Version 1.0 — June 10, 2026
Tupshar is a research preview run by Upside Down Research. This policy explains what data we collect, what we do with it, and — just as important — what we don't do with it.
The short version:
We will NOT examine your documents unless we need to debug a technical problem. If we do, we will tell you.
1. What We Collect
Account data (via Clerk):
- Your email address and name, as provided by your OAuth provider
- An account identifier
- Sign-in events (timestamps, method)
We use Clerk for authentication. Clerk processes your login; we receive your email and profile basics from them. See Clerk's privacy policy for how they handle your data.
Your content:
- Documents you store, including names and metadata
- Search queries you run
- API keys you create (we store only an Argon2id hash of the key, never the key itself)
Usage and request data:
- API request counts, types, error rates, and latency
- IP address, user agent, and timestamps on requests
- Aggregate storage and document counts per tenant
What we don't collect: payment information (the preview is free), advertising identifiers, or tracking cookies. We don't run third-party analytics or ad scripts on this site.
2. What We Do With It
To run the service: store and retrieve your documents, execute searches, authenticate you, enforce rate limits and quotas, and keep the lights on (metrics, logs, alerts).
To improve the service: analyze aggregate usage patterns (things like "median tenant stores 40 documents"), find performance problems, and decide what to build next. That's the research in research preview.
What we will not do:
- We will not read, browse, or review the contents of your documents — with one exception, described in Section 3.
- We will not sell your data. To anyone. Ever.
- We will not share your data with third parties except the infrastructure providers listed in Section 6 or when the law compels us (Section 7).
- We will not use your documents to train machine learning models.
- We will not use your data for marketing.
3. The Debugging Exception
Sometimes fixing a bug requires looking at the actual data that triggered it — for example, a document that crashes the indexer. When we do this:
- Access is limited to what's needed to fix the problem.
- Only the people directly fixing the issue view your data.
- We maintain an internal log of operator access to tenant data.
We design the service so we rarely need to look at your documents. Debugging access is the exception, not routine, and it is logged.
That's the whole exception. Routine curiosity is not debugging.
4. How Long We Keep Data
| Data | Retention |
|---|---|
| Your documents | Until you delete them or your account |
| Account data | Until you delete your account |
| Database backups | We do not currently run backups. If we introduce backups in the future, deleted data will expire from them within 30 days. |
| Usage/request logs | 30 days, then deleted |
| Expired/revoked API key hashes | Retained for abuse investigation; purged periodically (not on a fixed schedule) |
When you delete a document or your account, it's removed from the live database promptly. We currently keep no backup copies — which also means we cannot recover your data if the database is lost (see "Honest limitation" below).
Honest limitation: the preview database runs on a single replica with no backup redundancy and is not encrypted at rest (encryption at rest is planned for v2). Data is encrypted in transit: TLS 1.3 to our edge, and via service-mesh mTLS internally. See our Security page for the full list of known limitations.
5. Your Rights
Regardless of where you live, you can:
- Export — use the
GET /httpserver/filesendpoint to list all your documents (metadata-only); useGET /v1/file/:idto retrieve individual document contents. This is the canonical bulk-export mechanism for your data. - Delete — delete individual documents anytime via the API (
DELETE /v1/file/:id), or email us to delete your entire account and all associated data. - Access and correct — see your account data; email us to request corrections.
For account deletion, email paul@upside-down-research.com or privacy@upside-down-research.com. We'll act within 30 days, usually much faster.
6. Third Parties and Infrastructure
- Clerk — authentication. They process your login and hold your OAuth profile. Clerk privacy policy.
- Google Cloud Platform — hosting. Tupshar and its database run on infrastructure we operate in GCP, in the United States.
- SurrealDB — the database software we use. We run it ourselves inside our own cluster; SurrealDB (the company) does not receive your data.
Your data stays in the United States. We don't transfer it internationally or hand it to data brokers, advertisers, or anyone else not listed here.
7. When the Law Asks
If we receive a valid legal demand (subpoena, court order, warrant) for your data, we will comply where legally required by law. We will meet all obligations under U.S. law, including USC § 2258A (CSAM reporting) and Washington state law.
8. Children
Tupshar is not for children. You must be 18 or older to use it. We don't knowingly collect data from anyone under 13; if we learn we have, we'll delete it.
9. Security
Full details, including known limitations of the research preview, are on the Security page. To report a vulnerability, email security@upside-down-research.com — please don't open a public issue.
10. Changes to This Policy
We may update this policy as the service changes. We'll update the version date at the top and post changes here; for material changes we'll make reasonable efforts to email you. Continued use after a change takes effect means you accept it. If you don't, delete your account and we'll delete your data per Section 4.
11. Contact
Privacy questions: privacy@upside-down-research.com Everything else: paul@upside-down-research.com
Upside Down Research, Washington, United States.