Owner and Data Controller
Paladin Data Insurance Corp. dba Upfort
1990 N CALIFORNIA BLVD FL 8
1272
WALNUT CREEK, CA 94596
EU Representative
Instant EU GDPR Representative Ltd
Represented by Adam Brogden
Office 2 12A Lower Main Street, Lucan Co. Dublin K78 X5P8 Ireland
Contact: contact@gdprlocal.com
UK Representative
GDPR Local Ltd
Represented by Adam Brogden
1st Floor Front Suite 27-29 North Street, Brighton England BN1 1EB
Contact: contact@gdprlocal.com
Owner contact email: contact@upfort.com
Types of Data collected
Among the types of Personal Data that Upfort collects, by itself or through third parties, there are:
first name; last name; phone number; email address; password; profile picture; Usage Data; address; company name; calendar information; name; Tracker; IP address; various types of Data; answers to questions; clicks; keypress events; motion sensor events; mouse movements; scroll position; touch events; browser information; page views; device information; number of Users; session statistics.
Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.
Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using Upfort.
Unless specified otherwise, all Data requested by Upfort is mandatory and failure to provide this Data may make it impossible for Upfort to provide its services. In cases where Upfort specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.
Any use of Cookies – or of other tracking tools — by Upfort or by the owners of third-party services used by Upfort serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy.
Users are responsible for any third-party Personal Data obtained, published or shared through Upfort.
Mode and place of processing the Data
Methods of processing
The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of Upfort (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Owner at any time.
Place
The Data is processed at the Owner's operating offices and in any other places where the parties involved in the processing are located.
Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.
Retention time
Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users’ consent.
The purposes of processing
The Data concerning the User is collected to allow the Owner to provide its Service, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as the following:
Registration and authentication, Hosting and backend infrastructure, Handling payments, Managing contacts and sending messages, Contacting the User, Managing support and contact requests, Interaction with live chat platforms, Interaction with support and feedback platforms, Displaying content from external platforms, Traffic optimization and distribution, Platform services and hosting, Collection of privacy-related preferences, Data transfer outside of the UK, Data transfer outside the EU, Infrastructure monitoring, Managing data collection and online surveys, Spam and bots protection, Analytics and Heat mapping and session recording.
For specific information about the Personal Data used for each purpose, the User may refer to the section “Detailed information on the processing of Personal Data”.
Detailed information on the processing of Personal Data
Personal Data is collected for the following purposes and using the following services:
-
Analytics
The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to keep track of User behavior.
PostHog product analytics (PostHog, Inc.)
PostHog product analytics is an analytics service provided by PostHog, Inc. that gives the Owner insight into the use of Upfort by Users.
Personal Data processed: browser information; clicks; page views.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
- a Sale in the United States
Google Analytics 4 (Google LLC)
Google Analytics 4 is a web analysis service provided by Google LLC (“Google”). Google utilizes the Data collected to track and examine the use of Upfort, to prepare reports on its activities and share them with other Google services.
Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
In Google Analytics 4, IP addresses are used at collection time and then discarded before Data is logged in any data center or server. Users can learn more by consulting Google’s official documentation.
In order to understand Google's use of Data, consult their partner policy and their Business Data page.
Personal Data processed: number of Users; session statistics; Trackers; Usage Data.
Place of processing: United States – Privacy Policy – Opt out.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
- a Sale in the United States
-
Collection of privacy-related preferences
This type of service allows Upfort to collect and store Users’ preferences related to the collection, use, and processing of their personal information, as requested by the applicable privacy legislation.
iubenda Privacy Controls and Cookie Solution (iubenda srl)
The iubenda Privacy Controls and Cookie Solution allows the Owner to collect and store Users’ preferences related to the processing of personal information, and in particular to the use of Cookies and other Trackers on Upfort.
Personal Data processed: IP address; Trackers.
Place of processing: Italy – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
-
Contacting the User
Mailing list or newsletter (Upfort)
By registering on the mailing list or for the newsletter, the User’s email address will be added to the contact list of those who may receive email messages containing information of commercial or promotional nature concerning Upfort. Your email address might also be added to this list as a result of signing up to Upfort or after making a purchase.
Personal Data processed: address; company name; email address; first name; last name; phone number.
Category of Personal Information collected according to the CCPA: identifiers; commercial information.
This processing constitutes:
- a Sale in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana
-
Displaying content from external platforms
This type of service allows you to view content hosted on external platforms directly from the pages of Upfort and interact with them.
This type of service might still collect web traffic data for the pages where the service is installed, even when Users do not use it.
Calendly widget (Calendly, LLC)
Calendly widget is a calendar content visualization service provided by Calendly, LLC that allows Upfort to incorporate content of this kind on its pages.
Personal Data processed: calendar information; email address; name.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: identifiers; internet or other electronic network activity information.
