Privacy Policy

Last updated: May 2, 2026

UPCONFIRM LLC — 5830 E 2nd St, Ste 7000 #30802, Casper, Wyoming 82609, United States. Office: Lotissement Firdaous GH1, Floor 2, Apt 14, Casablanca, Morocco. Phone: +212 663 679 647 — Email: contact@upconfirm.com

UPCONFIRM LLC ("UpConfirm", "we", "our") is committed to protecting the privacy of its users. This policy explains how we collect, use, and protect your personal data when you use our platform for automatic COD order confirmation via WhatsApp.

1. Data Collected

We collect the following data: • Identification information: name, email address, phone number • Order data: products, amounts, delivery addresses, order statuses • WhatsApp and Instagram conversations: messages exchanged between your store and your customers through our platform, including for Instagram the direct-message content and the sender's profile information (username, name, Instagram-scoped ID) • Usage data: pages visited, dashboard actions, IP address, browser type • Billing data: payment information processed by our third-party payment processors

2. Legal Basis for Processing

We process your data on the following bases: • Contract performance: order processing, WhatsApp confirmations, integration with your e-commerce platforms and delivery companies • Consent: marketing communications, analytics cookies • Legitimate interest: fraud prevention, service improvement, customer support

3. Storage and Security

Your data is hosted on servers located in the European Union via Supabase, our infrastructure provider. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). We enforce strict role-based access controls (RBAC) and conduct regular security audits.

4. Third-Party Services

We share your data with the following third parties, only to the extent necessary: • Meta / WhatsApp Business API: for sending and receiving WhatsApp confirmation and customer support messages • Meta / Instagram Messaging API: when a merchant connects an Instagram Business account, we receive and send Instagram direct messages to operate the AI assistant • Supabase: database hosting and infrastructure (EU servers) • Stripe: secure payment processing (PCI DSS Level 1 compliant). Stripe collects and processes your payment data in accordance with its own privacy policy (stripe.com/privacy). We never store your full credit card numbers. • Meta Ads / Analytics: if you connect your Meta Ads account for conversion tracking, aggregated performance data may be shared with Meta • Delivery companies: transmission of confirmed order data (based on your integrations)

5. Data Retention

• Account data: retained while your account is active, then 30 days after deletion • Order data: 24 months • WhatsApp conversations: 12 months • Instagram conversations: 12 months • Analytics data: 26 months • Billing data: 7 years (legal requirement)

6. Your Rights

Under GDPR and applicable laws, you have the following rights: • Right of access: obtain a copy of your personal data • Right to rectification: correct inaccurate data • Right to erasure: request deletion of your data • Right to portability: receive your data in a structured format • Right to restriction: restrict the processing of your data • Right to object: object to the processing of your data To exercise these rights, contact us at contact@upconfirm.com. We respond within 30 days.

7. Cookies

We only use analytics cookies to understand how our site is used. We do not use any advertising or third-party tracking cookies. You can disable cookies in your browser settings.

8. Changes

We may update this policy. In case of substantial changes, we will notify you by email. Continued use of the service after notification constitutes acceptance of the changes.

9. WhatsApp Consent (Opt-in)

In accordance with Meta policies and GDPR requirements, WhatsApp messages are only sent to customers who have given their explicit consent. Consent is collected during the checkout process on your online store. Customers can opt out at any time by replying "STOP" to the WhatsApp message or by contacting your store. As an UpConfirm user, you are responsible for ensuring your customers have given their consent to receive WhatsApp messages.

