Age Restriction & COPPA Compliance Policy
Effective Date: January 1, 2026 | Last Revised: May 20, 2026 | Version 2.0.1 · …
About this Age Restriction & COPPA Compliance Policy. This Policy covers the rules, obligations, and rights that apply to this policy on the Upmos marketplace. Read the full text below; by using our Services you agree to comply with it.
In Plain English (Non-Binding Summary)
Legal Framework & Citations. This policy reflects our good-faith approach to the following federal, state, and international minor-privacy and age-restriction frameworks. Some are in active litigation or evolving; we monitor developments and adjust Age Tiers & Restrictions. Upmos operates a four-tier age framework that reflects the core COPPA under-13 prohibition plus a “middle tier” for teens aged 13–17 based on the emerging U.S. state-law consensus (CA AADC, CA SB 976, Data Minimization & Prohibited Collection. Upmos does not direct its service at children under 13 and, in good faith, does not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected pers
This plain-language box is provided for accessibility and readability only. It is not a substitute for the full Policy below, which controls in case of any conflict.
Print, Save & Relevant Links
Table of Contents
- Legal Framework & Citations
- Age Tiers & Restrictions
- Data Minimization & Prohibited Collection
- Age Verification & Verifiable Parental Consent (VPC)
- Age-Gated Product Matrix
- Seller & Vendor Obligations
- Enforcement & Internal Accountability
- Parental & Guardian Rights
- Algorithmic Recommendations & Dark Patterns
- No Sale or Share of Minors’ Personal Information
- Technical & Organizational Security
- Audit Trail, Breach Notification & Reporting
- Independent Review & Safe Harbor
- International Compliance
- Global Age-of-Majority Reference
- Parent/Guardian Education & Resources
- Accessibility & Inclusive Design
- School, District & Teacher-Authorized Use
- Removal of Minor-Uploaded Content & Takedown Procedure
- Emergency-Use Disclosure & Judicial Process
- Frequently Asked Questions
- Governing Law & Jurisdiction
- Binding Arbitration & Minor-Rights Carve-Out
- Limitation of Liability
- Indemnification
- Export Control & Sanctions Compliance
- General Provisions
- Amendments, Scope & Non-Warranty
- How Can You Contact Us About This Policy?
- Version History
Legal Framework & Citations
1.1 Primary Legal Frameworks
This policy reflects our good-faith approach to the following federal, state, and international minor-privacy and age-restriction frameworks. Some are in active litigation or evolving; we monitor developments and adjust practices as needed.
| Framework | Citation | Jurisdiction | What It Covers |
|---|---|---|---|
| U.S. Federal | |||
| COPPA | 15 U.S.C. §§ 6501–6506 | United States | Personal information collected online from children under 13 |
| FTC COPPA Rule (2013) | 16 CFR Part 312 | United States | Implementing regulations for COPPA |
| 2025 FTC COPPA Rule Final Amendments | 90 FR 16960 (Apr. 2025), effective June 2025 (compliance date: April 2026) | United States | New separate-consent requirement for third-party disclosures; expanded definitions of personal information (biometric, inferred data, persistent identifiers); strengthened data-retention limits |
| Tobacco 21 Act | 21 U.S.C. § 387f(d) | United States | Federal minimum age of 21 for tobacco, nicotine, and vape products (effective Dec. 2019) |
| Federal Gun Control Act | 18 U.S.C. § 922(b) | United States | 18+ for long guns / 21+ for handguns from licensed dealers |
| Combat Methamphetamine Epidemic Act (CMEA) | 21 U.S.C. § 830(e) | United States | 18+ for pseudoephedrine / ephedrine OTC products with log-book requirement |
| FERPA (where Ed-Tech applies) | 20 U.S.C. § 1232g; 34 CFR Part 99 | United States (educational records) | Student educational records; overlaps with COPPA for school-sanctioned use |
| U.S. State | |||
| California CPRA (minors) | Cal. Civ. Code §§ 1798.100 et seq.; § 1798.120(c) | California | Opt-in required to sell/share data of under-16s; deletion, access, and correction rights for minors |
| California Age-Appropriate Design Code Act (AADC) | Cal. Bus. & Prof. Code § 22675 et seq. (AB 2273) | California | Default high-privacy settings; data-protection impact assessments; prohibition on dark patterns targeting minors (partially enjoined; Upmos tracks developments) |
| California Protecting Our Kids from Social Media Addiction Act | SB 976 (2024), eff. 2025 | California | Restrictions on algorithmic feeds & overnight notifications to minors without parental consent |
| Texas SCOPE Act | HB 18 (2023), Tex. Bus. & Com. Code ch. 509 | Texas | Digital service providers must register minors’ accounts; parental controls; targeted-advertising opt-out; harmful content filtering |
| New York SAFE for Kids Act | N.Y. Gen. Bus. Law § 1500 et seq. (S 7694, 2024) | New York | Restrictions on addictive algorithmic feeds to minors without parental consent |
| Florida HB 3 (2024) | Fla. Stat. § 501.1736 et seq. | Florida | Parental-consent requirement for minors’ social-media accounts (under-14 prohibition subject to litigation) |
| Utah Social Media Regulation Act | Utah Code Ann. § 13-63-101 et seq. | Utah | Parental consent for minor accounts; time-use restrictions (partially enjoined; Upmos tracks developments) |
| Arkansas Social Media Safety Act | Ark. Code Ann. § 4-88-1401 et seq. | Arkansas | Age-verification & parental-consent framework (partially enjoined pending litigation) |
| Louisiana Act 294 (Secure Online Child Interaction and Age Limitation) | La. Rev. Stat. § 51:1751 et seq. | Louisiana | Age verification for certain online content / platforms |
| Connecticut Kids Online Safety Act | Conn. Gen. Stat. ch. 924 (2023, eff. Oct. 2024) | Connecticut | Data-protection, default high-privacy settings, and dark-patterns prohibitions for consumers under 18 |
| Virginia, Colorado, Utah, Connecticut comprehensive privacy laws | VCDPA, CPA, UCPA, CTDPA (respectively) | Respective states | Prohibition on sale or targeted advertising using minors’ data without affirmative opt-in |
| Illinois BIPA | 740 ILCS 14/1 et seq. | Illinois | Written informed consent required before collecting, storing, or using biometric identifiers (including fingerprints, voiceprints, face/iris/retina scans); private right of action with statutory damages |
| Texas Capture or Use of Biometric Identifier (CUBI) | Tex. Bus. & Com. Code ch. 503 | Texas | Informed consent and retention/destruction requirements for biometric identifiers; enforced by the Texas Attorney General |
| New York SHIELD Act | N.Y. Gen. Bus. Law § 899-aa, § 899-bb | New York | Reasonable-safeguards requirement and breach-notification duties covering New York residents, including minors |
| Washington My Health My Data Act | Wash. Rev. Code ch. 19.373 | Washington | Heightened consent and no-sale rules for “consumer health data,” including data from minors |
| International | |||
| GDPR Article 8 | Regulation (EU) 2016/679, Art. 8 | European Union / EEA | Age of digital consent 16 by default; Member States may lower to 13 (see Global Age-of-Majority table below) |
| EU Digital Services Act Article 28 | Regulation (EU) 2022/2065, Art. 28 | European Union | Online platforms must take appropriate measures to protect minors’ privacy, safety, and security |
| UK Age-Appropriate Design Code (“Children’s Code”) | ICO Code of Practice under Data Protection Act 2018 § 123 | United Kingdom | 15 standards for online services likely to be accessed by children under 18 |
| UK Online Safety Act 2023 | c. 50 (2023) | United Kingdom | Child-safety duties for user-to-user and search services; highly-protected-content age assurance |
| PIPEDA | S.C. 2000, c. 5 | Canada (federal) | Privacy protection including heightened consideration for minors’ data |
| Québec Law 25 | An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (2021) | Québec, Canada | Enhanced consent rules for minors’ personal information |
| Australia Privacy Act 1988 + 2024 amendments | Privacy Act 1988 (Cth); Privacy and Other Legislation Amendment Act 2024 | Australia | Proposed Children’s Online Privacy Code under development; heightened protection for minors |
| Brazil LGPD Article 14 | Lei Geral de Proteção de Dados (Law 13.709/2018) | Brazil | Specific parental-consent and best-interests-of-the-child requirements |
Note. Several U.S. state age-verification and parental-consent laws face ongoing First-Amendment, Commerce-Clause, or preemption challenges. Where a law is enjoined or stayed, Upmos applies our COPPA-compliant baseline and monitors court rulings for updates. This table is not exhaustive and omits country- or state-level rules that do not directly apply to our e-commerce service.
1.2 FTC COPPA Safe Harbor Program
Safe Harbor status. The FTC’s COPPA Safe Harbor Program allows approved self-regulatory organizations (for example, iKeepSafe, PRIVO, kidSAFE, Entertainment Software Rating Board (ESRB) Privacy Certified, and TRUSTe) to review and certify COPPA compliance. Upmos is evaluating Safe Harbor admission and will disclose its certifying organization, certificate number, and renewal dates at compliance@upmos.com once admitted. Until then, Upmos self-assesses against the FTC COPPA Rule and the 2025 amendments using a combination of internal review and, where engaged, independent accessibility and privacy professionals.
This section will be updated with specific certifier, ID, and expiration details following Safe Harbor admission.
1.3 Regulatory Penalties
COPPA violations carry significant legal and financial penalties:
- Civil Penalties: Up to $50,120 per violation (adjusted annually)
- FTC Enforcement: Cease and desist orders, consent decrees
- State Actions: Attorney General enforcement under state consumer protection laws
- Private Actions: Class action lawsuits for privacy violations
- Reputational Damage: Brand integrity and consumer trust erosion
Critical Compliance Notice: COPPA violations are per child, per instance. A single data collection event affecting 100 children could result in penalties exceeding $5 million. Upmos treats COPPA compliance as our highest operational priority.
Age Tiers & Restrictions
2.1 Multi-Tier Age Framework
Upmos operates a four-tier age framework that reflects the core COPPA under-13 prohibition plus a “middle tier” for teens aged 13–17 based on the emerging U.S. state-law consensus (CA AADC, CA SB 976, TX SCOPE, NY SAFE, CT Kids Online Safety, FL HB 3) and international frameworks (UK Children’s Code, EU DSA Art. 28).
| Age Tier | Access | Verification | Parental/Guardian Consent | Data Handling |
|---|---|---|---|---|
| Under 13 (COPPA “child”) |
Prohibited. UPMOS is not directed at children; no accounts are permitted. | Age self-declaration at sign-up; behavioral signals trigger additional review. | Not applicable — accounts not allowed. | No knowing collection. On discovery of inadvertent collection, data is deleted and the account blocked; parents notified where contact is known. |
| 13–15 (“younger teen”) |
Limited account, with parental/guardian consent. | DOB + email verification + verifiable parental consent (see § 4 VPC methods). | Required. Verifiable Parental Consent before account activation; parent/guardian receives confirmation email and account-control portal access. | Minimum-necessary data only. No sale or share for targeted advertising. No sensitive-data processing without separate VPC. |
| 16–17 (“older teen”) |
Standard account with heightened defaults. | DOB + email verification. | Parental notification where required by state law (TX SCOPE, FL HB 3, UT, LA, AR, etc.). Opt-in required to change default privacy settings. | Default high-privacy settings (UK Children’s Code standard). No sale or share for targeted advertising without affirmative opt-in per CPRA § 1798.120(c). No algorithmic recommendation of content known to be harmful. |
| 18+ (“adult”) |
Full access. | DOB. | Not required. | Standard collection per our Privacy Policy. |
| Age-Gated Products (21+ or 18+ depending on product & jurisdiction) |
Purchase permitted only after enhanced verification. | Government-ID verification, facial match where legally available, or signature-on-delivery with adult-ID check. See § 5 Age-Gated Product Matrix. | Not required (adult purchaser). | Verification data retained only as long as needed for compliance and legal hold; encrypted at rest. |
2.2 Account Creation Workflow
Step-by-Step Registration Process
- Initial Form: User provides email, creates password
- Age Declaration: User enters date of birth (required field, cannot proceed without)
- Automatic Calculation: System calculates age from DOB
- Under 13 Block: If under 13, registration immediately blocked with COPPA notice
- 13-15 Parental Gate: If 13-15, redirected to parental consent flow
- 16-17 Notice: If 16-17, parental notification option presented
- 18+ Standard: If 18+, proceeds to email verification
- Email Confirmation: Verification email sent with time-limited token
- Account Activation: Upon email verification, account activated
- AI Monitoring: Behavioral analysis initiated for age anomaly detection
False age information. Providing false age information to obtain access you would otherwise be denied may, depending on circumstances, constitute a breach of our Terms of Use and applicable consumer-protection or fraud statutes. Consequences can include:
- Account suspension or termination, and removal of any data collected as a result of the misrepresentation
- Forfeiture of non-essential subscription benefits or pending order items (subject to applicable consumer-protection law)
- Device or IP block where misuse is repeated or coordinated
- Referral to law enforcement if criminal activity is reasonably suspected
- Possible civil liability under applicable law
Data Minimization & Prohibited Collection
Upmos does not direct its service at children under 13 and, in good faith, does not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we delete that information promptly and, where contact information is known, notify the parent or legal guardian.
3.1 “Personal Information” under COPPA (as Amended 2025)
Per the FTC COPPA Rule (16 CFR § 312.2), as amended in 2025, “personal information” includes:
- First and last name
- Home or other physical address (including street name and city or town)
- Online contact information (email, messaging IDs, usernames/handles that function as contact)
- Telephone number
- Social Security number
- Persistent identifiers used to recognize the user over time and across different online services (cookies, IP addresses, device IDs, unique device serial numbers, processor or device serial numbers)
- Photographs, videos, and audio files (including voice recordings) containing a child’s image or voice
- Geolocation information sufficient to identify street name and city or town
- Biometric identifiers (fingerprints, voiceprints, retina/iris scans, facial-geometry scans, DNA, and genetic information) — expressly added by the 2025 amendments
- Inferred data and profile information about the child (per the 2025 amendments)
- Any other information concerning the child or the parents that could reasonably be combined to identify or profile the child
3.2 Third-Party Disclosures — New Separate-Consent Requirement
Under the 2025 FTC COPPA Rule amendments, even where we have parental consent to collect personal information from a child, we must now obtain separate verifiable parental consent before disclosing that information to third parties for purposes unrelated to the service. Upmos’s default is to not share known-minor personal information with third parties for targeted advertising, behavioral profiling, or cross-context behavioral advertising under any circumstances.
