Privacy Policy

1. Introduction

Actuate Media, LLC (“UpChat,” “we,” “us,” or “our”) operates the UpChat.io platform, an AI-powered chatbot service that enables businesses to deploy conversational agents on their websites. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our services, including our admin dashboard, embeddable chat widget, and any integrations with third-party platforms.

By creating an account, embedding our widget, or otherwise using UpChat.io, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our services.

Actuate Media, LLC

1111B S Governors Ave, STE 28669

Dover, DE 19904

Email: support@upchat.io

Website: https://upchat.io

2. Information We Collect

We collect information from multiple sources depending on how you interact with our platform:

2.1 Account Information

When you create an UpChat account, we collect your name, email address, password (stored in hashed form), company name, and billing information processed through our payment provider (Stripe).

2.2 Chat Interaction Data

When end users interact with an UpChat widget embedded on a business’s website, we may collect:

Names, email addresses, phone numbers, and other personal data voluntarily provided during chat conversations
Chat message content and conversation history
Lead classification and service inquiry details

2.3 Usage and Technical Data

We automatically collect non-personally identifiable technical data, including:

IP addresses, browser type and version, device information, and operating system
Session duration, page views, and widget interaction patterns
Referring URLs and landing page information

2.4 Attribution and Analytics Data

To help our customers understand the performance of their marketing efforts, our widget may capture:

UTM parameters (source, medium, campaign, term, content)
Advertising click identifiers (such as gclid, msclkid, fbclid, and others) passed through URL parameters
Google Analytics session and client identifiers when present on the host website
First-touch and last-touch referral data

2.5 Cookies and Local Storage

We use cookies and browser local storage to maintain chat sessions, remember user preferences, and support attribution tracking. You can manage cookie preferences through your browser settings.

2.6 Google User Data

If you connect your UpChat account to Google services through our platform, we may access certain data from your Google account as authorized by you during the OAuth consent process. The specific data accessed depends on the permissions (scopes) you grant. See Section 10: Google API Data & Limited Use Disclosure for complete details.

3. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery: To provide, operate, and maintain the UpChat platform, including powering AI chat responses, processing lead captures, and delivering notifications
Service Improvement: To analyze platform performance, identify bugs, improve features, and enhance the user experience
Customer Support: To respond to inquiries, troubleshoot issues, and provide technical assistance
Analytics and Reporting: To provide our business customers with conversation analytics, lead attribution reports, and performance metrics
Account Administration: To manage accounts, process payments, and communicate service updates
Security: To detect, prevent, and respond to fraud, abuse, and security incidents
Legal Compliance: To comply with applicable laws, regulations, and legal processes

We do not use personal data for targeted advertising, personalized advertisements, retargeted advertisements, or interest-based advertising. We do not sell personal data to third parties.

4. AI Processing and Data Handling

UpChat uses artificial intelligence (including large language models provided by third-party AI providers such as OpenAI) to power chatbot conversations. When an end user interacts with an UpChat widget:

The conversation content is processed by our AI systems to generate relevant responses
Conversations may be stored to provide continuity within a session and for quality improvement purposes
We do not use customer conversation data or any Google user data to train, fine-tune, or improve general-purpose AI models. Any AI training activities are limited to improving individual customer chatbot performance using only that customer’s own data, with their knowledge and consent. This commitment applies to all data received from Google APIs and is consistent with the Limited Use requirements described in Section 10.3.

We do not sell, rent, or trade your personal data. We may share information only in the following circumstances:

With Business Customers: Chat interaction data and lead information collected through a business’s UpChat widget is shared with that business customer, as they are the operator of the chatbot on their website
Service Providers: We share data with trusted third-party service providers who assist us in operating our platform (e.g., cloud hosting via AWS, payment processing via Stripe, email delivery via AWS SES). These providers are contractually obligated to protect your data and may only use it to perform services on our behalf
Webhook Integrations: If a business customer configures integrations (such as Zapier webhooks or email notifications), lead and conversation data will be transmitted to those configured third-party services as directed by the customer
Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request, including court orders or subpoenas
Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify affected users of any change in ownership or control of their personal data
Protection of Rights: We may disclose information to protect the rights, property, or safety of UpChat, our users, or the public

We do not share or transfer personal data to third parties for the purposes of targeted advertising, data brokering, information resale, credit determination, or lending.

6. Data Security

We implement industry-standard security measures to protect your information, including:

Encryption: Data is encrypted in transit (TLS/SSL) and at rest
Authentication: Passwords are hashed using BCrypt. Access tokens use HMAC-SHA256 signed JWTs. Two-factor authentication (2FA) is available for all accounts
Access Controls: Role-based access controls restrict data access to authorized personnel. API endpoints are secured with authentication requirements
Infrastructure: Our platform is hosted on Amazon Web Services (AWS) with security configurations including CORS policies, rate limiting, and XSS prevention
Input Sanitization: User inputs are sanitized using DOMPurify and server-side validation to prevent injection attacks
Secrets Management: Sensitive credentials are managed through AWS Secrets Manager in production environments
OAuth Tokens: Google OAuth refresh and access tokens are encrypted at rest using AES-256-GCM before being persisted. Decryption keys are managed via AWS Secrets Manager and rotated periodically.

While we take extensive measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

7. Data Retention and Deletion

7.1 Retention Periods

Account Data: Retained for the duration of your active account plus 30 days after account closure to allow for reactivation
Chat Conversations: Retained for the duration of the business customer’s active subscription. Customers may delete individual conversations at any time through the admin dashboard
Lead Data: Retained for the duration of the business customer’s active subscription unless deleted sooner by the customer
Usage and Analytics Data: Retained for up to 24 months for performance analysis, after which it is aggregated or deleted
Payment Records: Retained as required by applicable tax and accounting regulations (typically 7 years)

7.2 Deletion

When a retention period expires or upon a valid deletion request, we will delete or securely destroy the applicable data within 30 days. Some data may be retained in encrypted backups for up to 90 days before being permanently purged.

