About this CCPA/CPRA Compliance Policy. This Policy covers the rules, obligations, and rights that apply to this policy on the Upmos marketplace. Read the full text below; by using our Services you agree to comply with it.
In Plain English (Non-Binding Summary)
Notice at Collection. We provide this Notice at the point of collection online (checkout, account registration, seller onboarding, ad forms) and offline (phone support) and link it from the footer as CALIFORNIA PRIVACY CHOICES. We retain pers Category Matrix (Past 12 Months). | Category | Sources | Business/Commercial Purposes | Disclosed to (Service Providers/Contractors) | Sold/Shared for Ads? | Retention | Your Rights (CCPA/CPRA). California residents have the rights to Know, Delete, Correct, Opt-Out of Sale/Sharing, Limit SPI, and Non-Discrimination. We honor GLOBAL PRIVACY CONTROL (GPC) signals for sale/sharing opt-out.
This plain-language box is provided for accessibility and readability only. It is not a substitute for the full Policy below, which controls in case of any conflict.
Upmos Inc. (“Upmos,” “we,” “us,” or “our”) is a Delaware corporation (registered office c/o Republic Registered Agent LLC, 262 Chapman Rd Ste 240, Newark, DE 19702, New Castle County), with its principal place of business at 9896 Bissonnet St, Houston, TX 77036, United States. Upmos operates an e-commerce marketplace at upmos.com. This CCPA/CPRA Compliance Policy (the “Policy” or this “Notice”) describes how Upmos collects, uses, discloses, and protects the personal information of California residents under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and the regulations promulgated by the California Privacy Protection Agency (CPPA) at 11 CCR § 7000 et seq. This document serves as Upmos’s notice at or before collection of personal information pursuant to Cal. Civ. Code § 1798.100(b) and the regulatory requirements at 11 CCR § 7012.
In Plain Language: We tell you what personal information we collect and why before we collect it. You always know what data is gathered and its business purpose.
We provide this Notice at the point of collection online (checkout, account registration, seller onboarding, ad forms) and offline (phone support) and link it from the footer as CALIFORNIA PRIVACY CHOICES. We retain personal information only as long as reasonably necessary for the disclosed purposes. WE DO NOT SELL OR SHARE SENSITIVE PERSONAL INFORMATION.
IP geolocation: not stored beyond page request; shipping address: per order/legal requirements
Inferences (interest segments)
Derived from interactions
Recommendations and UX improvements
Recommendation/search providers
Not sold; may be shared for ads unless you opt out
Up to 2 years
Sensitive PI (payment token IDs, account password, government ID for sellers)
You; payment processors; seller onboarding
Account security, payment via tokenization, vendor compliance verification
Payment processors; ID verification providers
Never sold or shared for advertising
Only as needed for the stated purpose and legal obligations
Sensitive PI allowed uses: perform services, ensure security/integrity, short-term transient use, servicing accounts/orders, verifying/maintaining quality/safety, and not to infer characteristics beyond those purposes. Use “Limit Use of Sensitive Personal Information” in the footer or Account Settings to exercise this right.
Your Rights (CCPA/CPRA)
In Plain Language: California law gives you the right to know, delete, correct, and control your personal information. You can also opt out of the sale or sharing of your data.
California residents have the rights to Know (Cal. Civ. Code § 1798.110), Delete (§ 1798.105), Correct (§ 1798.106), Opt-Out of Sale/Sharing (§ 1798.120), Limit Use of Sensitive Personal Information (SPI) (§ 1798.121), and Non-Discrimination (§ 1798.125). Pursuant to Cal. Civ. Code § 1798.135 and 11 CCR § 7025, we honor Global Privacy Control (GPC) signals as a valid sale/sharing opt-out where supported.
How to exercise:
Submit: PRIVACY PORTAL (footer), privacy@upmos.com, or Account Settings.
Opt-Out of Sale/Sharing: DO NOT SELL OR SHARE MY PERSONAL INFORMATION link or GPC.
Limit SPI: LIMIT USE OF SENSITIVE PERSONAL INFORMATION link or Account Settings.
Authorized agents: include signed authorization and we will verify your identity plus proof of agency.
Timelines: we acknowledge within 10 days; respond within 45 days (one 45-day extension with notice). We verify identity using account login or reasonable documentation matched to existing records. Household requests require verified household members. We document denials with reasons and appeal options.
Requests, Verification & Appeals
Intake: privacy portal, privacy@upmos.com, Account Settings, or toll-free number.
Verification: account login or matching 2–3 data points; for sensitive data or specific pieces, stronger verification may be required.
Authorized agents: provide signed permission plus your verification; for minors, parent/guardian confirmation.
Appeals: submit via portal or privacy@upmos.com; we respond within 45 days (one 45-day extension with notice) and state the decision. If denied, we explain why and how to escalate to regulators. APPEALS ARE ALWAYS FREE.
Financial Incentives (Rewards & Membership)
Pursuant to Cal. Civ. Code § 1798.125(b), we may offer rewards, membership benefits, referral bonuses, and promotional credits in exchange for personal information, where the financial incentive is reasonably related to the value of the data provided. These programs are voluntary and require opt-in consent. Material terms:
Summary: rewards points, tier benefits, and credits based on purchases and engagement.
Categories of PI: identifiers (name, email, phone), commercial information (order history), and inferences (preferences) used to operate rewards and determine eligibility.
Value Calculation: financial incentives reasonably relate to value provided by your data, estimated using program costs, expected engagement, and redemption rates.
Opt-In/Opt-Out: you can opt in during signup; you may withdraw at any time in Account Settings without losing basic access. Withdrawal ends participation and forfeits unredeemed incentives unless required by law.
Non-Discrimination: we do not deny goods/services for exercising privacy rights; incentives are a permissible difference reasonably related to the value of your data.
For purposes of Cal. Civ. Code § 1798.140(ad) (definition of “Sale”), we do not sell personal information. For purposes of Cal. Civ. Code § 1798.140(ah) (definition of “Sharing”), we may share identifiers and device information with advertising partners for cross-context behavioral advertising unless you opt out. We disclose personal information to service providers (Cal. Civ. Code § 1798.140(ag)) and contractors (§ 1798.140(j)) for business purposes, subject to written contracts that limit their use of personal information to the specified business purpose and prohibit retention, use, or disclosure for any other purpose.
Merchants (sellers): receive only the personal information necessary to fulfill your orders (e.g., name, shipping address, contact, order details). Merchants are independent controllers of their own customer data and must comply with applicable law.
Payment processors: receive payment token IDs and transaction details to process payments. We do not store full card numbers.
Shipping carriers: receive delivery details.
Analytics/security providers: receive device and interaction data for functionality and fraud prevention.
Pursuant to Cal. Civ. Code § 1798.140(ae)(1)(C), biometric information is treated as sensitive personal information; we do not disclose biometric identifiers for advertising and do not use precise geolocation (GPS-level) for tracking.
Do Not Sell or Share / Global Privacy Control
In Plain Language: You can tell us to stop selling or sharing your data at any time. We also honor the Global Privacy Control (GPC) signal from your browser automatically.
DO NOT SELL OR SHARE: exercise via the footer link or Account Settings. Pursuant to Cal. Civ. Code § 1798.135 and 11 CCR § 7025, we honor Global Privacy Control (GPC) signals as a valid opt-out of sale/sharing request where supported.
Do Not Track (DNT): California law does not require honoring legacy DNT signals. We currently do not respond to DNT, but you may use GPC to express opt-out preferences.
Data Retention & Deletion
In Plain Language: We keep your data only as long as needed for its stated purpose, then securely delete it. You can request deletion at any time.
We retain personal information only as long as reasonably necessary for the disclosed purposes, consistent with CPRA and other applicable laws.
Data Category
Retention Period
Reason
Account Identifiers
While account is active; 2 years after last activity
We delete or de-identify data when retention periods expire, when you request deletion (subject to legal holds), or when data is no longer needed for the disclosed purposes. We instruct service providers and relevant merchants to delete personal information received from us when legally required and when you exercise deletion rights.
