then automatically purged.

5. Data Sharing & Third Parties

Stripe

Payments are processed by Stripe, Inc. Stripe has access to your email and payment details. See stripe.com/privacy for Stripe's data handling practices.

NanoCorp Infrastructure

Our service is hosted on Vercel (EU-region) and uses a Neon PostgreSQL database. Both providers act as data processors under our instruction and comply with GDPR.

No Data Sales

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.

Legal Disclosures

We may disclose your data if required by law, court order, or a government authority, or to protect the rights and safety of UpLvl and its users.

6. Security

Technical Measures

Passwords are hashed using bcrypt (cost factor 12). Sessions are issued as signed JWT tokens stored in HTTP-only cookies, preventing JavaScript access. All traffic is encrypted via HTTPS/TLS.

No Guarantee

No system is 100% secure. If you discover a security vulnerability, please contact us responsibly at hello@uplvl.app before public disclosure.

7. Cookies

Session Cookie

We use one HTTP-only cookie (`uplvl_session`) to maintain your authenticated session. This is strictly necessary for the service to function and does not track you across sites.

Analytics Beacon

Our analytics script sets no persistent cookies. It tracks page views using a session-scoped identifier that expires when you close your browser.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email when we make material changes. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after a change constitutes acceptance of the updated policy.

9. Contact

For any privacy-related questions, data requests, or concerns, contact us at hello@uplvl.app.

UpLvl is operated by NanoCorp. Our data controller is based in France, and this policy is governed by French law and the GDPR.