GDPR Compliance Policy

Effective Date: January 1, 2026 | Last Revised: June 11, 2026 | Version 1.4

About this GDPR Compliance Policy. This Policy sets out the rules, obligations, and rights that apply to the processing of personal data on the Upmos marketplace. Read the full text below; by using our Services you agree to comply with it.

In Plain English (Non-Binding Summary)

Legal Basis for Processing. We process personal data only when we have a valid legal basis under GDPR Article 6(1). The table below maps each processing purpose to its specific legal basis:

Data We Collect. We collect and process the following categories of personal data:

This plain-language box is provided for accessibility and readability only. It is not a substitute for the full Policy below, which controls in case of any conflict.

Data We Collect

We collect and process the following categories of personal data:

Identity Data: Name, username, title, date of birth, gender.

Contact Data: Email address, billing address, shipping address, phone number.

Financial Data: Payment card details (processed securely via third-party payment processors), bank account information (for vendor payments).

Transaction Data: Purchase history, order details, payment records, refund information.

Technical Data: IP address, browser type and version, device information, operating system, time zone setting, browser plug-in types, approximate location (country, region, city — derived from IP via Cloudflare geolocation headers for server-side content rendering; not stored beyond the page request), unique device identifiers.

Profile Data: Username and password, purchase history, preferences, feedback, survey responses.

Usage Data: How you use our website, products, and services, including page views, clicks, search queries, and interaction with features.

Marketing and Communications Data: Your preferences for receiving marketing communications and your communication preferences.

Sensitive Data (Special Categories — Article 9): We do NOT intentionally collect special categories of personal data (e.g., race, ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation). If we ever need to process such data, we will do so only under one of the conditions set out in Article 9(2) GDPR — specifically, with your explicit consent (Art. 9(2)(a)), to protect vital interests (Art. 9(2)(c)), or where necessary for legal claims (Art. 9(2)(f)). We will inform you at the point of collection.

Data Sources (Article 14)

In addition to data you provide directly, we may obtain personal data from the following third-party sources:

  • Payment Processors: Transaction confirmation and fraud-screening data from Stripe, PayPal.
  • Analytics Providers: Aggregated usage and behavioral data from Google Analytics, Mixpanel.
  • Advertising Partners: Conversion and attribution data from Google Ads, Facebook Ads.
  • Public Sources: Publicly available information (e.g., business registries, social media profiles you have made public).
  • Marketplace Vendors: Order fulfillment data and shipping information from vendors on our platform.

Where we collect data indirectly, we will provide the Article 14 notice within a reasonable period after obtaining the data and at the latest within one month; if we use the data to communicate with you, at the latest at the time of our first communication; and if we intend to disclose the data to another recipient, at the latest when it is first disclosed (Art. 14(3)).

Mandatory vs. Optional Data (Article 13(2)(e))

Some personal data is required to provide our services; other data is optional:

  • Mandatory: Name, email address, billing address, and payment information are required to create an account and process orders. If you do not provide this data, we cannot fulfill our contract with you.
  • Optional: Phone number, profile preferences, marketing consent, and feedback are optional. Declining to provide optional data will not affect core service delivery.
  • Consequences: Where data provision is a statutory or contractual requirement, we will inform you at the point of collection and explain the consequences of not providing the data.

How We Use Your Data

We use personal data for the following purposes:

  • Service Delivery: Processing orders, managing accounts, providing customer support, delivering products and services.
  • Payment Processing: Processing payments, preventing fraud, managing billing and invoicing.
  • Communication: Sending transactional emails (order confirmations, shipping notifications), responding to inquiries, providing customer service.
  • Marketing: Sending promotional materials, newsletters, and offers (only with your consent or where permitted by law).
  • Personalization: Customizing your experience, recommending products, tailoring content.
  • Analytics: Analyzing usage patterns, improving website performance, conducting research.
  • Security: Protecting against fraud, unauthorized access, and security threats.
  • Legal Compliance: Complying with legal obligations, responding to legal requests, enforcing our terms.

Your GDPR Rights

Under GDPR, you have the following rights:

Right to Access: You can request a copy of the personal data we hold about you.

