Plain English summary: We collect only what we need to respond to your enquiry and improve our services. We do not sell your data. Ever. You can request deletion of your data at any time by emailing koushik@upbeatstrategy.com.
1. WHO WE ARE
Upbeat Strategy ("we", "us", "our") is an AI automation consultancy that helps small and medium businesses eliminate repetitive tasks through custom AI solutions. We operate globally and serve clients in Bangladesh, the United Kingdom, the United States, and beyond.
Data Controller: K M Kadir Koushik, Upbeat Strategy
Email: koushik@upbeatstrategy.com
Website: https://upbeatstrategy.com
2. DATA WE COLLECT
We collect the following information when you submit our contact form:
Information You Provide Directly
- Full name — to address you personally
- Business name — to understand your organisation
- Email address — to respond to your enquiry
- Pain area / challenge — to prepare a relevant response
- Message — any additional details you share
Information Collected Automatically
- Traffic source — which website or platform referred you (e.g. LinkedIn, Google)
- UTM parameters — campaign tracking tags in the URL (e.g. utm_source, utm_medium, utm_campaign)
- Submission timestamp — date and time of your enquiry
We do not collect IP addresses, device fingerprints, browsing history, or any sensitive personal data (health, financial, biometric, etc.).
3. HOW WE USE YOUR DATA
We use your data solely for the following purposes:
- To respond to your enquiry within 24 hours
- To send you an automated acknowledgement email confirming receipt
- To understand which marketing channels are driving enquiries (using aggregated UTM data)
- To improve our services based on the types of challenges businesses face
We do not use your data for:
- Unsolicited marketing or spam
- Selling or renting your data to third parties
- Automated decision-making or profiling
- Any purpose beyond responding to your enquiry
4. LEGAL BASIS FOR PROCESSING
We process your personal data under the following legal bases:
For EU/UK individuals (GDPR)
- Legitimate interests (Art. 6(1)(f)) — responding to business enquiries you have initiated
- Consent (Art. 6(1)(a)) — by submitting our contact form, you consent to us processing your data to respond to you
For California residents (CCPA)
We collect personal information for legitimate business purposes as disclosed in this policy. We do not sell personal information as defined under the CCPA. California residents have the right to know, delete, and opt out of sale of personal information.
For other jurisdictions
We process data based on your voluntary submission of an enquiry, which constitutes consent under applicable local laws including PDPA (Thailand/Singapore), POPIA (South Africa), and equivalent frameworks in the Middle East and Asia-Pacific regions.
5. DATA STORAGE & SECURITY
Your data is stored in a PostgreSQL database hosted on a private Virtual Private Server (VPS) located in Kuala Lumpur, Malaysia (Hostinger infrastructure). This server is:
- Protected by root-level access controls
- Accessible only to authorised personnel (the data controller)
- Not publicly accessible — no open database ports exposed to the internet
- Covered by active malware scanning
Email communications are processed via Google Workspace (Gmail), which is certified under ISO 27001 and SOC 2/3 and is compliant with GDPR.
Automated workflows are handled by n8n, a self-hosted workflow automation tool running on the same private server. No data is sent to n8n's cloud servers.
Despite our security measures, no system is 100% secure. In the unlikely event of a data breach affecting your rights, we will notify you and relevant authorities within 72 hours as required by GDPR.
6. THIRD PARTY SERVICES
We use the following third-party services that may process your data:
Google Analytics 4 (GA4)
We use Google Analytics 4 to understand how visitors use our website. GA4 only activates if you accept cookies via our consent banner. Data collected is anonymised and IP addresses are never stored in full. Google Privacy Policy →
Google Workspace (Gmail)
Used to send and receive emails. Google processes your email address and email content. Google is GDPR compliant and certified under major security frameworks. Google Privacy Policy →
Netlify
Our website is hosted on Netlify. Netlify may process standard web server logs (which we do not access or store). Netlify Privacy Policy →
Google Fonts
Our website loads fonts from Google Fonts, which may log your IP address as part of the font delivery. This is a standard industry practice. Google Privacy Policy →
We do not share your personal data with any other third parties, advertisers, data brokers, or analytics platforms.
7. DATA RETENTION
We retain your contact form data for 24 months from the date of submission, or until you request deletion — whichever comes first.
This period allows us to:
- Follow up on your enquiry if you did not respond to our initial reply
- Maintain basic business records as required by applicable law
After 24 months, your data is permanently deleted from our database. You may request earlier deletion at any time — see Your Rights below.
8. YOUR RIGHTS
Depending on your location, you have the following rights regarding your personal data:
✓ Right to Access
Request a copy of all personal data we hold about you.
✓ Right to Deletion
Request permanent deletion of your data from our systems.
✓ Right to Correction
Request correction of any inaccurate data we hold.
✓ Right to Portability
Receive your data in a structured, machine-readable format.
✓ Right to Object
Object to processing of your data for specific purposes.
✓ Right to Withdraw Consent
Withdraw consent at any time without affecting prior processing.
To exercise any of these rights, email us at koushik@upbeatstrategy.com with the subject line "Data Rights Request". We will respond within 30 days.
EU/UK Residents
If you are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA). In the UK this is the ICO (ico.org.uk). In the EU, contact your national DPA.
California Residents (CCPA)
You have the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale (we do not sell data). You will not be discriminated against for exercising these rights.
South African Residents (POPIA)
You have the right to access, correct, and delete your personal information as provided under the Protection of Personal Information Act. Contact us or the Information Regulator of South Africa at inforeg.org.za.
9. INTERNATIONAL DATA TRANSFERS
Your data is stored on a server in Malaysia. When you submit our contact form from the EU, UK, or any other jurisdiction, your data is transferred internationally.
For EU/UK individuals, this transfer is made on the basis of our legitimate interests in responding to your enquiry, combined with appropriate technical safeguards (encrypted storage, access controls). We do not transfer data to countries without adequate protection levels without implementing appropriate safeguards.
Email communications may be routed through Google's global infrastructure, which operates under Google's Binding Corporate Rules and Standard Contractual Clauses approved by the European Commission.
11. CHILDREN'S PRIVACY
Our services are intended for business professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.
12. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will update the "Last updated" date at the top of this page.
We encourage you to review this policy periodically. Continued use of our website after changes are posted constitutes acceptance of the updated policy.
13. CONTACT US
For any privacy-related questions, requests, or concerns, please contact our Data Controller directly:
K M Kadir Koushik
Data Controller · Upbeat Strategy
koushik@upbeatstrategy.com
We aim to respond to all privacy requests within 30 days.