To request deletion of your data, contact us at support@upchat.io. See Section 8 for full details on your data rights.

8. Your Data Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: You may request a copy of the personal data we hold about you
Correction: You may request correction of any inaccurate or incomplete personal data
Deletion: You may request deletion of your personal data, subject to legal retention obligations
Portability: You may request a machine-readable copy of your data
Restriction: You may request that we limit how we process your data in certain circumstances
Objection: You may object to our processing of your personal data for certain purposes
Opt-Out: You may opt out of marketing communications at any time by following the unsubscribe link in any email or by contacting us

To exercise any of these rights, please contact us at support@upchat.io. We will respond to verified requests within 30 days. We do not charge a fee for processing reasonable requests.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

The right to know what personal information we collect, use, and disclose
The right to request deletion of your personal information
The right to opt out of the sale of personal information — we do not sell personal information
The right to non-discrimination for exercising your privacy rights

10. Google API Data & Limited Use Disclosure

Important: This section specifically addresses how UpChat handles data received from Google APIs and is provided to comply with Google’s OAuth verification requirements and the Google API Services User Data Policy.

10.1 Google Data We Access

When you connect your Google account to UpChat, we may request access to the following Google user data based on the permissions you authorize during the OAuth consent flow:

Google Analytics 4 (GA4) read-only metadata

(https://www.googleapis.com/auth/analytics.readonly): We list the GA4 accounts, properties, and data streams associated with your Google account so you can select which property UpChat should send chatbot conversion events to. We never modify your analytics configuration and we do not read individual analytics reports.

Google Tag Manager — container editing

(https://www.googleapis.com/auth/tagmanager.edit.containers): We create, modify, and delete tags, triggers, and data-layer variables inside the GTM container you select. We only modify resources prefixed with “UpChat” inside your container’s default workspace and never touch tags, triggers, or variables that we did not create.

Google Tag Manager — version creation

(https://www.googleapis.com/auth/tagmanager.edit.containerversions): We bundle our UpChat tag changes into a new GTM container version so the changes can be published.

Google Tag Manager — publishing

(https://www.googleapis.com/auth/tagmanager.publish): We publish the container version live so the UpChat chatbot widget begins loading on your website.

Basic Profile Information (openid, email, profile):

Your Google account email address, name, and profile picture, used to associate your Google sign-in with your UpChat account.

10.2 How We Use Google Data

Google user data is used solely to provide and improve UpChat’s user-facing features and functionality. Specifically:

To list your GA4 properties and data streams so you can select where to send conversion events
To deploy and update the UpChat widget tag inside your selected GTM container
To display connection status and selected resources within your UpChat admin dashboard

10.3 Limited Use Requirements

UpChat’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In accordance with Google’s Limited Use requirements, we affirm that:

We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising
We do not sell Google user data to third parties
We do not use Google user data for credit determinations or lending purposes
We do not transfer or disclose Google user data to data brokers or information resellers
We do not use Google user data to train or improve general-purpose artificial intelligence or machine learning models
We do not use Google user data to build user profiles for purposes unrelated to the UpChat platform’s functionality
We do not use Google user data to create or enrich databases unrelated to providing UpChat’s services
We do not allow humans to read Google user data unless: (a) we have your affirmative agreement for specific items; (b) doing so is necessary for security purposes (such as investigating abuse); (c) it is necessary to comply with applicable law; or (d) the data is aggregated and used for internal operations in accordance with applicable privacy and other legal requirements.

10.4 Google Data Storage and Security

Google user data, including OAuth refresh and access tokens, is encrypted at rest using AES-256-GCM and transmitted only over TLS 1.2 or higher. Encryption keys are managed via AWS Secrets Manager. Access is restricted to the UpChat services that perform GA4 lookups and GTM deployments on your behalf, and is logged for audit purposes. OAuth tokens are revocable by the user at any time (see Section 10.5).

10.5 Google Data Retention and Deletion

Google user data is retained only for as long as necessary to provide the connected features. You may revoke UpChat’s access to your Google data at any time by:

Disconnecting the Google integration within your UpChat account settings
Removing UpChat’s access through your Google Account permissions page
Contacting us at support@upchat.io to request deletion

Upon revocation or deletion request, we will delete all stored Google user data within 30 days. Upon revocation, our retained tokens immediately become unusable for accessing your Google account because Google invalidates them server-side. We will permanently delete all stored Google user data within 30 days, except for backups, which are purged within 90 days.

We do not share, transfer, or disclose Google user data to any third parties except:

With your explicit consent
As necessary for our service providers to operate the platform on our behalf (subject to contractual data protection obligations)
As required by law or valid legal process

11. Children’s Privacy

UpChat’s services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@upchat.io.

12. International Data Transfers

UpChat is based in the United States. If you access our services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities. By using our services, you consent to such transfers. We take steps to ensure that your data receives adequate protection consistent with this Privacy Policy.

13. Third-Party Links and Services

Our platform may contain links to third-party websites, services, or integrations not operated by UpChat. We are not responsible for the privacy practices of these third parties. We recommend reviewing their privacy policies before providing any personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will:

Update the effective date shown at the top of this page (automatic when this document is revised)
Notify registered users via email for significant changes
Post a notice on our website

Your continued use of UpChat after changes are posted constitutes your acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: