CCPA/CPRA Compliance Policy

Effective Date: January 1, 2026 · Last Revised: June 11, 2026 · Version 2.7 · Reading time: computing…

Notice
Categories
Your Rights
Requests
Sharing
DNS & GPC
Retention
Children
ADMT
Cross-Border
FAQs
Contact

Save Policy PDF

Notice at Collection
Category Matrix
Your Rights
Requests, Verification & Appeals
Financial Incentives
Sharing & Service Providers
Do Not Sell or Share
About this CCPA/CPRA Compliance Policy. This Policy covers the rules, obligations, and rights that apply to this policy on the Upmos marketplace. Read the full text below; by using our Services you agree to comply with it.

In Plain English (Non-Binding Summary)

Notice at Collection. We provide this Notice at the point of collection online (checkout, account registration, seller onboarding, ad forms) and offline (phone support) and link it from the footer as CALIFORNIA PRIVACY CHOICES. We retain pers Category Matrix (Past 12 Months). | Category | Sources | Business/Commercial Purposes | Disclosed to (Service Providers/Contractors) | Sold/Shared for Ads? | Retention | Your Rights (CCPA/CPRA). California residents have the rights to Know, Delete, Correct, Opt-Out of Sale/Sharing, Limit SPI, and Non-Discrimination. We honor GLOBAL PRIVACY CONTROL (GPC) signals for sale/sharing opt-out.

This plain-language box is provided for accessibility and readability only. It is not a substitute for the full Policy below, which controls in case of any conflict.

Print, Export & Relevant Links

Print This PolicyExport as PDFTerms of UsePrivacy Policy

Table of Contents

  1. Notice at Collection
  2. Category Matrix (Past 12 Months)
  3. Your Rights (CCPA/CPRA)
  4. Requests, Verification & Appeals
  5. Financial Incentives (Rewards & Membership)
  6. Sharing & Service Providers
  7. Do Not Sell or Share / Global Privacy Control
  8. Data Retention & Deletion
  9. Security Measures
  10. Children & Minors
  11. Accessibility & Language Support
  12. Changes to This Notice
  13. Contributions, Reviews & Ratings
  14. Reporting & Consequences
  15. AI Products & Automated Decisions
  16. Marketplace & Vendor Responsibilities
  17. Purpose Limitation
  18. Shine the Light (§1798.83)
  19. Cross-Border Data Transfers
  20. Annual Metrics & Transparency
  21. Frequently Asked Questions
  22. Related Links
  23. Disclaimer
  24. How Can You Contact Us About This Policy?
  25. Version History

Notice at Collection

Upmos Inc. (“Upmos,” “we,” “us,” or “our”) is a Delaware corporation (registered office c/o Republic Registered Agent LLC, 262 Chapman Rd Ste 240, Newark, DE 19702, New Castle County), with its principal place of business at 9896 Bissonnet St, Houston, TX 77036, United States. Upmos operates an e-commerce marketplace at upmos.com. This CCPA/CPRA Compliance Policy (the “Policy” or this “Notice”) describes how Upmos collects, uses, discloses, and protects the personal information of California residents under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and the regulations promulgated by the California Privacy Protection Agency (CPPA) at 11 CCR § 7000 et seq. This document serves as Upmos’s notice at or before collection of personal information pursuant to Cal. Civ. Code § 1798.100(b) and the regulatory requirements at 11 CCR § 7012.

In Plain Language: We tell you what personal information we collect and why before we collect it. You always know what data is gathered and its business purpose.

We provide this Notice at the point of collection online (checkout, account registration, seller onboarding, ad forms) and offline (phone support) and link it from the footer as CALIFORNIA PRIVACY CHOICES. We retain personal information only as long as reasonably necessary for the disclosed purposes. WE DO NOT SELL OR SHARE SENSITIVE PERSONAL INFORMATION.

Category Matrix (Past 12 Months)

Category Sources Business/Commercial Purposes Disclosed to (Service Providers/Contractors) Sold/Shared for Ads? Retention
Identifiers (name, email, phone, billing/shipping address, account ID) You (accounts, checkout); merchant order data Account setup, fulfillment, support, fraud prevention Payment processors, shipping carriers, email/SMS, support vendors, merchants for your orders Not sold; may be shared for ads unless you opt out Account lifecycle; transactions kept per legal/tax requirements
Commercial Info (orders, products viewed, wishlist) You; session data Fulfillment, receipts, fraud prevention, improvements Merchants fulfilling orders; analytics/ops vendors Not sold; may be shared for ads unless you opt out Orders up to 7 years (tax/accounting)
Internet/Device Activity (IP, cookie ID, pages, device/browser) Your device interactions Security, functionality, analytics Analytics and security providers Not sold; may be shared for ads unless you opt out/GPC IP logs up to 90 days; analytics up to 2 years
Approx. Geolocation (IP city/region; shipping address) Derived from IP via Cloudflare geolocation headers; you provide shipping address Fraud prevention; shipping; server-side content localization Cloudflare (CDN/geolocation); shipping carriers; fraud vendors Not sold; not shared for ads IP geolocation: not stored beyond page request; shipping address: per order/legal requirements
Inferences (interest segments) Derived from interactions Recommendations and UX improvements Recommendation/search providers Not sold; may be shared for ads unless you opt out Up to 2 years
Sensitive PI (payment token IDs, account password, government ID for sellers) You; payment processors; seller onboarding Account security, payment via tokenization, vendor compliance verification Payment processors; ID verification providers Never sold or shared for advertising Only as needed for the stated purpose and legal obligations

Sensitive PI allowed uses: perform services, ensure security/integrity, short-term transient use, servicing accounts/orders, verifying/maintaining quality/safety, and not to infer characteristics beyond those purposes. Use “Limit Use of Sensitive Personal Information” in the footer or Account Settings to exercise this right.

