Privacy Policy
Version 2.0.0 · Effective Date: June 16, 2026 · Last Updated: June 16, 2026
1. Introduction
Supload (“we,” “us,” “our”) is a camera app for work, developed by Supload LLC, a Pennsylvania limited liability company. Supload replaces the multi-app juggle — Camera, Photos, Google Drive — with a single workflow: capture, organize into groups, and upload directly to your cloud storage.
This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Supload mobile application (“the App”), the Supload customer portal (“the Portal,” a separate service for managing subscriptions, user allocation, and billing), and the Supload marketing website at sup-load.com (“the Website”).
Our core privacy principle: Your photos and videos go directly from your device to your own cloud storage account (Google Drive, Dropbox, or Microsoft OneDrive). We never store, access, or process your media files on our servers. We collect only the minimum data necessary to provide the service.
By creating a Supload account, you agree to the practices described in this policy. If you do not agree, do not create an account or use the App.
2. Privacy at a Glance
| Question | Answer |
|---|---|
| What do you collect? | Account info only: email, display name, user ID |
| What don’t you collect? | Your photos, videos, ad identifiers, browsing history, contacts, health data, financial data |
| Where do my photos go? | Directly from your device to YOUR cloud storage (Google Drive, Dropbox, or OneDrive) — never sent to our servers |
| Third-party trackers? | None. Zero third-party analytics or advertising SDKs |
| Analytics? | Opt-in only, de-identified, first-party, auto-deleted after 28 days |
| How do I delete everything? | Profile > Account > Delete Account — permanent, immediate, anytime |
3. Information We Collect
3.1 Account Information
When you sign in, we collect the following from your authentication provider (Google, Apple, or your organization’s SSO):
| Data | Purpose | Source |
|---|---|---|
| Email address | Authentication, account identification, profile display | Auth provider (Google Sign-In, Sign in with Apple, or organization SSO via Microsoft Entra ID) |
| Display name | Profile display within the app | Auth provider |
| User ID | Unique account identifier (Supabase UUID) | Generated at sign-up |
| Installation ID | Per-device identifier for session management | Generated on first launch |
| Terms acceptance record | ToS version, Privacy Policy version, timestamp of acceptance, IP address, user agent, and email | Recorded at account creation |
When you link a cloud storage provider (Google Drive, Dropbox, or OneDrive), we receive the account identifier and email address associated with your cloud account through the OAuth authorization flow. This may be different from the email you used to sign in. We use this information solely to establish and manage the connection to your cloud storage.
3.2 Photos and Videos
Supload captures photos and videos using your device’s camera. These files are:
- Stored locally on your device within your local install of the iOS Supload app as temporary groups until you upload or delete them
- Uploaded directly to your linked cloud storage (Google Drive, Dropbox, or OneDrive) when you initiate an upload — runs in the background with checkpoint-based resume
- Deleted from your device once safely uploaded to cloud storage
- Never sent to, stored on, or processed by Supload’s servers
We do not access, view, analyze, scan, or use the content of your photos or videos for any purpose other than facilitating their upload to your chosen cloud storage provider. Our backend stores metadata necessary to operate the service (such as upload status and group structure), but never the content of your media files.
When you use offline mode, Supload caches your cloud storage folder structure (folder names and hierarchy) locally on your device so you can queue uploads without an internet connection. This cached data is stored locally on your device within the App’s private storage, never sent to Supload’s servers, and is deleted when you disable offline mode, unlink the cloud provider, or delete your account. This cache may be refreshed in the background when offline mode is enabled, using iOS background processing to keep your folder structure current.
Supload LLC is not responsible for any loss, corruption, or inaccessibility of content stored locally on your device prior to upload completion. Until an upload is confirmed complete, your content exists only on your device and is solely your responsibility. For more information, see our Terms of Service, Section 5.4.
3.3 Location Data (Optional — You Control This)
If you enable “Content Location” in the App’s settings, Supload records the GPS coordinates where a photo or video is captured and stores them in a private file on your device, within the App’s sandboxed storage. These coordinates power the in-app map, which shows your capture locations — useful for job sites, inspections, and field documentation.