3.3 Retention & Deletion
Information collected from children under 13 (including the limited set allowed by the “internal-operations” exception) is retained only as long as reasonably necessary to fulfill the purpose for which it was collected, after which it is deleted using standard secure-deletion practices. Parents and guardians may request deletion at any time via compliance@upmos.com.
Age Verification & Verifiable Parental Consent (VPC)
Upmos uses a layered approach to age verification that balances accuracy with data minimization. We do not require more identification than is reasonably necessary for the purpose at hand, and we do not retain verification artifacts (e.g., ID images, facial scans) longer than needed for compliance and legal hold.
4.1 Age Signals at Sign-up
- Self-declared date of birth with server-side validation (rejects impossible or under-13 dates).
- Email confirmation to establish a working contact point.
- Behavioral signals: where an account’s activity is materially inconsistent with declared age (for example, signals commonly associated with younger users), we may prompt for additional verification or restrict access until resolved. We do not use these signals to build advertising profiles of known minors.
4.2 FTC-Approved Verifiable Parental Consent (VPC) Methods
Where verifiable parental consent is required (for users age 13–15 and certain disclosures under the 2025 FTC amendments), Upmos supports the following methods, all currently recognized by the FTC or its COPPA-Rule list of approved methods. The method used is selected based on the sensitivity of the processing and the parent’s preference.
| VPC Method | How It Works | FTC Basis | Upmos Notes |
|---|---|---|---|
| Signed consent form | Parent signs a printed/electronic consent form and returns by mail, fax, scan, or electronic signature. | 16 CFR § 312.5(b)(2)(i) | Supported via DocuSign or equivalent e-signature. |
| Credit card / debit card / online-payment nominal-charge | Parent enters payment-card details and a nominal charge (or $0 authorization) is used to verify the card and, by extension, an adult account holder. | 16 CFR § 312.5(b)(2)(ii) | Upmos can use an existing payment profile on file. |
| Government-ID + delete | Parent submits a government-issued ID (driver license, passport) for a one-time check; the ID image is deleted immediately after verification. | 16 CFR § 312.5(b)(2)(iv) | Minimized-retention implementation; ID images are not stored. |
| Video-conference review | Parent participates in a live video call with a trained Upmos representative who visually confirms the parent’s ID. | 16 CFR § 312.5(b)(2)(v) | Available by appointment through the Support portal. |
| Knowledge-based authentication (KBA) | Parent answers out-of-wallet identity-verification questions (from public or financial records). | 16 CFR § 312.5(b)(2)(vi) | Used in combination with another check for higher-risk processing. |
| Toll-free call with trained personnel | Parent calls a dedicated toll-free number; a trained representative confirms parent identity. | 16 CFR § 312.5(b)(2)(iii) | Phone: 1 (855) 637-2433. |
| Facial-age estimation with liveness check (FTC-approved method — 2024) |
Short, real-time facial scan is analyzed by a third-party age-estimation model with liveness detection; no facial template is stored beyond the check. | FTC Approval Letter, In re Privo / Yoti Facial Age Estimation (2024) | Optional alternative offered where an ID check would be unduly burdensome; facial data is not retained after verification. |
| Digital identity wallet / mobile driver’s license (mDL) (where available) |
Parent presents a verified credential (e.g., ISO/IEC 18013-5 mDL) that discloses only “age over 18” without full ID contents. | Permissible under 16 CFR § 312.5(b)(2) (general “reasonable method” standard) | Selective-disclosure preferred where supported by the parent’s device/OS. |
4.3 Parent/Guardian Notice
When VPC is triggered, the parent or guardian receives a clear, plain-language notice explaining: (a) what personal information will be collected from the child, (b) how it will be used and disclosed (if at all), (c) the parent’s rights under COPPA (review, correct, delete, refuse further collection), (d) how to exercise those rights, and (e) how to withdraw consent. A copy of the notice and the verification receipt is available in the parent’s account.
Age-Gated Product Matrix
Certain product categories on UPMOS require age verification at checkout and, in many cases, an adult-signature-on-delivery requirement. The specific minimum age depends on federal law, state or provincial law, and the product’s SKU classification. Where federal and state laws conflict, the more protective standard applies. Sellers are required to classify listings correctly; misclassified listings may be removed and seller accounts may be suspended.
5.1 Age-Restricted Category Reference
| Category | Minimum Age | Federal Basis | Verification |
|---|---|---|---|
| Alcohol (beer, wine, spirits, RTD cocktails) | 21+ (US); lower in some countries (18–20). Subject to state shipping laws & dry-county rules. | 27 U.S.C. §§ 204–215; 27 CFR Part 1; state ABC laws | Gov-ID at checkout + adult-signature-on-delivery (21+ ID required at door). |
| Tobacco, nicotine, vape, e-liquid, synthetic-nicotine products | 21+ federal (no state exceptions). | Tobacco 21 Act, 21 U.S.C. § 387f(d); PACT Act (15 U.S.C. § 375 et seq.) | Gov-ID at checkout + adult-signature-on-delivery; PACT-Act compliant shipping only. |
| Cannabis (THC, Delta-8/9/10, edibles) & CBD-above-threshold | Varies by state/province (21+ typical in legalized U.S. states; Canada 18–19 depending on province). Federal status: Schedule I under CSA. | 21 U.S.C. §§ 812, 841; 2018 Farm Bill § 10113 for ≤0.3% THC hemp; state cannabis acts | State-licensed marketplace operators only; gov-ID + in-state delivery only. |
| Firearms & ammunition (where sold through licensed channels only) | 18+ for long guns; 21+ for handguns from federally-licensed dealers (FFLs). | Gun Control Act, 18 U.S.C. §§ 921–931; ATF Form 4473 | FFL-to-FFL transfer required; NICS background check at receiving FFL. Upmos does not ship firearms direct to buyers. |
| Knives, swords, edged weapons | Typically 18+; some states and cities set higher ages or ban certain types (e.g., switchblades, ballistic knives). | Federal Switchblade Act, 15 U.S.C. § 1241–1245; state knife laws | Gov-ID at checkout; adult-signature-on-delivery for high-risk categories. |
| Fireworks & pyrotechnics (consumer-grade 1.4G only, no display-grade) | Typically 18+ or 21+; many states ban or restrict. | Federal Hazardous Substances Act; CPSC 16 CFR Parts 1500, 1507; state fire-marshal rules | State-legal only; gov-ID + adult-signature-on-delivery; no shipping to prohibited states. |
| Gambling-related products (lottery systems, gaming tokens, casino paraphernalia where regulated) | 21+ typical in regulated jurisdictions. | UIGEA, 31 U.S.C. §§ 5361–5367; state gaming codes | Gov-ID + location verification; no sale in prohibited states. |
| Adult content / sexual-wellness products (where sold) | 18+ (21+ in some state jurisdictions). | Protection of Children from Sexual Predators Act; state obscenity & age-verification laws (e.g., LA Act 440, TX HB 1181) | Gov-ID or attested-age-verification; discreet packaging standard. |
| OTC medicines subject to CMEA (pseudoephedrine / ephedrine) | 18+ federal. | Combat Meth Epidemic Act, 21 U.S.C. § 830(e) | Gov-ID + signature log retained for 2 years; daily/monthly purchase-quantity limits enforced. |
| Chemical solvents & inhalable products (e.g., whipped-cream chargers/N2O, butane, aerosol dusters, certain paint solvents) | Varies by state — commonly 18+ or 21+; some states have outright bans on retail N2O for non-culinary use. | State inhalant-abuse prevention laws (e.g., NY Public Health Law § 3380; CA Penal Code § 381b) | Gov-ID at checkout; shipping to prohibited states blocked. |
| Rated-M video games (ESRB M17+) & R-rated physical media | 17+ (ESRB); 17+ MPAA R (self-regulatory). | ESRB & MPAA voluntary standards; CARU advertising rules for minors | Age gate at listing level; no targeted advertising to under-18s. |
| Prescription & DEA-scheduled items | Not sold through the consumer marketplace. | Controlled Substances Act, 21 U.S.C. § 801 et seq. | Prohibited listing category. |
| Body-modification products (piercing kits, tattoo supplies where regulated) | 18+ typical. | State body-art regulations | Gov-ID at checkout for regulated items. |
Table is illustrative. Actual age-gating, shipping eligibility, and verification standard are applied at the SKU level based on product classification, destination jurisdiction, and applicable law at the time of sale. Listings that misrepresent age-restricted status are subject to removal.
