This is the privacy statement of UpTo a company registered in the Netherlands (hereinafter referred to as "we", "us", or "our"). Through this document, we provide clear information about the personal data we process of users of our mobile application (both individuals and companies), as well as any other persons with whom we interact in the context of our services.
As a data controller, we value transparency and handle your personal data with the utmost care. We process and protect personal data in accordance with the General Data Protection Regulation (GDPR) and all other applicable privacy laws.
This privacy statement explains:
· What types of personal data we process,
· For what purposes and on what legal grounds,
· With whom data may be shared,
· How long data is retained,
· And what rights you have as a data subject.
We recommend that you read this privacy statement carefully.
If you have any questions after reading this document, feel free to contact us. Our contact details can be found at the bottom of this statement.
How we obtain personal data
When you use our mobile application or interact with our services, you provide us with certain personal data. These are data that can identify you directly or indirectly. We only collect and use personal data that you voluntarily provide to us, or that are clearly provided with the intention of being processed.
We may collect personal data in the following ways:
· When you create an account as an individual or as a company in the UpTo app;
· When you publish, join, or interact with events;
· When you connect with friends or other users via the app;
· When you swipe through events or use the event map;
· When you contact us via email, contact forms, or in-app support;
· When your account is reported, suspended, or moderated;
· When you sign up for our newsletter or receive marketing communication (if applicable);
· When we collect data automatically through the app, such as technical or usage data (see also our Cookie section, published later);
· When your data is submitted to us via third-party authentication providers (e.g., Apple, Google, Facebook login).
We do not obtain personal data from third parties unless:
· You have given consent to such sharing, or
· It is technically necessary for account authentication or service operation.
Types of personal data we process
When you use our app and/or services, we may process the following personal data:
· Identification and contact details: such as your full name, email address, phone number (if provided), and optional profile photo or display name;
· Account and interaction data: information you provide when creating an account or interacting with the app, such as login credentials (securely stored), event participation, friend connections, swiping activity, and content you submit;
· Event data: information related to events you create or attend, including event titles, descriptions, location (map-based), images, dates and times, and your RSVP or interest;
· Communication data: any messages or requests you send via in-app forms, email, or support channels, as well as reports related to moderation or suspension procedures;
· Technical data: including your IP address, device type, operating system, app version, crash data, and usage patterns (e.g. navigation, time spent per screen, tap behavior), which may be collected automatically;
· Marketing and preference data (if applicable): information you provide when signing up for our newsletter or other updates, such as your name and email address, and your consent status for promotional communication.
The exact personal data we process depends on the specific services and functionalities you use within the app. In the following sections, we will further explain how and why we collect these categories of data.
Mandatory data and consequences of non-provision
For certain features and services within the UpTo app, the provision of specific personal data is required. If these data are not provided, we may not be able to offer you access to those features or fulfill your request.
The following are examples of required data and the consequences of not providing them:
· Creating an account: Your name, email address (or social login credentials), and acceptance of our terms and privacy statement are mandatory. Without this information, you will be unable to register or use the app.
· Publishing or joining an event: To create or RSVP to an event, your account must be active and identifiable. If you do not provide a valid account or required event details, the event cannot be published or joined.
· Handling moderation or abuse reports: If you are involved in a reported incident, we may require a response or identification to assess the situation. Without cooperation, your account may remain suspended.
· Using certain technical features of the app: Some app functions rely on access to technical data, such as location or device type. If these are disabled or not shared, certain app functionalities (e.g. location-based event discovery) may be limited.
· Marketing communication (if applicable): Providing your email address and explicit consent is required for receiving newsletters. Without it, we cannot send you promotional updates.
· Age verification (where required): In order to access certain events (for example, 18+ events), you may be required to provide your date of birth or other proof of age. Without this information, we cannot grant access to such events.
We only request data that are strictly necessary for the purpose for which they are collected. Where possible, we offer users the choice to provide data voluntarily.
Special Categories of Personal Data
UpTo does not intentionally collect or process any special categories of personal data within the meaning of Article 9 of the GDPR. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning a person’s sex life or sexual orientation.
We do, however, process age-related data in a limited way, for example:
· To ensure that users meet the minimum registration age of 16 years;
· To verify whether users meet the age requirement of 18 years or older for certain events published on the platform.
If you believe that we have collected personal data of a minor without proper consent, please contact us using the contact details at the end of this privacy statement. We will delete the data concerned as soon as possible.
Please note: Event organizers who use our platform to publish or manage events may apply their own age restrictions (for example, 18+ events). In such cases, the organizer may carry out age verification at the event location (for example by checking an ID). This processing takes place under the responsibility of the event organizer, and is subject to their own privacy policy. UpTo does not have access to or store ID documents presented on-site.
Automated Decision-Making and Profiling
UpTo makes use of automated decision-making in specific situations related to the safety, moderation, and functionality of the app. This means that certain decisions may be made without human involvement, based solely on algorithmic processing of personal data. These include:
· Moderation of content: Events or user activity may be automatically flagged or temporarily hidden based on predefined criteria (e.g. inappropriate language, spam-like behavior, or unusual activity).
· Suspension triggers: User accounts may be automatically suspended for review if suspected of violating our community guidelines or terms of service.
· Recommendation and filtering: Based on your preferences, previous swiping behavior, or interactions, the app may automatically prioritize or suggest events that match your profile.
These automated processes are designed to ensure platform integrity, enhance user experience, and detect potential misuse. Wherever relevant, decisions with a significant impact on users are subject to human review or allow for appeal.
If you disagree with an automated decision that affects you significantly, you have the right to request human intervention. Please contact us via the details provided at the end of this privacy statement.
Purposes and Legal Bases for Processing
Purpose
Legal ground
Account registration and login: Creating and maintaining your personal or business account in the UpTo app, including authentication via email, social login (e.g. Google, Apple), and secure password management.
Performance of a contract
Event creation and participation: Enabling you to publish, browse, join, or RSVP to events, and view who of your connections are attending.
Performance of a contract
Social interactions: Managing friend connections and interactions (such as following, viewing mutual events, and activity sharing).
Performance of a contract
Content moderation and policy enforcement: Automatic or manual review of user-generated content and user behavior, including temporary account suspension, removal of content, or response to reports.
Legitimate interest and legal obligation
Event recommendations and user personalization: Suggesting relevant events or content based on your preferences, swiping behavior, and past activity.
Consent and legitimate interest
User support and communication: Responding to your inquiries, complaints, or feedback via email, in-app forms, or support tools.
Performance of a contract and/or
legitimate interest
Sending newsletters and promotional updates: Providing you with promotional content, updates, or event suggestions, if you have
subscribed. You can unsubscribe at any time.
Consent
Technical operation and app optimization: Collecting technical data (e.g.
crash logs, session activity, device type) to improve stability, fix bugs, and enhance performance.
Legitimate interest
Analytics and cessing data subject rights, or resolving legal claims.
Consent (for non-
essential analytics) and/or legitimateinterest
Legal compliance and dispute handling: Storing records, handling requests from authorities, processing data subject rights, or resolving legal
claims.
Legal obligation
Authentication via third parties: Letting users log in using trusted third-
party providers (e.g. Apple, Facebook, Google).
Performance of a
contract
Legitimate Interests
In some cases, we process your personal data based on our legitimate interests as a business, in accordance with Article 6(1)(f) of the GDPR. Whenever we rely on this legal ground, we perform a careful balancing test to ensure that our interests do not override your fundamental rights and freedoms.
Our legitimate interests include the following:
· Ensuring platform integrity and safety: We monitor and moderate content to prevent misuse, spam, or violations of our community guidelines. This protects the quality of the user experience and the safety of all users.
· Handling user reports and enforcement actions: When users report inappropriate events or behavior, we may take action — including suspending accounts — to maintain a respectful and lawful environment.
· Improving the performance and usability of the app: We use technical and behavioral data (e.g. crash reports, navigation patterns) to detect bugs, enhance functionality, and optimize user experience.
· Providing personalized content and recommendations: We tailor event suggestions and content based on your interactions in the app to make the platform more relevant and engaging for you.
· Maintaining customer relationships and support: We store communication history and user actions to ensure consistent and effective support when you contact us.
· Preventing fraud and abuse: We use automated tools to detect suspicious activity that could compromise the integrity of our systems or affect other users.
· Marketing to existing users: If you have used our services before, we may inform you of similar services or updates via direct email (in accordance with applicable laws), unless you opt out.
We always strive to ensure that the impact on your privacy is minimized and proportionate. You have the right to object to any processing based on legitimate interest at any time (see the “Your Rights” section for details).
Sharing of Personal Data with Third Parties and International Transfers
We only share your personal data with third parties when this is necessary for the operation of our platform, when required by law, or when you have given your explicit consent. We ensure that any data shared is limited to what is strictly necessary and that appropriate safeguards are in place.
