Skip to content
GoDesk
LEGAL · PRIVACY

Privacy Policy

How upDevTeam LTD (the company behind GoDesk) collects, uses, and protects personal data when you visit godeskflow.com, sign up for an account, or use the GoDesk remote desktop client. Written for the GDPR, the UK GDPR, and the California Consumer Privacy Act.

Last updated: 2026-05-06
TL;DR

We try to collect the minimum data we need to run the service. End-to-end encrypted session content (your screen, keystrokes, files transferred) is never visible to us — our relay servers only see encrypted packets.

If you live in the EU, the EEA, the UK, Switzerland, or California, the rights described below apply to you. To exercise any of them, write to info@godeskflow.com — we will respond within 30 days.

Contents
  1. 01Who is responsible for your data
  2. 02What data we collect
  3. 03Why we use your data
  4. 04Lawful basis for processing
  5. 05Who we share data with
  6. 06International data transfers
  7. 07How long we keep your data
  8. 08Your rights
  9. 09Notice for California residents (CCPA / CPRA)
  10. 10Security
  11. 11Children
  12. 12Automated decisions
  13. 13Personal data breaches
  14. 14Changes to this policy
  15. 15How to contact us

01Who is responsible for your data

The data controller for personal data described in this policy is upDevTeam LTD, a company registered in the Republic of Cyprus. The controller's contact details are:

Company name
upDevTeam LTD
Registration no.
HE 438173
VAT no.
10438173A
Registered office
Republic of Cyprus (full address available from the Cyprus Department of Registrar of Companies and Intellectual Property)
Email
info@godeskflow.com
Telephone
+357 95964531
Data Protection contact
info@godeskflow.com

We have not appointed an EU Article 27 representative because we are established inside the EU. If you write to info@godeskflow.com we will route your request to the right person internally.

02What data we collect

We collect the following categories of personal data:

  • Account data. Email address, hashed password (or magic-link / OTP login if used), display name, and the timestamps of account creation and last login.
  • Service telemetry. Public peer IDs of devices you connect with, session start and end timestamps, total bytes relayed, and the IP address you connected from. We need these to enforce relay quotas, debug connectivity, and ban abusive IDs.
  • Billing data. When paid plans are live, billing name, address, VAT number, and the last 4 digits / expiry / brand of the payment card. The full card number is collected and stored only by Stripe — we never see it.
  • Support correspondence. Anything you write to us at info@godeskflow.com or through the help form, including any attachments you choose to send.
  • Website analytics. If you opt in to analytics on the cookie banner, Google Analytics 4 (property G-L1D5Z114P2) records page views, referrer, approximate (IP-truncated) location, a pseudonymous client identifier, and conversion events: select_plan (which paid plan you clicked on /pricing), download_click (which platform you downloaded from /download), and purchase (which subscription you completed via Stripe). Stripe's payment processing is governed by Stripe's own privacy policy. If you decline analytics, none of these events fire.

We do not knowingly collect special-category data (race, health, biometrics, political views, religion, sexual orientation). Do not put such data into peer names, machine names, or support tickets.

03Why we use your data

We process the data above for the following purposes only:

  • Operating the service: routing connections, authenticating you, applying quota and abuse limits.
  • Customer support: replying to questions, debugging issues you report, and improving documentation.
  • Billing and accounting: charging you for paid plans, issuing invoices, complying with Cyprus tax law.
  • Security and abuse prevention: detecting credential stuffing, banning abusive peer IDs, investigating violations of the Acceptable Use Policy.
  • Service improvement: aggregated and anonymised usage statistics that inform what we build next.
  • Legal obligations: responding to lawful court orders, retaining records required by law (e.g. invoices for 7 years under Cypriot tax law).

04Lawful basis for processing

Under GDPR Article 6, we rely on the following lawful bases:

Contract
Most processing related to running your account and delivering the service is necessary to perform the contract you have with us (Article 6(1)(b)).
Legitimate interest
Anti-abuse, server log retention, and basic product analytics fall under our legitimate interest in operating a secure service (Article 6(1)(f)). We have balanced this against your rights and consider it proportionate.
Consent
Optional analytics cookies, marketing emails, and any other optional processing rely on the consent you give via the cookie banner or the relevant opt-in (Article 6(1)(a)). You can withdraw consent at any time without affecting prior processing.
Legal obligation
Tax, accounting, and statutory record-keeping rely on Article 6(1)(c).