This processing constitutes:
Google Fonts (Google LLC)
Google Fonts is a typeface visualization service provided by Google LLC that allows Upfort to incorporate content of this kind on its pages.
Personal Data processed: Tracker; Usage Data.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
-
Handling payments
Payment processing services enable Upfort to process payments by credit card, bank transfer or other means. To ensure greater security, Upfort shares only the information necessary to execute the transaction with the financial intermediaries handling the transaction.
Some of these services may also enable the sending of timed messages to the User, such as emails containing invoices or notifications concerning the payment.
Stripe (Stripe, Inc.)
Stripe is a payment service provided by Stripe, Inc.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
-
Heat mapping and session recording
Heat mapping services are used to display the areas of Upfort that Users interact with most frequently. This shows where the points of interest are. These services make it possible to monitor and analyze web traffic and keep track of User behavior.
Some of these services may record sessions and make them available for later visual playback.
PostHog session replay (PostHog, Inc.)
PostHog session replay is a session recording service provided by PostHog, Inc.
Personal Data processed: clicks; device information; page views; Usage Data.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
- a Sale in the United States
-
Hosting and backend infrastructure
This type of service has the purpose of hosting Data and files that enable Upfort to run and be distributed as well as to provide a ready-made infrastructure to run specific features or parts of Upfort.
Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.
Firebase Cloud Firestore (Google LLC)
Firebase Cloud Firestore is a hosting and backend service provided by Google LLC.
Personal Data processed: Usage Data; various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
Firebase Cloud Functions (Google LLC)
Firebase Cloud Functions is a hosting and backend service provided by Google LLC.
Personal Data processed: Usage Data; various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
Firebase Cloud Storage (Google LLC)
Firebase Cloud Storage is a hosting service provided by Google LLC.
Personal Data processed: Usage Data; various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
Firebase Hosting (Google LLC)
Firebase Hosting is a hosting service provided by Google LLC.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
Firebase Realtime Database (Google LLC)
Firebase Realtime Database is a hosting and backend service provided by Google LLC.
Personal Data processed: Usage Data; various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
-
Infrastructure monitoring
This type of service allows Upfort to monitor the use and behavior of its components so its performance, operation, maintenance and troubleshooting can be improved.
Which Personal Data are processed depends on the characteristics and mode of implementation of these services, whose function is to filter the activities of Upfort.
Sentry (Functional Software, Inc. )
Sentry is a monitoring service provided by Functional Software, Inc. .
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
Uptime Robot (Buzpark Bilisim Tarim Urunleri Sanayi Tic. Ltd. Sti.)
Uptime Robot is a monitoring service provided by Buzpark Bilisim Tarim Urunleri Sanayi Tic. Ltd. Sti.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: Turkey – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
-
Interaction with live chat platforms
This type of service allows Users to interact with third-party live chat platforms directly from the pages of Upfort, in order to contact and be contacted by Upfort‘s support service.
If one of these services is installed, it may collect browsing and Usage Data in the pages where it is installed, even if the Users do not actively use the service. Moreover, live chat conversations may be logged.
Zendesk Chat (Zendesk, Inc.)
Zendesk Chat is a service for interacting with the Zendesk live chat platform provided by Zendesk, Inc.
Personal Data processed: company name; email address.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: identifiers; commercial information.
This processing constitutes:
-
Interaction with support and feedback platforms
This type of service allows Users to interact with third-party support and feedback platforms directly from the pages of Upfort.
If one of these services is installed, it may collect browsing and Usage Data in the pages where it is installed, even if the Users do not actively use the service.
Zendesk Widget (Zendesk, Inc.)
The Zendesk Widget is a service for interacting with the Zendesk support and feedback platform provided by Zendesk Inc.
Personal Data processed: company name; email address.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: identifiers; commercial information.
This processing constitutes:
-
Managing contacts and sending messages
This type of service makes it possible to manage a database of email contacts, phone contacts or any other contact information to communicate with the User.
These services may also collect data concerning the date and time when the message was viewed by the User, as well as when the User interacted with it, such as by clicking on links included in the message.
SparkPost (Message Systems, Inc.)
SparkPost is an email address management and message sending service provided by Message Systems, Inc.
Personal Data processed: email address; various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: identifiers; internet or other electronic network activity information.
This processing constitutes:
- a Sale in California
- a Sharing in California
Customer.io (Peaberry Software Inc.)
Customer.io is an email address management and message sending service provided by Peaberry Software Inc.
Personal Data processed: email address; Tracker; Usage Data.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: identifiers; internet or other electronic network activity information.
This processing constitutes:
- a Sale in California
- a Sharing in California
Appcues (Appcues, Inc.)
Appcues is a message sending service provided by Appcues, Inc.
Appcues may also be used to manage the creation, deployment, administration, distribution and analysis of online forms and surveys.
Personal Data processed: email address; first name; last name; phone number.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: identifiers.
This processing constitutes:
- a Sale in California
- a Sharing in California
-
Managing data collection and online surveys
This type of service allows Upfort to manage the creation, deployment, administration, distribution and analysis of online forms and surveys in order to collect, save and reuse Data from any responding Users.
The Personal Data collected depend on the information asked and provided by the Users in the corresponding online form.
These services may be integrated with a wide range of third-party services to enable the Owner to take subsequent steps with the Data processed - e.g. managing contacts, sending messages, analytics, advertising and payment processing.
Typeform (TYPEFORM S.L)
Typeform is a form builder and data collection platform provided by TYPEFORM S.L.
Personal Data processed: email address; first name; last name.
Place of processing: Spain – Privacy Policy.
Category of Personal Information collected according to the CCPA: identifiers.
This processing constitutes:
-
Managing support and contact requests
This type of service allows Upfort to manage support and contact requests received via email or by other means, such as the contact form.
The Personal Data processed depend on the information provided by the User in the messages and the means used for communication (e.g. email address).
Zendesk (Zendesk, Inc.)
Zendesk is a support and contact request management service provided by Zendesk Inc.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
-
Platform services and hosting
These services have the purpose of hosting and running key components of Upfort, therefore allowing the provision of Upfort from within a unified platform. Such platforms provide a wide range of tools to the Owner – e.g. analytics, user registration, commenting, database management, e-commerce, payment processing – that imply the collection and handling of Personal Data.
Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.
Webflow (Webflow, Inc.)
Webflow is a platform provided by Webflow, Inc. that allows the Owner to build, run and host Upfort. Webflow is highly customizable and can host websites from simple blogs to complex e-commerce platforms.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy – Opt out.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
-
Registration and authentication
By registering or authenticating, Users allow Upfort to identify them and give them access to dedicated services.
Depending on what is described below, third parties may provide registration and authentication services. In this case, Upfort will be able to access some Data, stored by these third-party services, for registration or identification purposes.
Firebase Authentication (Google LLC)
Firebase Authentication is a registration and authentication service provided by Google LLC.
To simplify the registration and authentication process, Firebase Authentication can make use of third-party identity providers and save the information on its platform.
Personal Data processed: email address; first name; last name; password; phone number; profile picture.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: identifiers; audio, electronic, visual, thermal, olfactory, or similar information.
This processing constitutes:
Google OAuth (Google LLC)
Google OAuth is a registration and authentication service provided by Google LLC and is connected to the Google network.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
- a Sale in the United States
Adherence to the Google API Services User Data Policy and Limited Use Requirements (Upfort)
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Legal basis for processing: Contract.
Category of Personal Information collected according to the CCPA: identifiers.
-
Spam and bots protection
This type of service analyzes the traffic of Upfort, potentially containing Users' Personal Data, with the purpose of filtering it from unwanted parts of traffic, messages and content that are recognized as spam or protecting it from malicious bots activities.
Google reCAPTCHA (Google LLC)
Personal Data processed: answers to questions; clicks; keypress events; motion sensor events; mouse movements; scroll position; touch events; Trackers; Usage Data.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information; inferences drawn from other personal information.
-
Traffic optimization and distribution
This type of service allows Upfort to distribute their content using servers located across different countries and to optimize their performance.
Which Personal Data are processed depends on the characteristics and the way these services are implemented. Their function is to filter communications between Upfort and the User's browser.
Considering the widespread distribution of this system, it is difficult to determine the locations to which the contents that may contain Personal Information of the User are transferred.
Cloudflare (Cloudflare, Inc.)
Cloudflare is a traffic optimization and distribution service provided by Cloudflare Inc.
The way Cloudflare is integrated means that it filters all the traffic through Upfort, i.e., communication between Upfort and the User's browser, while also allowing analytical data from Upfort to be collected.
Personal Data processed: various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
Google Hosted Libraries (Google LLC)
Google Hosted Libraries is a traffic optimization and distribution service provided by Google LLC.
Personal Data processed: Trackers; Usage Data.
Place of processing: United States – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
jsDelivr CDN (Prospect One Sp. z o.o. sp. k.)
jsDelivr CDN is a traffic optimization and distribution service provided by Prospect One Sp. z o.o. sp. k.
Personal Data processed: Usage Data.
Place of processing: Poland – Privacy Policy.
Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.
This processing constitutes:
Information on opting out of interest-based advertising
In addition to any opt-out feature provided by
any of the services listed in this document, Users may learn more on
how to generally opt out of interest-based advertising within the
dedicated section of the Cookie Policy.
Further information about the processing of Personal Data
-
Network traffic data
We may analyze your network traffic data for the sake of stopping cyber attacks. We will never sell network traffic data to 3rd party data brokers.
This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.
-
Gmail Inbox Access
We request read rights to your inbox in order to analyze emails for phishing and malware attacks. Emails are destroyed after being analyzed and are not used to develop, improve, or train generalized AI and/or ML models. Security procedures are in place to protect the confidentiality of your data. We use encryption to protect your information.
To provide its service, Upfort uses restricted scopes for Gmail which allow access to User Data related to this Google service (as indicated below). This access is provided by Google LLC under strict terms. Here's what this means for such User Data:
• The use of User Data is limited to providing or improving User-facing features. User Data will not be used for serving ads, including retargeting, personalized, or interest-based advertising.
• User Data will be transferred to third parties only if necessary, to provide or improve User-facing features and as necessary to comply with applicable law or as part of a merger, acquisition, or sale of assets with notice to Users.
Humans will not read the Data unless:
• the Owner has obtained the User's affirmative agreement for specific messages;
• it is necessary for security purposes and/or to comply with applicable law, or;
• the use is limited to internal operations and the Data (including derivations) have been aggregated and anonymized.
-
Google Admin SDK
We collect email and names of your employees via the Admin SDK to streamline the onboarding process and save you the trouble of typing in your employees one by one. We will never resell this data to a 3rd party data broker.
This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.
-
California Consumer Privacy Act (CCPA) Data Deletion
If you would like your data deleted in conjunction with the California Consumer Privacy Act (CCPA), please email us at ccpa@upfort.com for processing
This processing constitutes a sale based on the definition under the CCPA. In addition to the information in this clause, the User can find information regarding how to opt out of the sale in the section detailing the rights of Californian consumers.
-
Google API Usage
We affirm that Google APIs, including but not limited to Google Workspace APIs, are not used to develop, improve, or train generalized AI and/or ML models. Our application does not retain or use Google data to train generalized AI or ML models.
Transfer of Data to Third-Party AI Tools:
We do not transfer any Google user data to third-party AI tools for the purpose of developing, improving, or training generalized or non-personalized AI/ML models.
Your rights:
You have the right to access, correct, and delete your personal information at any time. You can do this by contacting us. You also have the right to object to the processing of your personal information and to lodge a complaint with the appropriate supervisory authority.
Security:
We take appropriate technical and organizational measures to protect your personal information from unauthorized access, use, or disclosure. We use industry-standard encryption technologies and secure Google Cloud Platform servers for data storage and processing to protect your information.
Upfort's use of information received from Google APIs will adhere to the Google API Terms of Service and the Google API Services User Data Policy, including the Limited Use requirements.
Limited Use
Our app strictly complies with all conditions specified in the limited use policy of Google.
• Do not allow humans to read the user's data unless you have obtained the user's affirmative agreement to view specific messages, files, or other data.
• Do not use or transfer the data for serving ads, including retargeting, personalized, or interest-based advertising; and
-
Authorized Agents and Appeals
Authorized Agents: Some U.S. state privacy laws allow you to designate an authorized agent to submit privacy requests on your behalf. If you choose to use an authorized agent, we will require proof of the agent’s authority to act for you. For example, we may ask for a signed written permission from you or a valid power of attorney. We may also require you to verify your own identity with us directly and confirm that you gave the agent permission to make the request. We will only respond to requests from authorized agents that we can verify have been legitimately authorized by the relevant user, in accordance with applicable laws.
Appeals Process: Certain states (such as Colorado, Connecticut, Virginia, and others) grant you the right to appeal if we deny your request to exercise your privacy rights. If we refuse to take action on a request you submitted, our response will include the reason for the denial and instructions on how you can appeal the decision. To initiate an appeal, follow the procedures outlined in our response (for example, by contacting us through the designated email or web form provided for appeals). We will review your appeal and respond within the timeframe required by law (e.g., within 45 days, unless an extension is permitted and needed). If your appeal is ultimately denied, we will inform you of the decision and advise you of any further options available to you under applicable law (for instance, how to contact your state’s Attorney General or privacy regulator to lodge a complaint).
-
Notice of Financial Incentives
We do not offer financial incentives or price/service differences in exchange for your personal information. This means Upfort does not provide any rewards, discounts, loyalty programs, or other benefits that are conditioned upon you providing or allowing us to retain your personal data, nor do we penalize you for exercising your privacy rights. If in the future we choose to offer a program that involves financial incentives or preferential pricing related to the collection, retention, or sale of personal information, we will provide you with a detailed notice explaining the material terms of any such program. We would also obtain your explicit opt-in consent before enrolling you in a financial incentive program, as required by applicable law (for example, the California Privacy Rights Act), and you would have the right to withdraw from such programs at any time.
-
California‑specific notices
The following disclosures supplement our Privacy Policy only for California residents. They explain rights granted by California law and do not apply to users who live elsewhere.
California “Shine the Light” Law: California Civil Code § 1798.83 permits California residents to request information about our disclosures of certain categories of personal information to third parties for those third parties’ direct marketing purposes. Upfort does not disclose personal information to unaffiliated third parties for their own direct marketing use without your consent. Because we do not engage in such sharing, we do not maintain a list of third parties for marketing purposes and we do not anticipate any “Shine the Light” requests. California residents who have questions about our compliance with this law or who seek further information may contact us using the contact details provided in this policy.
Do Not Track Signals: Some web browsers and devices can send a “Do Not Track” (DNT) signal to websites, indicating a preference that the website not track the user’s online activities. Currently, there is no consensus or industry standard on how to interpret DNT signals, and therefore Upfort does not respond to browser DNT signals. However, we do honor certain universal opt-out preference signals, such as the Global Privacy Control (GPC), as a valid request to opt out of the sale or sharing of personal information, as described in the “How to exercise your rights to opt out” section above. In short, while DNT browser signals are not processed, any GPC or similar signal that is recognized under applicable law will be honored by Upfort in a frictionless manner.
These California‑specific provisions add to, but do not limit, the rest of our Privacy Policy. If you have questions about any privacy right—whether under California law or another jurisdiction—please contact us. Upfort treats all users fairly and will not retaliate against anyone who exercises a privacy right.
-
Children’s Privacy
Not for children under 13. Upfort is designed for adults. We do not knowingly collect, solicit, or store Personal Data from anyone under 13 years of age. If we learn that we have inadvertently received such information, we will delete it without delay.
Ages 13‑17—parental consent required. Teen users (13 to 17, or the higher age of majority in their jurisdiction) may use Upfort only when a parent or legal guardian has reviewed our Terms of Service and provided verifiable consent.
No sale or sharing of minors’ data. Consistent with the California Consumer Privacy Act and similar state laws, Upfort does not sell or share the Personal Information of consumers under 16 years old without the required opt‑in consent.
EU/UK residents under 16. Where the General Data Protection Regulation or UK GDPR applies, we rely on parental consent for users under 16 years of age (or the lower age—never below 13—set by the user’s country).
Parental rights. Parents or guardians who believe we hold Personal Data about a child may email privacy@upfort.com or write to the address in the “Owner and Data Controller” section. We will verify the request and, where required by law, provide access to or delete the child’s information.
-
Analytics Data and California “Sale/Share” Notice
We do not sell your personal information in the everyday sense of the word. We never exchange your data for cash, we never hand it to data brokers, and we never let anyone use it to build their own marketing lists. We do send limited device and usage data to trusted analytics partners solely to operate, secure, and improve our services. In certain jurisdictions, this can be labeled as a "sale" or "share". You can opt out at any time via our Do Not Sell/Share link or by enabling the Global Privacy Control signal, and we will stop sending your visitor‑level analytics data.
-
Preference Cookies
Preference Cookies store the User preferences detected on Upfort in the local domain such as, for example, their timezone and region.
-
Personal Data collected through sources other than the User
The Owner of Upfort may have legitimately collected Personal Data relating to Users without their knowledge by reusing or sourcing them from third parties on the grounds mentioned in the section specifying the legal basis of processing.
Where the Owner has collected Personal Data in such a manner, Users may find specific information regarding the source within the relevant sections of this document or by contacting the Owner.
-
Selling goods and services online
The Personal Data collected are used to provide the User with services or to sell goods, including payment and possible delivery.
The Personal Data collected to complete the payment may include the credit card, the bank account used for the transfer, or any other means of payment envisaged. The kind of Data collected by Upfort depends on the payment system used.
Cookie Policy
Upfort uses Trackers. To learn more, Users may consult the Cookie Policy.
This section applies to all Users in the European Union, according to the General Data Protection Regulation (the “GDPR”), and, for such Users, supersedes any other possibly divergent or conflicting information contained in the privacy policy. Further details regarding the categories of Data processed, the purposes of processing, the categories of recipients of the Personal Data, if any, and further information about Personal Data can be found in the section titled “Detailed information on the processing of Personal Data” within this document.
Legal basis of processing
The Owner may process Personal Data relating to Users if one of the following applies:
- Users have given their consent for one or more specific purposes.
- provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
- processing is necessary for compliance with a legal obligation to which the Owner is subject;
- processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner;
- processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party.
In any case, the Owner will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Further information about retention time
Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users’ consent.
Therefore:
- Personal Data collected for purposes related to the performance of a contract between the Owner and the User shall be retained until such contract has been fully performed.
- Personal Data collected for the purposes of the Owner’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding the legitimate interests pursued by the Owner within the relevant sections of this document or by contacting the Owner.
The Owner may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn. Furthermore, the Owner may be obliged to retain Personal Data for a longer period whenever required to fulfil a legal obligation or upon order of an authority.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
The rights of Users based on the General Data Protection Regulation (GDPR)
Users may exercise certain rights regarding their Data processed by the Owner.
In particular, Users have the right to do the following, to the extent permitted by law:
- Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
- Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent.
- Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
- Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
- Restrict the processing of their Data. Users have the right to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
- Have their Personal Data deleted or otherwise removed. Users have the right to obtain the erasure of their Data from the Owner.
- Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.
- Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.
Users are also entitled to learn about the legal basis for Data transfers abroad including to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.
Details about the right to object to processing
Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time, free of charge and without providing any justification. Where the User objects to processing for direct marketing purposes, the Personal Data will no longer be processed for such purposes. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.
How to exercise these rights
Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. Such requests are free of charge and will be answered by the Owner as early as possible and always within one month, providing Users with the information required by law. Any rectification or erasure of Personal Data or restriction of processing will be communicated by the Owner to each recipient, if any, to whom the Personal Data has been disclosed unless this proves impossible or involves disproportionate effort. At the Users’ request, the Owner will inform them about those recipients.
Transfer of Personal Data outside of the European Union
Data transfer abroad based on consent
If this is the condition for Data transfer, Personal Data of Users shall be transferred from the EU to third countries only if the User has explicitly consented to such transfer, after having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards.
In such cases, the Owner shall inform Users appropriately and collect their explicit consent via Upfort.
Data transfer abroad based on standard contractual clauses
If this is the condition for Data transfer, the transfer of Personal Data from the EU to third countries is carried out by the Owner according to “standard contractual clauses” provided by the European Commission.
This means that Data recipients have committed to process Personal Data in compliance with the data protection standards set forth by EU data protection legislation. For further information, Users are requested to contact the Owner through the contact details provided in the present document.
Transfer of Personal Data outside of the United Kingdom
Data transfer abroad based on consent (UK)
If this is the condition for Data transfer, Personal Data of Users shall be transferred from the UK to third countries only if the User has explicitly consented to such transfer, after having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards.
In such cases, the Owner shall inform Users appropriately and collect their explicit consent via Upfort.
Data transfer abroad based on standard contractual clauses (UK)
If this is the condition for Data transfer, the transfer of Personal Data from the UK to third countries is carried out by the Owner according to “standard contractual clauses” provided by the European Commission.
This means that Data recipients have committed to process Personal Data in compliance with the data protection standards set forth by EU data protection legislation, which are recognized as valid also under UK law. For further information, Users are requested to contact the Owner through the contact details provided in the present document.
Further information for Users
in the United States
This part of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the business running Upfort and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).
The information contained in this section applies to all Users (Users are referred to below, simply as “you”, “your”, “yours”), who are residents in the following states: California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana.
For such Users, this information supersedes any other possibly divergent or conflicting provisions contained in the privacy policy.
This part of the document uses the term Personal Information
(and Sensitive Personal Information).
Notice at collection
The following Notice at collection provides you with timely notice about the categories of Personal Information collected or disclosed in the past 12 months so that you can exercise meaningful control over our use of that Information.
While such categorization of Personal Information is mainly based on California privacy laws, it can also be helpful for anyone who is not a California resident to get a general idea of what types of Personal Information are collected.
-
Identifiers
Personal Information collected or disclosed:
first name, last name, phone number, email address, profile picture, various types of Data as specified in the privacy policy of the service, address, company name, calendar information, name, Tracker, Usage Data
Sensitive Personal Information collected or disclosed ℹ️:
password
Purposes:
- Registration and authentication
- Managing contacts and sending messages
- Contacting the User
- Interaction with live chat platforms
- Interaction with support and feedback platforms
- Displaying content from external platforms
- Managing data collection and online surveys
- Further information about Personal Data
Retention period:
for the time necessary to fulfill the purpose
Sold or Shared ℹ️:
Yes
Targeted Advertising: ℹ️:
Yes
Third-parties: Google LLC, Message Systems, Inc., Zendesk, Inc., Calendly, LLC, Peaberry Software Inc., Appcues, Inc., TYPEFORM S.L, Upfort
Service providers or contractors: Upfort
-
Audio, electronic, visual, thermal, olfactory, or similar information
Personal Information collected or disclosed:
first name, last name, phone number, email address, profile picture
Sensitive Personal Information collected or disclosed ℹ️:
password
Purposes:
- Registration and authentication
Retention period:
for the time necessary to fulfill the purpose
Sold or Shared ℹ️:
Yes
Targeted Advertising: ℹ️:
Yes
Third-parties: Google LLC
-
Internet or other electronic network activity information
Personal Information collected or disclosed:
Usage Data, various types of Data as specified in the privacy policy of the service, email address, calendar information, name, Tracker, Trackers, IP address, various types of Data, answers to questions, clicks, keypress events, motion sensor events, mouse movements, scroll position, touch events, browser information, page views, device information, number of Users, session statistics
Purposes:
- Hosting and backend infrastructure
- Handling payments
- Managing contacts and sending messages
- Managing support and contact requests
- Displaying content from external platforms
- Traffic optimization and distribution
- Platform services and hosting
- Collection of privacy-related preferences
- Data transfer outside of the UK
- Data transfer outside the EU
- Further information about Personal Data
- Infrastructure monitoring
- Registration and authentication
- Spam and bots protection
- Analytics
- Heat mapping and session recording
Retention period:
for the time necessary to fulfill the purpose
Sold or Shared ℹ️:
Yes
Targeted Advertising: ℹ️:
Yes
Third-parties: Google LLC, Stripe, Inc., Message Systems, Inc., Zendesk, Inc., Calendly, LLC, Cloudflare, Inc., Webflow, Inc., Peaberry Software Inc., iubenda srl, Functional Software, Inc. , Buzpark Bilisim Tarim Urunleri Sanayi Tic. Ltd. Sti., Prospect One Sp. z o.o. sp. k., PostHog, Inc.