Seller & Vendor Obligations
All marketplace sellers must comply with Upmos age restriction policies and maintain their own COPPA compliance programs.
6.1 Seller Requirements
- Acknowledge and agree to Upmos COPPA policy
- Properly categorize age-restricted products
- Maintain accurate product descriptions including age restrictions
- Respond to compliance inquiries within 24 hours
- Report suspected underage users or violations immediately
6.2 Seller Consequences for Non-Compliance
Sellers who violate our age-restriction or minor-privacy rules are subject to graduated enforcement at Upmos’s discretion, which may include warnings, mandatory compliance training, listing removal, account suspension, forfeiture of pending payments (subject to applicable consumer-protection and payment-services law), and permanent account termination. Severity of enforcement is calibrated to the nature and recurrence of the violation.
Enforcement & Internal Accountability
Upmos maintains strict enforcement procedures for COPPA violations and age restriction breaches.
7.1 User Account Violations
Immediate Account Termination: Any verified instance of a user under 13 attempting to create or maintain an account results in:
- Immediate permanent account termination
- Deletion of all personal information within 48 hours
- IP address and device ID ban
- Notification to parents/guardians if contact information available
- Incident report filed with legal compliance team
7.2 Internal Accountability
Upmos employees and contractors who fail to follow COPPA compliance procedures face:
- Mandatory retraining and probationary status (first offense)
- Written warning and performance improvement plan (second offense)
- Termination of employment (third offense or willful violation)
Parental & Guardian Rights
Parents and legal guardians have comprehensive rights regarding their children’s information and account access.
8.1 Parental Rights Under COPPA
- Right to Review: Access all personal information collected from their child
- Right to Delete: Request deletion of child’s personal information
- Right to Refuse: Refuse further collection or use of child’s information
- Right to Notification: Receive notice of any material policy changes
8.2 Parental Control Portal
Access our 24/7 parental control portal at upmos.com/contact to:
- Review account activity and purchase history
- Set spending limits and purchase restrictions
- Receive real-time alerts for account activity
- Request data deletion or account termination
- Update parental consent preferences
Algorithmic Recommendations & Dark Patterns
Where Upmos uses algorithmic recommendations (for example, on product-detail pages, in search results, or in personalized email), we apply additional restrictions for known minors consistent with the California Age-Appropriate Design Code, California SB 976, the Texas SCOPE Act, the New York SAFE for Kids Act, the Connecticut Kids Online Safety Act, and the EU Digital Services Act Article 28.
9.1 Restrictions for Known Minors (Under 18)
- No cross-context behavioral advertising. We do not use minors’ browsing, purchase, or cart data to serve targeted advertising across other sites or apps.
- No “addictive feed” design patterns. We do not serve minors infinite-scroll, autoplay-by-default, or algorithmically-personalized content streams where prohibited by SB 976, the NY SAFE for Kids Act, or similar laws.
- Default high-privacy settings. Minor accounts are initialized with the most privacy-protective settings available (location off, personalization off, third-party-sharing off) per the UK Children’s Code and California AADC.
- No algorithmic amplification of harmful content. Content reasonably likely to cause material physical, emotional, developmental, or material harm to minors (as defined by applicable state law, e.g., TX SCOPE) is excluded from recommendation surfaces presented to minors.
9.2 Prohibited Dark Patterns
On surfaces presented to known minors, Upmos does not use user-interface patterns designed to impair autonomy, decision-making, or informed consent, including:
- Pre-checked boxes for consent, data-sharing, or purchase upsells
- Visual misdirection that obscures decline/opt-out controls (asymmetric button styling beyond accessibility rules)
- Confirmshaming language designed to pressure acceptance
- Nagging, forced action, or repeated re-prompts for previously declined consent
- “Roach-motel” unsubscribe / account-close flows
- Time-pressure countdowns that manufacture urgency for non-urgent decisions
These restrictions apply in addition to the dark-patterns prohibitions already in the California CPRA (§ 1798.140(h)) and the FTC’s Click-to-Cancel Rule.
Technical & Organizational Security
Upmos implements enterprise-grade security controls to protect user data and enforce age restrictions.
Upmos implements enterprise-grade security measures to protect the data of all users, with heightened safeguards for any information related to minors. Our security architecture is built on a zero-trust model with defense-in-depth strategies, including end-to-end encryption, role-based access controls, and continuous threat monitoring. All systems processing COPPA-related data undergo regular penetration testing and vulnerability assessments conducted by independent security firms.
11.1 Security Certifications
- ISO 27701: Privacy Information Management System
- SOC 2 Type II: Security and availability controls
- PCI DSS: Payment card data security
11.2 Data Protection Measures
- End-to-end encryption for data in transit (TLS 1.3)
- AES-256 encryption for data at rest
- Database-level constraints preventing under-13 data storage
- Automated data retention and deletion policies
- Regular penetration testing and vulnerability assessments
Audit Trail, Breach Notification & Reporting
Upmos maintains comprehensive audit trails and transparency reporting for all COPPA-related activities.
