
Privacy Policy

Last updated: May 3, 2026

This Privacy Policy explains how Upsell Buddy ("Upsell Buddy", "we", "us", "our") collects, uses, shares, and protects personal data when you use our marketing site at upsellbuddy.com, our dashboard at app.upsellbuddy.com, our embeddable widget, and our APIs (collectively, the Service). It applies to merchants who sign up for the Service and to visitors whose conversations the Service processes on a merchant's behalf.

Who we are

Upsell Buddy is operated by [Company legal name], a private company licensed by the Dubai Multi Commodities Centre (DMCC), license number [DMCC license number], registered office [unit / tower], Dubai, United Arab Emirates. We act as a data controller for our marketing site visitors, dashboard accounts, and operational telemetry, and as a data processor on behalf of our merchants for visitor conversation data routed through their agents.

Privacy enquiries: [email protected].

Data we collect

  • Account data — name, work email, phone, business name and address, and billing details you provide when you sign up or in your dashboard profile.
  • Configuration data — agent personality settings, knowledge sources you upload, products, FAQs, modules, third-party integrations, and policies.
  • Conversation data — visitor messages, agent replies, and signed-identity flags when an integration provides them. We do not require visitors to sign in to chat unless you configure your agent to require it.
  • Operational telemetry — request logs, error reports, AI token usage, latency, and uptime metrics. We redact obvious personal fields before storage where it is practical.
  • Cookies and analytics — strictly necessary cookies for authentication and session preference; PostHog product analytics that fire only after you accept the consent banner; no third-party advertising or cross-site tracking cookies.

Lawful bases

We process personal data on the lawful bases set out in Article 5 of UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the UAE PDPL) and, for data subjects in the European Economic Area or the United Kingdom, the equivalent bases in Article 6 of the GDPR / UK GDPR:

  • Performance of a contract — providing the Service to merchants who have signed up.
  • Legitimate interests — keeping the Service secure, preventing abuse, improving our product, and conducting limited analytics on aggregate usage.
  • Consent — for non-essential cookies, marketing communications, and any optional features that require it. You can withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation — to meet tax, accounting, anti-fraud, and other regulatory requirements.

How we use your data

We use personal data to operate, secure, and improve the Service. That includes routing conversations between visitors and your agent, improving our retrieval and ranking models, generating per-merchant analytics, billing on usage, and meeting legal obligations.

We do not sell personal data. We do not allow third-party foundation-model providers to train their models on customer conversation content; our enterprise contracts with model providers contain explicit no-training terms for content we send on your behalf.

Sharing and sub-processors

We share personal data with a limited set of vetted vendors who help us run the Service. Categories include cloud infrastructure, payment processing, transactional email, vector storage, large-language-model inference, and observability tooling. Each sub-processor is bound by confidentiality and security obligations at least as protective as this policy.

A current list of sub-processors, and our Data Processing Agreement (DPA) for merchants who require one, are available on request — email [email protected].

International transfers

We are based in the UAE but personal data may be stored or processed in other jurisdictions where our sub-processors operate, including the United States and the European Union. Where personal data is transferred outside the UAE, EEA, or UK, we rely on adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms under the UAE PDPL and applicable foreign laws.

Retention

We keep account data and configuration data for as long as your account is active. Conversation data is retained until you delete it from the dashboard or close your account. Backups are purged within thirty (30) days of deletion. Billing, tax, and legal records are retained for the period required by UAE law.

Cookies

Our marketing site uses strictly necessary cookies and, after consent, PostHog product analytics. We do not use advertising cookies. You can withdraw cookie consent at any time by clearing the consent banner state in your browser; you can also block cookies through your browser settings without losing access to public pages.

Your rights

Subject to local law, you have the right to access the personal data we hold about you, to request correction or deletion, to object to or restrict processing, to portability of data you provided to us, and to withdraw consent. Residents of California may exercise rights under the CCPA / CPRA, including the right to know, delete, correct, and opt out of "selling" or "sharing" personal information — although we do not sell or share personal information as those terms are defined. Residents of the UAE may exercise rights under the UAE PDPL; residents of the EEA / UK may exercise rights under the GDPR / UK GDPR.

Most rights can be exercised from the dashboard. Otherwise, email [email protected] and we will respond to verified requests within thirty (30) days. You also have the right to lodge a complaint with the UAE Data Office or your local supervisory authority.

Automated processing and AI

The Service uses large-language-model inference to generate agent responses and to retrieve relevant knowledge. We design the Service so that material decisions about end customers — for example, refund approvals or account holds — are not taken solely by the model without merchant configuration and oversight. Where automated decisioning is in scope, you may request human review by contacting the merchant or, in respect of our own processing of your data, by contacting us.

Security

We use TLS 1.2+ in transit, encryption at rest, role-based access control, audit logging, signed webhooks, per-role secret rotation, and vendor security review before onboarding new sub-processors. No system is perfectly secure; if we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority within seventy-two (72) hours where required by law.

Children

The Service is intended for businesses and is not directed to individuals under eighteen (18). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will notify active accounts by email and update the date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Contact

Questions, requests, or complaints: [email protected]. Postal address: [Company legal name], DMCC, [unit / tower], Dubai, United Arab Emirates.