These coordinates are not written into your photo or video files (they are not added to the photo’s EXIF metadata), are not uploaded with your media to your cloud storage, and are never sent to Supload’s servers or included in analytics. They remain on your device.
The App requests “While Using the App” location authorization only (never “Always”). When you disable Content Location, the App stops recording new capture locations immediately.
3.4 Usage Analytics (Opt-In Only — You Control This)
We collect de-identified, aggregated usage analytics to improve the App. These include feature usage patterns, app performance metrics, and error rates.
Analytics are off by default. You must opt in to share analytics data. You can change this at any time in Profile > Privacy > “Share usage analytics.”
How we protect your analytics data when you opt in:
- First-party only. Analytics go exclusively to our own backend (Supabase). We never share them with third-party analytics services.
- PII-stripped before storage. Every analytics event passes through a sanitization filter that blocks an extensive set of PII key patterns (including email, display name, GPS coordinates, IP address, device identifiers, file paths, folder paths, group names, tokens, and secrets) and scans all string values for email patterns, redacting matches automatically.
- Consent is checked before every event. If you have not opted in, no analytics events are sent. No restart required.
- Short-lived. Auto-purged after 28 days (
pg_cron, 03:10 UTC).
We do not use any third-party analytics SDKs.
3.5 Crash Reports
Crash reports include error type and stack trace, app version and build number, device model and iOS version, and error context (non-PII only). Production builds do not log PII. Crash reports are stored for up to 90 days (auto-purged via pg_cron, 03:50 UTC). On account deletion, local crash log files are also deleted from your device.
3.6 Customer Portal and Website
The Supload marketing website (sup-load.com) provides product information, pricing, FAQ, and legal documents. The customer portal (hosted on Cloudflare Pages) uses strictly necessary first-party cookies for authentication and session management; these cookies are required for the portal to function. We do not use advertising, analytics, or tracking cookies on the portal or the website. Cloudflare processes your IP address transiently for routing and security. We do not use Cloudflare’s analytics, advertising, or tracking features.
3.7 Device and Technical Information
We access certain device capabilities for core functionality. Each permission requires your explicit approval through an iOS system prompt before Supload can access it:
| Permission | Purpose | Required? |
|---|---|---|
| Camera | Capture photos and videos | Yes — core functionality |
| Microphone | Record audio with video | Yes — for video capture |
| Photos (Limited or Full Access) | Import existing photos and videos into Supload for organization and upload. With Limited Access, Supload sees only the photos you select. With Full Access, Supload can browse your library and — if you enable it — remove imported originals from your Camera Roll to free up space; Supload keeps its own copy of imported media until your upload to cloud storage completes (see Terms of Service, Section 4.5). Supload only accesses or modifies photos you explicitly select or act on. We do not scan, index, or analyze your broader library. | Optional — only if you import from your existing library |
| Location (While Using the App) | Record capture location for the in-app map (stored on your device only — see Section 3.3) | Optional — controlled in Profile > Privacy > Content Location and in iOS Settings |
| Notifications | Receive upload completion alerts and account notifications | Optional |
| Cellular Data | Upload content over cellular networks | Optional — controlled in iOS Settings |
You can change or revoke any permission at any time in iOS Settings > Supload. Revoking a required permission may limit the App’s functionality. We do not request “Always” location access. “Allow Tracking” is not requested because Supload does not track you (see Section 9).
3.8 Information We Do NOT Collect
We do not collect advertising identifiers (IDFA), browsing history, contacts, health or fitness data, financial or payment card information (Stripe handles payments — we never see your card number), biometric data, call logs or SMS messages, or data from other apps.
3.9 In-App Feedback and Diagnostic Logs (Optional — You Control This)
If you submit feedback through Profile > Send Feedback, we collect your message, category (bug, feature request, or general), app version, device model, and iOS version. You may optionally include your email address for follow-up.
If you enable “Include Diagnostic Logs” when submitting feedback, Supload attaches on-device logs from your current app session using Apple’s OSLogStore framework. These logs help us diagnose the issue you are reporting. Diagnostic logs may include app state transitions, network request metadata, timestamps, and non-PII context messages written by the App. They do not include the contents of your photos or videos, your cloud storage credentials, or your cloud file contents.
Diagnostic logs are truncated to 100 KB before submission. You can also export logs to a file via Profile > Send Feedback > Export Logs, which generates a .log file you control — Supload does not receive a copy of exported files unless you choose to include them in a feedback submission.
Feedback submissions are accessible to Supload LLC staff for support and product improvement purposes. Feedback submitted without the diagnostic logs toggle enabled is stored without any device logs. If you do not wish to share diagnostic logs, do not enable the toggle. Your feedback is included when you download your data and is deleted when you delete your account (see Sections 7 and 8).
3.10 Information Collected Before Account Creation
You may use the App’s camera, local photo organization, and on-device features before creating an account. Before account creation, Supload does not send any data to our servers. Data collected locally during pre-account use includes: a device-generated installation ID (for session management), crash reports if you opt in (stored locally until uploaded at your election), and iOS permission grants (stored by iOS, not by us). When you create an account, these locally-stored records may be associated with your new account. Until account creation, no personal information is transmitted to Supload’s servers.
4. How We Use Your Information
| Information | Purpose | Legal Basis |
|---|---|---|
| Email and Name | Authentication, profile display | Contract performance |
| User ID and Installation ID | Account management, session handling | Contract performance |
| Cloud provider account details | Cloud storage connection management | Contract performance |
| Terms acceptance record | Version tracking, compliance | Legitimate interest |
| Photos/Videos | Local staging and upload to your cloud | Contract performance |
| Location (optional) | In-app map (stored on your device) | Consent |
| Usage Analytics (opt-in) | App improvement | Consent |
| Crash Reports | Bug fixing, stability | Legitimate interest |
| Device Info | Core functionality | Contract performance |
We do not use your information for advertising, profiling, automated decision-making, selling to third parties, training machine learning models, or cross-app tracking. We do not make any automated decisions that produce legal effects or similarly significant effects on you.
We conduct data protection assessments as required by applicable law.
5. Third-Party Services and Subprocessors
A complete list of subprocessors is published at sup-load.com/subprocessors. For Enterprise customers, we provide at least 30 days’ notice of material changes to our subprocessor list by updating the published list and, where we have the Enterprise administrator’s email on file, by email. Individual users can check the published list at any time.
5.1 Cloud Storage Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Drive | Photo/video upload destination | Your media files (directly from your device to your Google account) |
| Dropbox | Photo/video upload destination | Your media files (directly from your device to your Dropbox account) |
| Microsoft OneDrive | Photo/video upload destination | Your media files (directly from your device to your OneDrive account) |
Supload requests only the permissions needed to let you choose a destination folder and upload to it. For Google Drive, this means reading the names and structure of your folders — so you can choose where to upload and use that folder structure offline — and creating new files and folders. Supload does not read, download, or modify the contents of your existing files. The specific permissions requested are determined by the OAuth scopes displayed during each cloud provider’s authorization screen. If future versions require additional permissions, we will disclose the changes before requesting them.
Google API Services User Data Policy. Supload’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5.2 Authentication Providers
Google Sign-In, Sign in with Apple, Microsoft, and Organization SSO. Supload uses Microsoft’s MSAL library both for Enterprise single sign-on (via Microsoft Entra ID) and to connect consumer Microsoft OneDrive accounts for cloud storage. For Enterprise customers using directory sync (SCIM 2.0), your identity provider shares user provisioning data (email, display name, group membership, active status) with Supload to manage organization membership. Supload does not share data back to the identity provider beyond deprovisioning confirmations. See Google Privacy Policy, Apple Privacy Policy, Microsoft Privacy Statement.
5.3 Payment Processing
Stripe handles billing for Pro and Enterprise subscriptions, processed through a secure web checkout. We receive subscription status and billing email — never full payment card numbers. Supload does not sell subscriptions through Apple In-App Purchase, and Apple does not process Supload subscription payments. See Stripe Privacy Policy.