Audit Logging
- Tamper-evident audit logs of access to minors’ personal information
- Automated monitoring and alerting for anomalous access patterns
- Periodic internal compliance reviews
- Independent security review, where engaged
Breach Notification
In the event of a data security incident involving personal information of a known minor, Upmos follows applicable federal and state breach-notification laws (for example, state data-breach statutes, FTC Health Breach Notification Rule where applicable, and equivalent international regimes such as GDPR Art. 33–34 and Canadian PIPEDA s. 10.1). Notification timing and content comply with the shortest applicable statutory deadline and are made to affected individuals, parents/guardians where feasible, and appropriate regulators.
Transparency
Upmos may publish aggregated, non-identifying transparency metrics about this program. Availability of any specific metric depends on operational readiness and is not guaranteed.
Independent Review & Safe Harbor
Upmos partners with certified third-party organizations to validate and audit our COPPA compliance program.
Upmos engages independent third-party auditors and compliance experts to verify our adherence to COPPA requirements and age restriction policies. These external reviews provide an objective assessment of our data collection practices, parental consent mechanisms, and data security measures. Audit findings are reviewed by our compliance team and executive leadership, with corrective actions tracked through formal remediation plans.
FTC Safe Harbor Program (Status)
Upmos is evaluating admission into the FTC COPPA Safe Harbor Program through an approved self-regulatory organization (for example, iKeepSafe, PRIVO, kidSAFE, ESRB Privacy Certified, or TRUSTe). Upon admission, we will disclose the certifying organization, certificate identifier, and renewal cycle on this page. Until then, our program operates on a self-assessment basis against COPPA and the 2025 Rule amendments.
Review Cadence (Target)
Upmos aims to conduct or engage reviews on the target cadences below. Actual timing may vary based on scope and auditor availability; material deviations are reflected in our annual transparency reporting.
- Target at least annually: Independent COPPA / minor-privacy compliance review.
- Periodic: Security penetration testing and vulnerability review.
- Where engaged: Certification renewals (e.g., SOC 2, ISO 27001 / 27701) on the certifier’s required cycle.
International Compliance
Upmos complies with international child privacy regulations across all jurisdictions where we operate.
While COPPA is a United States federal law, Upmos recognizes that child privacy protection is a global concern and strives to meet or exceed the requirements of international data protection frameworks. Our platform is designed to accommodate varying age-of-consent thresholds across jurisdictions and applies the most protective standard when serving users from multiple regions.
While COPPA is a United States federal law, UPMOS recognizes that child and teen privacy is a global concern and works to align with the regimes that most commonly apply to our users. Where we have actual knowledge of a user’s jurisdiction, we apply the more protective of the U.S. COPPA baseline and the applicable local rule.
Key International Frameworks
| Jurisdiction | Instrument | Core Obligation |
|---|---|---|
| European Union | GDPR Art. 8 | Parental consent required for data-processing of children under digital-consent age (13–16 per Member State) |
| European Union | Digital Services Act (Reg. 2022/2065) Art. 28 | Online platforms must adopt appropriate and proportionate measures to ensure a high level of privacy, safety, and security for minors on the platform |
| United Kingdom | Age-Appropriate Design Code (ICO) | 15 standards including default high-privacy settings, data minimization, and prohibition on “nudge techniques” for users under 18 |
| United Kingdom | Online Safety Act 2023 | Child-safety duties for in-scope services; age-assurance for certain content categories |
| Canada — federal | PIPEDA | Heightened-consent standard for minors; OPC guidance on meaningful consent |
| Québec (Canada) | Law 25 (2021) | Under-14 parental consent required; privacy-impact assessments; enhanced transparency |
| Australia | Privacy Act 1988 + 2024 amendments | Children’s Online Privacy Code (under development) to impose heightened APP-11 and APP-5 duties for minors |
| Brazil | LGPD Art. 14 | Best-interests-of-the-child standard; specific parental-consent requirements for data of children and adolescents |
| Japan | APPI | General obligation to obtain meaningful consent; PPC guidance on minors |
| South Korea | PIPA Art. 22(6) | Parental consent required for under-14 data processing |
| Singapore | PDPA + PDPC Minors Advisory | Age 13 as digital-consent threshold under PDPC guidance; heightened duty of care |
| California (USA) | CPRA § 1798.120(c); AADC | Opt-in for sale/share of under-16 data; default high-privacy settings for likely-child services |
Global Age-of-Majority Reference
When users access UPMOS from outside the United States, additional or different age thresholds may apply. The table below summarizes the digital-consent age (the age at which a user can consent to data processing without a parent) and, where relevant, the general age of majority. This is a convenience reference and is not legal advice; applicable law in your jurisdiction controls.
| Jurisdiction | Digital-Consent Age (Under which parental consent is required for data processing) | General Age of Majority | Key Instrument |
|---|---|---|---|
| United States (federal) | 13 | 18 (varies 19 in AL/NE, 21 in MS) | COPPA |
| California | Under 16 (enhanced CPRA protections) | 18 | CPRA § 1798.120(c); AADC |
| United Kingdom | 13 | 18 | Data Protection Act 2018 § 9; Children’s Code |
| European Union — default | 16 (Member States may lower to no less than 13) | 18 | GDPR Art. 8 |
| Austria, Bulgaria, Cyprus, Germany, Hungary, Ireland, Lithuania, Luxembourg, Netherlands, Romania, Slovakia | 16 | 18 | GDPR Art. 8 (Member-State implementation) |
| Belgium, Denmark, Estonia, Finland, Latvia, Malta, Poland, Portugal, Slovenia, Sweden | 13–14–15 (country-specific) | 18 | GDPR Art. 8 (Member-State implementation) |
| France | 15 | 18 | Loi Informatique et Libertés Art. 7-1 |
| Italy, Spain, Greece, Croatia, Czech Republic | 14–16 (country-specific) | 18 | GDPR Art. 8 (Member-State implementation) |
| Canada — federal | Contextual (no fixed age); generally consider child to be under 13 | 18 (19 in BC, NB, NL, NS, NU, NT, YT) | PIPEDA; OPC guidance |
| Québec | Under 14 without parental consent | 18 | Law 25 (2021) |
| Australia | Contextual; generally 15+ treated as presumptively capable | 18 | Privacy Act 1988; OAIC APP Guidelines |
| Brazil | Children defined as under 12; adolescents 12–17 with specific consent rules | 18 | LGPD Art. 14; ECA (Children’s Statute) |
| Japan | 15 (parental consent encouraged below; no fixed digital-consent age in APPI) | 18 (lowered from 20 in 2022) | APPI; Civil Code Art. 4 |
| South Korea | 14 | 19 | PIPA Art. 22(6) |
| Singapore | 13 (under PDPC guidance) | 21 (18 for some purposes) | PDPA; PDPC Advisory on Minors |
| Mexico | Under 18 requires parental consent | 18 | LFPDPPP |
Table is illustrative and may not reflect the most recent legislative or regulatory change in any given jurisdiction. Where UPMOS has actual knowledge of a user’s country of residence, we apply the more protective of the U.S. COPPA baseline and the local digital-consent rule.
Parent/Guardian Education & Resources
Upmos provides comprehensive educational resources to help parents and guardians protect their children online.
16.1 Educational Resources
- COPPA Guide for Parents: Comprehensive overview of rights and protections
- Digital Safety Tips: Best practices for monitoring children’s online activity
- Age-Appropriate Content Guide: Recommendations by age group
- Privacy Settings Tutorial: Step-by-step guide to parental controls
16.2 External Resources
- FTC COPPA Information: www.ftc.gov/coppa
- Common Sense Media: www.commonsensemedia.org
- Internet Safety Resources: www.staysafeonline.org
Accessibility & Inclusive Design
Upmos is committed to ensuring that our age verification systems and COPPA compliance features are fully accessible to all users, including parents and guardians with disabilities. Our platform is designed to meet the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standards, ensuring that parental consent forms, age gates, and verification workflows are operable by users of all abilities.
17.1 Assistive Technology Compatibility
All age verification prompts, parental consent forms, and COPPA-related notifications are built with semantic HTML and ARIA attributes to ensure compatibility with screen readers and other assistive technologies. We regularly test our compliance features with leading screen readers including NVDA, JAWS, VoiceOver, and TalkBack to verify that all interactive elements are properly announced and operable.
17.2 Keyboard & Navigation Accessibility
Our age verification dialogs and parental consent workflows are fully keyboard-accessible. Users can navigate through all form fields using the Tab key, activate buttons with Enter or Space, and close or dismiss modal dialogs using the Escape key. Focus management ensures that when a dialog opens, focus moves to the first interactive element, and when it closes, focus returns to the triggering element. All interactive components include visible focus indicators for users who navigate without a mouse.
17.3 Visual & Display Accessibility
Upmos supports a dark mode display option for reduced eye strain during extended browsing sessions. Our dark mode implementation adjusts background colors, text contrast, and border styling across all COPPA compliance interfaces while maintaining WCAG-compliant contrast ratios. Age verification prompts, consent forms, and compliance notices are all fully styled in both light and dark mode to ensure readability. Text can be resized up to 200% without loss of content or functionality, and our color choices ensure that information is never conveyed by color alone.
17.4 Multilingual & Cognitive Accessibility
Parental consent notices and age verification instructions are written in clear, plain language at an 8th-grade reading level to maximize comprehension. Critical compliance information is presented using both text and visual indicators such as icons and color badges. We provide step-by-step guidance for parents navigating the verification process and offer multiple contact channels for support, including phone, email, and live chat assistance.
School, District & Teacher-Authorized Use
Where Upmos’s services are used in a school, district, or classroom setting in the United States, we follow the FTC’s guidance that a school may serve as the agent of the parent for the limited purpose of authorizing the collection of personal information from a child for a service that operates solely to support the school’s internal educational operations.
School Consent Exception (COPPA)
- Use must be directed by the school, district, or teacher acting within the scope of their role.
- Information collected is used only for the requested educational purpose and not for commercial purposes unrelated to that purpose (including behavioral advertising).
- We contractually require the school-user to provide notice to parents where required and to obtain any additional consents that apply under state law, FERPA, or local policy.
- We will, on request, provide schools with a description of the types of personal information collected, how it is used, and the school’s right to review and delete that information.
FERPA & Student Educational Records
Where Upmos acts as a “school official” with a legitimate educational interest under FERPA (20 U.S.C. § 1232g; 34 CFR Part 99), we handle education records under the school’s direct control, do not use those records for any purpose other than the one authorized, and do not re-disclose them except as FERPA permits.
Contracted-Service Terms for Schools
Schools and districts may request our standard Student Data Privacy Agreement (SDPA) or sign a mutually acceptable data-processing addendum before deployment. Contact compliance@upmos.com with the subject line “School DPA Request.”
Removal of Minor-Uploaded Content & Takedown Procedure
Upmos provides a dedicated procedure for the prompt removal of user-generated content (images, video, audio, text, product listings, reviews) that depicts, was uploaded by, or concerns an identifiable minor, where removal is requested by a parent, guardian, the minor themselves (if 13–17), a school or law-enforcement agency acting in the minor’s interest, or under any applicable “eraser” or right-to-be-forgotten law.
How to Submit a Removal Request
- Email: compliance@upmos.com with the subject line “Minor Content Removal Request.”
- Include: the specific URL(s) of the content, a description of the content, the minor’s relationship to the submitter, and a sworn statement (under penalty of perjury) that the submitter is authorized to request the removal.
- Urgent safety concerns (imminent harm, exploitation, or illegal content): include “URGENT” in the subject line. These are routed to our trust-and-safety on-call.
Response & Appeal
- We aim to acknowledge requests within 2 business days.
- We aim to make a removal decision within 10 business days of receiving a complete request, and sooner for urgent safety requests.
- If we decline to remove content, we will explain our reasoning and provide a written appeal path to legal@upmos.com. Appeals are reviewed within 15 business days.
- Nothing in this procedure limits any statutory right (including under COPPA § 312.6, the California “eraser” law (Cal. Bus. & Prof. Code § 22581), GDPR Art. 17, or the UK Children’s Code).
Imagery of Child Sexual Abuse (CSAM) and Other Illegal Content
Upmos has zero tolerance for content that sexually exploits or endangers minors. Any such content is removed on discovery and is reported to the National Center for Missing & Exploited Children (NCMEC) CyberTipline in accordance with 18 U.S.C. § 2258A, and to law enforcement as required. We preserve relevant records for the period required by law to support investigation.
Emergency-Use Disclosure & Judicial Process
Under 16 CFR § 312.5(c)(1), COPPA permits narrow, limited collection and use of a child’s personal information without prior verifiable parental consent for one-time response to a specific request, to protect the safety of a child, to respond to judicial process, or to the extent permitted under other federal laws (such as 18 U.S.C. § 2258A regarding reporting of child-exploitation imagery).
Upmos will rely on these exceptions only where strictly necessary to protect a child’s safety or to comply with a binding legal request, and we document any use of them. We never use such information for marketing, profiling, or commercial purposes.
