Privacy Policy
Last updated · 2026-05-12
This Privacy Policy describes how Upwatcher (“we”, “us”) collects, uses, and protects information when you use the Upwatcher web application and related services (collectively, the “Service”). By creating an account or otherwise using the Service, you agree to the practices described here.
Who we are
Upwatcher is operated by Danylo Vyslotskyi, an individual based in Lviv, Ukraine. For the purposes of the EU/UK General Data Protection Regulation, this individual is the data controller of personal data processed through the Service. Contact: hello@upwatcher.io.
1. What we collect
Account data
- Email address — used as your login identifier and for transactional email (verification, password reset, magic link).
- Display name — optional, shown in the app UI only.
- Password hash — Argon2id hash if you sign up with a password. We never see, store, or transmit the plaintext password.
- Google account identifier — if you sign in with Google, we store your Google subject id and email; we do not receive your Google password.
Service data
- Profile — skills, hourly rate, experience level, and bio you enter. Used by LLM-based features such as job match scoring and proposal drafting.
- Watchers — keyword, schedule, notification rules, and the channel target you configure (Telegram chat id, Discord webhook URL, or Slack webhook URL).
- Job listings & activity — public Upwork job postings the Service surfaces to you and your interactions with them (bookmarks, proposal drafts, statuses).
Operational data
- Server logs (request URL, status, timestamps, IP address) retained for security and debugging.
- Authentication cookies — see Cookies below.
2. How we use it
- To operate the Service — match you with relevant jobs, deliver notifications, render dashboards, generate reports.
- To authenticate you and protect your account (rate-limiting, brute-force lockout).
- To send you transactional email related to the Service. We do not send marketing email without your consent.
- To investigate abuse, fraud, or violations of our Terms.
3. Legal basis (GDPR)
Where the GDPR or UK GDPR applies to you, we rely on the following legal bases for processing your personal data:
- Performance of a contract (Art. 6(1)(b)) — to provide the core Service after you create an account: authentication, watchers, notifications, dashboards, LLM-assisted features you actively use.
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure and abuse-free (rate-limiting, IP-based logging, fraud investigation). Our interest is operating a working, non-abused product; we balance this against your privacy interests.
- Consent (Art. 6(1)(a)) — only where we explicitly ask for it (e.g., if we ever introduce optional marketing communications). You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable law (e.g., responding to a lawful order).
4. Third parties & subprocessors
The Service relies on a small number of vendors. These providers act as our processors and only receive what is needed to do their job:
- MiniMax (large language model provider) — receives job descriptions and your profile fields when you use LLM-backed features (job match scoring, proposal drafts, profile optimizer, market reports, job summaries). Free-plan accounts do not trigger LLM calls.
- Resend — sends transactional email on our behalf. Receives your email address and the message body.
- Google — only if you choose “Sign in with Google”.
- Telegram, Discord, Slack — only if you configure a watcher to deliver notifications there. The webhook URL or chat id you provide is used to send messages to a channel you control.
We do not sell your personal data. We do not train AI models on your data ourselves. Inputs sent to MiniMax are processed by MiniMax under its own data-use terms; please consult their policy if you want to understand how a third-party LLM provider handles API inputs on its side.
5. International data transfers
We operate from Ukraine. Some of our subprocessors are based outside the European Economic Area:
- Resend, Google, Telegram, Discord, and Slack are based in the United States.
- MiniMax operates from Asia (Singapore / China, depending on the API endpoint).
Where the GDPR applies, we rely on appropriate safeguards for cross-border transfers — typically the European Commission’s Standard Contractual Clauses or equivalent contractual protections offered by each provider. You may request a copy of the relevant safeguard by emailing us.
6. Cookies
We use only first-party, strictly necessary cookies. We do not use third-party advertising or analytics cookies, and we do not need a cookie consent banner because none of our cookies require consent under GDPR.
- uw_session — the signed session token that keeps you logged in. HttpOnly, SameSite=Lax, marked Secure in production.
- session — a short-lived, signed cookie used only during the “Sign in with Google” flow to carry OAuth state. HttpOnly, SameSite=Lax.
7. Data retention
- Account data is kept until you delete your account.
- Watcher and job-history data is kept while your account is active so the Service can show you trends over time.
- Server logs are typically rotated within 30 days.
- On account deletion, your account, profile, watchers, bookmarks, proposals, and notification history are removed from the live database. Residual copies in backups roll off as backups expire.
8. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA, and similar laws), you have the right to access, correct, port, restrict, or delete the personal data we hold about you, and to object to processing. To exercise any of these rights, including account deletion, use the in-app controls under Settings → Account or contact us at the address below. We will respond within the timeframe required by applicable law.
If you are in the EU, the UK, or another jurisdiction with a data protection authority, you also have the right to lodge a complaint with your local supervisory authority. For users in Ukraine, the relevant authority is the Ukrainian Parliament Commissioner for Human Rights (Ombudsman).
9. Security
We use industry-standard practices: passwords hashed with Argon2id, TLS in transit, server-side input validation (including SSRF protection for the webhook URLs you configure), single-use email tokens, and defense-in-depth checks on paid features. No system is perfectly secure; if you believe you have found a vulnerability, please contact us responsibly.
10. Children
The Service is not directed to children. It is not intended for use by anyone under 16 (under GDPR) or under 13 (under the U.S. Children’s Online Privacy Protection Act). Do not create an account if you are below those ages.
11. Changes
We may update this Policy. Material changes will be communicated by email or in-app banner before they take effect. Continued use of the Service after the effective date constitutes acceptance.
12. Contact
Questions, requests, or complaints about this Policy: hello@upwatcher.io. Postal correspondence may be addressed to Danylo Vyslotskyi, Lviv, Ukraine.