Privacy Policy

Effective April 22, 2026

Who we are

UPBEAT Growth OS (“UPBEAT”, “we”, “us”) is operated by UPBEAT Growth. We provide an AI-powered marketing platform that helps founders plan, draft, and publish brand-aligned content. This policy explains what data we collect, why, and the choices you have. Questions: hello@upbeatgrowth.com.

What we collect

  • Account data: email address, name, and authentication tokens provided by Supabase Auth.
  • Brand + content data: brand profile inputs, voice samples, uploaded images, generated articles, tasks, keywords, and chat history with Beat.
  • Integration data: when you connect an external service (Google Analytics 4, Google Search Console, WordPress, Klaviyo, Stripe), we receive OAuth tokens or credentials needed to sync data. Tokens are encrypted at rest using AES-256-GCM.
  • Usage + billing: feature usage counts, Stripe subscription status, and request logs for debugging and security.
  • Cookies: session cookies for authentication. We do not use advertising cookies.

How we use it

  • To provide, personalize, and improve the service.
  • To generate content on your behalf via large language model providers (Anthropic Claude).
  • To sync with third-party services you connect (e.g. push published articles to WordPress, pull analytics from GA4, push lists and flows to Klaviyo).
  • To process payments and manage subscriptions via Stripe.
  • To communicate about your account, product updates, and support.

How we share it

We do not sell personal data. We share limited data with the subprocessors needed to run the product:

  • Supabase — database, auth, file storage.
  • Vercel — hosting and serverless compute.
  • Anthropic — language model inference for generated content and Beat chat. Content you generate is processed by Claude under Anthropic’s zero-retention terms where available.
  • Stripe — payment processing.
  • Resend — transactional email.
  • Unsplash — image lookup (only public image URLs are exchanged).
  • Google, WordPress, Klaviyo, Meta — only when you connect these integrations, and only to the scopes you authorize.

Integration-specific notes

Klaviyo. When you connect Klaviyo via OAuth, we store an encrypted access token and refresh token scoped to your account. We read and write only the data needed to run the features you ask for (lists, profiles, flows, events). You can disconnect at any time from Settings; revoking the connection deletes the stored tokens.

Google (GA4 + Search Console). We request read-only scopes to pull performance data surfaced in the Results and SEO agents. You can revoke access from your Google account at any time.

WordPress. We store an encrypted application password you generate in WordPress. It is used only to publish articles to your site on your instruction.

Meta (Facebook, Instagram, Threads). When you connect Meta via Facebook Login, we receive and store encrypted OAuth access tokens scoped to the permissions you grant. We use them only to: (a) list the Facebook Pages, Instagram Business accounts, and Threads profiles you own; (b) publish and schedule posts you author in UPBEAT; and (c) read engagement and insights metrics we display back to you. We do not read your personal timeline, friends list, or private messages. You can disconnect at any time from Settings, or revoke UPBEAT directly in Facebook → Business Integrations. For automated deletion requests initiated from Facebook, see our Data Deletion page. Our use of information received from Meta APIs adheres to the Meta Platform Terms and Developer Policies, including the Limited Use requirements.

How long we keep it

We retain account and content data for as long as your account is active. When you delete your account, we remove or anonymize personal data within 30 days, except where retention is required for legal, tax, or fraud-prevention reasons. Encrypted backups roll off within 90 days.

Your choices

  • Access, correct, export, or delete your data by emailing us.
  • Disconnect integrations at any time from Settings.
  • Opt out of marketing email via the unsubscribe link in any message.
  • EU / UK / California residents have rights under GDPR and CCPA (access, deletion, portability, non-discrimination). We honor verified requests at no cost.

Security

We use TLS in transit, AES-256-GCM for integration credentials at rest, Supabase row-level security for tenant isolation, and least-privilege access for internal systems. No system is perfectly secure; if we learn of a breach affecting your data, we will notify you without undue delay.

Children

UPBEAT Growth OS is not intended for users under 16. We do not knowingly collect data from children.

Changes

We may update this policy. Material changes will be announced by email or in-app at least 14 days before taking effect. The “Effective” date at the top of this page always reflects the current version.

Contact

UPBEAT Growth — hello@upbeatgrowth.com