This Privacy Policy explains what data macup handles, why we handle it, how long we keep it, and the rights you have over it. We wrote it ourselves so you can actually read it. The technical details about how data flows between systems live in our Data Processing Addendum.
Who we are
macup is made by macup, Inc., a Delaware corporation. We build the macup backup application for Mac — a desktop app that protects your work by continuously copying it, encrypted, to the destinations you choose.
For any question about this policy, or to exercise a privacy right, email legal@macup.app. For security disclosures, email security@macup.app.
In this policy, “macup,” “we,” and “us” mean macup, Inc. “You” means the person using the macup app, or the account holder on your team’s plan.
What we collect
We try to collect the minimum data needed to make the product work, keep it secure, and bill for it. Here’s the full list.
Account data
When you create a macup account we store your email address, a hashed and salted form of your passphrase (we never see the plaintext), the identifiers of the Macs you’ve registered against your account, your license state, and your plan. If you’re on a team plan we also store which organization you belong to and your role inside it.
Encrypted backup data
When macup backs up your files it encrypts them on your Mac before they leave the device. The encryption key is derived from your passphrase inside macOS and stored in your Mac’s Keychain. We do not have a copy of that key, and we cannot read your backup contents — not the file bytes, not filenames, not folder structure. If you destroy your passphrase and recovery code, we cannot recover your data for you. That limitation is the whole point of the product.
When you use macup Cloud as a destination, we hold the resulting ciphertext on your behalf in a hot object-storage provider’s infrastructure. When you use an external drive, a NAS, or bring-your-own-storage, we don’t hold the ciphertext at all.
Operational metadata
To run the service we collect a small amount of operational metadata about your backups: when each Mac last checked in, the size of each snapshot, the health of each destination, and error codes when something fails. This metadata does not include filenames, file contents, or folder paths. It exists so the app can show you an honest status, and so we can diagnose failures without asking you to send us logs of your work.
Payment data
We use a third-party merchant of record to process payments. They collect and store your payment instrument; we don’t. We receive a customer identifier, the plan you’re on, and enough transactional information to reconcile invoices and apply tax correctly.
Website and analytics
On macup.app we use strictly necessary cookies to keep the site working and, only after you consent, a small amount of privacy-respecting analytics to understand which pages people read. We cover this in full on the Cookies page.
Why we collect it
Under the General Data Protection Regulation (GDPR), every piece of personal data needs a lawful basis. Here are ours, in plain language:
- Contractual necessity (Article 6(1)(b)) for account data, encrypted backup data, and the operational metadata needed to deliver the product. You can’t have a backup service without these.
- Legitimate interests (Article 6(1)(f)) for security logging, fraud prevention, and basic service-health telemetry. We’ve balanced this against your interests and keep the scope narrow.
- Legal obligation (Article 6(1)(c)) for retaining transactional records for tax, accounting, and anti-fraud purposes.
- Consent (Article 6(1)(a)) for non-essential website analytics. You can withdraw consent at any time from the cookie banner.
If you’re in the UK, the equivalent UK GDPR bases apply. If you’re in California, we handle personal information under the California Consumer Privacy Act as amended by the CPRA.
How we use it
We use the data listed above to:
- Deliver the product — run your backups, talk to your destinations, tell you when something needs your attention, and let you restore.
- Secure the product — detect abuse, rate-limit misuse, investigate incidents, and patch vulnerabilities.
- Communicate service-related notices — expiring licenses, destination failures, security advisories, and planned maintenance. We keep these rare and we don’t sell them as “marketing.”
- Provide support when you ask for it, and only for as long as your ticket is open.
- Comply with legal obligations (tax records, lawful process).
We do not sell your personal data. We do not use your encrypted backup data to train models, profile you, or feed any kind of recommender. Under CCPA/CPRA we do not “sell” or “share” personal information for cross-context behavioral advertising.
Retention
We keep different categories of data for different lengths of time, and we don’t keep anything longer than needed:
- Account data — for the lifetime of your account, plus 30 days after closure to allow reactivation and to finalize billing. After that, it’s deleted or irreversibly anonymized.