Frequently Asked Questions
For Parents & Guardians
| Question | Answer |
|---|---|
| My child says they created an account. Can you delete it? | Yes. Email compliance@upmos.com with the child’s email or username. We will delete the account and all associated personal information. No fee. No questions beyond verifying you are the parent or guardian. |
| How do you verify I am the parent? | We use one of the FTC-approved Verifiable Parental Consent (VPC) methods described in Section 4.2 — typically a small refundable credit-card charge, a signed consent form, a knowledge-based quiz, or (for the 2024 FTC-approved option) facial-age estimation with liveness. We use the least-intrusive method that reasonably confirms your identity. |
| Can I see what data you have about my teen (13–17)? | Yes, subject to the teen’s own legal rights in your jurisdiction. Some U.S. state laws and GDPR recognize a teen’s independent right to control certain data from age 13 or 16. We will describe what’s available in the access response. |
| Can I block targeted ads for my teen? | Yes. Upmos does not sell or share the personal information of known minors for cross-context behavioral advertising by default. See No Sale or Share of Minors’ Personal Information. |
| My teen gave someone their Upmos password. What should I do? | Reset the password immediately in the account settings or email support@upmos.com. If you suspect the account was compromised, also email security@upmos.com. |
For Teen Users (13–17)
| Question | Answer |
|---|---|
| Can I have an account without telling my parents? | It depends on where you live and your age. In most U.S. states, teens 13+ may create accounts, but a parent or guardian must consent in states like Texas (SCOPE Act), Florida (HB 3), and under GDPR in most EU Member States until age 16. We’ll prompt for parental consent when required by your location. |
| Can I delete my own account? | Yes. Go to Account Settings → Privacy & Data → Delete Account, or email compliance@upmos.com. Deletion removes your personal information subject to legal-hold exceptions. |
| Do you use my data to train AI? | No. Upmos does not use the personal information of known minors to train generative-AI models or for behavioral profiling. |
For Sellers & Schools
| Question | Answer |
|---|---|
| I sell age-gated products (e.g., alcohol, tobacco, firearms). What are my obligations? | You must comply with the Age-Gated Product Matrix (Section 5) and with all applicable federal and state laws. Upmos runs its own checks at checkout, but the seller of record remains responsible for lawful sale. |
| Can my school use Upmos for classroom purchases? | Yes, under our School, District & Teacher-Authorized Use framework. Email compliance@upmos.com with the subject line “School DPA Request” to receive our standard Student Data Privacy Agreement. |
| What happens if a seller violates a minor-protection rule? | Sellers are subject to the enforcement ladder in Section 7 and in our Acceptable Use Policy, including warnings, suspension, termination, payout holds, and referral to law enforcement for knowing violations. |
Governing Law & Jurisdiction
This Policy and any disputes arising out of or related to it or the Services shall be governed by and construed in accordance with the laws of the State of Texas, United States, without regard to its conflict of law provisions. Nothing in this Section limits the protections provided to minors, parents, or guardians by any mandatory federal, state, or foreign law.
Exclusive Venue
Any legal action or proceeding arising under this Policy shall be brought exclusively in the federal or state courts located in Harris County, Texas. You hereby consent to the personal jurisdiction of such courts and waive any objection to venue in such courts, subject to the non-waiver of statutory rights in Section 18.
Informal Dispute Resolution
Before initiating any legal claim, you agree to first attempt to resolve the dispute informally by contacting legal@upmos.com. If the dispute is not resolved within 30 days, either party may proceed with formal resolution as provided herein.
Binding Arbitration & Minor-Rights Carve-Out
Any dispute, claim, or controversy arising out of or relating to this Policy or the Services that is not resolved informally shall, subject to the opt-out and carve-outs below, be submitted to binding individual arbitration administered by the American Arbitration Association (“AAA”) in Houston, Texas. Arbitration may proceed by telephone, video, or written submission at the consumer’s election.
Minor-Rights & Statutory Carve-Out
Nothing in this arbitration provision waives, limits, or requires arbitration of any claim under COPPA, the FTC Act, the California CPRA or AADC, the Texas SCOPE Act, the New York SAFE for Kids Act, the Florida HB 3, the Utah Social Media Regulation Act, the Arkansas Social Media Safety Act, the Louisiana Act 294, the Connecticut Kids Online Safety Act, the Virginia VCDPA, the Colorado CPA, the Utah UCPA, the Connecticut CTDPA, the Texas Data Privacy and Security Act, the Illinois BIPA, the Texas CUBI, the New York SHIELD Act, the Washington My Health My Data Act, GDPR (including Art. 8), the UK Children’s Code, the UK Online Safety Act 2023, the EU Digital Services Act, PIPEDA, Québec Law 25, the Australia Privacy Act, the Brazil LGPD, or any comparable federal, state, or foreign minor-privacy or consumer-protection statute. Your and your child’s statutory rights — including the right to file a complaint with a regulator — are preserved.
Rules
The AAA Consumer Arbitration Rules govern consumer disputes; the AAA Commercial Arbitration Rules govern business-to-business disputes. The Federal Arbitration Act (9 U.S.C. §§ 1 et seq.) governs interpretation and enforcement.
Delegation
The arbitrator, and not any court, shall have exclusive authority to resolve any dispute relating to the interpretation, applicability, enforceability, or formation of this arbitration agreement, except for the statutory-rights carve-out above, which is preserved for the courts or the applicable regulator.
Mutuality & Injunctive Relief
Both Upmos and you are bound by this arbitration agreement. Either party may nonetheless bring an individual action in court to seek injunctive or equitable relief to prevent infringement or misappropriation of intellectual-property rights, trade secrets, data-security obligations, or confidentiality.
Fees
For consumer claims under $10,000, Upmos will pay all AAA filing and administrative fees beyond the consumer’s first $200 filing fee. Each party bears its own attorneys’ fees, except as otherwise required by the AAA Rules or any applicable fee-shifting statute.
30-Day Opt-Out
You may opt out of this arbitration agreement within 30 days of first accepting this Policy (or within 30 days of the effective date of this revision, whichever is later) by sending written notice to legal@upmos.com or by mail to Upmos Inc., Attn: Legal – Arbitration Opt-Out, 9896 Bissonnet St, Houston, TX 77036. Your opt-out notice must include your full name, account email, and a clear statement that you wish to opt out of arbitration. Opting out does not affect any other provision of this Policy.
Class-Action Waiver
YOU AND UPMOS AGREE THAT ANY ARBITRATION OR LEGAL PROCEEDING SHALL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION. The arbitrator may not consolidate more than one person’s claims and may not otherwise preside over any form of representative proceeding. If the class-action waiver is found unenforceable as to any claim, that claim (and only that claim) shall proceed in court, and all other claims shall proceed in arbitration. Where a claim proceeds in court, you and Upmos each waive any right to a jury trial, subject to applicable law.
Small-Claims Exception
Notwithstanding the above, either party may bring an individual action in small-claims court for disputes within the jurisdictional limits of such court.
Limitation of Liability
Consequential Damages Exclusion
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL UPMOS INC., ITS DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, including loss of profits, revenue, or business opportunities; loss of data or data corruption; loss of goodwill or reputation; cost of substitute services; or business interruption — whether based on warranty, contract, tort (including negligence), strict liability, or any other theory, even if Upmos has been advised of the possibility of such damages.
Aggregate Liability Cap
Upmos Inc.’s total aggregate liability to you for all claims arising out of or related to this Policy or the Services shall not exceed the greater of: (a) the amounts you have paid to Upmos in the twelve (12) months preceding the claim, or (b) one hundred dollars ($100 USD).
Essential Purpose & Basis of the Bargain
The limitations in this Section apply even if any limited remedy fails of its essential purpose. You acknowledge that Upmos has set its fees and entered into this agreement in reliance upon these limitations, and that they form an essential basis of the bargain between the parties. Some jurisdictions do not allow the exclusion or limitation of certain damages; in such jurisdictions, our liability is limited to the fullest extent permitted by law.
Carve-Outs
Nothing in this Section limits or excludes our liability for: (a) death or personal injury caused by our negligence; (b) fraud or fraudulent misrepresentation; (c) gross negligence or willful misconduct; (d) any non-waivable rights under COPPA, the FTC Act, the California CPRA or AADC, state comprehensive privacy laws (VCDPA, CPA, UCPA, CTDPA, TDPSA), the Illinois BIPA, GDPR, the UK Children’s Code, or any other applicable minor-privacy or consumer-protection statute; or (e) any other liability that cannot, under applicable law, be limited or excluded.
