Back to UploadBerryTerms of Service →
Legal

Privacy Policy

Last updated: 6 March 2026

Overview

UploadBerry (“we”, “us”, or “our”) operates the UploadBerry web application (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have.

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the UK GDPR, and any other applicable data protection laws.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

Data Controller

The data controller responsible for your personal data is:

UploadBerry
Email: privacy@uploadberry.com

If you have questions about how your personal data is handled, you may contact us at the address above. We aim to respond to all privacy-related enquiries within 30 days.

Data We Collect

We collect only the data necessary to provide the Service. This falls into three categories:

Account DataRegistered users
  • Email address (used for authentication)
  • Hashed password (we never store plaintext passwords)
  • Account creation timestamp
Microsoft Integration DataWhen you connect OneDrive
  • Microsoft account display name
  • Microsoft account email address
  • OAuth access token and refresh token (encrypted at rest, used solely to interact with your OneDrive on your behalf)
  • OneDrive folder path you designate for uploads
File Request & Upload DataWhen links are used
  • File request metadata: title, description, allowed file types, expiry settings, active/inactive status
  • Uploader-provided information: only the files and filenames submitted — we do not collect uploaders' names, emails, or IP addresses unless you configure email notifications
  • Email addresses of recipients when you send a file request notification
Technical & Log DataAutomatically collected
  • Browser type and version (via standard HTTP headers)
  • Referring URL
  • Timestamps of service interactions
  • Error logs and diagnostic data for bug fixing

We do not collect: payment card data, government IDs, biometric data, health information, or any special category personal data as defined in GDPR Article 9.

File contents: Uploaded files are transferred directly to your Microsoft OneDrive via the Microsoft Graph API. We do not read, store, or index file contents on our servers.

How We Use Your Data

  • Providing the Service: authenticating your account, creating and managing file request links, uploading files to your designated OneDrive folder.
  • Email communications: sending file request invitation emails to recipients you specify, and upload confirmation notifications to you.
  • Service improvements: analysing anonymised usage patterns to improve performance, reliability, and features.
  • Security: detecting and preventing abuse, unauthorised access, and technical errors.
  • Legal compliance: meeting our obligations under applicable law.

We will never sell your personal data to third parties. We will never use your data for advertising purposes or share it with advertising networks.

Data Sharing & Sub-processors

We share your data only with the third-party service providers (“sub-processors”) strictly necessary to operate the Service:

Convex

Backend database and serverless functions

Privacy policy ↗

Location: United States

Data shared: Account data, file request metadata, OAuth tokens (encrypted)

Microsoft (Azure / Microsoft Graph)

OneDrive OAuth and file storage

Privacy policy ↗

Location: European Union / United States (varies by your Microsoft tenant region)

Data shared: OAuth tokens, file uploads

Resend

Transactional email delivery

Privacy policy ↗

Location: United States

Data shared: Recipient email addresses, email content you compose

Vercel (or hosting provider)

Web application hosting and CDN

Privacy policy ↗

Location: United States / EU edge nodes

Data shared: Request logs, IP addresses (ephemeral)

Each sub-processor is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards. We do not disclose your data to any other third parties unless required by law or compelled by a court order — in which case we will notify you unless legally prohibited from doing so.

Cookies & Tracking Technologies

We use a minimal set of cookies, all of which are technically necessary to operate the Service. We do not use advertising cookies, third-party tracking cookies, or any technology that tracks you across other websites.

Cookie namePurposeDurationCategory
__convexAuthMaintains your authenticated session with ConvexSession / 30 daysEssential
__Host-ConvexTokenStores your JWT auth token securely (HttpOnly, Secure)30 daysEssential
XSRF-TOKENCSRF protection for form submissionsSessionEssential

Essential cookies cannot be disabled without breaking the Service. They do not require your consent under the ePrivacy Directive (Cookie Law) because they are strictly necessary.

No analytics cookies: We do not currently use Google Analytics, Mixpanel, or similar analytics platforms that set persistent cookies. If we introduce optional analytics in the future, we will update this policy and implement a proper consent mechanism before setting any non-essential cookies.

Local storage: We may also use browser local storage to persist UI preferences (e.g. sidebar state). This data is not transmitted to our servers and is not considered personal data.

You can manage or delete cookies at any time through your browser settings. Note that disabling essential cookies will prevent you from signing in.

Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy:

  • Account data: retained for the lifetime of your account. When you delete your account, your account data is permanently erased within 30 days.
  • Microsoft OAuth tokens: revoked and deleted immediately when you disconnect your OneDrive account or delete your UploadBerry account.
  • File request metadata (titles, descriptions, settings): retained while your account is active. Deleted file requests are moved to an archive state and permanently purged after 90 days.
  • Uploaded files: We do not retain uploaded files — they are transferred directly to your OneDrive and never stored on our infrastructure.
  • Email logs: Resend retains delivery logs for up to 30 days per their data retention policy.
  • Technical logs: retained for up to 90 days for debugging and security purposes, then automatically deleted.

If we are required to retain data longer due to a legal obligation or dispute, we will do so only to the extent required and will isolate it from active processing.

International Data Transfers

Some of our sub-processors (Convex, Resend, Vercel) are based in the United States. When we transfer your personal data outside the European Economic Area (EEA) or the UK, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We rely on EU SCCs (2021/914) approved by the European Commission for transfers to US-based processors.
  • Adequacy decisions: Where available, we prefer processors that operate under an adequacy decision or participate in the EU–US Data Privacy Framework.

You can request details of the specific transfer safeguards for each sub-processor by contacting us at privacy@uploadberry.com.

Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR (Articles 15–22):

Right of Access (Art. 15)

You can request a copy of the personal data we hold about you and information about how we process it.

Right to Rectification (Art. 16)

You can ask us to correct inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

You can request deletion of your personal data ('right to be forgotten'), subject to our legal obligations.

Right to Restrict Processing (Art. 18)

You can ask us to restrict how we use your data in certain circumstances.

Right to Data Portability (Art. 20)

You can request your data in a structured, machine-readable format and have it transferred to another controller.

Right to Object (Art. 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on your consent, you can withdraw it at any time without affecting prior processing.

Rights re. Automated Decisions (Art. 22)

We do not make any automated decisions with legal or similarly significant effects on you.

To exercise any of these rights, contact us at privacy@uploadberry.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

Most rights can also be exercised directly within your account settings (e.g. updating your email, disconnecting your OneDrive, or deleting your account).

Children's Privacy

The Service is intended for users who are at least 16 years old (or the minimum age required by your country's law to consent to data processing). We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@uploadberry.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our practices. The “Last updated” date at the top of this page will always reflect the date of the most recent revision.

For material changes, we will notify registered users by email or by displaying a prominent notice within the Service at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Contact & Complaints

For any privacy-related questions, requests, or concerns, please contact us:

UploadBerry — Privacy Enquiries
Email: privacy@uploadberry.com

If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with your local supervisory authority: