Upmetrics

Terms & Policies

Last Updated: April 30, 2026

This Privacy Policy describes how Upmetrics, Inc. ("Upmetrics", "we", "us", or "our") collects, uses, discloses, and protects your information when you visit our websites, use our services, or otherwise interact with us. By using our services, you agree to the practices described in this Privacy Policy.

This Privacy Policy is supplemented by our Cookie Policy, our AI Privacy Policy, our Security Policy, and, for business customers, our Data Processing Agreement.

1. Revisions to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will notify you by email or by posting a notice on our website prior to the change becoming effective. We will also update the "Last Updated" date at the top of this policy. Your continued use of our services after the effective date of any update constitutes acceptance of the revised Privacy Policy.

2. Collection and Use of Information

Information Obtained from Website Visitors

We collect Personal Information when you visit our websites, subscribe to our blog, register for webinars, or download resources. "Personal Information" includes your name, email address, company name, postal address, and phone number.

We also collect Navigational Information, which includes your IP address, location, browser type, and pages visited. Payment Information is processed through third-party PCI-compliant payment processors (Stripe and Chargebee); we do not store full card details on our servers.

Information Obtained from Participants

If you are invited to collaborate on a business plan or other content within Upmetrics, we collect identifying details necessary for the collaboration: name, email address, IP address, and profile picture.

Information Obtained from Customers

  • Account Information: name and email address used to create and manage your account.
  • Billing Information: processed through Stripe and Chargebee. We retain billing records (invoice and transaction history) but do not store full payment card numbers.
  • User-generated content: business plans, financial forecasts, pitch decks, and other content you create within the Upmetrics service.

Information Obtained from All Users

  • Cookies: we use session and persistent cookies to track login status and user interaction patterns.
  • Web Beacons: tiny graphics that help us monitor website performance and the effectiveness of our communications and advertising.
  • Log Data: server logs that automatically capture IP addresses, browser type, pages visited, search terms, and time spent on our pages.

For a detailed list of the cookies we use, the third parties that set them, and how to manage your cookie preferences, see our Cookie Policy.

3. Information that We Share with Third Parties

  • Service Providers: third-party vendors (hosting, payment processing, email delivery, CRM, analytics, customer support, AI providers, and similar) access Personal Information only to the extent necessary to provide their service to us. They are contractually bound to safeguard the data and use it only for the purposes we specify.
  • Customers and Participants: content and Personal Information shared in collaborative contexts is shared with the relevant Customer and the Participants they invite.
  • Advertising and Analytics Partners: we use third-party advertising and analytics technologies (including Meta Pixel, Google Ads, Google Analytics, and Reddit Pixel) that may collect information about your use of our website. See Sections 6 and 9 below and our Cookie Policy for details.
  • Aggregated Information: we may share aggregated, non-identifying information for research and demographic analysis.
  • Business Transactions: in the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction.
  • Legal Compliance: we may disclose information to government officials or private parties when we believe in good faith that disclosure is necessary to comply with applicable law, respond to a valid legal request, prevent fraud, or protect the rights, property, or safety of Upmetrics, our users, or others.

For business customers, our Data Processing Agreement sets out additional terms governing how we handle Personal Data on your behalf, including a current list of sub-processors.

4. AI-Powered Features

If you use our AI-powered features, certain information is shared with our third-party AI providers (currently OpenAI and Anthropic) to generate responses. The information shared, the purposes for which it is processed, and your options are described in our AI Privacy Policy.

5. Your Choices

  • Opt-out of marketing emails: you can unsubscribe from promotional emails at any time using the unsubscribe link in any marketing message we send.
  • Mandatory communications: you cannot opt out of service updates, security alerts, billing notifications, or changes to our terms.
  • Modify your information: you can access and modify your account information by signing in to your Upmetrics account and updating your settings.
  • Delete your account: you can request deletion of your account and associated Personal Information at any time using the in-product account deletion option or by emailing [email protected]. See Section 7 (Data Retention) for details on the deletion timeline.
  • Cookie preferences: you can manage cookies through your browser settings or as described in our Cookie Policy.

6. The Security of Your Information

We take the security of your Personal Information seriously and implement appropriate technical and organizational measures designed to protect it against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Encryption in transit: all communication with our website and application is delivered over HTTPS using industry-standard TLS encryption.
  • Encryption at rest: Personal Information stored in our production databases and backups is encrypted at rest using AES-256 or equivalent.
  • Access control: access to production systems and Personal Information is restricted to authorized Upmetrics personnel on a need-to-know basis. Multi-factor authentication is required for administrative access to production systems.
  • Two-factor authentication for accounts: Upmetrics customers can enable two-factor authentication (2FA) on their accounts for an additional layer of protection. We strongly recommend enabling it.
  • Secure infrastructure: our services are hosted on Amazon Web Services (AWS) in the United States, with disaster recovery across multiple availability zones.
  • Payment security: we do not store full payment card details. Card information is tokenized and processed by our PCI-compliant payment processors (Stripe and Chargebee).
  • Monitoring and logging: we maintain audit logs of access and significant administrative actions to support security investigations and incident response.
  • Vulnerability management: we monitor our software dependencies for known vulnerabilities and apply security patches promptly.
  • Personnel security: all employees and contractors are bound by written confidentiality obligations and receive periodic security and privacy training.
  • Incident response: we maintain an incident response plan to detect, respond to, and remediate security incidents. We will notify affected users and, where applicable, regulatory authorities of confirmed Personal Data Breaches in accordance with applicable law (and within 72 hours for business customers as set out in our Data Processing Agreement).

For a more detailed description of our security practices, see our Security Policy. Business customers can also review the technical and organizational measures set out in our Data Processing Agreement.

While we work hard to protect your Personal Information, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security. If you become aware of a potential security issue, please contact us at [email protected].

7. Data Retention

We retain your Personal Information only for as long as necessary to fulfill the purposes for which it was collected, including to provide you with the Upmetrics service, comply with our legal and tax obligations, resolve disputes, and enforce our agreements.

The specific retention periods we apply vary by the type of information and the purpose for which we hold it. The list below summarizes our standard retention periods. Where we are required by law to retain information for longer, or where it is necessary for the establishment, exercise, or defense of legal claims, we will retain it for that longer period.

Standard Retention Periods

  • Account information (name, email, login credentials, profile data) β€” for the lifetime of your active account, plus up to 24 months after account closure for backup, dispute resolution, and legal compliance.
  • User-generated content (business plans, financial forecasts, pitch decks, and other content you create within Upmetrics) β€” for the lifetime of your active account. After account closure, this content is deleted within 90 days unless you have requested an export or our legal obligations require us to retain it.
  • Billing and transaction records (invoices, payment receipts, subscription history) β€” up to 7 years to comply with U.S. and international tax, accounting, and audit obligations.
  • Payment card information β€” we do not store full card numbers. Card details are tokenized and held by our PCI-compliant payment processors according to their retention policies.
  • Marketing and communication preferences (subscription status, email engagement) β€” until you unsubscribe. We retain a suppression record indefinitely to honor your opt-out and prevent us from re-contacting you.
  • Customer support communications (emails, chat transcripts, ticket history) β€” up to 36 months after the last interaction.
  • Server logs, security logs, and usage analytics (IP address, browser type, pages visited, error logs) β€” typically up to 26 months.
  • Cookies and similar technologies β€” for the duration set in each cookie, ranging from the end of your browser session to up to 24 months. See our Cookie Policy for details.
  • AI feature interactions (prompts, generated outputs, and metadata from AI-powered features) β€” up to 12 months, after which they are deleted or anonymized. See our AI Privacy Policy for additional detail.
  • Webinar registrations, downloads, and form submissions β€” up to 36 months from the date of submission.
  • Legal, compliance, and dispute records β€” for as long as necessary to comply with applicable law or to establish, exercise, or defend legal claims.

Account Deletion

You can request deletion of your account and associated Personal Information at any time using the in-product account deletion option, or by contacting us at [email protected]. Once your request is verified, we will delete or anonymize your Personal Information within 30 days, except where we are required or permitted by law to retain it (for example, billing records held for tax compliance, or information needed to defend a legal claim). Information held in routine, encrypted backups will be overwritten in the normal course of our backup rotation, typically within 90 days.

