Legal Document
Privacy Policy
Last updated: 27 March 2026
Plain-language summary: Floatup collects only what it needs to run the service, never sells your data, stores everything encrypted on enterprise-grade global infrastructure, and you can export or delete your data at any time.
1Who We Are
Floatup is a project and task management platform operated by SNG Advisers. Our data controller contact is: legal@sngadvisers.com.
2What Data We Collect
Account data: Your name, email address, and password (bcrypt-hashed — never stored in plaintext).
Organisation data: Tasks, projects, clients, time logs, comments, and file attachments you create. This data belongs to you.
Usage data: Aggregated, anonymised page views and error logs used to improve the product.
Payment data: Processed by our payment processor. We receive only a transaction confirmation and last-four-digit reference — never full card numbers.
Organisation data: Tasks, projects, clients, time logs, comments, and file attachments you create. This data belongs to you.
Usage data: Aggregated, anonymised page views and error logs used to improve the product.
Payment data: Processed by our payment processor. We receive only a transaction confirmation and last-four-digit reference — never full card numbers.
3How We Use Your Data
We use your data solely to provide, maintain, and improve Floatup — including sending transactional notifications, processing payments, and preventing abuse.
We do not use your data to train AI models, serve advertisements, or sell to third parties under any circumstances.
We do not use your data to train AI models, serve advertisements, or sell to third parties under any circumstances.
4Data Storage & Security
All data is stored on Supabase infrastructure hosted on AWS. Storage region depends on your plan — US/EU regions available on paid plans.
Encryption at rest: AES-256 on all database volumes.
Encryption in transit: TLS 1.2+ enforced on all connections. HTTP redirects to HTTPS automatically.
Authentication: Passwords hashed with bcrypt. Sessions use signed JWTs with short expiry.
Row-level security: Every query is filtered by organisation ID at the database level — one org can never access another's data even if an application bug were to occur.
File attachments: Stored in private storage buckets, never publicly accessible — served only via signed, time-limited URLs.
Encryption at rest: AES-256 on all database volumes.
Encryption in transit: TLS 1.2+ enforced on all connections. HTTP redirects to HTTPS automatically.
Authentication: Passwords hashed with bcrypt. Sessions use signed JWTs with short expiry.
Row-level security: Every query is filtered by organisation ID at the database level — one org can never access another's data even if an application bug were to occur.
File attachments: Stored in private storage buckets, never publicly accessible — served only via signed, time-limited URLs.
5Data Backup & Retention
Automated backups: Supabase performs daily automated backups with a 7-day retention window (free tier) or 30 days (paid plans), stored in a separate availability zone.
Point-in-time recovery: Available on Pro and Business plans.
Account deletion: When you delete your account, all associated data is permanently deleted within 30 days. Deleted tasks go to Trash and are purged after 30 days.
Point-in-time recovery: Available on Pro and Business plans.
Account deletion: When you delete your account, all associated data is permanently deleted within 30 days. Deleted tasks go to Trash and are purged after 30 days.
6Data Sharing & Sub-processors
We share data only with these sub-processors, as necessary to provide the service:
Supabase Inc. — database & file storage (AWS)
Vercel Inc. — application hosting (USA)
Resend Inc. — transactional email (USA)
Payment processor — payment processing
Inngest Inc. — background job processing (USA)
Each sub-processor is bound by data processing agreements. We share no data with any other third party.
Supabase Inc. — database & file storage (AWS)
Vercel Inc. — application hosting (USA)
Resend Inc. — transactional email (USA)
Payment processor — payment processing
Inngest Inc. — background job processing (USA)
Each sub-processor is bound by data processing agreements. We share no data with any other third party.
7Your Rights
You have the right to access, export, correct, or delete your data at any time. Export is available in-app at Reports → Tasks CSV or Time CSV. To exercise any other right, email privacy@sngadvisers.com. We respond within 30 days.
8Cookies
Floatup uses only a technically-necessary authentication session cookie. No advertising, tracking, or analytics cookies are set. No cookie banner is shown.
9Changes to This Policy
We will notify you of material changes by email and in-app at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.
10Contact
Privacy questions: privacy@sngadvisers.com. Response time: within 2 business days.
Questions? Email us at privacy@sngadvisers.com — you will get a response from a real person.