Privacy Policy

1. Controller

The controller responsible for the data processing on this website is:

1.1. Our Role as Controller and Processor

upspawn software UG (haftungsbeschränkt) acts as the Data Controller for the personal data you provide to us, such as your account information. For any personal data contained within the files you upload for processing, you are the Data Controller, and we act as a Data Processor on your behalf. We process this data only on your instructions to provide the Service.

2. Data we collect

We collect and process the following categories of data:

2.1 Account and Contact Data

• Name and email address (for account creation and communication)
• Payment information (processed securely through Stripe)
• Account preferences and settings

2.2 Content and Usage Data

• Uploaded files and their metadata (names, sizes, types)
• File processing requests and AI-generated suggestions
• Usage patterns and feature interactions
• Access logs and timestamps

2.3 Technical Data

• IP address and device information
• Browser type, version, and language settings
• Operating system and screen resolution
• Cookies and similar tracking technologies (see Section 5)

2.4 Advertising and Marketing Data (with consent)

• Page views and user interaction patterns
• Conversion events and purchase behavior
• Cross-device identifiers and tracking cookies
• Remarketing audiences and advertising preferences
• Hashed email addresses for advertising matching
• Custom event data (file uploads, feature usage, checkout actions)

2.5 Dropbox Integration Data (if connected)

• Dropbox account ID and, where provided, account email and display name
• Selected Dropbox folder paths and related configuration (e.g., templates, language)
• File metadata within watched folders (names, paths, sizes)
• Temporary access to file content for renaming; temporary copies are deleted after processing
• Audit logs containing original and suggested filenames (no file contents)

2.6 Social Sign‑In Data (Google, Microsoft, X/Twitter)

• If you choose to sign in with a third‑party provider such as Google, Microsoft, or X/Twitter, we receive your account identifier and basic profile data (e.g., name and email) from that provider to create or authenticate your account on renamed.to.
• We do not receive your password from those providers. Authentication is handled by the provider and our identity service.

3. Purpose of processing

We process your data for the following purposes:

3.1 Essential Services

• Provision of file renaming and AI-powered suggestions
• Account management and authentication
• File storage and retrieval
• Payment processing and billing
• Customer support and technical assistance

3.2 Security and Compliance

• Fraud prevention and security monitoring
• Compliance with legal obligations
• Protection of our systems and users

3.3 Marketing and Advertising (with consent)

• Digital advertising and remarketing campaigns
• Conversion tracking and optimization
• Audience building for targeted advertising
• Cross-device tracking and personalization
• Marketing performance measurement

3.4 Improvement and Analytics (with consent)

• Service analytics and performance monitoring
• User experience optimization
• Product development and feature enhancement

3.5 Dropbox Integration (optional)

• Provide optional file renaming within your Dropbox in folders you select
• List files in watched folders, generate a suggested filename using AI, and move the file
• Process file contents transiently only for renaming; we do not retain file contents
• Store only the information needed to maintain the connection (encrypted tokens), settings, and audit logs

3.6 Social Sign‑In

• Microsoft Account – Optional sign‑in method. Data processed: name, email, and provider user ID for account creation and authentication.
• Google and X/Twitter – Same as above.
• You can disconnect a social login by changing your sign‑in method in account settings or contacting support.

4. Legal basis

We process your personal data on the basis of the following legal grounds according to Art. 6 GDPR:

• Art. 6 para. 1 lit. b GDPR – performance of a contract or steps prior to entering into a contract (account services, file processing)
• Art. 6 para. 1 lit. f GDPR – legitimate interests (security, fraud prevention, service improvement)
• Art. 6 para. 1 lit. a GDPR – your consent (analytics, advertising tracking, marketing communications, remarketing)
• Art. 6 para. 1 lit. c GDPR – compliance with a legal obligation (tax records, data retention requirements)

5. Cookies & tracking technologies

5.1 Essential Cookies (Always Active)

These cookies are essential for the website to function and cannot be disabled:

• Authentication cookies – Keep you logged in to your account
• Security cookies – Protect against fraud and unauthorized access
• Preference cookies – Remember your settings and choices

5.2 Analytics Cookies (Optional)

With your consent, we use analytics services to understand how our service is used:

• PostHog – Privacy-focused analytics to improve user experience
• Usage tracking – Anonymous data about feature usage and performance

5.3 Advertising Cookies (Optional)

With your consent, we use advertising technologies to deliver relevant ads and measure their effectiveness:

• Meta (Facebook) Pixel – Tracks page views, conversions, and user interactions for targeted advertising and remarketing
• _fbp cookie – Facebook browser pixel cookie for cross-device tracking and ad personalization
• fr cookie – Facebook cookie for advertising purposes and user identification
• Conversion tracking – Monitors purchases, registrations, and key user actions
• Audience building – Creates custom audiences for targeted advertising campaigns

5.4 Cookie Management

You can manage your cookie preferences at any time through our cookie banner or by contacting us. Disabling analytics or advertising cookies will not affect the core functionality of our service, but may limit personalization and targeted content.

6. Third-party services & data processors

We work with carefully selected third‑party providers to deliver our services. Where providers act as our processors, they are bound by data processing agreements according to Art. 28 GDPR. Certain authentication providers (e.g., Microsoft, Google, X/Twitter) act as independent controllersfor their identity platforms.

6.1 Essential Service Providers

6.2 Optional Analytics Services

6.3 Advertising Services

7. International data transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure adequate protection for your data when it is transferred to these countries. We have verified that our partners provide a level of data protection equivalent to that in the EU, and all transfers are based on appropriate safeguards:

• EU Standard Contractual Clauses (SCCs): We have entered into SCCs with our non-EEA partners to ensure your data is handled in compliance with GDPR.
• Supplementary Measures: We conduct Transfer Impact Assessments (TIAs) and ensure that technical and organizational measures (like encryption) are in place to protect your data from foreign government access.
• Adequacy decisions by the European Commission
• Approved certification mechanisms
• Binding corporate rules where applicable

8. Data retention

We retain personal data only as long as necessary:

• Account data: Until account deletion plus 30 days for security
• Files: As long as stored by you, plus 30 days after deletion
• Payment data: 10 years for tax compliance (processed by Polar)
• Analytics data: 25 months maximum (anonymized)
• Advertising data: Up to 2 years for campaign optimization, or until consent is withdrawn
• Facebook Pixel data: Retained according to Meta's data retention policies (up to 2 years)
• Support communications: 3 years for service improvement
• Dropbox integration data: Connection settings and encrypted tokens retained until you disconnect. Temporary processing files are deleted after processing. Audit logs may retain original/suggested filenames for service quality and security.

9. Your rights under GDPR

You have the following rights:

To exercise these rights, contact us at support@renamed.to. We will respond within 30 days.

10. Your Rights for US Residents (CCPA/CPRA)

If you are a resident of California or another US state with applicable privacy laws, you may have additional rights, including:

• Right to Know: You can request to know what personal information we collect, use, disclose, and sell.
• Right to Delete: You can request the deletion of your personal information.
• Right to Opt-Out of Sale/Sharing: You have the right to opt-out of the "sale" or "sharing" of your personal information. We do not sell your personal data. However, our use of advertising cookies may be considered "sharing" under California law. You can opt-out by managing your preferences in our cookie banner.
• Right to Correct: You can request to correct inaccurate personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, please contact us at support@renamed.to with the subject line "US Privacy Rights Request".

11. Data security

We implement appropriate technical and organizational measures:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls and authentication
• Employee training on data protection
• Incident response procedures

12. Contact & data protection officer

For questions about this Privacy Policy, data protection, or to exercise your rights:

13. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email or through our service. Continued use after changes constitutes acceptance of the updated policy.