Privacy Policy
Effective date: 18 June 2026 · Version: 1.0
1. Data controller
Controller: Uplonic (Simon Tivadar)
Registered address: 6400 Kiskunhalas, Felsőőregszőllők 159, Hungary
Registration number: 59443607 · Tax number: 90283015-2-23
Email: info@hafmin.hu · Website: https://uplonic.com
Full provider and data-processor details are available in the Imprint. Appointing a Data Protection Officer (DPO) is not mandatory under GDPR Art. 37, as the activity does not constitute large-scale, regular and systematic monitoring, nor large-scale processing of special-category data.
2. Applicable law
- Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR);
- Hungarian Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.);
- Hungarian Act CVIII of 2001 on Electronic Commerce Services (Ekertv.);
- Hungarian Act C of 2000 on Accounting (retention obligations);
- Hungarian Act C of 2003 on Electronic Communications (regarding cookies).
3. Personal data processed and SaaS-specific data processing
In accordance with the GDPR, we inform you below about the actual data processing practices of Uplonic (available at https://uplonic.com, hereinafter “Uplonic”, the “Application” or the “Service”). Uplonic is a multi-tenant media management dashboard in which each User may create multiple Apps, each connected to the Media API with a separate API key.
3.1. User account creation and operation
Data processed: email address, password (cryptographically hashed by the Media API), JWT authentication token, optional billing data. When signing in with Google, we process the email address, display name and profile picture provided by Google (no password is processed in that case). To verify the email address and reset the password, we send a single-use confirmation/reset link by email.
Storage: the JWT is held in the browser in an HttpOnly cookie (for the proxy) and in localStorage (for server actions). Any 401 response triggers immediate logout and deletion of the token.
Purpose: provision of the SaaS service and user identification.
Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
3.2. Application (App) and API key management
Data processed: the App name, unique identifier and associated API key.
Purpose: isolation of App-level resources (platforms, videos, schedules, jobs, S3 storage). Requests are authenticated to the Media API using the x-api-key header.
Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
3.3. Social media integration (OAuth tokens)
Data processed: identifiers, profile pictures, display names, access and refresh tokens (and their expiry) for YouTube, Facebook, Instagram, TikTok, Threads, LinkedIn and Pinterest accounts, as well as analytics data related to post performance (e.g. views, likes, shares, reach, watch time, estimated revenue – where returned by the platform’s API).
Purpose: automated content publication on connected platforms on behalf of the User, and measurement of post results.
Legal basis: explicit consent of the data subject during the OAuth flow (GDPR Art. 6(1)(a)) and performance of a contract.
Note: we do not know or store external platform passwords; the connection is made exclusively through official OAuth tokens. The User can revoke access at any time in the platform account settings, which immediately invalidates the token stored with us.
3.4. User-uploaded and AI-generated content
Data processed: uploaded videos, thumbnails, text prompts provided for AI generation, generated videos and associated metadata (title, description, hashtags, size, duration). For the text-to-speech (TTS) feature, the text to be narrated.
Purpose: storage, AI-based video generation using S3-stored templates, voice-over generation, preparation for publication on social media platforms.
Legal basis: performance of a contract.
Note: the text to be narrated is sent to the Microsoft Edge TTS service to produce the voice-over (see Data processors). Uploaded or generated content may contain personal data (e.g. faces, voices); the uploading User is therefore responsible as an independent controller for such content and its lawful processing, with Uplonic acting as a processor in this respect.
3.5. Schedules, jobs and webhook events
Data processed: cron-based scheduling rules, the status of generation and upload jobs, error logs, the content of Media API webhook events (/api/webhooks/media) delivered to the User’s browser via SSE.
Purpose: task automation, real-time status reporting, error diagnostics.
Legal basis: performance of a contract; legitimate interest in fault detection.
3.6. Contact and support requests
Data processed: the name (optional), email address, subject and message provided in the contact form, together with the technical context of the submission (the page URL and interface language). To filter abuse we use a Cloudflare Turnstile bot check and a hidden “honeypot” field.
Purpose: answering requests, customer support and spam filtering.
Legal basis: legitimate interest in handling requests and preventing abuse (GDPR Art. 6(1)(f)), and consent given for contacting us (GDPR Art. 6(1)(a)).
3.7. Usage statistics (Vercel Analytics)
Data processed: aggregated, cookieless usage events (e.g. page views, login, App creation, starting a video generation, pricing views, subscription steps). These do not create a cross-session identifier linkable to an individual.
Purpose: understanding and improving use of the Service.
Legal basis: legitimate interest in non-identifying, aggregated statistics (GDPR Art. 6(1)(f)).
3.8. Sign-in sessions and security logs
Data processed: the hash of the session refresh token, the IP address, the user agent (browser/device identifier), the time the session was last used, as well as operational and security event logs (EventLog) and error messages.
Purpose: maintaining sign-in, managing active devices, preventing abuse, operation and debugging.
Legal basis: legitimate interest in account and service security (GDPR Art. 6(1)(f)).
3.9. Subscription and billing
Data processed: the Stripe customer ID, subscription status, the chosen plan, currency and billing period. Uplonic does not store card data; payments are processed by Stripe (PCI-DSS).
Purpose: handling fees and subscription management.
Legal basis: performance of a contract (GDPR Art. 6(1)(b)) and legal obligation to retain accounting records (GDPR Art. 6(1)(c)).
3.10. Notifications
Data processed: in-app, email and webhook notifications (e.g. failed payment, expiring token, schedule outcome, product news) and notification settings.
Purpose: service-related transactional notifications and – with consent – marketing/product-news notifications.