Security Measures
Consistent with the “reasonable security procedures and practices” standard in Cal. Civ. Code § 1798.81.5 (and as referenced by the private right of action in § 1798.150), we use administrative, technical, and physical safeguards appropriate to the nature of the personal information, including encryption in transit, access controls, vulnerability management, and vendor due diligence. No system is 100% secure; we notify you of material breaches as required by law.
Children & Minors
Under 13: consistent with the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) and 16 CFR Part 312, we do not knowingly collect personal information from children under 13. If we learn we have collected such information, we promptly delete it.
Ages 13–16: pursuant to Cal. Civ. Code § 1798.120(c), we do not sell/share personal information of minors without the affirmative authorization (“opt-in consent”) required by that section; parents/guardians may contact us to exercise rights.
Accessibility & Language Support
For alternate formats or languages, contact privacy@upmos.com or call 1-855-637-2433. We will provide accessible versions and language support where reasonably possible.
Changes to This Notice
We may update this Notice. The “Effective date” reflects the latest revision. Material changes will be communicated via site notice or email. Your continued use after changes indicates acceptance.
Contributions, Reviews & Ratings
Contributions: content you post (e.g., reviews, ratings, comments, listings) may be publicly visible. Do not include personal information you do not wish to make public.
Moderation & Removal: we moderate UGC consistent with the AUP. We may retain moderation logs and related personal information as needed for audit, dispute resolution, and compliance.
AUP Alignment: conduct rules, prohibited content, and consequences are governed by the AUP. This privacy notice describes personal information handling associated with those processes.
Consequences: actions on accounts/content for AUP violations (warnings, limits, suspension) follow the AUP’s Consequences section.
See the Acceptable Use Policy for detailed conduct standards.
Reporting & Consequences
Reporting: you can report suspected violations via the methods described in the AUP (e.g., report links, support channels). Reports may include your contact information and details necessary to investigate.
Enforcement Data: we may preserve investigation records, notifications, and decision outcomes for up to 5 years to support appeals, prevent abuse, and comply with legal obligations.
Appeals & Complaints: privacy rights appeals follow the process in this notice; complaints or conduct appeals follow the process in the AUP.
AI Products & Automated Decisions
AI Features: when you use AI features, we process inputs to provide the service and may log interactions to improve reliability and safety, consistent with the AUP’s AI governance.
Training & Personal Information: we do not use your personal information to train general-purpose AI models without your consent. Service providers operating AI systems are contractually restricted.
Automated Decisions: California is implementing rules under Cal. Civ. Code § 1798.185(a)(16) (CPPA automated decision-making technology, or “ADMT”, regulations) that give consumers the right to access meaningful information about, and to opt out of, the use of automated decision-making technology for decisions that produce legal or similarly significant effects. If we use automated decision-making that produces such effects, we will describe the logic involved, the significance, and your rights to request human review or opt out where required by law. For details about how we use automated systems, see our AI & Algorithmic Disclosure.
See the Acceptable Use Policy’s AI sections for product-level conduct rules.
Marketplace & Vendor Responsibilities
Seller Data Handling: merchants receive only the information required to fulfill your orders (e.g., name, address, contact, order details) and are independently responsible for compliance.
Vendor Onboarding: identity verification and compliance checks may require limited SPI for lawful purposes. We do not disclose biometric identifiers for advertising.
Contracts & DPAs: service providers and contractors are bound by agreements restricting use of personal information to specified business purposes.
Purpose Limitation
In Plain Language: We only use your data for the reasons we told you about. If we need it for something new, we’ll let you know first.
Collection-Use Alignment
Pursuant to CCPA § 1798.100(c), Upmos shall not collect additional categories of personal information or use personal information already collected for additional purposes that are materially different from the purposes disclosed at the time of collection, without first providing the consumer with a new notice at collection.
Data Minimization
Upmos adheres to a data minimization principle: we collect only the personal information that is reasonably necessary and proportionate to achieve the disclosed purpose. We regularly review our data collection practices to ensure alignment with this commitment.