9b. Instagram & Meta Platform Data

UpConfirm operates an AI assistant that can respond to messages sent to a merchant's connected Instagram Business account. This section explains what data we obtain through Meta's platforms and how we handle it, and applies in addition to the rest of this Privacy Policy. • Connection: a merchant may connect their Instagram Business or Creator account through Meta's official login flow. This grants UpConfirm access to the Instagram Messaging API using the instagram_business_basic and instagram_business_manage_messages permissions. Access is granted by the merchant and can be revoked by them at any time from their Instagram or Meta account settings. • Data we collect through Instagram: when a customer sends a direct message to a connected merchant's Instagram account, we receive and process the content of the direct messages exchanged in that conversation (text, and any attachments such as images or voice messages the customer sends), the sender's Instagram-scoped identifier, username and profile name as provided by Meta, and message metadata such as timestamps and message identifiers. We do not access a customer's Instagram followers, posts, media library, or any Instagram data unrelated to the direct-message conversation with the connected merchant. • Why we collect it: this data is used solely to operate the messaging functionality of our service — to let the merchant's AI assistant read incoming direct messages, generate and send relevant replies, confirm and process orders, provide customer support, and hand the conversation over to a human agent on the merchant's team when needed. We do not use Instagram data for advertising, profiling for third parties, or any purpose unrelated to providing this messaging service. • Limited use: our access to, use, transfer, and storage of data obtained through Meta's platforms complies with Meta's Limited Use requirements. We use this data only to provide and improve the messaging features described above, and we retain it only as long as necessary for those purposes. • No sale or sharing with data brokers: we do not sell, license, rent, or otherwise transfer data obtained through Meta's platforms to any data broker, advertising network, or data-monetization platform. Instagram data is shared only with the infrastructure and AI sub-processors strictly necessary to operate the service (our hosting and database provider Supabase, and the AI model providers that generate replies), and only for that purpose. • Retention: Instagram conversation content is retained for up to 12 months, after which it is deleted or anonymized. We delete it sooner when the merchant disconnects their Instagram account or upon a valid deletion request. Access tokens are stored securely and removed when the account is disconnected. • Requesting deletion: you can request deletion of the data we hold about you at any time by emailing contact@upconfirm.com with the subject "Data Deletion Request", and we will process your request without undue delay. You can also revoke UpConfirm's access at any time from Instagram Settings → Apps and websites, or Facebook Settings → Business Integrations, then select UpConfirm and remove it. When you remove the app or submit a request, we delete the associated Instagram integration and conversation data from our systems. • Compliance with Meta terms: our processing of data obtained through Instagram and other Meta platforms complies with the Meta Platform Terms and the Meta Developer Policies.

10. Google API Services User Data

UpConfirm's Google Sheets integration uses Google OAuth 2.0 to let you export your confirmed orders to a Google Sheet of your choice. This section describes our handling of data obtained from Google API Services. • OAuth scopes requested: – https://www.googleapis.com/auth/spreadsheets — read/write access to the Google Sheets you authorize, used to append (append-only) your confirmed orders and to validate that the tabs you configure exist – https://www.googleapis.com/auth/userinfo.email — to retrieve the email address of the connected Google account, solely to identify the connection and display it in your dashboard • Google data we collect and store: – The email address of the Google account you connect – An OAuth refresh_token allowing UpConfirm to write to the Sheet you designated – The ID and URL of the Google Sheet you provide, along with the target tab names • How we store this data: – The refresh_token is encrypted at rest in our Supabase database using pgp_sym_encrypt (symmetric encryption with a server-held key) – Access to the decrypted token is strictly limited to dedicated server-side RPCs running in an authenticated context – Data is hosted on Supabase servers located in the European Union, with TLS 1.2+ encryption in transit • How we use this data: – Append (append-only) rows for your confirmed orders to the Google Sheet you designated – List the Sheet's tab names only during configuration, to verify that a target tab exists before saving – Two separate tabs may be configured per brand: one for AI-confirmed orders, one for manual confirmations • What we never do: – We never read the contents of existing cells in your Sheets – We never modify or delete existing rows or tabs – We never delete a Google Sheet – We never share your Google data with any third party, ad provider, or third-party AI model – We never use your Google data to serve advertising or perform profiling • How to revoke access at any time: – From your UpConfirm dashboard → Integrations → Google Sheets → "Disconnect" button, which immediately removes the encrypted refresh_token from our database – From your Google Account → Security → Third-party apps with account access → revoke UpConfirm

11. Compliance with the Google API Services User Data Policy & Limited Use

UpConfirm's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, with respect to data obtained through the Google Sheets and Google OAuth scopes: • We limit our use of this data to providing or improving the user-facing Google Sheets export functionality available in the UpConfirm dashboard. • We do not transfer this data to third parties, except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user's explicit consent. • We do not use this data for advertising purposes, including retargeting, personalized, or interest-based advertising. • We do not allow humans to read this data, unless: (a) we have your explicit consent, (b) it is necessary for security purposes (e.g. investigating abuse), (c) to comply with applicable law, or (d) the data is aggregated and used for internal operations. If we change our use of Google data in a way that deviates from this policy, we will update this Privacy Policy and request renewed OAuth consent where required.

12. Changes

We may update this policy. In case of substantial changes, we will notify you by email. Continued use of the service after notification constitutes acceptance of the changes.

13. Contact

For any questions regarding the protection of your data: Email: contact@upconfirm.com Phone: +212 663 679 647 UPCONFIRM LLC — 5830 E 2nd St, Ste 7000 #30802, Casper, Wyoming 82609, United States Office: Lotissement Firdaous GH1, Floor 2, Apt 14, Casablanca, Morocco