Service providers or contractors: Upfort
-
Commercial information
Personal Information collected or disclosed:
email address, first name, last name, phone number, address, company name
Purposes:
- Contacting the User
- Interaction with live chat platforms
- Interaction with support and feedback platforms
Retention period:
for the time necessary to fulfill the purpose
Sold or Shared ℹ️:
Yes
Targeted Advertising: ℹ️:
Yes
Third-parties: Zendesk, Inc.
Service providers or contractors: Upfort
-
Inferences drawn from other personal information
Personal Information collected or disclosed:
Usage Data, Trackers, answers to questions, clicks, keypress events, motion sensor events, mouse movements, scroll position, touch events
Retention period:
for the time necessary to fulfill the purpose
Sold or Shared ℹ️:
Yes
Targeted Advertising: ℹ️:
Yes
Third-parties: Google LLC
ℹ️ You can read the definitions of these concepts inside the “Definitions and legal references section” of the privacy policy.
To know more about your rights in particular to opt out of certain processing activities and to limit the use of your sensitive personal information (“Limit the Use of My Sensitive Personal Information”) you can refer to the “Your privacy rights under US state laws” section of our privacy policy.
For more details on the collection of Personal Information, please read the section “Detailed information on the processing of Personal Data” of our privacy policy.
We won’t process your Information for unexpected purposes, or for purposes that are not reasonably necessary to and compatible with the purposes originally disclosed, without your consent.
What are the sources of the Personal Information we collect?
We collect the above-mentioned categories of Personal Information, either directly or indirectly, from you when you use Upfort.
For example, you directly provide your Personal Information when you submit requests via any forms on Upfort. You also provide Personal Information indirectly when you navigate Upfort, as Personal Information about you is automatically observed and collected.
Finally, we may collect your Personal Information from third parties that work with us in connection with the Service or with the functioning of Upfort and features thereof.
Your privacy rights under US state laws
You may exercise certain rights regarding your Personal Information. In particular, to the extent permitted by applicable law, you have:
- the right to access Personal Information: the right to know. You have the right to request that we confirm whether or not we are processing your Personal Information. You also have the right to access such Personal Information;
- the right to correct inaccurate Personal Information. You have the right to request that we correct any inaccurate Personal Information we maintain about you;
- the right to request the deletion of your Personal Information. You have the right to request that we delete any of your Personal Information;
- the right to obtain a copy of your Personal Information. We will provide your Personal Information in a portable and usable format that allows you to transfer data easily to another entity – provided that this is technically feasible;
- the right to opt out from the Sale of your Personal Information; We will not discriminate against you for exercising your privacy rights.
- the right to non-discrimination.
Additional rights for Users residing in California
In addition to the rights listed above common to all Users in the United States, as a User residing in California, you have:
- The right to opt out of the Sharing of your Personal Information for cross-context behavioral advertising;
- The right to request to limit our use or disclosure of your Sensitive Personal Information to only that which is necessary to perform the services or provide the goods, as is reasonably expected by an average consumer. Please note that certain exceptions outlined in the law may apply, such as, when the collection and processing of Sensitive Personal Information is necessary to verify or maintain the quality or safety of our service.
Additional rights for Users residing in Virginia, Colorado, Connecticut, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana
In addition to the rights listed above common to all Users in the United States, as a User residing in Virginia, Colorado, Connecticut, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana you have
- The right to opt out of the processing of your personal information for Targeted Advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you;
- The right to freely give, deny or withdraw your consent for the processing of your Sensitive Personal Information. Please note that certain exceptions outlined in the law may apply, such as, but not limited to, when the collection and processing of Sensitive Personal Information is necessary for the provision of a product or service specifically requested by the consumer. In Maryland, your Sensitive Personal Information will be collected or processed only if strictly necessary to provide or maintain a specific product or service requested by you.