- Encrypted backup data — for as long as your retention policy says. You choose the policy in the app; we apply it. When snapshots age out, they’re deleted.
- Operational metadata — 90 days in hot storage, then aggregated or deleted.
- Audit logs (administrative actions, access events, security-relevant events) — 12 months.
- Transactional and invoicing records — up to 7 years, because tax law requires it.
When you delete your account, we delete account data within 30 days and initiate deletion of any macup Cloud storage you hold, subject to any legally required retention of invoicing records.
Sub-processors
We use a small set of third-party providers to deliver the service. We keep the categories public here and the current named list in our Data Processing Addendum, because vendors change faster than privacy policies should:
- A third-party merchant of record for payments, invoicing, and tax.
- An authentication and managed-database provider for account records and server-side state.
- A hot object-storage provider for macup Cloud destinations.
- A CDN and static-hosting provider for macup.app and app downloads.
- An email-delivery provider for transactional messages.
The current sub-processor list with named vendors, their roles, and their locations is part of our Data Processing Addendum, available at /legal/dpa. We notify account holders of material sub-processor changes before they take effect.
International transfers
macup is a US company. Our servers and sub-processors are primarily in the United States and the European Union. Where personal data of EU/UK residents leaves the EEA, we rely on Standard Contractual Clauses (the European Commission’s 2021 SCCs, with the UK International Data Transfer Addendum where applicable) and supplementary measures documented in our DPA. The ciphertext we hold for macup Cloud customers is end-to-end encrypted with keys we don’t possess — which materially limits what any transfer actually exposes.
Your rights
If you’re in the EU, UK, EEA, Switzerland, or a US state with comprehensive privacy legislation, you have rights over your personal data. We honor these rights everywhere we operate, regardless of where you live.
Under GDPR (Articles 15–22) you have the right to:
- Access the personal data we hold about you (Art. 15).
- Have inaccurate data rectified (Art. 16).
- Have your data erased, also known as the “right to be forgotten” (Art. 17).
- Restrict processing in certain circumstances (Art. 18).
- Receive a machine-readable export of the data you’ve given us, known as data portability (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Not be subject to solely automated decisions with legal or similarly significant effects (Art. 22). We don’t run any such decisioning.
Under CCPA/CPRA you have the right to: know what we collect, delete what we hold, correct what’s inaccurate, limit use of sensitive personal information, opt out of “sale” or “sharing” (we don’t do either), and not be discriminated against for exercising any of these rights.
To exercise any right, email legal@macup.app from the address on your account, or open a ticket from inside the app. We respond within 30 days. We may need to verify your identity before acting on a request. If we decline a request, we’ll tell you why, and you always have the right to complain to your local data-protection authority.
Cookies and analytics
macup.app uses a minimal set of cookies: strictly necessary ones for the site to function, and, if you consent, privacy-respecting analytics to understand which pages get read. The desktop app itself does not use cookies. For the full list, the purposes, and the retention of each cookie, see /legal/cookies.
Children
macup is a professional backup tool. It is not directed at children. We don’t knowingly collect personal data from anyone under 13 in the United States or under 16 in the European Union. If you believe a child has created an account, email legal@macup.app and we’ll delete it.
Changes to this policy
We’ll update this page when our practices change. When we do, we’ll bump the effectiveDate and lastReviewed fields at the top and log the change under revisions. For material changes — new categories of data, new purposes, new regions — we notify account holders by email at least 14 days before the change takes effect, so you have time to read, ask, or leave.
Contact
- Privacy questions, rights requests, or general legal enquiries: legal@macup.app
- Security vulnerability disclosures: security@macup.app
- Postal address: macup, Inc., Delaware, United States. Full registered address is available in our Data Processing Addendum.
If you’re in the EEA or UK and believe we’ve mishandled your data, you can complain to your local data-protection authority. We’d prefer you email us first so we can try to fix it.
Revision history
- — Initial version.
Questions?
Write to legal@macup.app. For security disclosures use security@macup.app. For product support use support@macup.app.