5.4 Backend and Infrastructure
Supabase (hosted on AWS US West) — authentication, crash reporting, analytics, session management. See Supabase Privacy Policy. Cloudflare Pages — customer portal and website hosting.
5.5 Email Delivery
Resend — transactional email delivery (notifications, usage digests). Resend processes user email addresses to deliver messages. See Resend Privacy Policy.
5.6 SDK Privacy Manifests
All third-party SDKs have verified Apple Privacy Manifests (PrivacyInfo.xcprivacy). SDKs that access or transmit user data: supabase-swift (backend), gotrue-swift (authentication), GoogleSignIn-iOS (Google sign-in), AppAuth-iOS (OAuth flows), google-api-objectivec-client-for-rest (Google Drive API), gtm-session-fetcher (Google HTTP transport), SwiftyDropbox (Dropbox API), MSAL (Microsoft sign-in and OneDrive), KeychainAccess (secure local storage), swift-crypto (cryptographic operations). Additional utility libraries (swift-concurrency-extras) are listed in the App under Profile > About > Open Source Licenses. We update this list before adding new SDKs.
6. Data Storage and Security
6.1 On Your Device
| Data | Storage | Protection |
|---|---|---|
| Cloud OAuth tokens (Google / Dropbox / OneDrive) | iOS Keychain (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, not synchronized to other devices) | Hardware-encrypted; never sent to Supload’s servers |
| App preferences | UserDefaults (no PII) | Sandboxed |
| Photos/videos | App Documents directory (temporary — deleted after upload) | Sandboxed in the App’s private storage. To let uploads finish in the background while your device is locked, staged media uses a Data Protection class that keeps it accessible after your device’s first unlock (rather than the strictest class, which would lock it whenever the screen locks) |
| Cloud folder cache (offline mode) | App’s private storage (local only) | Sandboxed; deleted when offline mode is disabled, the cloud provider is unlinked, or the account is deleted |
6.2 On Our Backend (Supabase / AWS US West)
| Data | Protection | Retention |
|---|---|---|
| Account info | Row Level Security (RLS), encrypted at rest | Until account deletion |
| Usage analytics | RLS, PII-stripped, encrypted at rest | 28 days (auto-purged daily) |
| Crash reports | RLS, encrypted at rest | 90 days (auto-purged daily) |
| Session tokens | Encrypted, Supabase Auth managed | Session duration |
Row Level Security policies are applied to tables containing user data. The iOS app uses only the Supabase anon key (not service_role), so RLS cannot be bypassed from the client.
6.3 Security Measures
All network communication uses HTTPS/TLS (ATS fully enabled, no exceptions). Cloud OAuth tokens are stored in the iOS Keychain with hardware encryption and afterFirstUnlockThisDeviceOnly access control, are not synchronized to other devices, and are never stored on Supload’s servers. PII sanitization is applied to all analytics. Secrets are managed through secure build processes and are never stored in source code. Production builds do not log PII.
Supload staff may access account information (email, organization membership, audit logs) for support, compliance, and operational purposes. Staff access is role-based and limited to organization-level data. Staff cannot access your photos, videos, cloud provider credentials, crash reports, or usage analytics.
Supload LLC implements commercially reasonable security measures but does not guarantee absolute security. No method of electronic transmission or storage is completely secure. You are responsible for maintaining the security of your device, authentication credentials, and cloud storage accounts. Supload LLC is not responsible for unauthorized access resulting from compromised device security, weak or reused passwords on third-party services, or security incidents at your cloud storage provider.