Your Rights (CCPA/CPRA)

In Plain Language: California law gives you the right to know, delete, correct, and control your personal information. You can also opt out of the sale or sharing of your data.

California residents have the rights to Know (Cal. Civ. Code § 1798.110), Delete (§ 1798.105), Correct (§ 1798.106), Opt-Out of Sale/Sharing (§ 1798.120), Limit Use of Sensitive Personal Information (SPI) (§ 1798.121), and Non-Discrimination (§ 1798.125). Pursuant to Cal. Civ. Code § 1798.135 and 11 CCR § 7025, we honor Global Privacy Control (GPC) signals as a valid sale/sharing opt-out where supported.

How to exercise:

  • Submit: PRIVACY PORTAL (footer), privacy@upmos.com, or Account Settings.
  • Opt-Out of Sale/Sharing: DO NOT SELL OR SHARE MY PERSONAL INFORMATION link or GPC.
  • Limit SPI: LIMIT USE OF SENSITIVE PERSONAL INFORMATION link or Account Settings.
  • Authorized agents: include signed authorization and we will verify your identity plus proof of agency.

Timelines: we acknowledge within 10 days; respond within 45 days (one 45-day extension with notice). We verify identity using account login or reasonable documentation matched to existing records. Household requests require verified household members. We document denials with reasons and appeal options.

Requests, Verification & Appeals

  • Intake: privacy portal, privacy@upmos.com, Account Settings, or toll-free number.
  • Verification: account login or matching 2–3 data points; for sensitive data or specific pieces, stronger verification may be required.
  • Authorized agents: provide signed permission plus your verification; for minors, parent/guardian confirmation.
  • Appeals: submit via portal or privacy@upmos.com; we respond within 45 days (one 45-day extension with notice) and state the decision. If denied, we explain why and how to escalate to regulators. APPEALS ARE ALWAYS FREE.

Financial Incentives (Rewards & Membership)

Pursuant to Cal. Civ. Code § 1798.125(b), we may offer rewards, membership benefits, referral bonuses, and promotional credits in exchange for personal information, where the financial incentive is reasonably related to the value of the data provided. These programs are voluntary and require opt-in consent. Material terms:

  • Summary: rewards points, tier benefits, and credits based on purchases and engagement.
  • Categories of PI: identifiers (name, email, phone), commercial information (order history), and inferences (preferences) used to operate rewards and determine eligibility.
  • Value Calculation: financial incentives reasonably relate to value provided by your data, estimated using program costs, expected engagement, and redemption rates.
  • Opt-In/Opt-Out: you can opt in during signup; you may withdraw at any time in Account Settings without losing basic access. Withdrawal ends participation and forfeits unredeemed incentives unless required by law.
  • Non-Discrimination: we do not deny goods/services for exercising privacy rights; incentives are a permissible difference reasonably related to the value of your data.

Specific program details are available in the Cash Back Policy, the All Access Terms of Use, and program enrollment screens.

Sharing & Service Providers

For purposes of Cal. Civ. Code § 1798.140(ad) (definition of “Sale”), we do not sell personal information. For purposes of Cal. Civ. Code § 1798.140(ah) (definition of “Sharing”), we may share identifiers and device information with advertising partners for cross-context behavioral advertising unless you opt out. We disclose personal information to service providers (Cal. Civ. Code § 1798.140(ag)) and contractors (§ 1798.140(j)) for business purposes, subject to written contracts that limit their use of personal information to the specified business purpose and prohibit retention, use, or disclosure for any other purpose.

  • Merchants (sellers): receive only the personal information necessary to fulfill your orders (e.g., name, shipping address, contact, order details). Merchants are independent controllers of their own customer data and must comply with applicable law.
  • Payment processors: receive payment token IDs and transaction details to process payments. We do not store full card numbers.
  • Shipping carriers: receive delivery details.
  • Analytics/security providers: receive device and interaction data for functionality and fraud prevention.

Pursuant to Cal. Civ. Code § 1798.140(ae)(1)(C), biometric information is treated as sensitive personal information; we do not disclose biometric identifiers for advertising and do not use precise geolocation (GPS-level) for tracking.

Do Not Sell or Share / Global Privacy Control

In Plain Language: You can tell us to stop selling or sharing your data at any time. We also honor the Global Privacy Control (GPC) signal from your browser automatically.

  • DO NOT SELL OR SHARE: exercise via the footer link or Account Settings. Pursuant to Cal. Civ. Code § 1798.135 and 11 CCR § 7025, we honor Global Privacy Control (GPC) signals as a valid opt-out of sale/sharing request where supported.
  • Do Not Track (DNT): California law does not require honoring legacy DNT signals. We currently do not respond to DNT, but you may use GPC to express opt-out preferences.