We may share your data with the following categories of recipients:
· Hosting and infrastructure providers: Our app and backend systems are hosted by trusted third-party cloud service providers. These providers process data on our behalf and are bound by data processing agreements.
· Analytics and performance tools: We may use third-party services to monitor app performance, analyze usage patterns, and detect bugs (e.g. crash reporting). Where such tools process data, we ensure they do so securely and, where needed, with consent.
· Email and notification services: To send transactional emails, service updates, or (if applicable) newsletters, we may use external email delivery platforms. These platforms process your name and email address on our behalf.
· Authentication providers: When you choose to log in with a third-party identity provider (e.g. Google, Apple, Facebook), your basic login information is securely exchanged to allow account access. These parties act as independent controllers.
· Moderation and security systems: We may rely on automated systems or service providers to detect misuse, enforce policies, and respond to reported incidents.
· Legal or regulatory authorities: We may disclose data when legally required to do so, for example in response to a court order or government request, or to protect our legal rights.
International Transfers of Personal Data
Some of our service providers may be located outside the European Economic Area (EEA), or may store data on servers located in third countries. Where this is the case, we ensure that such transfers comply with the GDPR and offer an adequate level of data protection.
We rely on one or more of the following safeguards:
· An adequacy decision by the European Commission for the destination country;
· Standard Contractual Clauses (SCCs) adopted by the European Commission;
· Binding Corporate Rules (where applicable);
· Additional technical and organizational measures to ensure data confidentiality.
You may contact us for more information or a copy of the applicable safeguards used in connection with international transfers.
Data Subject Rights
As a user of UpTo and a data subject under the General Data Protection Regulation (GDPR), you have several rights regarding your personal data. You may exercise these rights at any time by contacting us via the contact details at the end of this privacy statement.
Your rights include:
· Right of access: You have the right to request access to the personal data we process about you, including information about how and why we process it.
· Right to rectification: You may request that we correct or update inaccurate or incomplete personal data we hold about you.
· Right to erasure (right to be forgotten): You may request the deletion of your personal data, for example when it is no longer necessary for the purposes for which it was collected or when you withdraw your consent (if applicable).
· Right to restriction of processing: In certain situations, you may request that we temporarily restrict the processing of your data, such as during a dispute about accuracy or pending a legal claim.
· Right to data portability: If we process your data based on consent or a contract and the processing is carried out by automated means, you may request to receive your data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller.
· Right to object: You may object to processing that is based on our legitimate interests. If your objection is valid, we will stop processing the data for that purpose unless we have compelling legitimate grounds to continue.
· Right to withdraw consent: If we process your data based on your consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing prior to the withdrawal.
Third-Party Websites and Social Media Buttons
Our app or website may contain links to external websites or include buttons that redirect you to social media platforms, such as Instagram, Facebook, or TikTok. Please note that this privacy statement does not apply to the data processing practices of those third parties.
Once you leave our platform and access a third-party service, their own privacy policies and terms will apply. We do not control, and are not responsible for, how those third parties handle your personal data. We recommend reviewing their privacy statements before using their services.
Examples include:
· Redirect buttons to UpTo’s official profiles on social media platforms;
· Embedded content or links to events hosted on third-party websites;
· External login providers (e.g. Google, Apple, Facebook) when used to authenticate your account.
By clicking on a third-party link or button, you understand that your personal data may be processed under that party’s responsibility and in accordance with their terms.