Right to Rectification: You can request correction of inaccurate or incomplete data.

Right to Erasure (Right to be Forgotten): You can request deletion of your personal data in certain circumstances (e.g., data no longer necessary, consent withdrawn).

Right to Restrict Processing: You can request that we limit how we use your data in certain situations (e.g., disputing accuracy, unlawful processing).

Right to Data Portability: Where processing is based on your consent or on a contract with you and is carried out by automated means, you can request that we provide the personal data you have given us in a structured, commonly used, machine-readable format and, where technically feasible, transmit it directly to another controller (Art. 20).

Right to Object — Direct Marketing (Article 21(2)-(3)): You have an unconditional, absolute right to object at any time to the processing of your personal data for direct marketing purposes, including profiling related to direct marketing. Upon receiving your objection, we will immediately cease processing your data for direct marketing — no balancing test or justification is required.

Right to Object — Legitimate Interests (Article 21(1)): You may object to processing based on our legitimate interests (Art. 6(1)(f)) on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims.

Right to Withdraw Consent: You can withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing).

Right to Lodge a Complaint: You can file a complaint with your local supervisory authority (Data Protection Authority) if you believe we have violated your rights.

How to Exercise Your Rights

To exercise any of your GDPR rights, contact us:

Email: privacy@upmos.com
Phone: +1 (855) 637-2433
Mail: Upmos Inc, Attn: Privacy Team, 262 Chapman Rd Suite 240, Newark, DE 19702, United States

Response Time: We will respond to verified requests without undue delay and in any event within one month of receipt. For complex or numerous requests, we may extend this by up to two further months and will inform you of the extension and its reasons within the first month (Art. 12(3)).

Verification: We may request additional information to verify your identity before fulfilling your request.

No Fee: We do not charge a fee for exercising your rights unless your request is manifestly unfounded, excessive, or repetitive.

Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy or as required by law:

Account Data: Retained while your account is active and for a reasonable period thereafter (typically 3-7 years for audit and legal purposes).

Transaction Data: Retained for 7-10 years to comply with tax, accounting, and legal requirements.

Marketing Data: Retained until you opt out or withdraw consent, then deleted within 30 days.

Usage Data: Typically retained for 2-3 years for analytics purposes, then anonymized or deleted.

Legal Holds: Data may be retained longer if required for legal proceedings, investigations, or regulatory inquiries.

Data Transfers

We may transfer personal data outside the EEA, including to countries that the European Commission has not recognized as providing an adequate level of data protection. When we do so, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers to third countries.

Adequacy Decisions: We transfer data to countries recognized by the European Commission as providing adequate protection (e.g., UK, Switzerland, Japan).

US Service Providers: For US-based processors, we rely on SCCs and supplementary measures to ensure GDPR compliance.

Your Consent: In some cases, we may seek your explicit consent for cross-border transfers.

Supplementary Measures (Schrems II): Following the Court of Justice of the European Union’s Schrems II decision (Case C-311/18), we conduct Transfer Impact Assessments (TIAs) for each transfer to assess the legal framework of the destination country and implement supplementary technical measures (e.g., encryption in transit and at rest, pseudonymization) and organizational measures (e.g., access controls, data handling policies) where necessary.

Your Right to Obtain a Copy of Transfer Safeguards (Articles 13(1)(f), 15(2) and 46): You may request a copy of the Standard Contractual Clauses or other Article 46 safeguards we rely on by contacting dpo@upmos.com.

Data Sharing & Processor Agreements

We share personal data with the following categories of recipients:

Service Providers: Payment processors (Stripe, PayPal), cloud hosting (AWS, Google Cloud), email services (SendGrid, Mailchimp), analytics (Google Analytics, Mixpanel).

Vendors and Sellers: Marketplace vendors who fulfill your orders (only data necessary for fulfillment).

Advertising Partners: Google Ads, Facebook Ads, programmatic ad networks (with your consent or where legally permitted).

Legal Authorities: Law enforcement, regulatory bodies, courts (when required by law or to protect our legal rights).

Business Transfers: In connection with mergers, acquisitions, or asset sales (with appropriate safeguards).

Affiliates: Our parent company, subsidiaries, and affiliated entities for internal business purposes.

We do NOT sell personal data to third parties.

Data Processing Agreements (Article 28)

We enter into written Data Processing Agreements (DPAs) with all third-party processors who process personal data on our behalf, as required by Article 28 GDPR. These DPAs include:

  • Processing only on our documented instructions
  • Confidentiality obligations on all personnel processing data
  • Appropriate technical and organizational security measures
  • Restrictions on sub-processing without our prior written authorization
  • Assistance with data subject rights requests
  • Deletion or return of data upon termination of services
  • Provision for audits and inspections

Sub-Processor Management

Our processors may not engage sub-processors without our prior specific or general written authorization. Where general authorization is given, the processor must inform us of any intended changes to add or replace sub-processors, giving us the opportunity to object. We maintain an up-to-date list of sub-processors, available upon request by contacting dpo@upmos.com.

Automated Decision-Making & Profiling

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements (Article 4(4)).

Your Right (Article 22(1)): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is: (a) necessary for entering into or performing a contract, (b) authorised by EU or Member State law, or (c) based on your explicit consent.

We may use automated decision-making and profiling for:

Fraud Prevention: Automated systems analyze transactions for fraudulent patterns.

Personalization: Algorithms recommend products based on browsing and purchase history.

Marketing: Automated systems segment users for targeted marketing campaigns.

Your Rights: You have the right to:

  • Request human intervention in automated decisions
  • Express your point of view
  • Contest automated decisions that produce legal or similarly significant effects

To exercise these rights, contact privacy@upmos.com.

Cookies & Tracking

We use cookies and similar tracking technologies. You can manage cookie preferences via our Cookie Consent Banner or browser settings.

For details, see our Cookie Policy.

Cookies We Use:

  • Essential Cookies: Required for website functionality (e.g., shopping cart, authentication).
  • Analytics Cookies: Help us understand how visitors use our site (Google Analytics).
  • Marketing Cookies: Used for targeted advertising and retargeting campaigns.

Your Choices:

  • Accept or reject non-essential cookies via the consent banner
  • Disable cookies in your browser settings
  • Opt out of interest-based advertising via Digital Advertising Alliance

Children’s Privacy

Our services are NOT directed to children under 16 years of age. We do not knowingly collect personal data from children under 16 without verifiable parental consent.

If you believe we have collected data from a child under 16, contact us immediately at privacy@upmos.com, and we will delete it promptly.

Data Security

We implement appropriate technical and organizational measures to protect personal data:

Encryption: Data in transit is encrypted using TLS. Sensitive data at rest is encrypted using AES-256.

Access Controls: Role-based access controls limit employee access to personal data.

Authentication: Multi-factor authentication (MFA) for administrative accounts.

Security Monitoring: Continuous monitoring for security threats and vulnerabilities.

Incident Response: We have procedures to detect, investigate, and respond to data breaches.

Breach Notification: If a personal data breach occurs, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms (Art. 33). Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34).

Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee GDPR compliance:

DPO Contact:
Email: dpo@upmos.com
Mail: Data Protection Officer, Upmos Inc, 262 Chapman Rd Suite 240, Newark, DE 19702, United States

You may contact our DPO with questions or concerns about our data processing practices.

Supervisory Authority

You have the right to lodge a complaint with your local supervisory authority:

EEA Residents: Contact your national Data Protection Authority. Find your authority at https://edpb.europa.eu/about-edpb/board/members_en

UK Residents: Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/
Phone: +44 303 123 1113

Swiss Residents: Federal Data Protection and Information Commissioner (FDPIC)
Website: https://www.edoeb.admin.ch/

GDPR Core Principles (Article 5)

We are committed to upholding all seven data protection principles set out in Article 5 of the GDPR:

  • Lawfulness, Fairness & Transparency (Art. 5(1)(a)): We process data lawfully, fairly, and transparently. This policy and our Privacy Policy explain all processing activities in clear language.
  • Purpose Limitation (Art. 5(1)(b)): We collect data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
  • Data Minimization (Art. 5(1)(c)): We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  • Accuracy (Art. 5(1)(d)): We take reasonable steps to ensure personal data is accurate and kept up to date. You may request rectification of inaccurate data at any time.
  • Storage Limitation (Art. 5(1)(e)): We retain personal data only for as long as necessary. See the Data Retention section above for specific retention periods.
  • Integrity & Confidentiality (Art. 5(1)(f)): We implement appropriate technical and organizational security measures to protect data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Accountability (Art. 5(2)): We are responsible for, and able to demonstrate compliance with, all of the above principles. We maintain comprehensive documentation including this policy, DPIAs, processing records, DPAs, and audit trails.

Privacy by Design & Default (Article 25)

In accordance with Article 25 GDPR, we implement data protection by design and by default throughout our systems, products, and business processes:

Privacy by Design

  • At the Design Stage: We integrate data protection considerations into the design and development of new products, services, features, and business processes from the earliest stage.
  • Technical Measures: We implement pseudonymization, encryption, access controls, and data segregation as default architectural components.
  • Organizational Measures: Staff training, privacy impact reviews, and internal policies ensure that data protection is embedded in our organizational culture.

Privacy by Default

  • Minimum Data: By default, we process only the personal data necessary for each specific purpose.
  • Default Privacy Settings: User accounts are configured with the most privacy-protective settings by default (e.g., marketing opt-out by default, minimal data sharing).
  • Limited Access: Personal data is not made accessible to an indefinite number of persons without the individual’s intervention.
  • Retention: Data is retained only for the minimum period necessary for the purpose of processing.

Data Protection Impact Assessments & Records of Processing

DPIAs (Article 35)

We conduct Data Protection Impact Assessments (DPIAs) before initiating any processing that is likely to result in a high risk to the rights and freedoms of individuals, as required by Article 35 GDPR. This includes:

  • Systematic and extensive profiling with significant effects on individuals
  • Large-scale processing of special categories of data (Article 9)
  • Systematic monitoring of publicly accessible areas on a large scale
  • Use of new technologies that may present high risks
  • Large-scale automated decision-making with legal or similarly significant effects

Each DPIA evaluates: (a) the necessity and proportionality of the processing, (b) the risks to data subjects’ rights and freedoms, and (c) the measures to address those risks. Where a DPIA indicates that processing would result in high risk that cannot be mitigated, we consult the relevant supervisory authority (Art. 36) before proceeding.

Records of Processing Activities (Article 30)

We maintain comprehensive Records of Processing Activities (ROPA) as required by Article 30 GDPR. Our records include:

  • The name and contact details of the controller (Upmos Inc) and our DPO
  • The purposes of each processing activity
  • A description of the categories of data subjects and categories of personal data
  • Categories of recipients, including those in third countries
  • Details of international transfers and safeguards applied
  • Envisaged retention periods for each category of data
  • A general description of technical and organizational security measures (Art. 32(1))

Our ROPA is available for inspection by the relevant supervisory authority upon request.

Controller & Processor Roles

Upmos operates as a marketplace platform. Our role under GDPR varies depending on the processing activity:

  • Account registration & management: Controller (Art. 4(7)). We determine the purposes and means of processing your account data.
  • Website analytics & improvement: Controller. We decide what analytics to collect and how to use them.
  • Marketing & communications: Controller. We determine marketing purposes, targeting, and channels.
  • Payment processing: Controller. We initiate and manage payment processing (Stripe and PayPal act as our processors).
  • Order fulfillment by third-party vendors: Joint Controller (Art. 26). We and marketplace vendors jointly determine certain aspects of processing for order fulfillment. A Joint Controller Agreement defines respective responsibilities.
  • Vendor-initiated processing: Processor (Art. 4(8)). Where vendors use our platform tools to process customer data for their own purposes, we act as a processor on the vendor’s behalf under a DPA.

Joint Controller Arrangements (Article 26)

Where Upmos and a marketplace vendor act as joint controllers, we enter into a Joint Controller Agreement (Art. 26) that transparently determines our respective responsibilities for compliance, including the exercise of data subject rights and provision of information under Articles 13 and 14. The essence of these arrangements is made available to data subjects upon request.

