PatchKit Privacy Policy
This Privacy Policy applies to the services and websites related to the PatchKit platform.
Effective date: 30 April 2026
1. Data Controller and Contact
The controller of personal data processed in connection with the use of PatchKit services is:
Upsoft sp. z o.o. Al. Marcina Kromera 51A 51-163 Wrocław Poland
Contact for matters relating to the protection of personal data: contact@patchkit.net
PatchKit is a service developed, maintained, and provided by Upsoft sp. z o.o. The platform enables software developers and publishers to distribute, update (patch), host, and manage versions of applications and games using cloud infrastructure.
Depending on the nature of the use of the service, Upsoft may process personal data:
- as the controller of personal data, or
- as a processor acting on behalf of customers using the PatchKit service.
Upsoft’s role with respect to the processing of personal data depends on the nature of the services provided and the relationship with the customer using PatchKit, and is described in Section 2 of this Privacy Policy.
2. Roles in the Processing of Personal Data
When using the PatchKit service, Upsoft may act both as a controller of personal data and as a processor of personal data. Upsoft’s role depends on the nature of the services provided, the type of data processed, and the way customers use the platform.
2.1 Upsoft as Controller
Upsoft acts as the controller of personal data in particular with respect to:
- management of PatchKit user accounts,
- handling payments and billing,
- communication with users and customers,
- handling contact requests and technical support,
- ensuring the security of the services and infrastructure,
- monitoring the operation of the platform,
- fulfilling legal obligations,
- pursuing or defending claims.
In such cases, Upsoft independently determines the purposes and means of processing personal data.
2.2 Upsoft as Processor
Upsoft may also process personal data on behalf of customers using the PatchKit service. This applies in particular to data of end users of applications or games distributed through PatchKit, and to data processed as part of services related to the publication, hosting, updating, and distribution of software.
In such cases:
- the customer using PatchKit remains the controller of personal data,
- Upsoft processes data only to the extent necessary to provide the PatchKit services,
- processing is carried out in accordance with the agreement concluded with the customer and applicable law.
Where personal data is processed on behalf of customers, Upsoft uses data processing agreements (DPAs) or appropriate contractual provisions compliant with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
3. What Personal Data We Process
The scope of personal data processed depends on the way the PatchKit services are used, the features utilized, and the relationship between Upsoft and the customer using the service.
3.1 User and Customer Data
In connection with the use of PatchKit services, Upsoft may process:
- first and last name,
- email address,
- login or username,
- account identifier,
- organization name,
- contact details of customer representatives,
- information regarding the subscription and the service plan used.
3.2 End User Data
As part of the services provided by PatchKit, technical data relating to end users of applications or games distributed through the platform may be processed. Depending on the service configuration and the way it is integrated with the application, the data may include in particular:
- IP address,
- device or installation identifier,
- operating system and its version,
- system architecture,
- application or game version,
- information about the application download, installation, and update process,
- application launch time,
- statistical data on application usage,
- information about download, installation, or update errors,
- other technical data transmitted by the application according to the configuration set by the customer.
The scope of data transmitted depends on the service configuration, the way the application is integrated with PatchKit, and the data made available by the customer using the service.
3.3 Technical and Security Data
To ensure the security and proper operation of PatchKit services, Upsoft may process:
- IP addresses,
- system logs,
- application logs,
- security logs,
- file download and distribution logs,
- device identifiers,
- login information,
- telemetry and diagnostic data,
- data relating to the operation of applications and services,
- information related to security, infrastructure monitoring, and error detection.
Technical data may also include information about the configuration of the user’s environment, used to ensure the proper operation of the distribution, update, and diagnostic processes.
3.4 Payment and Billing Data
Upsoft may process data necessary to handle payments and billing, in particular:
- invoicing data,
- payment history,
- subscription information.
Payment card data is processed directly by payment operators. Upsoft does not store full payment card details.
3.5 Data Processed Through Integrations and External Services
Depending on the service configuration and the integrations used by customers, PatchKit may process data originating from external services, such as:
- Amazon Web Services (AWS),
- Content Delivery Network (CDN) services,
- source code repositories,
- Continuous Integration and Continuous Deployment (CI/CD) systems,
- application and game distribution platforms,
- customer launchers,
- application monitoring and analytics tools,
- other integrations used by customers.
The scope of data processed depends on the service configuration and the integrations used by PatchKit customers.
