AI and Algorithmic Decision-Making Disclosure

Why We Publish This Disclosure

Upmos uses artificial intelligence (“AI”), machine learning (“ML”), and other automated systems in a number of marketplace functions. This Disclosure describes (a) where we use these systems, (b) how decisions are made and the role of human review, (c) your rights with respect to these decisions, and (d) how we comply with applicable AI-governance laws.

This Disclosure is published pursuant to (citations include date precision as of 2026-05-26):

• EU AI Act, Regulation (EU) 2024/1689 (entered into force August 1, 2024; phased application — Article 5 prohibitions from February 2, 2025; general-purpose AI (GPAI) obligations from August 2, 2025; high-risk AI system obligations and most other provisions from August 2, 2026; certain Annex III obligations from August 2, 2027). Specific articles referenced in this Disclosure: Article 5 (prohibited AI practices), Article 13 (transparency for limited-risk systems including chatbots), Article 14 (human oversight of high-risk systems), Article 26 (deployer obligations), and Article 50 (AI-generated content labeling);
• EU GDPR (Regulation (EU) 2016/679) & UK GDPR Article 22 (the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects);
• Colorado AI Act, Colo. Rev. Stat. § 6-1-1701 et seq. (Senate Bill 24-205, signed May 17, 2024; effective February 1, 2026) — among the first comprehensive U.S. state AI consumer-protection laws (the Utah AI Policy Act, S.B. 149, signed March 13, 2024 / effective May 1, 2024, was first to pass, while Colorado was first to impose AIA requirements and reasonable-care duties), imposing reasonable-care duties on developers and deployers of high-risk AI systems and requiring algorithmic impact assessments;
• California AB 2013 (Generative AI Training Data Transparency Act; effective January 1, 2026) and California AB 1008 (CCPA amendment clarifying personal information includes data stored in AI systems);
• Texas Responsible AI Governance Act (TRAIGA), House Bill 149 (signed 2025; effective January 1, 2026) — prohibits certain AI uses (social scoring, manipulation, behavioral inference from biometrics) and imposes disclosure obligations on consumer-facing AI;
• NYC Local Law 144 for automated employment-decision tools (applicable only to Upmos hiring, not to marketplace functions covered by this Disclosure);
• The Digital Services Act, Regulation (EU) 2022/2065, Article 27 (recommender system transparency) and Article 28 (online-interface design including dark-pattern prohibitions);
• U.S. Voluntary Frameworks: the NIST AI Risk Management Framework (AI RMF 1.0, January 2023) and the White House Blueprint for an AI Bill of Rights (OSTP, October 2022) and Executive Order 14179 (“Removing Barriers to American Leadership in Artificial Intelligence,” January 23, 2025), which superseded the prior Executive Order 14110 (Oct. 30, 2023; revoked Jan. 20, 2025) and directs federal agencies to prioritize American AI dominance while addressing safety, security, and trustworthiness through subsequent rulemaking;
• FTC enforcement guidance, including the FTC’s “Aiming for truth, fairness, and equity in your company’s use of AI” (April 2021), “Keep your AI claims in check” (February 2023), the September 2024 “Operation AI Comply” enforcement initiative, and the FTC’s consent decrees in In re Rite Aid Corp. (December 2023, facial-recognition false-flagging) and In re Everalbum, Inc. (2021, algorithmic disgorgement), all enforced under FTC Act § 5 (15 U.S.C. § 45) prohibiting unfair or deceptive acts or practices involving AI.

Where We Use AI on the Upmos Marketplace

CSAM and Illegal-Content Detection

Upmos uses automated image-, text-, and hash-matching systems (including PhotoDNA-class hashing and behavioral classifiers) to detect child sexual abuse material (“CSAM”), terrorist content, and other content unlawful to host. Confirmed CSAM is reported to the National Center for Missing & Exploited Children (“NCMEC”) CyberTipline pursuant to 18 U.S.C. § 2258A, and to corresponding national hotlines (e.g., IWF in the UK, INHOPE network in the EU) where the content has a regional nexus. This detection is mandatory by law and is not subject to the consumer opt-out rights described in §Your Rights Regarding AI Decisions.

Chatbot Disclosure (EU AI Act Article 13)

Where Upmos deploys an AI-powered customer-support chatbot or similar conversational system, the system is clearly and conspicuously disclosed as AI at the point of first interaction, consistent with EU AI Act Article 13 and Federal Trade Commission guidance on AI persona transparency. Consumers may request human-agent handoff at any time during the interaction.

Decisions With Legal or Similarly Significant Effects

Decisions in the following categories — when made solely by automated processing — would be considered to produce legal or similarly significant effects within the meaning of GDPR Article 22 and analogous provisions of the Colorado AI Act (§ 6-1-1701(3)) and the EU AI Act (Annex III high-risk categories where applicable):

• Permanent termination of a seller’s account;
• Permanent suspension of a buyer’s account;
• Permanent forfeiture of seller funds in escrow;
• Denial of access to a paid service or program (e.g., All Access, Go Membership);
• High-value transaction blocking (defined as any single automated decision that blocks, holds, or reverses a purchase or payment in an amount of USD $1,000 or more, or any series of related decisions blocking, holding, or reversing transactions aggregating to that amount within a thirty (30) day window) that materially affects the consumer’s ability to complete a purchase or receive payment.

For all such decisions, Upmos commits to:

• Maintain a meaningful human review by a trained reviewer with the authority to overturn the automated outcome, conducted prior to enforcement of the decision;
• Inform the affected user of the decision, the underlying logic in plain language, and the categories of data considered;
• Provide a documented appeals process with the following service-level commitments:
  • Acknowledgment of appeal within five (5) business days of receipt;
  • Final decision within thirty (30) business days of complete appeal submission;
  • Expedited seventy-two (72) hour track for appeals where ongoing enforcement creates material financial harm (e.g., escrow funds held);
  • Right to escalate to a senior reviewer not involved in the original decision;
• Not rely solely on automated processing for these categories without the human-review and appeal rights described above.

Your Rights Regarding AI Decisions

Where the law grants you rights with respect to automated decision-making, you may exercise the following rights through the channels listed below:

• Request a human review of the automated decision (GDPR Art. 22(3); UK GDPR Art. 22(3); Colorado AI Act § 6-1-1703(3)(c));
• Express your point of view and contest the decision (GDPR Art. 22(3); UK GDPR Art. 22(3));
• Obtain meaningful information about the logic involved and the significance and envisaged consequences of the automated processing (GDPR Art. 13(2)(f) / 14(2)(g) / 15(1)(h); EU AI Act Art. 13);
• Opt out of automated decision-making used for profiling where authorized by California Civil Code § 1798.185(a)(16) (CCPA ADM regulations) and analogous state privacy laws (VA CDPA § 59.1-577(A)(5); CO CPA § 6-1-1306(1)(a)(II); CT CTDPA § 4(a)(5); MT MTCDPA § 30-14-2807(2)(c); OR OCPA § 646A.578(2)(a)(C));
• Delete personal information used to train AI models to the extent required by CCPA § 1798.105 / CPRA § 1798.106, GDPR Art. 17, and analogous laws (subject to statutory exceptions, including where deletion would compromise model integrity in ways permitted by Cal. Civ. Code § 1798.105(d));
• Lodge a complaint with the competent supervisory authority — for EU/UK residents, your national Data Protection Authority; for Colorado residents, the Colorado Attorney General; for California residents, the California Privacy Protection Agency; for Texas residents, the Texas Attorney General; for other jurisdictions, the supervisory body designated by applicable law.

To exercise these rights, email ai-decisions@upmos.com (AI-specific requests) or privacy@upmos.com (general privacy requests), or use any privacy-rights workflow that may be available from the Privacy Policy. Upmos will respond within 45 days of receipt of a verified request, or such shorter period as required by applicable law (e.g., 30 days under GDPR Art. 12(3); 60 days extension permitted where complex). Verification procedures comply with the “verifiable consumer request” requirements of Cal. Code Regs. tit. 11 § 7060.

Training Data and Model Governance

Upmos’s machine-learning models are trained on three categories of data: (a) first-party marketplace transactional data (orders, listings, search queries, and the like), (b) public datasets used for general-purpose tasks (e.g., language understanding, image classification), and (c) third-party vendor data licensed under written agreement. Excluded inputs. Upmos’s ML training pipelines are configured to exclude (i) the content of buyer-vendor private messages, (ii) support-ticket conversation transcripts, and (iii) biometric data from inputs used to train marketing or advertising-targeting models. Where any such use becomes operationally necessary for a future model, Upmos will (a) obtain affirmative consumer consent through a dedicated notice and opt-in mechanism or (b) remove the data from the training set before model deployment. Aggregated, de-identified, and statistically derived signals from these data categories may, however, be used for fraud-prevention, abuse-detection, and trust-and-safety models where permitted by Section §Where We Use AI above.

California AB 2013 Disclosure (effective January 1, 2026): For each generative AI system that Upmos has made available to consumers, Upmos publishes a high-level summary of the datasets used in training, including (i) sources and copyright status of the data, (ii) whether the data includes personal information, (iii) whether the data includes aggregate consumer information, (iv) the time period over which the data was collected, and (v) whether the data was modified or cleaned. Current generative AI training-data summaries are published within the AI section of the Privacy Policy (a standalone /ai-training-data-summary/ landing page is in production deployment); the summary is updated within 30 days of any material change. Pending standalone-page deployment, EU/UK residents requiring the summary for compliance verification purposes may request a copy by emailing ai-decisions@upmos.com and will receive it within 10 business days.

Governance practices: We perform regular model evaluation, bias testing across protected-attribute subpopulations (where lawfully inferable), drift monitoring, and adversarial-input testing. High-impact models are subject to algorithmic-impact assessment (see §Algorithmic Impact Assessments below) before deployment and re-assessment after material change. Categories of third-party AI vendors with which Upmos has data-processing relationships include: (i) foundation-model providers for generative-AI features (large language and multimodal models), (ii) embedding and vector-search providers for product-search relevance, (iii) cloud-AI inference platforms for fraud detection and content moderation, and (iv) translation-service providers for listing localization. A current list of named vendors is maintained in Upmos’s internal Vendor Register and is available to regulators on lawful request. Third-party AI vendor relationships are governed by data-protection agreements that include, where personal data of EEA/UK residents is processed, either (a) EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK’s International Data Transfer Addendum (IDTA), (b) an adequacy decision under GDPR Art. 45, or (c) another lawful transfer mechanism recognized under GDPR Chapter V. Supplementary technical measures applied include encryption in transit (TLS 1.3+) and at rest (AES-256), key-management isolation, and access controls limited to least-privilege role assignments.

Retention. Personal information used for AI model training is retained only for the periods necessary to (a) train, validate, and re-train the model and (b) comply with applicable record-keeping obligations. Specifically: (i) raw training inputs are retained for not more than the longer of three (3) years from the last model retraining cycle or any longer period required by law; (ii) derived model weights and parameters are retained for the operational life of the model plus five (5) years (aligned with the AIA retention in §Algorithmic Impact Assessments below); (iii) training logs are retained for two (2) years; and (iv) personal information of consumers who exercise the deletion right described in §Your Rights is removed from the training set on the schedule described therein, with re-training conducted on the next regular cycle thereafter.

AI Generated Content Identification

Where Upmos uses AI to generate or significantly modify content shown to consumers (e.g., product summaries, automated translations of listings, AI-generated product imagery), the content is clearly and conspicuously labeled as “AI-generated” or “Generated by AI”, and a link is provided to the original source where applicable, consistent with EU AI Act Article 50 (transparency obligations for providers and deployers of certain AI systems and GPAI models).

Synthetic Media & Deepfake Policy: Vendor listings, reviews, and user-generated content that contain synthetic or substantially altered audio, image, or video purporting to depict real persons, places, events, or products (including AI-generated “deepfakes” per EU AI Act Art. 50(4) and the proposed U.S. NO FAKES Act framework) must be clearly disclosed to the consumer at the point of display. Undisclosed synthetic media of real persons without consent is prohibited under our Acceptable Use Policy and may violate state right-of-publicity laws (Cal. Civ. Code § 3344; N.Y. Civ. Rights Law § 50-51; TN ELVIS Act). Upmos will action removal of non-compliant synthetic media within 24 hours of verified report. Reports may be submitted via trust-safety@upmos.com or, if that mailbox is not yet provisioned at the time of your report, via the general legal@upmos.com address with the subject line “DEEPFAKE / SYNTHETIC MEDIA REPORT”.

Prohibited Uses

Upmos does not engage in any of the following uses of AI on its marketplace, consistent with the prohibited practices enumerated in EU AI Act Article 5 (effective February 2, 2025) and the Texas Responsible AI Governance Act (HB 149) (effective January 1, 2026):

• Social scoring of natural persons by public or private actors leading to detrimental or unfavorable treatment unrelated to the original collection context (EU AI Act Art. 5(1)(c); TRAIGA prohibited use);
• Real-time remote biometric identification of consumers in publicly accessible spaces for law-enforcement purposes (EU AI Act Art. 5(1)(h));
• Subliminal, manipulative, or deceptive techniques beyond a person’s consciousness that materially distort behavior in a manner that causes or is likely to cause significant harm (EU AI Act Art. 5(1)(a); TRAIGA also prohibits AI systems “developed and deployed with the sole intent of inciting or encouraging a person to commit physical self-harm, including suicide, [or] harm another person, or to engage in criminal activity” (Tex. Bus. & Com. Code § 552.054, as enacted by HB 149));
• Exploitation of vulnerabilities due to age, disability, or specific socio-economic situation in a manner that causes or is likely to cause significant harm (EU AI Act Art. 5(1)(b));
• Emotion recognition in the workplace or educational institutions (with respect to Upmos employees and contractors), except where strictly necessary for medical or safety reasons (EU AI Act Art. 5(1)(f));
• Biometric categorization to deduce sensitive characteristics (race, political opinions, trade union membership, religious or philosophical beliefs, sex life, sexual orientation) (EU AI Act Art. 5(1)(g));
• Untargeted scraping of the internet or CCTV for facial-recognition database building (EU AI Act Art. 5(1)(e); aligned with EU Data Protection Authority enforcement (e.g., Dutch DPA €30.5M fine against Clearview AI, Sept. 2024) and FTC consent decrees against U.S. facial-recognition violators (e.g., In re Rite Aid Corp., Dec. 2023));
• Predictive policing of natural persons based solely on profiling or personality traits (EU AI Act Art. 5(1)(d)).

Recommender System Parameters — Article 27 DSA

The main parameters used by our personalized recommender systems, disclosed pursuant to DSA Article 27(1), are:

• Past browsing and purchase history (signed-in consumers);
• Current session signals (search query, view sequence, cart contents);
• Item popularity and aggregate consumer ratings;
• Vendor performance metrics (defect rate, on-time shipping, dispute rate);
• Geographic relevance and shipping availability;
• Price sensitivity inferred from past purchase behavior;
• Inventory availability and freshness signals.

Relative importance: Within the personalized recommender, query-match relevance and inventory availability are weighted most heavily, followed by historical consumer signals and vendor performance metrics. Item popularity acts as a tie-breaker. Sponsored placements are visually distinct, labeled as “Sponsored,” and ranked separately from organic recommendations consistent with FTC Native Advertising guidance and DSA Article 26 (advertising transparency).

Non-personalized alternative (DSA Art. 27(3)): You may switch to a non-personalized view at any time from within your account preferences. The non-personalized view ranks items primarily by popularity, rating, and inventory availability, without use of profile-derived signals. If the in-account toggle is not visible to you (e.g., during a phased rollout), email privacy@upmos.com with the subject line “DSA Recommender Opt-Out” and Upmos will apply the non-personalized view to your account within two (2) business days.

Online-Interface Design (DSA Article 25): Upmos’s recommender interfaces are not designed, organized, or operated in a way that deceives, manipulates, or materially distorts the ability of recipients of the service to make free and informed decisions (DSA Art. 25(1)). The personalization toggle is presented with equal prominence to the personalized default and does not require any pretextual confirmation step.

Minor Protection (DSA Article 28): Where Upmos has actual knowledge that a recipient of its service is a minor (under 18), Upmos applies appropriate technical and organizational measures to ensure a high level of privacy, safety, and security for the minor, including (a) defaulting to the non-personalized recommender view, (b) disabling profile-based advertising targeting, and (c) restricting the categories of data processed for personalization. These measures align with DSA Art. 28(1)–(2) and the EDPB’s “Guidelines 02/2023 on the technical scope of Article 5(3) of the ePrivacy Directive” as supplemented by the European Commission’s 2025 Guidelines on the protection of minors online.

Algorithmic Impact Assessments and Records

For each high-impact model, Upmos maintains an Algorithmic Impact Assessment (“AIA”) covering (i) purpose and intended deployment context, (ii) training-data provenance and quality controls, (iii) foreseeable risks (including bias, accuracy, robustness, privacy, and security), (iv) mitigation measures, (v) fairness and accuracy metrics broken down by relevant subpopulations, (vi) the human oversight regime, and (vii) post-deployment monitoring and drift-detection procedures. AIAs are conducted before deployment of any high-impact model and re-conducted after material change to the model, training data, or use context.

AIAs are structured to satisfy the AIA requirements of the Colorado AI Act (Colo. Rev. Stat. § 6-1-1703(3)) and incorporate the four-function risk-management lifecycle (Govern, Map, Measure, Manage) of the NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1, January 2023) together with the NIST Generative AI Profile (NIST AI 600-1, July 2024). For high-risk AI systems within the meaning of the EU AI Act, AIAs additionally cover the conformity-assessment elements required by Articles 9 (risk management), 10 (data governance), 14 (human oversight), 15 (accuracy/robustness/cybersecurity), and 17 (quality management).

AIA records are retained for not less than five (5) years from the later of (a) the date the relevant model is retired or (b) the date of the final AIA covering that model, and are made available to regulators on lawful request. Upon written request and subject to appropriate confidentiality protections for trade secrets, Upmos will provide a redacted summary of the relevant AIA to consumers exercising the rights described above.

Updates

This Disclosure is reviewed at least annually and whenever there is a material change to Upmos’s AI systems or applicable law. For material changes (defined as changes that meaningfully expand the categories of AI systems Upmos deploys, change a Section §Decisions With Legal or Similarly Significant Effects category, or alter a consumer right or appeal SLA), Upmos will provide affected users with at least thirty (30) days’ advance notice through (a) email to the address associated with the user’s Upmos account, (b) an in-product banner displayed on the user’s next sign-in, and (c) a dated entry in the Version History section of this Disclosure. Minor clarifications, typographical fixes, and citation updates that do not change a user’s substantive rights are made without advance notice and are reflected only in the Version History.

Contact

Email: ai-decisions@upmos.com · privacy@upmos.com

EU Representative (GDPR Article 27)

Upmos is in the process of designating an EU Representative pursuant to GDPR Article 27. Until designation is complete, individuals located in the EU/EEA may direct their AI-related requests, inquiries, and complaints to eu-representative@upmos.com or to the general privacy contact below. Upmos will acknowledge such requests within five (5) business days regardless of representative-designation status.

UK Representative (UK GDPR Article 27)

Upmos is in the process of designating a UK Representative pursuant to UK GDPR Article 27. Until designation is complete, individuals located in the United Kingdom may direct their AI-related requests, inquiries, and complaints to uk-representative@upmos.com or to the general privacy contact below.

How Can You Contact Us About This Policy?

If you have any further questions or comments or wish to report any problematic Content or Contribution, you may contact us by:

General Contact

• Phone: 1-855-MERCHED (1-855-637-2433) (Mon–Fri, 9 AM–5 PM Central Time, U.S.)
• General Support: support@upmos.com
• Report Issue: upmos.com/report
• Send Feedback: upmos.com/feedback

Department Directory

Mailing Address

Upmos Inc.
9896 Bissonnet St
Houston, TX 77036
United States