Legal basis: performance of a contract for transactional notifications (GDPR Art. 6(1)(b)); consent for marketing (GDPR Art. 6(1)(a)).
4. Source of data
The source of the data is the data subject (data provided at registration and during use) and – following the User’s explicit connection action – the APIs of the connected social platforms (tokens and statistical data).
5. Data transfers and sharing
To ensure smooth operation we use the following third-party service providers (data processors):
- Vercel Inc.: running and serving the web interface.
- Hetzner Online GmbH: server hosting and S3-compatible object storage for the self-hosted Media API (EU – Germany/Finland).
- Self-hosted Media API: persistent storage of user accounts, Apps, OAuth tokens, schedules and jobs.
- S3-compatible object storage: storage of videos, thumbnails and AI templates.
- Stripe Payments Europe, Ltd.: processing of card payments, subscriptions and the storage add-on (Stripe Checkout and Customer Portal). We do not store or see card data.
- Resend (resend.com): delivery of transactional and notification emails (e.g. email verification, password reset).
- Microsoft Corporation (Edge TTS): generating the voice-over (text-to-speech) from the provided text.
- Cloudflare, Inc.: bot-filtering of the contact form (Turnstile).
- Google Ireland Ltd.: authentication for “Sign in with Google” (Google Identity Services).
- Vercel Inc. (Vercel Analytics): aggregated, cookieless usage statistics.
- Social platforms: Google (YouTube), Meta (Facebook, Instagram, Threads), TikTok, LinkedIn (Microsoft), Pinterest – content to be published by the User and the identifiers required for authentication are forwarded to the chosen platforms in accordance with their own privacy policies.
We do not sell personal data and do not transfer it to third parties beyond the cases listed above, unless required by law or a competent authority/court order.
6. Transfers to third countries
Some processors (e.g. Stripe, Resend, Microsoft, Google, Cloudflare, Pinterest) also process data in the United States or other third countries. The lawfulness of such transfers is ensured by the European Commission’s Standard Contractual Clauses (SCC) and/or certification under the EU–US Data Privacy Framework (DPF), where the provider is certified. A copy of the appropriate safeguards is available on request at info@hafmin.hu.
7. Data security
- Passwords are never stored in plaintext, only with secure hashing (bcrypt).
- API keys and refresh tokens are stored hashed / access-restricted; the full API key is shown only once, at generation.
- Data is transmitted with TLS/HTTPS encryption.
- Role-based access control, session revocation, IP and user-agent logging against abuse.
- Multi-tenant isolation: every resource is bound to an App, with no cross-access.
- Honeypot, captcha and IP-based rate limiting on public forms.
In the event of a data breach, we notify the supervisory authority within 72 hours under GDPR Art. 33–34 and – in case of high risk – the data subjects.
8. Data retention
Data relating to user accounts, Apps, schedules and OAuth tokens is retained for the duration of the account. Upon account deletion, data is permanently erased within 30 days, except for data whose retention is required by law (e.g. invoices – 8 years under accounting legislation). When a social account is disconnected, the tokens stored with us are immediately invalidated/deleted. Sessions are retained until their expiry / revocation, security event logs for a maximum of 12 months, job error logs for a maximum of 90 days, and support requests for a maximum of 24 months after closure.
9. Data subject rights and complaints
You have the right to information and access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection to processing based on legitimate interest, and to withdraw consent at any time (this does not affect the lawfulness of processing before withdrawal). Disconnecting a social account results in the immediate revocation of the tokens.
You can submit your request at info@hafmin.hu; we will fulfil it within 1 month at the latest (extendable by a further 2 months in justified cases). If you believe your rights have been violated, please contact us first. You may also lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH, 1055 Budapest, Falk Miksa utca 9–11., ugyfelszolgalat@naih.hu, www.naih.hu), or with the supervisory authority in your country, and you may seek a judicial remedy.
10. Google API Services – Limited Use
Uplonic’s use of information received from Google APIs (including YouTube account access) adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use data received from Google solely to provide the features requested by the User (uploading videos to the User’s YouTube channel and statistics on the User’s own content).
- We do not transfer Google user data to third parties except as necessary to provide the features above, with the User’s explicit consent, or as required by law.
- We do not use Google user data for advertising purposes.
- No humans access Google user data except: (a) with the User’s explicit consent, (b) for security purposes (e.g. investigating abuse), (c) to comply with a legal obligation, or (d) in aggregated, anonymized form for internal operations.
The YouTube features use the YouTube API Services; their use is also governed by the YouTube Terms of Service and the Google Privacy Policy. You can revoke connected access at any time in your Google security settings (security.google.com/settings/security/permissions).
11. Platform-specific compliance (LinkedIn, Pinterest)
LinkedIn: Uplonic uses the LinkedIn API based on the User’s explicit authorization, solely to publish content on behalf of the User and to retrieve the User’s own organization/page statistics, in accordance with the LinkedIn API Terms of Use. Access can be revoked in the LinkedIn account settings.
Pinterest: Uplonic uses the Pinterest API based on the User’s authorization to create pins and retrieve the User’s own statistics, in accordance with the Pinterest Developer Guidelines. Access can be revoked in the Pinterest account settings.
12. Children’s data
The Service is not directed at persons under the age of 16, and we do not knowingly collect data from them. If we become aware that we are processing the data of a person under 16, we will delete it without delay.
13. Automated decision-making
Uplonic does not use solely automated decision-making or profiling that would produce legal effects concerning the data subject or similarly significantly affect them (GDPR Art. 22).
14. Amendments to this notice
The controller reserves the right to amend this notice. We will inform Users of changes through the Service and/or by email. The version in force at any given time is available at https://uplonic.com/legal/privacy.