4. Purposes and Legal Bases for Processing
Personal data is processed only to the extent necessary to operate and develop the PatchKit service, support users, ensure security, and fulfill legal obligations.
Data may be processed in particular for the purpose of:
- providing and maintaining PatchKit services,
- managing user and organization accounts,
- distributing, hosting, and updating applications and games,
- managing application versions and the publication process,
- monitoring the application download, installation, and update process,
- analyzing technical issues and application performance,
- ensuring the security of services and infrastructure,
- monitoring the operation of the platform,
- handling payments and billing,
- communicating with users and customers,
- handling contact requests and technical support,
- developing and improving PatchKit features,
- fulfilling legal obligations,
- pursuing or defending claims.
Technical data related to the operation of applications and their distribution process may also be used to:
- analyze errors and failures,
- ensure the integrity and correctness of distributed files,
- improve the performance and reliability of the distribution process,
- diagnose issues reported by users,
- monitor service quality across different user environment configurations.
The legal basis for processing personal data may be, in particular:
- the performance of a contract or the provision of services,
- the legitimate interest of Upsoft or of customers using PatchKit,
- the user’s consent,
- legal obligations to which the controller is subject.
Where Upsoft processes personal data as a processor on behalf of customers using PatchKit, the data is processed solely in accordance with the documented instructions of the controller, the agreement concluded, and applicable law.
5. Data Sharing and Processors
Personal data may be shared only to the extent necessary to provide the services, ensure security, fulfill legal obligations, or operate the features used by PatchKit.
Depending on the way the service is used, data may be shared with:
- cloud and hosting service providers,
- Content Delivery Network (CDN) providers,
- analytics service providers,
- payment operators,
- communication service providers,
- infrastructure monitoring and security service providers,
- providers supporting the application publication, distribution, and update process,
- Continuous Integration and Continuous Deployment (CI/CD) service providers,
- providers of integrations used by customers,
- entities providing technical or maintenance support.
Upsoft uses only providers that ensure an appropriate level of personal data security, and applies organizational and technical measures to protect the data.
Where providers process personal data on behalf of Upsoft or of customers using PatchKit, processing is carried out on the basis of:
- data processing agreements (DPAs),
- standard data processing terms applied by service providers,
- or other mechanisms compliant with the requirements of the GDPR.
Personal data may also be disclosed to competent public authorities, law enforcement agencies, courts, or other entities authorized to receive it, where such an obligation arises from the law or a legally binding request.
Detailed information regarding providers, services, and data transfers is maintained in the organization’s security documentation and registers.
6. Transfers Outside the European Economic Area (EEA)
In connection with the use of cloud services, SaaS services, Content Delivery Networks (CDNs), analytics tools, integrations, and third-party services, personal data may be transferred outside the European Economic Area (EEA).
Upsoft seeks to store personal data in infrastructure located within the EEA; however, some services or providers used within PatchKit may carry out data processing outside the EEA, in particular in the United States.
Where data is transferred outside the EEA, Upsoft applies appropriate data protection mechanisms in accordance with the requirements of the GDPR, in particular:
- Standard Contractual Clauses (SCCs),
- the EU–U.S. Data Privacy Framework (DPF),
- or other mechanisms permitted by law.
Data transfers may relate in particular to:
- cloud and hosting services,
- Content Delivery Network (CDN) services,
- analytics services,
- monitoring and logging systems,
- communication services,
- systems supporting application publication, distribution, and updates,
- services used by customers as part of integrations with PatchKit.
Upsoft applies a risk-based approach and minimizes the scope of data transferred to external services.
7. Security of Personal Data
Upsoft applies organizational and technical measures to protect personal data and ensure the security of PatchKit services. In particular, the following are applied:
- access control to systems and data,
- authentication of users and administrators,
- encryption of data in transit,
- security monitoring and event logging,
- backup and data recovery mechanisms,
- access restriction based on roles and the principle of least privilege,
- security measures for cloud environments and SaaS services,
- security measures for the infrastructure used to distribute and update applications,
- monitoring of service availability, performance, and integrity.
Data is stored in secured cloud environments, including:
- encrypted PostgreSQL databases,
- encrypted S3-type or equivalent storage resources,
- infrastructure managed using Amazon Web Services (AWS).
Access to personal data is granted only to authorized persons, and only to the extent necessary to perform their duties or provide the services.