In Minnesota and Maryland Users also have the right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data
* Note that in some states like Minnesota you have the following specific rights connected to profiling:
- The right to question the results of the profiling;
- The right to be informed of the reason that the profiling resulted in the decision; if feasible
- The right to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future;
- The right to review personal data used in the profiling;
- If inaccurate, the right to have the data corrected and the profiling decision reevaluated based on the corrected data;
Additional rights for users residing in Utah and Iowa
In addition to the rights listed above common to all Users in the United States, as a User residing in Utah and Iowa, you have:
- The right to opt out of the processing of your Personal Information for Targeted Advertising;
- The right to opt out of the processing of your Sensitive Personal Information. Please note that certain exceptions outlined in the law may apply, such as, but not limited to, when the collection and processing of Sensitive Personal Information is necessary for the provision of a product or service specifically requested by the consumer.
How to exercise your privacy rights under US state laws
To exercise the rights described above, you need to submit your request to us by contacting us via the contact details provided in this document.
For us to respond to your request, we must know who you are. We will not respond to any request if we are unable to verify your identity and therefore confirm the Personal Information in our possession relates to you. You are not required to create an account with us to submit your request. We will use any Personal Information collected from you in connection with the verification of your request solely for verification and shall not further disclose the Personal Information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.
If you are an adult, you can make a request on behalf of a child under your parental authority.
How to exercise your rights to opt out
In addition to what is stated above, to exercise your right to opt-out of Sale or Sharing and Targeted Advertising you can also use the privacy choices link provided on Upfort.
If you want to submit requests to opt out of Sale or Sharing and Targeted Advertising activities via a user-enabled global privacy control, such as for example the Global Privacy Control (“GPC”), you are free to do so and we will abide by such request in a frictionless manner.
How and when we are expected to handle your request
We will respond to your request without undue delay, but in all cases within the timeframe required by applicable law. Should we need more time, we will explain to you the reasons why, and how much more time we need.
Should we deny your request, we will explain to you the reasons behind our denial (where envisaged by applicable law you may then contact the relevant authority to submit a complaint).
We do not charge a fee to process or respond to your request unless such request is manifestly unfounded or excessive and in all other cases where it is permitted by the applicable law. In such cases, we may charge a reasonable fee or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind them.
Additional information about Data collection and processing
Legal action
The User's Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of Upfort or the related Services.
The User declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.
Additional information about User's Personal Data
In addition to the information contained in this privacy policy, Upfort may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.
System logs and maintenance
For operation and maintenance purposes, Upfort and any third-party services may collect files that record interaction with Upfort (System logs) or use other Personal Data (such as the IP Address) for this purpose.
More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.
Changes to this privacy policy
The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within Upfort and/or - as far as technically and legally feasible - sending a notice to Users via any contact information available to the Owner. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.
Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where required.
Definitions and legal references
Personal Data (or Data)
/ Personal Information (or Information)
Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.
Sensitive Personal Information
Sensitive Personal Information means any Personal Information that is not publicly available and reveals information considered sensitive according to the applicable privacy law.
Usage Data
Information collected automatically through Upfort (or third-party services employed in Upfort), which can include: the IP addresses or domain names of the computers utilized by the Users who use Upfort, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.
User
The individual using Upfort who, unless otherwise specified, coincides with the Data Subject.
Data Subject
The natural person to whom the Personal Data refers.
Data Processor (or Processor)
The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.
Data Controller (or Owner)
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of Upfort. The Data Controller, unless otherwise specified, is the Owner of Upfort.
Upfort (or this Application)
The means by which the Personal Data of the User is collected and processed.
Service
The service provided by Upfort as described in the relative terms (if available) and on this site/application.
Sale
Sale means any exchange of Personal Information by the Owner to a third party, for monetary or other valuable consideration, as defined by the applicable privacy US state law. Please note that the exchange of Personal Information with a service provider pursuant to a written contract that meets the requirements set by the applicable law, does not constitute a Sale of your Personal Information.
Sharing
Sharing means any sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's Personal Information by the business to a third party for cross-context behavioral advertising, whether for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged, as defined by the California privacy laws. Please note that the exchange of Personal Information with a service provider pursuant to a written contract that meets the requirements set by the California privacy laws, does not constitute sharing of your Personal Information.
Targeted advertising
Targeted advertising means displaying advertisements to a consumer where the advertisement is selected based on Personal Information obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, as defined by the applicable privacy US state law.
European Union (or EU)
Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.
Cookie
Cookies are Trackers consisting of small sets of data stored in the User's browser.
Tracker
Tracker indicates any technology - e.g Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting - that enables the tracking of Users, for example by accessing or storing information on the User’s device.
Legal information
This privacy statement has been prepared based on provisions of multiple legislations.
This privacy policy relates solely to Upfort, if not stated otherwise within this document.