Legal

Privacy Policy

Effective Date: 31 March 2026

This Privacy Policy explains how Upscale (KVK: 74008587), registered in the Netherlands, handles your personal information when you use the Cashy platform, website (cashy.one), and related services. In this document, "we", "our", and "us" refer to Upscale, operating the Cashy product.

We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Who We Are

Upscale is the data controller for all personal information collected through the Cashy platform.

  • Registered Address: Poortland 66, 1046 BD Amsterdam, Netherlands
  • KVK: 74008587
  • Email: danielporyadin@outlook.com
  • Phone: +31 6 54 67 74 74
  • Website: cashy.one

What Information We Collect

When You Create an Account

We collect your email address, password (stored in hashed form), and optionally your name. Account creation and authentication are handled by Clerk, our identity provider.

When You Set Up Your Business Profile

You may provide your company name, a description of your business, details about the services you offer, pricing information, and FAQ content. This information is used to configure the AI and tailor its responses to match your business.

When You Use the Platform

Once you connect your Instagram account, the platform processes and stores Direct Messages (both text and voice) exchanged between you and your leads. This includes message content, sender details, timestamps, lead information (Instagram usernames, pipeline stages, tags), meeting bookings, notes left by your team, and usage analytics such as the number of leads processed, conversion rates, and AI token consumption.

When You Pay

All payments are handled by Stripe. We never store credit card numbers, CVVs, or other sensitive payment details on our servers. The only payment-related data we keep is your Stripe customer ID, subscription plan, and current payment status.

Why We Process Your Data

We use your personal information for the following purposes and on the following legal grounds:

  • To provide the service you signed up for (contractual necessity) — running the AI appointment setter, qualifying leads, handling objections, scheduling meetings, sending follow-ups, and displaying analytics in your dashboard.
  • To train AI on your communication style (contractual necessity) — ensuring the AI writes in your voice and follows your sales methodology.
  • To send team notifications (contractual necessity) — alerting team members via Slack when conversations need human attention.
  • To process your payments (contractual necessity) — managing subscriptions and billing through Stripe.
  • To improve and secure the platform (legitimate interest) — monitoring performance, preventing abuse, and fixing issues.
  • To comply with legal obligations (legal obligation) — meeting tax, audit, or regulatory requirements.
  • To connect your Instagram account (consent) — accessing your DMs through Meta's API based on your explicit authorization.

How Long We Keep Your Data

We keep chat data and lead information for as long as your account is active. If your account becomes inactive, all data is automatically deleted after 90 days.

Billing records and analytics are kept only as long as needed for tax, audit, and compliance purposes.

When you disconnect your Instagram or Facebook account, all data originating from Meta is permanently deleted through Meta's Data Deletion Callback. Nothing from Meta remains in our systems after disconnection.

You can also request deletion of your data at any time by emailing danielporyadin@outlook.com. We process deletion requests within 30 days.

Where Your Data Is Stored

Our application runs on Railway, hosted in the EU-West region (Amsterdam, Netherlands). Our database is managed by Supabase (PostgreSQL), also located in the EU (eu-west-1 region).

All core data is stored within the European Union. Where third-party services transfer data outside the EU (for example, to servers in the United States), such transfers rely on Standard Contractual Clauses or other safeguards required by the GDPR.

Services We Share Data With

To run the platform, we rely on a number of third-party providers. Each one may process your data according to their own privacy policy:

  • Clerk — account authentication and session management
  • OpenAI — AI-powered text and voice message processing
  • ElevenLabs — AI voice response generation
  • Meta (Instagram API) — access to Direct Messages
  • Slack — delivering team notifications
  • Tavily — researching publicly available company information
  • Calendly — scheduling meetings with qualified leads
  • Stripe — processing payments
  • Cloudflare — content delivery, DDoS protection, and security
  • Railway — hosting our application servers
  • Supabase — managing our database

We do not sell, rent, or trade your personal data to anyone.

Cookies

The Cashy application does not set its own cookies. The only cookies that may appear come from Clerk, our authentication provider, and are used strictly for session management. We do not use advertising or tracking cookies.

How We Protect Your Data

  • All traffic between your browser and our servers is encrypted using TLS/HTTPS.
  • Cloudflare provides an additional layer of security and DDoS protection.
  • Access to internal systems is restricted based on roles and responsibilities.
  • We log and monitor access to sensitive data and infrastructure.

No system is 100% secure, but we take commercially reasonable steps to protect your information.

Your Rights Under the GDPR

As a user, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data (subject to legal retention requirements).
  • Restriction — ask us to temporarily stop processing your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — revoke any consent you previously gave, at any time.

To exercise any of these rights, contact us at danielporyadin@outlook.com. We respond within the timeframes set by the GDPR.

If you believe your rights have been violated, you may file a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).

Age Requirement

Cashy is intended for business use by adults. You must be at least 18 years old to use the platform. We do not knowingly collect data from anyone under 18. If we discover that we have, we will delete it immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the platform or by email and update the effective date at the top of this page.

Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights:

  • Upscale
  • Poortland 66, 1046 BD Amsterdam, Netherlands
  • KVK: 74008587
  • Email: danielporyadin@outlook.com
  • Phone: +31 6 54 67 74 74