Privacy Policy
Effective Date: January 1, 2026 | Last Revised: May 20, 2026 | Version 1.4
What We Collect
How We Use It
Sharing
Your Rights
Cookies
CCPA/CPRA
GDPR
Your privacy matters. This Privacy Policy describes what personal data we collect, how we use and share it, the legal bases we rely on, and the rights you can exercise. It applies to the Upmos marketplace, member programs, and related services. By using our Services you accept the practices described here — do not use the Services if you do not agree.
In Plain English (Non-Binding Summary)
We collect what we need to run the marketplace. Account, order, payment, device, and behavioral data are used to operate Upmos, fulfill orders, prevent fraud, personalize the experience, and meet legal obligations. We share data only with vendors, payment processors, carriers, and service providers needed to run the marketplace — we do not sell personal data for cross-context behavioral advertising without your opt-in. You can access, correct, delete, port, or restrict your personal data, opt out of marketing, and exercise CCPA/CPRA, GDPR/UK GDPR, VCDPA, CPA, and PIPEDA rights through our DSAR process. We retain data only as long as necessary and protect it with industry-standard security.
This plain-language box is provided for accessibility and readability only. It is not a substitute for the full Policy below, which controls in case of any conflict.
Print, Export & Relevant Links
Table of Contents
- 1. Policy Scope & Applicability
- 2. Information We Collect
- 3. How We Use Your Information
- 4. Legal Basis for Processing
- 5. Sharing with Third Parties
- 6. Vendor & Data Processor List
- 7. International Data Transfers
- 8. Data Retention
- 9. Your Privacy Rights
- 10. Data Subject Access Request (DSAR) Process
- 11. Data Deletion Request Process
- 12. Automated Decision Making & Profiling
- 13. Special Categories of Data
- 14. Cookies & Tracking Technologies
- 15. Data Security
- 16. Marketing & Communications Preferences
- 17. Third-Party Links & External Sites
- 18. Privacy by Design & Default
- 19. Complaints & Grievance Procedures
- 20. Children's Privacy
- 21. Age, Minors, and Minor Logins
- 22. AI Products, Social Logins, and Google API Limited Use
- 23. Do-Not-Track (DNT) and Global Privacy Control (GPC)
- 24. Financial Incentives & Loyalty Programs
- 25. Authorized Agents & Verification
- 26. Anonymized Data & Research
- 27. Australia & New Zealand Supplement
- 28. California Supplement (CCPA/CPRA)
- 29. Virginia Supplement (VCDPA)
- 30. Colorado Supplement (CPA)
- 31. Canadian Supplement (PIPEDA)
- 32. UK GDPR Supplement
- 33. Policy Updates & Amendments
- 34. Contact Us
- How Can You Contact Us About This Policy?
- Version History
1. Policy Scope & Applicability
- Jurisdictions: Global (with specific supplements for California, Virginia, Colorado, Canada, UK, EU/EEA, Australia)
- Services: UPMOS website, mobile applications, e-commerce platform, customer support, and all related services
- Data Subjects: Customers, website visitors, newsletter subscribers, vendors, employees, contractors
- Processing Locations: United States (primary), EU (cloud backup), Canada (service providers)
Version Control: This is Version 3.0 of our Privacy Policy. Previous versions available upon request at privacy@upmos.com.