7. Data Retention and Deletion
7.1 Retention Schedule
| Data | Retention | Deletion |
|---|---|---|
| Account info | Until account deletion | Cascades to all tables |
| Terms acceptance record | 3 years after account deletion | Retained for legal claims defense; auto-deleted after 3 years (pg_cron, monthly) |
| Usage analytics | 28 days | Auto-purge (pg_cron, 03:10 UTC) |
| Crash reports | 90 days | Auto-purge (pg_cron, 03:50 UTC) |
| Audit trail | 1 year | Auto-purged after 1 year (pg_cron, 04:00 UTC). Entries record actions taken under your account and retain the acting user’s identifier as part of our security and compliance records; they are not anonymized on account deletion (see Section 7.2) |
| Local photos/videos | Until uploaded or manually deleted | Auto-deleted after confirmed upload; manual deletion in-app |
| Cloud uploads | Managed by you | Via your cloud provider |
| Cloud OAuth tokens | Session duration | Cleared on sign-out or deletion |
| Local crash logs | Until account deletion | Deleted from Documents/CrashLogs/ |
| Inactive Free accounts | 12 months of inactivity | Subject to deletion with reasonable email notice (see Terms of Service, Section 18.3) |
| Feedback submissions | Until account deletion | Deleted with account via cascade |
No personal data is retained indefinitely.
7.2 Account Deletion
Profile > Account > Delete Account (double confirmation).
Server-side: An Edge Function cascades deletion to your user data tables — analytics, crash reports, upload history, group metadata, feedback submissions, and session records. The terms acceptance record (ToS version, Privacy Policy version, timestamp, and email) is retained for three (3) years for legal claims defense, then permanently deleted. Audit trail entries that record actions taken under your account retain the acting user’s identifier (they are not anonymized) and are kept as part of our security and compliance records until the organization is deleted or the 1-year audit-trail retention period expires, whichever comes first. We rely on our legitimate interest in security, fraud prevention, and maintaining accurate compliance records as the basis for this limited, time-bound retention. All other account data is permanently deleted. If any table deletion fails due to a technical error, we will identify and remove the residual data promptly upon detection.
Device-side: All files from Documents and Caches cleared, all app-specific UserDefaults keys removed, all Keychain items deleted, local crash logs deleted.
Not affected: Files already in your cloud storage. You manage those directly.
8. Your Privacy Rights
8.1 All Users
- See your data. Photos are in your cloud. Account info is in your profile.
- Download your data. Profile > Account > Download My Data. You will receive a copy of all account information Supload stores about you, including your profile, organization memberships, cloud service connections, terms acceptance records, usage analytics (if opted in), crash reports, feedback submissions, and audit trail entries associated with your actions. OAuth tokens and information privileged for another party (such as another organization member’s data) are excluded for security.
- Delete everything. Profile > Account > Delete Account.
- Turn on/off analytics. Profile > Privacy > “Share usage analytics.” Immediate.
- Control location. Profile > Privacy > “Content location.” Immediate.
- Unlink cloud services. Profile > Cloud Services.
8.2 United States Residents
If you live in a US state with a comprehensive privacy law — including but not limited to California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia — you have rights to access, delete, correct, and port your data, and to opt out of sale or targeted advertising.
We do not sell your personal data. We do not share your personal data for targeted advertising. We do not share your personal data with data brokers, ad networks, or any third party for commercial purposes. There is no sale or sharing to opt out of. For details on our tracking practices, see Section 9.
Universal Opt-Out Mechanisms. We recognize Global Privacy Control (GPC) and similar opt-out preference signals as valid requests to opt out of sale or sharing. Because we do not sell or share personal data for targeted advertising, there is no sale or sharing to opt out of — regardless of whether you use GPC.
For CCPA/CPRA: Categories collected are identifiers, internet activity (opt-in analytics only), geolocation (optional, stored on your device only), and audio/visual information (on your device and cloud only). We do not sell personal information or share it for cross-context behavioral advertising. In the twelve months preceding the effective date of this Privacy Policy, Supload LLC has not sold or shared any personal information.
Sensitive Personal Information. Under CCPA/CPRA, ‘sensitive personal information’ includes categories such as precise geolocation and biometric data. Supload records precise geolocation only if you enable Content Location, and only in a private file on your device that powers the in-app map — it is not written into your photos, not uploaded with your media, and not transmitted to or stored by Supload. We do not use sensitive personal information to infer characteristics about you.
California Shine the Light Law. California residents may request information about our disclosure of personal information to third parties for those third parties’ direct marketing purposes. Supload does not share personal information with third parties for their direct marketing purposes.
