Privacy Policy
Last updated: April 2026
1. Who We Are
UpiChat is operated by Pegadis, a sole proprietorship (eenmanszaak) registered in the Netherlands.
Data controller: Pegadis
Address: Keizer Maximiliaanlaan, The Hague, Netherlands
KVK: 99517671
Email: support@upichat.com
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).
2. What Data We Collect
| Data Category | Specific Data | When Collected |
|---|---|---|
| Account information | Name, email address, phone number, password (hashed) | When you create an account |
| Transaction data | Recipient phone numbers, countries, operators, product type (airtime/data), amounts, payment method, transaction status, timestamps | When you place an order |
| Payment data | Payment method type, last 4 digits of card (if applicable), billing country. Full payment credentials are processed by Stripe, PayPal, Adyen, or Chapa — UpiChat does not store complete card numbers. | When you make a payment |
| Authentication data | Session tokens (HMAC-SHA256 signed cookies), OTP verification records (HMAC-hashed), WebAuthn credential IDs | When you log in |
| Security data | IP address, browser user agent, device fingerprint (for fraud prevention only), security event logs | Automatically during use |
| Communication data | Support emails, feedback you provide | When you contact us |
| Partner data | Sales volume, margins, customer counts (for partner dashboard) | If you join the partner program |
3. Why We Process Your Data (Legal Basis)
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Processing your orders and delivering top-ups | Performance of a contract (Art. 6(1)(b)) |
| Processing payments via third-party gateways | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention and security monitoring | Legitimate interest (Art. 6(1)(f)) — protecting users and our business from fraud |
| Account management and customer support | Performance of a contract (Art. 6(1)(b)) |
| Service improvement and analytics | Legitimate interest (Art. 6(1)(f)) — improving service quality |
| Sending transactional notifications | Performance of a contract (Art. 6(1)(b)) |
| Marketing communications (only with your consent) | Consent (Art. 6(1)(a)) |
4. Who We Share Your Data With
We share your personal data only with the following categories of recipients, solely for the purposes described above:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing (cards, iDEAL, Apple Pay, Google Pay) | United States (EU-US Data Privacy Framework certified) |
| PayPal (Europe) S.à r.l. | Payment processing | Luxembourg (EU) |
| Adyen N.V. | Payment processing (Wero, SEPA, Klarna) | Netherlands (EU) |
| Chapa Financial Technologies | Ethiopian payment processing (Telebirr, CBE) | Ethiopia |
| Reloadly, Inc. | Top-up fulfillment and delivery | United States (standard contractual clauses) |
| Sochitel Ltd. | Backup top-up fulfillment | United Kingdom (UK adequacy decision) |
| Twilio, Inc. | SMS/OTP delivery | United States (EU-US Data Privacy Framework certified) |
| Vercel, Inc. | Website hosting | United States (EU-US Data Privacy Framework certified) |
We do not sell your personal data to third parties. We do not share your data with advertisers. We may disclose data to Dutch law enforcement or the FIU-Nederland if required by law or in response to a valid legal request.
5. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). For transfers to the United States, we rely on the EU-US Data Privacy Framework for certified providers (Stripe, Twilio, Vercel) and Standard Contractual Clauses (SCCs) for other providers (Reloadly). For transfers to Ethiopia (Chapa), we apply Standard Contractual Clauses and additional technical safeguards including encryption in transit and at rest. For transfers to the United Kingdom (Sochitel), we rely on the UK adequacy decision.
6. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 12 months after deletion | Contract performance + dispute resolution |
| Transaction records | 7 years from transaction date | Dutch fiscal law (Art. 2:10 BW — 7-year accounting record retention obligation) |
| Security logs and fraud prevention data | 3 years | Fraud investigation and legal claims |
| Marketing consent records | Duration of consent + 12 months | Proof of consent |
| Support communications | 2 years from last contact | Service improvement and dispute resolution |
After the retention period expires, data is deleted or anonymized so it can no longer be linked to you.
7. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15): You can request a copy of all personal data we hold about you. UpiChat provides a self-service data export function in your account settings.
- Right to rectification (Art. 16): You can update your account information at any time through your account settings, or contact us to correct inaccurate data.
- Right to erasure (Art. 17): You can request deletion of your account and personal data. UpiChat provides a self-service account deletion function that anonymizes all personally identifiable information across all relevant database tables. Note: we must retain transaction records for 7 years under Dutch fiscal law, but these records will be anonymized so they cannot be linked back to you.
- Right to restriction of processing (Art. 18): You can request that we restrict the processing of your data in certain circumstances (e.g., while we verify accuracy of disputed data).
- Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format. Our data export function provides this.
- Right to object (Art. 21): You can object to processing based on legitimate interest (including fraud prevention profiling). We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7): Where processing is based on your consent (e.g., marketing), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, email support@upichat.com or use the self-service functions in your account settings. We will respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
8. Cookies
UpiChat uses the following cookies:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| session_token | Authentication (keeps you logged in) | Strictly necessary | Session / 30 days |
| csrf_token | Security (prevents cross-site request forgery) | Strictly necessary | Session |
| cookie_consent | Remembers your cookie preference | Strictly necessary | 12 months |
| locale | Remembers your language preference (EN/NL/AM) | Functional | 12 months |
UpiChat does not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not use Google Analytics. We do not track you across other websites. The cookie consent banner on your first visit allows you to accept or decline non-essential cookies. Strictly necessary cookies cannot be declined as they are required for the service to function.
9. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Hashed passwords (bcrypt) and hashed OTP codes (HMAC-SHA256)
- Signed session cookies (HMAC-SHA256)
- Security headers (HSTS, CSP, X-Content-Type-Options, Permissions-Policy)
- Rate limiting on all API endpoints
- Iron Dome fraud prevention system
Despite these measures, no system is 100% secure. If you become aware of any unauthorized access to your account, please contact us immediately at support@upichat.com.
10. Children
UpiChat is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you believe a person under 18 has provided us with personal data, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users or via a notice on the website. The "Last updated" date at the top reflects the most recent revision.
12. Complaints
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl. You may also contact us first at support@upichat.com and we will do our best to resolve your concern.
13. Contact
Pegadis (UpiChat)
Keizer Maximiliaanlaan, The Hague, Netherlands
KVK: 99517671
Privacy inquiries: support@upichat.com
General support: support@upichat.com