Administrative access to customer data, organizations, and PatchKit environments is limited to situations requiring:
- technical support,
- error analysis,
- handling of support requests,
- ensuring the security of services,
- maintenance and development of the platform.
Access to data processed as part of customer services is carried out solely to the extent necessary to resolve the reported issue, provide technical support, or ensure the security of services, and in accordance with the access configuration, the support request, or the permissions granted by the account or organization owner.
Upsoft carries out activities aimed at:
- monitoring the security of services,
- mitigating risks related to data processing,
- responding to security incidents,
- ensuring the integrity of the application distribution and update process,
- continuously improving organizational and technical safeguards.
8. Data Retention Period
Personal data is stored only for the period necessary to:
- provide PatchKit services,
- achieve the purposes of processing,
- ensure the security of services and data,
- fulfill contractual obligations,
- comply with legal obligations.
The data retention period depends on the type of data, the nature of the service, legal requirements, information security requirements, and legitimate business needs.
Data related to user accounts, service configuration, application publication, the distribution process, version history, technical logs, and other information processed as part of PatchKit services may be stored for the duration of the use of the service, unless the customer or user deletes the data earlier or requests its deletion in accordance with applicable law.
Where Upsoft processes personal data solely as a processor on behalf of a customer using PatchKit services, the data retention period is determined by the controller in accordance with the agreement concluded and applicable law.
After the retention period ends, data is deleted or anonymized in accordance with applicable legal requirements and information security principles.
Specific retention periods are determined based on applicable legal and business requirements and the information security principles applied by Upsoft.
9. User Rights
Persons whose personal data is processed have the rights set out in Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), in particular the right to:
- access the data,
- rectify the data,
- erase the data,
- restrict processing,
- data portability,
- object to processing,
- withdraw consent,
- lodge a complaint with the competent supervisory authority.
Requests regarding the exercise of these rights can be sent to the contact address: contact@patchkit.net
Upsoft may verify the identity of the person submitting a request before fulfilling it, to the extent necessary to ensure the security of personal data and protect the rights and freedoms of others.
Where Upsoft processes personal data solely as a processor on behalf of a customer using PatchKit services, the exercise of data subject rights takes place in cooperation with the controller, in accordance with applicable law and the provisions of the agreements concluded.
10. Cookies and Analytics Technologies
PatchKit uses cookies and similar technologies in order to:
- ensure the proper operation of the services,
- maintain the user’s session,
- improve the operation of the platform,
- analyze traffic and use of the services,
- ensure the security of the services and users.
As part of PatchKit services, the following may be used:
- technical cookies,
- functional cookies,
- analytics cookies,
- cookies related to the security and operation of the services.
PatchKit may use analytics and monitoring tools, in particular:
- Matomo,
- Google Analytics,
- error and service monitoring tools,
- infrastructure performance and availability monitoring tools.
Analytics tools are used solely for the purpose of:
- analyzing the operation of the services,
- improving the quality of the platform,
- monitoring the performance and stability of the services,
- ensuring security,
- planning the development and optimization of PatchKit features.
Users can manage cookie settings using:
- their web browser settings,
- the settings available within the PatchKit services,
- the cookie management mechanisms provided on PatchKit websites.
To the extent required by law, the use of analytics cookies or similar technologies may require the user’s consent.
11. Children’s Data
PatchKit is not a service intended for independent use by children below the age required by applicable law on the use of digital services.
Upsoft does not direct its services to children and does not knowingly process children’s personal data without an appropriate legal basis or the consent required by law.
PatchKit is a platform used by software developers, publishers, and providers to distribute, update, and manage applications and games. Where applications or games made available through PatchKit are intended for children or may be used by children, the customer using the service is responsible for ensuring that the user acquisition process and the processing of personal data comply with the requirements of applicable law.
If Upsoft becomes aware of the unauthorized processing of a child’s personal data, it may take action to restrict processing, anonymize, or delete the data.
12. Changes to the Privacy Policy
Upsoft may update this Privacy Policy in the event of:
- changes in the law,
- changes to PatchKit service features,
- technological or organizational changes,
- changes to the way personal data is processed,
- the implementation of new services, integrations, or features affecting the processing of personal data.
The current version of the Privacy Policy is published within the services and on the websites related to PatchKit.
In the event of significant changes, users may be informed of the changes via a notice in the service, by electronic means, or through other appropriate communication channels.
The date indicated at the beginning of this Privacy Policy specifies the effective date of its current version.