Privacy Policy
1. Who we are
uxply.app (hereinafter "Company", "we", "us") is a data controller within the meaning of GDPR and equivalent laws in other jurisdictions.
Contact details:
Email: privacy@uxply.app
Postal address for written requests: hello@uxply.app
Security incidents: security@uxply.app
2. Data we collect
2.1 Data you provide to us
- Account data: email address, hashed password upon registration.
- Uploaded materials: screenshots and interface images (deleted from servers immediately after analysis is complete).
- Analysis context: text information about the screen's goal, metric, and audience (stored as part of the report).
- Support requests: content of email correspondence.
2.2 Automatically collected data
- Technical data: IP address, browser and OS type, screen resolution, referrer, request timestamps.
- Usage data: pages you visit, features you use, session duration.
- Cookies and similar technologies: see section 7 and our Cookie Policy.
2.3 Data we do not collect
We do not collect or process special categories of personal data (health data, racial or ethnic origin, biometric data, criminal records, etc.) within the meaning of Art. 9 GDPR and their equivalents in other legislation.
3. Purposes and legal bases for processing
| Purpose | Legal basis (GDPR) | Equivalent (CCPA / LGPD / other) |
|---|---|---|
| Account registration and management | Performance of contract (Art. 6(1)(b)) | Necessary for contract / contratual |
| Provision of UX analysis service | Performance of contract (Art. 6(1)(b)) | Necessary for contract |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Legitimate interest / interesse legítimo |
| Product improvement (aggregated analytics) | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| Marketing communications | Consent (Art. 6(1)(a)) | Consent / opt-in |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | Compliance / obrigação legal |
Where processing is based on legitimate interest, you have the right to object (see section 9).
4. Data retention periods
- Uploaded images: deleted immediately after analysis is complete (usually within a few minutes).
- Account data and reports: retained until account deletion by the user, plus 30 days for backups.
- Technical logs: up to 90 days.
- Financial and payment records: at least 7 years in accordance with tax law requirements, or as required by applicable law.
- Support correspondence: 2 years from the last request.
5. Sharing data with third parties
We do not sell, rent, or disclose personal data to third parties for commercial purposes. We may share data with the following categories of recipients:
- Cloud infrastructure providers: servers for data storage and request processing.
- Analysis technology providers: uploaded images may be passed to authorized automated data analysis service providers solely for the purpose of delivering the Service. Information about specific technology partners is provided upon a reasonable written request. All providers are bound by contractual data protection obligations and do not use your data for other purposes.
- Payment processors: for payment processing; payment details (card numbers, etc.) are not passed to us.
- Analytics services: aggregated, anonymized data.
- Government authorities: upon a lawful request or court order.
All third parties are bound by data processing agreements (DPA) guaranteeing a level of protection no less than GDPR requirements.
6. International data transfers
Our servers are located with cloud infrastructure providers. When transferring personal data outside the EEA / UK / Switzerland, we use the following protection mechanisms:
- Standard Contractual Clauses (SCC) of the European Commission.
- Adequacy decisions where applicable.
- Binding Corporate Rules (BCR) where available.
Brazil residents: transfers are made on the basis of Art. 33 LGPD (contractual safeguards). Japan residents: transfers comply with Art. 24 APPI. California residents: we do not "sell" or "share for cross-context behavioral advertising" personal data within the meaning of CCPA/CPRA.
7. Cookies
We use the following categories of cookies:
| Type | Purpose | Duration | Basis |
|---|---|---|---|
| Essential | Authentication, session security | Session / 30 days | Necessary for contract |
| Functional | Remembering user preferences | 1 year | Legitimate interest |
| Analytics | Aggregated traffic statistics | Up to 2 years | Consent |
You can manage cookies via the banner on the site, browser settings, or by contacting us. A full list of cookies is available in our Cookie Policy. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
8. Data security
We apply technical and organizational data protection measures, including:
- Data encryption in transit (TLS 1.2+) and at rest (AES-256).
- Password hashing (bcrypt).
- Access control on a least-privilege basis.
- Regular backups and recovery testing.
- Security monitoring and logging.
In the event of a personal data breach that may result in risks to data subjects, we will notify the supervisory authority within 72 hours (GDPR, Art. 33) and affected individuals without undue delay.
9. Your rights
Depending on your jurisdiction, you have the following rights:
| Right | GDPR | CCPA | LGPD | Other |
|---|---|---|---|---|
| Access to data | ✓ | ✓ | ✓ | ✓ |
| Rectification | ✓ | — | ✓ | ✓ |
| Erasure ("right to be forgotten") | ✓ | ✓ | ✓ | ✓ |
| Restriction of processing | ✓ | — | ✓ | — |
| Data portability | ✓ | ✓ | ✓ | — |
| Objection to processing | ✓ | ✓ | ✓ | — |
| Withdrawal of consent | ✓ | ✓ | ✓ | ✓ |
| Opt-out of sale/sharing of data | — | ✓ | — | — |
| Lodge a complaint with supervisory authority | ✓ | ✓ | ✓ | ✓ |
To exercise any of these rights, contact us at privacy@uxply.app. We will respond within 30 days (GDPR), 45 days (CCPA), or the deadline set by another applicable law. Identity verification may be required before fulfilling a request.
EU/EEA residents: you may file a complaint with the data protection supervisory authority in your country (list: edpb.europa.eu).
UK residents: ICO — ico.org.uk.
California residents: you may authorize an agent to submit a request on your behalf.
10. Children
The Service is not intended for individuals under 16 years of age (or the applicable minimum age under your country's laws: 13 in the USA, 16 in the EU by default). We do not intentionally collect children's data. If you believe a child's data has been provided to us, please contact us and we will delete it promptly.
11. Links to third-party resources
Our Service may contain links to third-party websites. This Policy does not cover their activities. We recommend reviewing the privacy policies of those resources.
12. Policy changes
We reserve the right to update this Policy. For material changes, we will notify you by email or through a notice in the Service at least 30 days before the changes take effect. Continued use of the Service after the changes take effect constitutes your acceptance of the updated Policy.
13. Contact
For all questions regarding this Privacy Policy, contact us at:
Email: privacy@uxply.app
General inquiries: hello@uxply.app
This document is for informational purposes only and does not constitute legal advice. For specific jurisdictions, consultation with a qualified attorney is recommended.