Secondary Use
If Upmos determines a need to use previously collected personal information for a purpose materially different from the original disclosure, Upmos will:
Provide you with a supplemental notice identifying the new purpose
Obtain your explicit consent where required by law
Update this notice and the effective date accordingly
Retention Alignment
Personal information is retained only for as long as reasonably necessary to fulfill the purpose for which it was collected. See Data Retention & Deletion for our full retention schedule.
Shine the Light (§1798.83)
In Plain Language: California’s “Shine the Light” law lets you ask us which companies we shared your data with for marketing purposes.
Your Shine the Light Rights
Under California Civil Code § 1798.83 (“Shine the Light”), California residents who have provided personal information to a business with which they have an established business relationship may request, once per calendar year:
The categories of personal information that the business has disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year
The names and addresses of all such third parties
How to Make a Request
To exercise your Shine the Light rights, send a written request to:
Mail: Upmos Inc., Attn: Privacy Team — Shine the Light Request, 9896 Bissonnet St, Houston, TX 77036, United States
We will respond within 30 days of receiving your verifiable request.
Current Disclosure Status
Upmos does not disclose personal information to third parties for their direct marketing purposes. If this practice changes, we will update this section and provide appropriate opt-out mechanisms.
Cross-Border Data Transfers
In Plain Language: Your data is processed in the United States. We apply CCPA-level protections regardless of where your data flows.
Data Processing Location
Upmos processes and stores personal information primarily on servers located in the United States. By using our services, you acknowledge that your personal information may be transferred to, processed, and stored in the United States, which may have different data protection laws than your jurisdiction.
Safeguards
Regardless of where personal information is processed, Upmos applies the following safeguards:
Contractual Protections: All service providers and contractors are bound by CCPA-compliant data processing agreements (DPAs) that restrict the use, retention, and disclosure of personal information
Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
Access Controls: Strict role-based access controls limit who can access personal information
Vendor Assessments: Third-party vendors are assessed for privacy and security compliance before engagement
No Sale Across Borders
Upmos does not sell personal information to entities outside of the United States. Any sharing with service providers outside the U.S. is strictly for business operations and governed by CCPA-compliant contractual obligations.
Annual Metrics & Transparency
In Plain Language: We publish statistics about how many privacy requests we receive and how quickly we respond, even though we may not be legally required to.
Transparency Commitment
Under 11 CCR § 7102 (formerly § 999.317(g)), businesses that process the personal information of 10 million or more consumers annually must compile and publish certain metrics. While Upmos may not currently meet this threshold, we publish the following in the spirit of transparency and accountability:
Annual Privacy Request Metrics
Metric
Current Period
Requests to Know (Access)
—
Requests to Delete
—
Requests to Opt-Out of Sale/Sharing
—
Requests to Correct
—
Median Response Time (days)
—
Requests Denied (with reason)
—
Metrics are updated annually by July 1 for the preceding calendar year. Dashes (—) indicate no requests were received or that the reporting period has not yet concluded.
Frequently Asked Questions
What is the CCPA/CPRA?
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a comprehensive privacy law that gives California residents specific rights over their personal information. It applies to businesses that meet certain thresholds and collect personal information from California consumers.
Am I covered by this notice?
You are covered if you are a California resident (as defined by Cal. Rev. & Tax Code §17014) and Upmos collects your personal information, regardless of whether you have made a purchase. This includes browsing our website, creating an account, or interacting with our services.
How do I submit a privacy request?
You can submit a verifiable consumer request through any of the following channels:
We will acknowledge your request within 10 business days and respond substantively within 45 calendar days.
What is the Global Privacy Control (GPC)?
GPC is a browser-level signal that tells websites you do not want your personal information sold or shared. Upmos honors GPC signals as a valid opt-out request under the CCPA/CPRA. You can enable GPC in supported browsers or through browser extensions. See Do Not Sell or Share / GPC for details.
Does Upmos sell my personal information?