EU/UK Representative (Article 27)

As Upmos Inc is established outside the European Union and United Kingdom but processes personal data of individuals in the EU/UK, we have appointed representatives in accordance with Article 27 GDPR and UK GDPR:

EU Representative

Name: Upmos EU Data Protection Representative
Email: eu-representative@upmos.com
Address: Available upon request by contacting dpo@upmos.com

UK Representative

Name: Upmos UK Data Protection Representative
Email: uk-representative@upmos.com
Address: Available upon request by contacting dpo@upmos.com

Our representatives serve as a point of contact for data subjects and supervisory authorities on all issues related to the processing of personal data under GDPR and UK GDPR.

Governing Law & Jurisdiction

This GDPR Compliance Policy is governed by and construed in accordance with the laws of the State of Texas, United States, without regard to conflict-of-law principles, except where GDPR, UK GDPR, or other mandatory data protection laws of your jurisdiction provide otherwise.

GDPR Primacy: To the extent that any provision of this policy conflicts with GDPR, UK GDPR, or the Swiss FADP, the applicable data protection regulation shall prevail. Nothing in this policy limits or waives any rights you have under mandatory data protection laws.

Jurisdiction: Any disputes arising from or related to this policy shall be submitted to the exclusive jurisdiction of the courts located in Dallas County, Texas, except that you retain the right to lodge a complaint with your local supervisory authority as set out in the Supervisory Authority section of this policy.

Changes to This Policy

We may update this GDPR Compliance Policy from time to time. Changes will be posted at https://upmos.com/gdpr-compliance-policy/ with an updated “Last Updated” date.

Material Changes: We will notify you of material changes via email or prominent notice on our website.

Consent-Based Processing: Where our processing relies on your consent, we will seek fresh, explicit consent for any material changes affecting that processing. Continued use of our services does NOT constitute consent under GDPR (Art. 4(11), Art. 7, Recital 32). We will never infer consent from silence, inaction, or continued use alone.

Non-Consent-Based Processing: For processing based on contract performance, legal obligation, or legitimate interests, updates to this policy will take effect 30 days after posting, and we will notify you in advance so you may exercise your rights (including objection or erasure) before the changes apply.

How Can You Contact Us About This Policy?

If you have any further questions or comments about this Policy, or wish to report any problematic Content or Contribution, you may contact us through the department directory below or by mail.

Department Directory

  • General Support: support@upmos.com (account help, general inquiries)
  • Legal: legal@upmos.com (legal questions, appeals, terms inquiries)
  • DMCA / Copyright: dmca@upmos.com (copyright infringement notices & counter-notices)
  • Privacy: privacy@upmos.com (data requests, CCPA/GDPR inquiries)
  • Fraud: fraud@upmos.com (report fraudulent activity, 24/7)
  • Security: security@upmos.com (vulnerability reports, bug bounty)
  • Disputes: disputes@upmos.com (transaction & seller disputes)
  • Refunds: refunds@upmos.com (refund requests & status)
  • Accessibility: accessibility@upmos.com (accessibility issues & feedback)

Mailing Address

Upmos Inc.
9896 Bissonnet St
Houston, TX 77036
United States

Version History

Material revisions to this Policy are tracked below. Minor typographical fixes are not separately enumerated.

  • v1.4 (June 11, 2026): Content audit: header Last Revised updated from May 13, 2026 to June 11, 2026; JSON-LD dateModified updated from 2026-05-13 to 2026-06-11; version bumped from 1.3 to 1.4.
  • v1.1 (May 12, 2026): Restored chip navigation and the “In Plain English” non-binding summary box; rebuilt the jump-bar into three categorized columns (Overview / Coverage & Rules / Resolution & Help) and removed its sticky positioning; readability hardening for both light and dark mode so that strong/emphasis text, table cells, and contact-section labels remain legible regardless of the active theme.
  • v1.0 (May 11, 2026): Initial publication under the Upmos Gold Standard policy format with full accessibility chrome, JSON-LD schema, dark mode, reading progress bar, two-column TOC, jump-bar, and Department Directory contact table.