2. Information We Collect
Information You Provide Directly
- Account Information: Name, email, password, phone, address, profile data
- Transaction Data: Purchase history, payment details, billing/shipping addresses
- Communications: Support tickets, emails, chat messages, feedback
- User Content: Reviews, photos, uploaded files, survey responses
Automatically Collected Information
- Device Data: Device type, OS, browser, unique identifiers, IP address
- Usage Data: Pages viewed, time spent, clicks, search queries, feature usage
- Location Data: Approximate location (country, state/region, city) derived from your IP address via Cloudflare geolocation headers for server-side content rendering; not stored beyond the page request
- Technical Data: Cookies, log files, error reports, performance metrics
Third-Party Sources
- Payment processors, analytics providers, social media platforms (with your authorization)
- Public databases, business partners, affiliate networks
- Verification partners for fraud prevention and identity validation
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide Services | Account, usage data | Contract performance |
| Process payments | Payment, transaction data | Contract, legal obligation |
| Customer support | Communication data | Contract, legitimate interest |
| Improve Services | Usage, technical data | Legitimate interest |
| Marketing | Email, preferences | Consent |
| Fraud prevention | Device, transaction data | Legal obligation, legitimate interest |
| Legal compliance | All data as required | Legal obligation |
4. Legal Basis for Processing
Contract Performance
Processing necessary to fulfill our contract with you (order fulfillment, account management, customer support).
Legitimate Interests
Processing for legitimate business purposes (analytics, fraud prevention, service improvement) where not overridden by your rights.
Consent
Processing based on your explicit consent (marketing, optional features), which you may withdraw anytime at privacy@upmos.com.
Legal Compliance
Processing to comply with laws, regulations, court orders, or governmental requests.
5. Sharing with Third Parties
Service Providers
We share data with vetted service providers who process data on our behalf:
- Payment processors (Stripe, PayPal) – transaction processing
- Cloud hosting (AWS, Azure) – infrastructure and storage
- Analytics (Google Analytics) – usage analysis
- Email services (SendGrid) – transactional and marketing emails
- Shipping carriers (FedEx, UPS) – order fulfillment
- Affiliate program management (Impact Tech, Inc.) – affiliate link attribution, conversion tracking, partner-payout administration, W-9 / W-8BEN tax-form collection. See Affiliate Program Terms.
Legal Requirements
We disclose information when required by law, court order, subpoena, or to protect our rights and safety.
Business Transfers
In merger, acquisition, or asset sale, your information may be transferred. You will be notified of any ownership change.
No Sale of Personal Information
We do NOT sell, rent, or trade your personal information to third parties for their direct marketing purposes.
6. Vendor & Data Processor List
Complete list of third-party processors with data processing activities:
| Vendor | Purpose | Location | Certification | Privacy Policy |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | PCI DSS Level 1, SOC 2 | View Policy |
| Microsoft Azure | Cloud hosting | USA, EU | ISO 27001, SOC 2 | View Policy |
| Google Analytics | Usage analytics | USA | Privacy Shield (legacy), SCCs | View Policy |
| SendGrid (Twilio) | Email delivery | USA | SOC 2 Type II | View Policy |
| Cloudflare | CDN, security, IP geolocation for server-side content localization | Global | ISO 27001, SOC 2 | View Policy |
| FedEx | Shipping logistics | USA | Industry standard | View Policy |
| Airwallex | Payment processing, payouts | Hong Kong / Global | PCI DSS Level 1, ISO 27001 | View Policy |
| MultiVendorX (WC Marketplace) | Marketplace / vendor management | India / Global | GDPR-compliant DPA | View Policy |
| Complianz | Cookie consent & compliance | Netherlands | GDPR, ePrivacy Directive | View Policy |
| AIOSEO | SEO metadata (no personal data stored server-side) | USA | GDPR-compliant | View Policy |
| Impact Tech, Inc. (impact.com) | Affiliate program management — click tracking, conversion attribution, partner payouts (PayPal/ACH/wire/check), W-9 / W-8BEN collection, 1099-NEC issuance. Data fields: hashed/IP-truncated identifiers, click ID, transaction ID, basket value, order line items, customer email hash (for de-duplication only). | USA (HQ Santa Barbara, CA) — global tracking edges | SOC 2 Type II, ISO 27001, GDPR DPA, EU-U.S. Data Privacy Framework certified | View Policy |
All processors are bound by Data Processing Agreements (DPAs) and adhere to GDPR Article 28 requirements.
7. International Data Transfers
Transfer Mechanisms
We transfer personal data internationally using the following safeguards:
- Standard Contractual Clauses (SCCs): EU-approved contracts for GDPR compliance
- Adequacy Decisions: Transfers to countries recognized by EU Commission as adequate
- Binding Corporate Rules (BCRs): Internal policies approved by data protection authorities
- SCHREMS II Compliance: Supplementary measures including encryption, access controls, data minimization
Countries We Transfer Data To
United States (primary operations), European Union (backup), Canada (service providers), Australia (partners)
For EU/EEA residents, we ensure all transfers comply with GDPR Chapter V requirements.
8. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Account lifetime + 5 years | Tax, legal compliance |
| Transaction records | 7-10 years | Tax law requirements |
| Communication logs | Purpose + 3 years | Dispute resolution |
| Marketing data | 3 years or until opt-out | Campaign effectiveness |
| Security logs | 1-3 years | Fraud prevention |
| Cookies | Per cookie type | Session management |
After retention periods expire, we securely delete or anonymize data. You may request earlier deletion subject to legal requirements.
9. Your Privacy Rights
GDPR Rights (EU/EEA)
Under the General Data Protection Regulation (GDPR), you have:
- Access: Copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Delete your data (right to be forgotten)
- Restrict Processing: Limit how we use data
- Data Portability: Receive data in portable format
- Object: Object to processing for marketing/profiling
- Lodge Complaint: File complaint with supervisory authority
CCPA Rights (California)
Under the California Consumer Privacy Act (CCPA), you have:
- Right to Know: Categories and specific data collected
- Right to Delete: Request deletion of data
- Right to Opt-Out: Opt out of sale/sharing (we don’t sell data)
- Right to Correct: Correct inaccurate information
- Non-Discrimination: No penalties for exercising rights
To exercise rights, email privacy@upmos.com. We respond within 30 days (GDPR) or 45 days (CCPA).
10. Data Subject Access Request (DSAR) Process
Fast track: Email privacy@upmos.com with subject “DSAR Request” and include your account email, request scope (all data or specific systems), and preferred format (CSV/JSON/PDF).
How to Submit a DSAR
- Email privacy@upmos.com with subject line “DSAR Request”
- Provide: Full name, email address, account details, specific data requested
- Identity verification required (government ID or account authentication)
- We respond within 30 days (GDPR) or 45 days (CCPA), may extend 30-60 days if complex
What You’ll Receive
- Copy of personal data in portable format (CSV, JSON, PDF)
- Categories of data collected
- Sources of data
- Purposes of processing
- Third parties with whom data is shared
Fees & Limitations
First request is free. Manifestly unfounded or excessive requests may incur reasonable administrative fees. We may refuse requests that jeopardize others’ rights or are legally prohibited.
11. Data Deletion Request Process
Right to Erasure
You may request deletion of your personal data under GDPR Article 17, CCPA Section 1798.105, and similar laws.
How to Request Deletion
- Email privacy@upmos.com with subject “Deletion Request”
- Verify your identity
- Specify data to be deleted (or request full account deletion)
- We process within 30 days and confirm via email
Exceptions to Deletion
We may retain data when necessary for:
- Completing transactions or providing requested services
- Legal compliance (tax, accounting, regulatory requirements)
- Fraud prevention and security purposes
- Exercising free speech or research purposes
- Internal operations (debugging, improving services)
Deleted data is securely erased within 90 days from all production systems and backups.
12. Automated Decision Making & Profiling
Automated Processing Activities
We use automated decision-making and profiling for:
- Fraud Detection: Algorithms analyze transactions for fraud patterns (affects order approval)
- Product Recommendations: Machine learning suggests products based on browsing history
- Dynamic Pricing: Algorithms may adjust prices based on demand, inventory, user behavior
- Credit/Risk Assessment: Automated scoring for payment plans or financing options
Your Rights (GDPR Article 22)
- Right to human review of automated decisions
- Right to contest automated decisions
- Right to express your point of view
- Right to obtain explanation of decision
To request human review of an automated decision, contact privacy@upmos.com within 30 days.
13. Special Categories of Data
GDPR Article 9 Sensitive Data
We generally do NOT collect special categories of personal data (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, genetic data, sexual orientation). If collection is necessary:
- We obtain explicit consent
- Process only when legally permitted
- Apply enhanced security measures
- Limit access to authorized personnel only
Health & Biometric Data
If you voluntarily provide health information (e.g., for product recommendations or accommodations), we:
- Process only with explicit consent
- Encrypt data at rest and in transit
- Restrict access to need-to-know basis
- Retain only as long as necessary
14. Cookies & Tracking Technologies
Types of Cookies
| Type | Purpose | Duration | Consent Required |
|---|---|---|---|
| Essential | Authentication, security, cart | Session to 1 year | No |
| Analytics | Usage patterns, performance | 1-2 years | Yes |
| Functional | Preferences, customization | 1-2 years | Yes |
| Marketing | Personalized ads, campaigns | 1-2 years | Yes |
| Affiliate Tracking | Attribute purchases to the partner whose link you clicked, so they earn a commission (Impact.com via first-party domain impact.upmos.com). Click ID stored as first-party cookie + LocalStorage entry. |
30 days (matches affiliate cookie window) | Yes |
Your Choices
Manage cookies via browser settings or our cookie consent banner. Disabling cookies may affect functionality.
Do Not Track
We honor Do Not Track (DNT) signals where technically feasible.
15. Data Security
Security Measures
- TLS/SSL encryption for data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication (MFA)
- Regular security audits and penetration testing
- Employee training on data protection
- Access controls and principle of least privilege
- Incident response and disaster recovery plans
Data Breach Notification
In case of breach affecting your data, we notify you and authorities within 72 hours (GDPR) via email or website notice.
16. Marketing & Communications Preferences
Email Marketing
We send marketing emails only with your consent. Opt out via unsubscribe link or email preferences@upmos.com.
SMS/Push Notifications
Opt in required. Manage via account settings or reply STOP to SMS.
Preference Management
Control all communication preferences at upmos.com/preferences or privacy@upmos.com.
Transactional emails (order confirmations, account notices) are not affected by marketing opt-out.
17. Third-Party Links & External Sites
Our Services may contain links to third-party websites, plugins, or applications. We are not responsible for privacy practices of third parties.
Disclaimer: Clicking external links takes you to sites governed by their own privacy policies. Review third-party policies before providing information.
We do not endorse or assume liability for content, products, or practices of linked sites.
18. Privacy by Design & Default
We implement privacy-first principles in all Services:
- Data Minimization: Collect only necessary data
- Purpose Limitation: Use data only for stated purposes
- Encryption by Default: Encrypt all sensitive data
- Privacy Impact Assessments: Conduct PIAs for high-risk processing
- Secure by Default: Strongest privacy settings enabled by default
- Transparency: Clear communication about data practices
19. Complaints & Grievance Procedures
Internal Complaints
File complaints at privacy@upmos.com. We respond within 30 days with resolution or action plan.
Supervisory Authorities
EU/EEA residents may lodge complaints with local Data Protection Authority:
- Find your DPA: European Data Protection Board Directory
- UK residents: ICO (Information Commissioner’s Office)
- California residents: California Attorney General
20. Children's Privacy
Services are not directed to children under 13 (or equivalent minimum age) in compliance with COPPA (Children’s Online Privacy Protection Act). We do not knowingly collect data from children.
If we discover child data collected without parental consent, we delete it immediately. Contact privacy@upmos.com if you believe we have child data.
Users 13-18: Enhanced protections apply per COPPA and applicable laws.
21. Age, Minors, and Minor Logins
Account Eligibility: 18+ to create an account and transact. Minors 13-17 may use Services only under a parent/guardian account with supervised payment methods.
Age-Restricted Products: Age verification is required at checkout and delivery; government ID may be requested where permitted by law.
Parental Controls: Parents can manage spending limits, approvals, and notifications; contact privacy@upmos.com for support.
22. AI Products, Social Logins, and Google API Limited Use
AI Products: We use vetted AI service providers (e.g., OpenAI) for automation/analysis with contractual safeguards. Do not submit unnecessary personal data in free-form inputs.
Social Logins: If you sign in with social platforms, we receive the profile fields you permit (e.g., name, email, avatar). You can revoke permissions in the social platform at any time.
Google API Limited Use: Any Google user data obtained via Google APIs is handled per Google API Services User Data Policy (Limited Use). We do not transfer it for advertising or allow human reading except with consent, security needs, or legal requirements.
23. Do-Not-Track (DNT) and Global Privacy Control (GPC)
We process browser Global Privacy Control (GPC) signals to honor opt-outs from sale/share/targeted advertising where required. DNT standards are not yet uniform; we will align with recognized standards as they are finalized.
24. Financial Incentives & Loyalty Programs
If we offer price or service differences, loyalty programs, or incentives, we will disclose the material terms, categories of data involved, valuation method, and opt-out/withdrawal method. Participation is voluntary.
25. Authorized Agents & Verification
You may appoint an authorized agent (e.g., under CCPA/CPRA). We require proof of authorization and identity verification and may contact you to confirm the request. Verification can include matching account details or government ID.
26. Anonymized Data & Research
We may share de-identified or aggregated data for analytics or research. We do not attempt to re-identify such data and contractually prohibit recipients from doing so.
27. Australia & New Zealand Supplement
This section applies to residents of Australia and New Zealand and supplements the rights described elsewhere in this Policy.
Australia — Privacy Act 1988
We handle personal information in line with the 13 Australian Privacy Principles (APPs). Australian residents have rights to:
- Access personal information we hold about you (APP 12)
- Correction of inaccurate, out-of-date, incomplete, irrelevant or misleading information (APP 13)
- Anonymity / pseudonymity where lawful and practicable (APP 2)
- Opt out of direct marketing (APP 7)
- Notification of eligible data breaches under the Notifiable Data Breaches scheme
Cross-border disclosures of Australian personal information are made under written contractual safeguards consistent with APP 8. Complaints can be lodged with the Office of the Australian Information Commissioner (OAIC) after first contacting privacy@upmos.com.
New Zealand — Privacy Act 2020
We follow the 13 Information Privacy Principles (IPPs). New Zealand residents have rights to:
- Access personal information about themselves (IPP 6)
- Correction of personal information (IPP 7)
- Notification of notifiable privacy breaches under Part 6
- Complaint to the Privacy Commissioner if we fail to address concerns
Where personal information is sent outside New Zealand, we use providers in countries with comparable privacy safeguards or contractual protections consistent with IPP 12. File complaints with the Office of the Privacy Commissioner (NZ).
How to Exercise These Rights
Email privacy@upmos.com with the subject line “AU Privacy Request” or “NZ Privacy Request”. We will acknowledge within 10 business days and respond within 30 days (extendable by a further 30 days for complex requests with notice).
28. California Supplement (CCPA/CPRA)
California Consumer Privacy Act Rights
Right to Know: Request categories and specific pieces of data collected in past 12 months.
Right to Delete: Request deletion of personal information (subject to exceptions).
Right to Opt-Out of Sale: We do NOT sell personal information. No opt-out needed.
Right to Correct: Request correction of inaccurate information.
Right to Limit Use of Sensitive Personal Information: Limit use of sensitive data.
Shine the Light Law
California residents may request information about disclosure of personal information to third parties for direct marketing (once per year). Email privacy@upmos.com.
Do Not Sell or Share
We do NOT sell or share personal information for cross-context behavioral advertising.
Authorized Agent
California residents may designate authorized agents to submit requests. Agent must provide written authorization.