Upmos does not sell personal information in the traditional monetary sense. We do not exchange personal information for money. However, certain data sharing for targeted advertising may constitute a “sale” or “sharing” under the CCPA/CPRA’s broad definitions. You can opt out at any time via Do Not Sell/Share.
Can I delete my account and all associated data?
Yes. You may request deletion of your personal information at any time. Upon receiving a verified deletion request, we will delete (and direct our service providers to delete) your personal information from our records, subject to certain legal exceptions (e.g., fraud prevention, legal compliance, completing a transaction). See Data Retention & Deletion.
Can I appeal if my request is denied?
Yes. If we deny your request in whole or in part, we will provide a written explanation. You may appeal the decision by contacting us within 30 days. We will respond to your appeal within 60 days. If your appeal is also denied, you have the right to file a complaint with the California Attorney General or the California Privacy Protection Agency (CPPA). See Requests, Verification & Appeals.
What happens if Upmos violates the CCPA?
Pursuant to Cal. Civ. Code § 1798.155, the California Attorney General and the California Privacy Protection Agency (CPPA) may impose administrative fines of up to $2,500 per unintentional violation, $7,500 per intentional violation, and a separate $7,500 per violation involving the personal information of a consumer Upmos has actual knowledge is under 16 years of age. In addition, pursuant to Cal. Civ. Code § 1798.150, consumers have a private right of action in the event of a data breach involving certain categories of personal information, with statutory damages of $100–$750 per consumer per incident or actual damages, whichever is greater. Before initiating an action for statutory damages, the consumer must give Upmos 30 days’ written notice identifying the specific provisions violated; pursuant to § 1798.150(b)(2), no advance notice is required for actions seeking solely actual pecuniary damages. Upmos takes compliance seriously and has implemented comprehensive safeguards to prevent violations.
This California Privacy Notice describes our personal information practices. It does not constitute a warranty, guarantee, or legal liability beyond what is required by CCPA/CPRA and applicable law. We strive to protect your information, but no system is 100% secure. We are not liable for:
Unauthorized access due to circumstances beyond our control
Data breaches resulting from third-party service provider failures (subject to our vendor contracts)
Loss or damage resulting from your breach of this policy or applicable law
Decisions made by AI systems, which operate under our Acceptable Use Policy and AI governance frameworks
Merchant or seller actions; merchants are independent controllers of customer data
For detailed liability disclaimers, see our main Terms of Use and Acceptable Use Policy.
For questions or concerns about this policy, contact privacy@upmos.com or call 1-855-637-2433.
Upmos Inc.
9896 Bissonnet St
Houston, TX 77036
United States
Version History
Material revisions to this Policy are tracked below. Minor typographical fixes are not separately enumerated.
Version
Date
Changes
v2.3
June 1, 2026
Content audit and statutory refinement. Corrected the annual-metrics publication schedule from January 1 to July 1 for the preceding calendar year (11 CCR § 7102). Expanded the violation-penalties FAQ to reflect CPRA § 1798.155 in full (separate $7,500 cap for violations involving consumers under 16, and CPPA civil enforcement alongside the AG) and added the § 1798.150(b)(2) carve-out so actions seeking solely actual pecuniary damages do not require 30-day notice. Added COPPA citations (15 U.S.C. § 6501 et seq.; 16 CFR Part 312) to the under-13 paragraph. Added the notice-at-or-before-collection citations at the top of the Notice at Collection (§ 1798.100(b) and 11 CCR § 7012). Added Service-Provider, Contractor, and biometric-SPI definitional citations (§ 1798.140(ag) / (j) / (ae)(1)(C)) to Sharing & Service Providers. Added the developing CPPA Automated Decision-Making Technology (ADMT) regulations reference (§ 1798.185(a)(16)) and cross-linked the AI & Algorithmic Disclosure from AI Products & Automated Decisions. Normalized brand chrome (all-caps mentions converted to title case in 14 places), standardized statutory citation style (§ entity → literal § in three cites), and removed a duplicate “This policy is part of our Terms of Use” sentence from the Disclaimer.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