Indemnification
Your Indemnification of Upmos
You agree to indemnify and hold harmless Upmos Inc., its affiliates, officers, directors, employees, and agents from and against any third-party claims, damages, or losses (including reasonable attorneys’ fees) arising out of: (a) your material breach of this Policy, our Terms of Use, or any applicable law; (b) your willful misconduct or negligence; (c) your infringement of a third party’s intellectual-property rights in connection with content or listings you provide; or (d) your violation of law. This obligation does not apply to the extent such claim arises from Upmos’s own breach, gross negligence, or willful misconduct.
Upmos’s Indemnification of You (IP Infringement)
Upmos will correspondingly indemnify you for third-party claims that the Services themselves (excluding your content, your listings, third-party content, or combinations of the Services with non-Upmos materials) infringe a US-issued patent, copyright, or trademark.
Cap & Procedure
Each party’s aggregate indemnification obligation shall not exceed the greater of: (a) amounts paid or payable by you to Upmos in the twelve (12) months preceding the claim, or (b) $1,000 USD. The carve-outs in the Limitation of Liability section (including for gross negligence, fraud, personal injury, and non-waivable statutory rights) override this cap to the extent required by law. The party seeking indemnification shall: (i) promptly notify the indemnifying party in writing; (ii) grant the indemnifying party sole control of defense and settlement (provided that no settlement requiring an admission of liability by, or imposing a non-monetary obligation on, the indemnified party shall be made without the indemnified party’s prior written consent, not to be unreasonably withheld); and (iii) provide reasonable cooperation at the indemnifying party’s expense.
Export Control & Sanctions Compliance
You agree to comply with all applicable export control laws and regulations, including the U.S. Export Administration Regulations (EAR), Office of Foreign Assets Control (OFAC) sanctions programs, and the International Traffic in Arms Regulations (ITAR) where applicable.
You Represent and Warrant That:
- You are not located in, a national or resident of, or under the control of any country subject to U.S. sanctions or embargoes;
- You are not on any U.S. government restricted-party list, including the Specially Designated Nationals (SDN) List, the Denied Persons List, or the Entity List;
- You will not use the Services to transfer data, goods, or services in violation of export-control laws;
- You will not use the Services for any purpose prohibited by applicable sanctions.
AML & Anti-Corruption
Upmos maintains an anti-money-laundering program and screens sellers, high-value buyers, and high-risk transactions against the OFAC SDN List, the BIS Denied Persons List, the Entity List, the Consolidated Screening List, and applicable EU, UK, UN, and other relevant sanctions lists. Transactions involving listed persons will be blocked, funds may be frozen in accordance with applicable law, and activity may be reported to OFAC, FinCEN, or the Department of Commerce as required. You agree to comply with the U.S. Foreign Corrupt Practices Act (15 U.S.C. §§ 78dd-1 et seq.), the UK Bribery Act 2010, and equivalent local anti-corruption laws.
General Provisions
Entire Agreement
This Policy, together with our Terms of Use, Privacy Policy, and Acceptable Use Policy, constitutes the entire agreement between you and Upmos Inc. regarding the subject matter hereof and supersedes all prior or contemporaneous communications, representations, or agreements, whether oral or written.
Severability
If any provision of this Policy is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the original intent.
Waiver
The failure of Upmos Inc. to enforce any right or provision of this Policy shall not constitute a waiver of such right or provision. Any waiver must be in writing and signed by an authorized representative of Upmos Inc.
Assignment
You may not assign or transfer your rights or obligations under this Policy without the prior written consent of Upmos Inc. Upmos Inc. may freely assign this Policy without restriction. Any attempted assignment in violation of this Section is void.
Survival
The following Sections survive termination or expiration of this Policy: Limitation of Liability, Indemnification, Governing Law & Jurisdiction, Binding Arbitration, Export Control & Sanctions, Minor-Rights & Statutory Carve-Out, and this General Provisions Section.
No Partnership or Agency
Nothing in this Policy creates a partnership, joint venture, employment, or agency relationship. Neither party has authority to bind the other or incur obligations on behalf of the other.
Third-Party Beneficiaries
This Policy does not confer third-party beneficiary rights, except that a minor’s parent or guardian may enforce the minor’s COPPA and related statutory rights directly against Upmos to the extent required by law.
Interactive Computer Service (Section 230)
Upmos operates as an “interactive computer service” within the meaning of 47 U.S.C. § 230(f)(2). Except as specifically provided in this Policy, Upmos is not the publisher or speaker of third-party content and is not liable for user-generated content beyond the obligations set forth here. Nothing in this Policy waives any immunity, defense, or protection available to Upmos under Section 230, the DMCA, or analogous federal or state laws.
Electronic Communications
Under the ESIGN Act (15 U.S.C. § 7001 et seq.) and the Uniform Electronic Transactions Act, you consent to receive communications from Upmos Inc. electronically.
Statute of Limitations
Any claim arising out of or related to this Policy or the Services must be brought within two (2) years after the cause of action accrues, except that this limitation does not apply to any consumer or minor claim where applicable law (including COPPA, CPRA, or a state comprehensive privacy law) provides a longer period that cannot be shortened by agreement.
Headings
Section headings are for convenience only and shall not affect the interpretation of this Policy.
Notices
All notices to Upmos Inc. must be sent to legal@upmos.com or by mail to Upmos Inc., 9896 Bissonnet St, Houston, TX 77036. Notices to you will be sent to the email address associated with your account. Notices are deemed received when delivered electronically or 3 business days after mailing.
Amendments, Scope & Non-Warranty
UPMOS may update this policy from time to time to reflect changes in applicable law, regulatory guidance, business practices, or technology. Material changes will be communicated via this page and, where we have the relevant contact information, via email to affected account holders. We aim to provide advance notice of material changes to known parents or guardians of minor accounts before the change takes effect.
Scope & Good-Faith Statement
This policy is a good-faith summary of UPMOS’s minor-privacy program as of the “Last Revised” date above. It does not constitute a warranty, guarantee, or representation that UPMOS conforms to every requirement of every applicable law at every moment in time; it describes our program and its intended operation. The minor-privacy legal landscape — particularly U.S. state laws passed between 2023 and 2026 — is evolving rapidly, and several statutes cited above are in active litigation. Where a statute is enjoined or stayed, we apply our COPPA baseline and monitor developments.
Non-Waiver of Rights
Nothing in this policy waives, limits, or requires arbitration of any claim under COPPA, the FTC Act, the California CPRA, the Virginia VCDPA, the Colorado CPA, the Utah UCPA, the Connecticut CTDPA, or any comparable federal, state, or foreign minor-privacy or consumer-protection statute. Statutory rights — including the right to file a complaint with a regulator — are preserved.
Penalties Acknowledgment
Penalties for COPPA violations can include civil penalties up to $53,088 per violation (as of 2025 inflation-adjusted cap; 16 CFR § 1.98) and state-law penalties under CPRA, VCDPA, CPA, and similar regimes. UPMOS cooperates with FTC investigations and with investigations by state attorneys general and international regulators.