Non-Discrimination
We will NOT discriminate against you for exercising CCPA rights (deny services, charge different prices, provide different quality).
29. Virginia Supplement (VCDPA)
Virginia Consumer Data Protection Act (effective Jan 1, 2023) grants Virginia residents:
- Right to Access: Confirm and access personal data
- Right to Correct: Correct inaccuracies
- Right to Delete: Delete personal data
- Right to Data Portability: Obtain copy in portable format
- Right to Opt Out: Opt out of targeted advertising, sale, profiling
- Appeal Rights: Appeal denials; if denied again, you may contact the Virginia Attorney General.
- GPC: We honor Global Privacy Control signals as an opt-out request.
Exercise Virginia rights at privacy@upmos.com. Appeals: privacy-appeals@upmos.com. Virginia Attorney General: File a Complaint
30. Colorado Supplement (CPA)
Colorado Privacy Act (effective July 1, 2023) grants Colorado residents:
- Access & Portability: Access and obtain copy of data
- Correction: Correct inaccurate data
- Deletion: Delete personal data
- Opt Out: Opt out of targeted advertising, sale, profiling for significant decisions
- Appeal Window: 45 days to respond; you may appeal within 45 days of a denial.
Colorado residents may appeal decisions at privacy-appeals@upmos.com within 15 days.
31. Canadian Supplement (PIPEDA)
Personal Information Protection and Electronic Documents Act applies to Canadian residents:
Accountability & Consent
We are accountable for personal data in our possession. We obtain meaningful consent for collection, use, disclosure.
Cross-Border Transfers
Data may be processed in USA. We use contracts and safeguards to protect data transferred outside Canada.
Canadian Privacy Commissioner
File complaints with Office of the Privacy Commissioner of Canada
Quebec Law 25
Quebec residents have additional rights under Quebec’s modernized privacy law. Contact privacy@upmos.com for Quebec-specific requests.
32. UK GDPR Supplement
This section applies to residents of the United Kingdom and supplements the rights set out in §9 (Your Privacy Rights). The UK GDPR and the Data Protection Act 2018 (DPA 2018) govern our processing of UK personal data.
Your Rights Under UK GDPR
- Right of access — obtain a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) — subject to legal-retention exceptions
- Right to restrict processing — pause certain uses pending verification
- Right to data portability — receive your data in a structured, commonly used, machine-readable format
- Right to object — including objection to direct marketing (absolute) and to profiling
- Rights related to automated decision-making — including a meaningful human review
- Right to withdraw consent — where processing is based on consent
- Right to lodge a complaint with the ICO
Lawful Bases for UK Processing
We rely on the same lawful bases described in §4 (Legal Basis for Processing): contract, legitimate interests, consent, legal obligation, vital interests, and public interest, as applicable.
International Transfers from the UK
Where we transfer UK personal data outside the UK, we use the ICO’s International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, supplemented by Transfer Risk Assessments where required.
UK Representative & Data Protection Officer
UK-specific privacy requests, including subject access requests under Article 15 UK GDPR, may be sent to privacy-uk@upmos.com. We respond within one calendar month (extendable by up to two further months for complex or numerous requests, with notice).
Supervisory Authority
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113 · Online: ico.org.uk/make-a-complaint
33. Policy Updates & Amendments
How We Update
We may update this policy to reflect changes in practices, laws, or Services. Material changes will be communicated via:
- Email notification (if you have account)
- Prominent website notice
- Updated “Last Updated” date at top
Your Rights on Changes
Continued use after changes constitutes acceptance. If you disagree, discontinue use and request account deletion.
Changelog
- May 15, 2026 (v1.3): Unwrapped broken collapsible-disclosure containers on sections 27–32 so AU/NZ, California, Virginia, Colorado, Canada, and UK GDPR supplements render as full sections instead of collapsed empty pills. Removed stray empty contact-info container. Enriched AU/NZ and UK GDPR sections with rights enumerations, transfer mechanisms, and supervisory-authority details.