Right to Appeal. If we deny a privacy rights request, we will explain why and provide instructions for how to appeal the decision. You may submit an appeal by emailing privacy@sup-load.com with the subject line “Privacy Rights Appeal.” We will respond to appeals within the timeframe required by applicable state law.
8.3 European Economic Area — GDPR
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), object to processing (Art. 21), withdrawal of consent through App settings, not be subject to automated decision-making (Art. 22), and lodge a complaint with your local supervisory authority (Art. 77).
We do not make any automated decisions that produce legal effects or similarly significant effects on you.
Data Controller: Supload LLC, 502 W 7th ST, STE 100, Erie, PA 16502 · Privacy Contact: privacy@sup-load.com · Legal Bases: Contract performance; Consent; Legitimate interest; Legal obligation.
8.4 Canadian Residents — PIPEDA
Access, correction, and consent withdrawal. Contact privacy@sup-load.com.
8.5 Exercising Your Rights
Contact privacy@sup-load.com. Response within 30 days. No fee. We may verify your identity before fulfilling a privacy rights request by matching the information you provide with the account information we have on file. We will not fulfill requests that we cannot reasonably verify. You may designate an authorized agent to submit a privacy request on your behalf. We may require the agent to provide written authorization from you and may verify your identity directly.
9. Tracking and Advertising
Supload does not track you across other apps or websites. No IDFA, no ads, no ad networks, no data brokers, no third-party cross-app analytics, no cross-context behavioral advertising, no device fingerprinting, no SKAdNetwork. NSPrivacyTracking = false. No ATT prompt because there is no tracking.
We also honor Do Not Track (DNT) browser signals. Because we do not track users across websites or apps, DNT signals do not change our data practices.
10. Age Requirement
Supload is designed for working professionals. You must be at least 18 years old to create an account. During account creation, you must check a box confirming you are 18 or older, as stated in our Terms of Service.
We do not knowingly collect personal information from anyone under 18. If we learn that a user is under 18, we will promptly delete their account and all associated data. If you believe a user under 18 has created an account, contact privacy@sup-load.com.
App Store Age Signals. Several states have enacted App Store Accountability Acts imposing age verification and parental consent obligations on app stores and app developers. Effective dates for developer requirements include: Utah (in effect since May 6, 2026); Louisiana, July 1, 2026; California (Digital Age Assurance Act), January 1, 2027. Texas’s similar law was originally scheduled to take effect January 1, 2026, but its enforcement has been affected by a federal court challenge. Additional states have enacted or proposed similar laws. When Apple provides us with an age category signal indicating a user is under 18, we will restrict account creation consistent with applicable state law.
11. Enterprise and Organization Accounts
Your administrator may manage cloud policies, require SSO, and access aggregated analytics (not individual photos). Organizations own the organizational data (group structures, team configurations, aggregated analytics). Individual users’ photos remain their own — uploaded to their personal cloud storage (Google Drive, Dropbox, or OneDrive), not accessible to administrators through the App.
Each organization’s data is logically separated through Row Level Security policies. No organization can access another organization’s data through the App or customer portal.
11.1 Data Processing Agreements
A standard Data Processing Agreement (DPA) is available for Enterprise customers upon request. The DPA documents the roles, responsibilities, and obligations of each party regarding the processing of personal data. To request a DPA, contact legal@sup-load.com.
12. On-Device Processing and AI Features
All processing happens on your device: capture (AVFoundation), encoding, thumbnail generation, night mode, red-eye reduction, QR code scanning, text recognition, document detection, and caching. Version 1.0 includes on-device features powered by Apple system frameworks (AVFoundation, Vision). These process data entirely on your device and never send content to external servers.
Future on-device intelligence features (scene detection, OCR enhancements, document scanning improvements) will use Apple’s Core ML and Vision frameworks exclusively, process entirely on-device, never train on your content, and be disclosed before release with at least 30 days’ notice.
