Privacy policy
Last updated: 11 July 2026 · Applies to upbuild.app and the Upbuild connector service
Upbuild is a hosted MCP (Model Context Protocol) connector that lets you query your own advertising and analytics accounts from AI assistants such as Claude and ChatGPT. This policy explains what we process, why, and what we deliberately do not do. It also serves as the privacy policy for the Upbuild OAuth applications registered with Google and Meta.
Who we are
The data controller is Madtechers SLU (Barcelona, Spain), operating the Uptimal and Upbuild brands. Uptimal FZCO (Dubai, UAE) provides operational support. Contact: [email protected].
What we process, and why
- Identity. Your Google account id, email and basic profile (and, if you link it, your Meta user id) identify your connection, your trial and your subscription. Legal basis: contract performance.
- OAuth tokens. Access and refresh tokens for the platforms you connect are stored encrypted, server-side, in Cloudflare KV. They are never exposed to the AI assistant, to your browser, or to third parties. Legal basis: contract performance.
- Platform data in transit. When you ask a question, the connector fetches the requested data (for example a GA4 report or a Google Ads query) and returns it to your assistant. Responses may be cached briefly to keep conversations fast, then discarded. We do not build a copy of your marketing data.
- Usage metering. We log which tools are called, when, and by which connection (in Cloudflare D1) to enforce trials and subscriptions, prevent abuse and operate the service. Legal basis: contract performance and legitimate interest.
- Billing. Payments are processed by Stripe. We never see or store your full card details. Legal basis: contract performance and legal obligation.
- Contact form. If you submit the form on upbuild.app we store your name, email, company and message to reply to you. Legal basis: consent.
What we deliberately do not do
- We request read-only scopes wherever the platform offers them. The connector cannot modify campaigns, tags, budgets or audiences.
- Your data is never used to train models, ours or anyone else's.
- We never sell or rent personal data or platform data.
- We do not show ads on upbuild.app and we do not run third-party advertising trackers on it.
OAuth scopes we request
Google: Tag Manager (readonly), Analytics (readonly), Display & Video 360, Campaign Manager 360 trafficking and reporting (read use), Google Ads (read use), plus openid, email and profile for sign-in. Meta (optional): ads_read and read_insights only. You can review and revoke access at any time from your Google Account connections or your Meta Business integration settings.
Use of Google user data (Limited Use disclosure)
Upbuild's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google user data is used only to provide the user-facing features described here: answering the questions you ask through your AI assistant. It is not used for advertising, not sold, and not used to train models.
Subprocessors
| Provider | Purpose |
|---|---|
| Cloudflare | Hosting (Workers), encrypted token storage (KV), usage metering (D1) |
| Sign-in and the Google marketing APIs you connect | |
| Meta Platforms | Optional Meta Ads sign-in and Marketing API |
| Stripe | Subscriptions, checkout and customer portal |
Retention
- Tokens: until you disconnect, revoke access, or your account is deleted.
- Response cache: brief, typically minutes.
- Metering and billing records: as long as needed for the service and for legal and accounting obligations.
- Contact form submissions: until resolved, plus a reasonable follow-up period, unless you ask us to delete them earlier.
Your rights
Under the GDPR and equivalent laws you can request access, rectification, erasure, restriction, portability, and object to processing. Write to [email protected]. You can also lodge a complaint with your supervisory authority (in Spain, the AEPD). Disconnecting the connector and revoking access in Google or Meta immediately invalidates stored tokens; ask us to delete the associated records at any time.
International transfers
Our providers may process data outside the EEA. Where they do, transfers rely on adequacy decisions or standard contractual clauses put in place by those providers.
Changes
We will post any material change to this page and update the date above. Significant changes affecting connected users will also be communicated through the service.