- May 13, 2026 (v1.2): Added Cloudflare IP geolocation disclosure for country/region/city derived from request headers; updated Cloudflare processor scope.
- May 12, 2026 (v1.1): Restored pill-chip navigation and In Plain English summary; rebuilt jump-bar into three categorized columns; readability hardening for light + dark mode.
- May 11, 2026 (v1.0): Initial publication under the Upmos Gold Standard policy format with accessibility chrome, JSON-LD schema, dark mode, reading progress, two-column TOC, jump-bar, and Department Directory.
- December 31, 2025: Pre-Gold-Standard refresh: added minors, AI, DNT/GPC, financial incentives, agent verification, anonymization, AU/NZ supplement.
- January 1, 2024: Prior comprehensive refresh and supplemental rights alignment.
34. Contact Us
Data Protection Officer
UPMOS Inc.
Email: privacy@upmos.com
Website: https://upmos.com
Response Time: 30 days
EU Representative (GDPR)
Email: gdpr@upmos.com
UK Representative (UK GDPR)
Email: privacy-uk@upmos.com
California Privacy Rights (CCPA)
Email: privacy@upmos.com
Toll-Free: 1-800-UPMOS-CA
Security & Responsible Disclosure
Email: security@upmos.com
PGP Key: Available at upmos.com/security
Last Updated: December 31, 2025
GDPR | CCPA/CPRA | VCDPA | CPA | PIPEDA | UK GDPR | COPPA
ISO 27001 | SOC 2 Type II | Privacy Shield (Legacy SCCs)
How Can You Contact Us About This Policy?
If you have any further questions or comments or wish to report any problematic Content or Contribution, you may contact us by:
General Contact
- Phone: 1(855)637-2433 (Mon–Fri, 9 AM–5 PM CST)
- General Support: support@upmos.com
- Report Issue: upmos.com/report
- Send Feedback: upmos.com/feedback
Department Directory
| Department | Purpose | |
|---|---|---|
| General Support | support@upmos.com | Account help, general inquiries |
| Legal | legal@upmos.com | Legal questions, appeals, terms inquiries |
| DMCA / Copyright | dmca@upmos.com | Copyright infringement notices & counter-notices |
| Privacy | privacy@upmos.com | Data requests, CCPA/GDPR inquiries |
| Fraud | fraud@upmos.com | Report fraudulent activity (24/7) |
| Security | security@upmos.com | Vulnerability reports, bug bounty |
| Disputes | disputes@upmos.com | Transaction & seller disputes |
| Refunds | refunds@upmos.com | Refund requests & status |
| Accessibility | accessibility@upmos.com | Accessibility issues & feedback |
Mailing Address
Upmos Inc.
9896 Bissonnet St
Houston, TX 77036
United States
Version History
Material revisions to this Policy are tracked below. Minor typographical fixes are not separately enumerated.
| Version | Date | Changes |
|---|---|---|
| v1.4 | May 20, 2026 | Added Impact Tech, Inc. (impact.com) to the third-party data-processor disclosures in tandem with the Affiliate Program Terms v2.1 launch. §5 Sharing with Third Parties — new Service Provider bullet for affiliate program management (click tracking, conversion attribution, partner payouts, W-9 / W-8BEN, 1099-NEC). §6 Vendor & Data Processor List — new row for Impact Tech (purpose, data fields shared, location USA / global edges, certifications SOC 2 Type II + ISO 27001 + GDPR DPA + EU-U.S. DPF), with link to Impact’s Privacy Policy. §14 Cookies & Tracking Technologies — new “Affiliate Tracking” row in the cookie-types table (first-party cookie via impact.upmos.com; 30-day duration matching the affiliate cookie window; consent required). Cross-link to Affiliate Program Terms added in §5. Single-row Version History (v1.1 / v1.2 / v1.3 historical rows collapsed per the policy-wide single-row standard). Additive only — no
|