05Who we share data with

We do not sell your personal data. We share it only with the following sub-processors, each bound by a written data-processing agreement:

Supabase, Inc.
Account database, magic-link auth, telemetry storage. Hosted in the EU (eu-west-1, Frankfurt). United States parent — see international transfers below.
Hetzner Online GmbH
Compute and bandwidth for our relay and web infrastructure. Data stays in Hetzner's Cyprus and Falkenstein (Germany) regions.
Cloudflare, Inc.
DNS, CDN, and DDoS mitigation for godeskflow.com. Cloudflare may briefly process IP addresses and request metadata at edge points worldwide.
Google LLC (GA4)
Optional website analytics (only if you accept the cookie banner).
Stripe Payments Europe
Card processing for paid plans, when launched. Stripe acts as an independent controller for fraud-prevention purposes.

We may also share data with our auditors, tax advisers, and legal counsel under strict confidentiality, and with law-enforcement authorities where compelled by a valid order issued under Cypriot or EU law.

06International data transfers

Personal data is hosted in the European Economic Area (Hetzner Cyprus and Germany; Supabase Frankfurt). Some sub-processors are established outside the EEA — most notably the US parent companies of Supabase, Stripe, Cloudflare, and Google. When personal data is transferred to such recipients, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework.

If you would like a copy of the relevant SCCs or transfer impact assessments, write to info@godeskflow.com.

07How long we keep your data

We delete personal data when it is no longer needed for the purpose it was collected for, applying the schedule below. If you delete your account, we permanently erase or anonymise the corresponding data, except where law requires us to retain it (e.g. invoices).

Account data
Until you delete the account, plus 30 days of soft-delete buffer for accidental-deletion recovery.
Session telemetry
90 days, then aggregated into anonymous monthly counters.
Server access logs
30 days for routine logs; up to 12 months where we are actively investigating an abuse incident.
Invoices and tax records
7 years from the end of the financial year, as required by Cypriot tax law.
Support tickets
24 months after the last activity in the ticket.

08Your rights

If GDPR, UK GDPR, or comparable EEA law applies to you, you have the following rights with respect to your personal data:

  • Right of access. Ask for a copy of the personal data we hold about you and information about how we use it.
  • Right to rectification. Ask us to correct inaccurate or incomplete data.
  • Right to erasure. Ask us to delete your data, subject to exceptions for legal-obligation retention and pending legal claims.
  • Right to restrict processing. Ask us to stop using your data while we resolve a complaint or accuracy dispute.
  • Right to data portability. Ask for a machine-readable export of the data you provided to us, in JSON format.
  • Right to object. Object to processing based on our legitimate interest, including any direct-marketing emails.
  • Right to withdraw consent. Where processing relies on consent, you may withdraw it at any time without affecting earlier processing.

To exercise any of these rights, write to info@godeskflow.com. We will reply within 30 days. We may need to verify your identity before acting on a request.

If you believe we are mishandling your data, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, or with the supervisory authority of your country of residence.

09Notice for California residents (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to opt out of any 'sale' or 'sharing' of personal information. We do not sell or share personal information for cross-context behavioural advertising.

We treat verifiable consumer requests under the CCPA on a non-discriminatory basis: exercising your rights will not affect the level of service or pricing you receive.

To submit a CCPA request, email info@godeskflow.com. You may also designate an authorised agent in writing to act on your behalf.

10Security

We protect personal data with administrative, technical, and organisational measures appropriate to the risk: encryption in transit (TLS 1.3), encryption at rest for backups, role-based access control with least-privilege defaults, audit logging, mandatory two-factor authentication for staff, and an annual review of access rights.

End-to-end encrypted session content is never available to us in plaintext. See the Security Practices page for detailed cryptographic information.

11Children

GoDesk is not directed at children under 16 and we do not knowingly collect personal data from children. If you believe a child has created an account, contact info@godeskflow.com and we will delete the account promptly.

12Automated decisions

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects. Anti-abuse systems may temporarily flag suspicious traffic, but a human reviews any account suspension before it becomes final.

13Personal data breaches

If a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Commissioner for Personal Data Protection within 72 hours and inform affected users without undue delay, in line with GDPR Articles 33 and 34.

14Changes to this policy

We may update this policy to reflect product or legal changes. Material changes are announced by email (where we have your address) and on this page at least 30 days before they take effect, except where the change is required by law to take effect sooner.

15How to contact us

For privacy questions or to exercise any right, write to info@godeskflow.com. For general questions about the company, write to info@godeskflow.com.

Postal mail can be sent to the registered office of upDevTeam LTD (HE 438173) in the Republic of Cyprus.

This policy is provided in good faith but does not constitute legal advice. If a translated version conflicts with the English version, the English version controls.