13. International Data Transfers
Account info, crash reports, and analytics are stored on Supabase (AWS US West). For EEA users, transfers use Standard Contractual Clauses and Supabase’s data processing agreements. Supload has assessed the risks of transferring personal data to the United States and has determined that the combination of Standard Contractual Clauses, encryption at rest and in transit, and the security measures described in Section 6 provides adequate protection. Transfer Impact Assessments are available to Enterprise customers upon request. Photos and videos transfer directly to your cloud provider.
14. Data Breach Notification
14.1 Definition
A “security breach” means an incident in which account data (email, display name, user ID, or other personal information) is accessed, acquired, or disclosed by an unauthorized party.
14.2 Notification to Users
We will notify affected users as soon as practicable after discovering a security breach, and no later than any deadline required by applicable state breach notification law. Where GDPR applies, we will notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Notification will be sent to the email address associated with your account and, when feasible, through an in-app notification.
Supload LLC’s notification obligations apply only to data that Supload LLC stores on its servers (account information, analytics, crash reports). Because Supload does not store, access, or process your photos or videos, Supload LLC has no obligation to notify you of security incidents at your cloud storage provider (Google Drive, Dropbox, or OneDrive) or authentication provider (Google, Apple, Microsoft). You should monitor security notifications from those providers directly.
14.3 Notification to Authorities
Where GDPR applies, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. We will comply with all applicable state breach notification laws, including any requirements to notify state attorneys general, consumer reporting agencies, or affected individuals, and any requirements to provide credit monitoring services.
14.4 What We Provide
Breach notifications will include: a description of the nature of the breach, the types of data involved, the likely consequences, the measures taken or proposed to address the breach, and contact information for questions.
15. Business Transfers
If Supload LLC is acquired by or merged with another company, or if we sell substantially all of our assets, your account data may be transferred to the successor entity as part of that transaction. We will use commercially reasonable efforts to notify users of any such transfer and of any material changes to this Privacy Policy that result. Until a new privacy policy takes effect, the successor entity will be bound by the commitments in this Privacy Policy. You may delete your account at any time. In the event of bankruptcy or receivership, we will use reasonable efforts to ensure any successor entity adheres to the commitments in this Privacy Policy.
16. Law Enforcement Requests
Supload LLC discloses account data to law enforcement only where we reasonably believe we are legally required to do so. We evaluate each request for legal validity, scope, and jurisdiction, including compliance with the Stored Communications Act (18 U.S.C. § 2701 et seq.) and other applicable law. We may challenge overbroad or legally deficient requests. Our policy is to notify affected users before disclosure unless we are prohibited from doing so by law or we reasonably believe notice would create a risk of harm. We produce only the minimum data responsive to a valid request. Contact legal@sup-load.com for questions.
17. Marketing Communications
You may opt out of marketing at any time via unsubscribe link or by contacting us. We process opt-outs within 10 business days. We never send marketing to users who have not opted in or who have opted out.
18. Changes to This Policy
Material changes: we update the “Last Updated” date, provide in-app notification at least 30 days before changes take effect, and note what changed in the Version History.
19. App Store Privacy Label
| Category | Details |
|---|---|
| Data Used to Track You | None |
| Data Linked to You | Email, Name, User ID |
| Data Not Linked to You | Product Interaction (opt-in analytics) |
| Data Not Collected | Photos/Videos (processed on-device, uploaded directly to your cloud storage — never sent to Supload servers), Precise Location (optional Content Location feature; recorded only in a private on-device file for the in-app map — never written into your photos, never uploaded, never sent to our servers) |
Note: This label must be kept consistent with the App’s Privacy Manifest (PrivacyInfo.xcprivacy), which Apple cross-checks at submission. Verify both against Apple’s current App Store privacy label categories before submission. Because Supload does not store, transmit, or process photos/videos or precise location on its servers, they qualify as “Data Not Collected” under Apple’s framework.
20. Contact
Privacy: privacy@sup-load.com · General: info@sup-load.com · Legal / Law Enforcement / DPA Requests: legal@sup-load.com · Website: https://sup-load.com · Mail: Supload LLC, 502 W 7th ST, STE 100, Erie, PA 16502, United States