Privacy Policy

Upclytics is operated by futuristip Inc. ("we", "us"), a company incorporated in Ontario, Canada. We are the controller of personal data processed in connection with the Upclytics service at upclytics.com.

For any privacy question or to exercise your data-protection rights, write to us at contact@upclytics.com. The same address reaches our internal data-protection contact (we have not appointed a formal Data Protection Officer at this stage; the role is informally held by our founding team and we will appoint a DPO if and when we cross the GDPR thresholds that require one).

Account data. When you create an account we collect your email address, an optional display name, and (if you sign in with a password) a password that is hashed and stored by our authentication provider. We never see your password in plain text.

Contact-form data. When you submit our contact form we collect the name, email, topic, and message you provide, plus the IP address and User-Agent string of the request for fraud prevention.

Server logs. We log basic request metadata — timestamp, URL, response status, IP address, User-Agent — for operating the service, debugging issues, and protecting against abuse. Server logs are retained for 30 days unless required for an active security or legal investigation.

UPC public-record data. The case data, party data, judge data, and decisions surfaced in the product are sourced from public registries (see section 3). They may include personal data of UPC parties, representatives, and judges; we treat that data as already public for the purpose for which it was published — court transparency.

No behavioral tracking. Upclytics does not use third-party analytics, advertising trackers, or cross-site cookies.

We obtain UPC case data from the official Unified Patent Court registry at unifiedpatentcourt.org, which publishes case, decision, party, judge, and representative information as a matter of public court record. Patent metadata is enriched from the European Patent Office's Open Patent Services (EPO OPS) API.

We extract, structure, and aggregate that data; we do not collect personal data about case parties, judges, or representatives beyond what those sources publish.

Account data: performance of the contract you enter into with us when you create an account (Article 6(1)(b) GDPR), and our legitimate interest in operating, securing, and improving the service (Article 6(1)(f) GDPR).

Contact-form data: your consent in submitting the form (Article 6(1)(a) GDPR), and our legitimate interest in responding to inquiries (Article 6(1)(f) GDPR).

Server logs: our legitimate interest in operating, debugging, and securing the service (Article 6(1)(f) GDPR).

UPC public-record data: our legitimate interest in providing analytics over public court information that is already published (Article 6(1)(f) GDPR), balanced against the data subjects' interest in court transparency, which is the very purpose for which the data was published.

Marketing emails: only with your separate, explicit opt-in consent (Article 6(1)(a) GDPR). We do not currently send marketing emails.

We use account data to authenticate you, provide access to the product, and send service-related transactional email (account confirmation, password reset, security notifications, billing notices once we charge for the service). We use contact-form data to respond to your inquiry. We use server logs to operate, secure, and improve the service.

We do not use your account data, your inquiries, or your activity in the product to train machine-learning models, profile you, or sell to third parties.

We share personal data with a small number of carefully selected service providers (subprocessors) who process it on our behalf under written data-processing agreements. The current list is published at /subprocessors and includes our database/authentication provider, our hosting/CDN provider, and our transactional-email provider.

We will notify registered users of material changes to that list at least 30 days before the change takes effect.

We do not sell personal data and we do not share it with third parties for their own marketing.

Some of our subprocessors are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, on the recipient's certification under the EU–US Data Privacy Framework. The /subprocessors page identifies the location and applicable transfer mechanism for each subprocessor.

Account data: for as long as your account is active. If you delete your account, we keep your account record in a deactivated state for 30 days to allow recovery of accidental deletions, then permanently delete it from primary storage. Backups containing the deleted record are overwritten on the normal backup-rotation schedule (no longer than 90 days from deletion).

Contact-form submissions: for up to 24 months from submission, then deleted, unless they relate to an ongoing customer relationship in which case they are kept under the account-data rules above.

Server logs: 30 days, unless retained longer for an active security or legal investigation.

Where we are required by law to retain data longer (for example tax records once we charge for the service), we retain it only for the duration of that legal obligation and only for that purpose.

You have the right to: access the personal data we hold about you; correct inaccurate data (rectification); erase your data (subject to lawful retention obligations); restrict processing; object to processing based on legitimate interest; receive your data in a structured, commonly used, machine-readable format (data portability); and, where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, email contact@upclytics.com. We will respond within one calendar month of receipt; if your request is complex we may extend that period by up to two further months and will tell you why.

There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a supervisory authority — typically the data-protection authority in your EU/EEA country of residence, place of work, or place of the alleged infringement. We would appreciate the chance to address your concern first by email, but you do not have to contact us before going to the authority.

We do not subject you to decisions based solely on automated processing — including profiling — that produce legal effects on you or similarly significantly affect you. The aggregations and summaries shown in the product are statistical reporting on public court information; they do not make decisions about individuals.

We use a small set of cookies, all of them strictly necessary or functional. We do not use any analytics, advertising, or third-party tracking cookies, and we therefore do not show a cookie consent banner.

Strictly necessary cookies (no consent required): the Supabase session cookies that keep you signed in (sb-access-token, sb-refresh-token), and the CSRF protection cookies they emit. Without these you cannot use the gated parts of the service.

Functional cookies (no consent required under EU guidance for strict UX preference): the NEXT_LOCALE cookie that remembers whether you prefer the English or German version of the site.

No other cookies are set by upclytics.com.

UPC judges who sit only at French local divisions are anonymized in our display, in line with French judicial-protection conventions, even though the underlying public CMS records use their names. Multi-division judges are shown by name. This is a display choice, not a data-collection choice — the underlying name is in the public CMS record and we re-publish it for non-French-only judges.

Upclytics is a B2B legal-research product not directed at children. We do not knowingly collect personal data from anyone under sixteen years old. If you believe a minor has registered, please write to us and we will delete the account.

We are not currently required to designate an Article 27 representative because our processing of EU residents' personal data is occasional and not on a regular or large scale. We monitor our user base and will appoint a representative once our EU customer base or processing volume crosses the threshold at which Article 27 applies. Until then, all data-protection inquiries from EU residents should go to contact@upclytics.com — we commit to the same response timelines we offer to non-EU contacts.

We follow industry-standard security practices: TLS 1.2+ in transit, encryption at rest for the database, hashed passwords, an audited authentication library (Supabase Auth), and regular dependency updates. No system is perfectly secure. If you discover a vulnerability, please report it confidentially to contact@upclytics.com — we will acknowledge within three business days.

If we materially change this policy, we will notify registered users by email at least 30 days before the change takes effect, and we will update the "last updated" date at the top of this page. Continued use of the service after the change constitutes acceptance of the updated policy.

Controller: futuristip Inc. (Ontario, Canada), operating under the brand Upclytics. Privacy and DPO contact: contact@upclytics.com. For data-subject rights, security disclosures, or any privacy question, write to that address.