Data Retention Periods
Category of Data
Retention Period
Purpose /
Justification
Account data (e.g. name, email, login credentials, profile info)
Until you delete your account or after 24 months of inactivity
To enable access and usage of the app
Event-related data (e.g. created events, RSVPs, participation history)
12 months after the event has taken place, unless deleted earlier
For user history, moderation records, or repeated use
Suspension or moderation data
Up to 2 years after the incident or suspension
For complaint handling, audit trails, and abuse prevention
Communication data (e.g. messages to support or via contact forms)
2 years after last contact
For service continuity and documentation
Newsletter subscription data (e.g. name and email address)
Until you unsubscribe or withdraw your consent
To send relevant updates and promotional messages
Technical and analytics data (e.g. IP address, device, usage logs)
Max. 26 months, unless otherwise specified in the Cookie Policy
For performance monitoring, analytics, and user experience
Legal and financial records
(if applicable)
7 years
To comply with statutory regulations and/or tax and
bookkeeping obligations
Age verification data (for age-restricted events)
Deleted immediately after verification, or retained for max. 30 days if linked to a moderation or access dispute
To comply with (legal) age restrictions (16+/18+) and protect
minors
Newsletters, Push Notifications, and Commercial Communication
We may occasionally send promotional communications to keep you informed and engaged with UpTo’s services and community. These may include:
· Newsletters about upcoming or trending events
· Announcements about new features or partnerships
· Personalized tips or event suggestions based on your interests or past behavior
· Community guidelines or important platform updates We may contact you via:
· Email (if you have subscribed or are an existing user)
· Push notifications (if enabled in your device settings)
· In-app messages (such as banners or pop-ups while using the app) We rely on the following legal grounds:
· Consent: For newsletters or push notifications if you actively opt in
· Legitimate interest: To inform existing users about similar services or events You can manage your preferences at any time via:
· The unsubscribe link in emails
· Your device settings for push notifications
· The notification or marketing settings within your user account in the app
We may collect aggregated statistics such as open rates, click behavior, or interaction with in-app messages. This helps us improve the relevance of our communications but is not used for profiling unless you have explicitly agreed.
You can opt out or withdraw your consent at any time without affecting the lawfulness of prior communication.
Security Measures
We take the protection of your personal data seriously. UpTo implements appropriate technical and organizational measures to ensure that your data is safeguarded against unauthorized access, loss, misuse, or disclosure.
Our security measures include, but are not limited to:
· Secure data transmission: All communication between your device and our servers is encrypted using HTTPS and SSL/TLS protocols.
· Authentication and access control: User accounts are protected with hashed passwords and optional two-factor authentication (2FA) where supported. Internal access to data is restricted to authorized personnel only.
· Data minimization and role-based access: We limit data access and processing to what is strictly necessary, both within our team and among any third-party service providers
· Regular software updates and vulnerability checks: We actively monitor our systems for threats and apply patches and updates promptly to prevent exploitation.
· Anonymization and pseudonymization: Where possible, we anonymize or pseudonymize personal data for analytics or testing purposes to reduce privacy risks.
· Monitoring and logging: Access to sensitive data is logged, and suspicious activity is monitored to detect and respond to potential security incidents.
· Data breach protocols: In the unlikely event of a personal data breach, we will act swiftly to contain the incident, notify the supervisory authority where required, and inform affected users without undue delay.
Despite our efforts, no system can be 100% secure. We encourage users to use strong passwords and keep their devices protected. If you believe your data has been compromised, please contact us immediately using the contact details below.
Specific Processing Activities
In addition to standard data processing, UpTo engages in the following special types of processing activities:
1. AI-based content moderation
User-generated content (such as event descriptions, images, and usernames) may be automatically reviewed by algorithmic systems to detect spam, inappropriate language, or violations of community guidelines. These systems are trained on predefined rules and datasets and may involve automated flagging or temporary suspension of content or accounts.
We strive to ensure these processes are fair, non-discriminatory, and subject to human oversight. You may always contact us to dispute an automated moderation decision (see “Your Rights”).
2. Event access registration
For certain physical events published via the UpTo platform, registration and attendance tracking may take place. This may include:
· Scanning of QR codes at the entrance;
· Logging of check-in/check-out times;
· Linking attendance data to your UpTo account.
This data is processed to:
· Enable access control and event capacity management;
· Provide users with attendance history;
· Support event organizers in managing participants.
Data collected in this context is not used for profiling beyond operational purposes and is subject to standard retention and access safeguards.
If future processing activities involve more intrusive technologies (e.g. biometric access, surveillance footage), we will update this statement and conduct a data protection impact assessment where required.
Changes to this Privacy Notice
This privacy statement was last updated on 01/09/2025.
We reserve the right to amend or supplement this privacy statement at any time, for example in response to:
· Changes in legislation or regulatory guidance;
· Updates to our app functionalities or services;
· Adjustments in our data processing activities (e.g. the introduction of new features or external tools).
When we make significant changes, we will notify you through appropriate channels — such as in-app notifications, email, or a notice on our website — and request renewed consent where legally required.
We recommend reviewing this privacy statement regularly so that you remain informed about how we handle your personal data.
Questions, Complaints, and Contact Details
If you have any questions about this privacy statement or the way we process your personal data, please contact us. We are happy to assist you.
If you believe that we have not handled your personal data properly, or if you are not satisfied with our response to a request or complaint, you have the right to lodge a complaint with the Dutch Data Protection Authority