Anonymization

In some cases, rather than delete your information, we may aggregate or de-identify it so that it can no longer be linked to you. We may retain and use aggregated, anonymized data indefinitely for analytics, service improvement, and other lawful business purposes.

Backup Retention

For service reliability and disaster recovery, we maintain encrypted backups of our production systems. Personal Information may persist in these backups for a short period after deletion from our live systems, but is overwritten on the standard backup rotation cycle and is not used for any other purpose.

8. Responding to Do Not Track Signals

Our website does not respond to "Do Not Track" (DNT) browser signals. However, we do recognize and honor the Global Privacy Control (GPC) browser signal as described in Section 9 below.

9. Your Rights Under U.S. State Privacy Laws (California, Virginia, Colorado, Connecticut, Utah, and Other States)

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another U.S. state with a comprehensive consumer privacy law, you have specific rights regarding the Personal Information we collect about you. This section applies in addition to the rest of this Privacy Policy.

Categories of Personal Information We Collect

In the past 12 months, we have collected the following categories of Personal Information, as defined under the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"):

  • Identifiers: name, email address, postal address, phone number, IP address, account login credentials, and unique online identifiers.
  • Customer records information: billing address and payment information (processed by our PCI-compliant payment processor; we do not store full card numbers).
  • Commercial information: products or services purchased, subscription history, and transaction records.
  • Internet or other network activity information: browsing history on our site, interaction with our pages, advertisements, and emails, device and browser information.
  • Geolocation data: approximate location derived from IP address (not precise GPS).
  • Professional or employment-related information: company name, job title, industry, and business size, where you provide them.
  • Inferences: drawn from the above to create a profile reflecting your preferences, interests, and behavior.
  • User-generated content: business plans, financial forecasts, and other content you create within the Upmetrics service.

We do not knowingly collect sensitive personal information as defined under the CPRA (such as Social Security numbers, government IDs, precise geolocation, racial or ethnic origin, religious beliefs, health information, biometric data, or contents of mail or messages) other than account login credentials, which we use solely to provide the service and not to infer characteristics about you.

Sources of Personal Information

  • Directly from you when you visit our website, create an account, subscribe, contact support, or use our services.
  • Automatically from your device through cookies, pixels, server logs, and similar technologies.
  • From third parties such as advertising partners, analytics providers, payment processors, and publicly available sources.

Purposes for Collection

  • To provide, operate, and maintain the Upmetrics service.
  • To process payments and manage subscriptions.
  • To respond to your inquiries and provide customer support.
  • To send service updates, security alerts, and administrative messages.
  • To send marketing communications (where permitted by law and subject to your preferences).
  • To personalize and improve the service, including measuring engagement and developing new features.
  • To run advertising campaigns, including retargeting on third-party platforms.
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations and enforce our terms.

Categories of Personal Information We Disclose, Sell, or Share

We disclose Personal Information to the following categories of third parties for business purposes:

  • Service providers and processors: hosting and infrastructure providers, payment processors, email and CRM platforms, customer support tools, analytics providers, and security vendors.
  • Advertising partners: Meta (Facebook), Google, Reddit, and other advertising platforms that help us measure and optimize advertising campaigns.
  • Professional advisors: lawyers, accountants, and auditors, where necessary.
  • Government and law enforcement authorities: when required by law or to protect our rights.
  • Business transaction counterparties: in the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets.

"Sale" and "Sharing" of Personal Information. Under the CPRA's broad definitions, our use of third-party advertising and analytics technologies β€” including the Meta Pixel, Google Ads tags, Google Analytics with advertising features, Reddit Pixel, and similar advertising platforms β€” may constitute a "sale" or "sharing" of Personal Information for cross-context behavioral advertising. The categories of Personal Information involved are identifiers, internet or other network activity information, commercial information, and inferences. We do not knowingly sell or share the Personal Information of consumers under the age of 16.

We do not sell or share sensitive personal information, and we do not use sensitive personal information for purposes that require a right to limit under the CPRA.

Your Rights

Subject to applicable law and verification of your identity, you have the right to:

  • Right to know: request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to access / portability: receive a copy of the Personal Information we hold about you in a portable, readily usable format.
  • Right to correct: request correction of inaccurate Personal Information.
  • Right to delete: request that we delete the Personal Information we have collected from you, subject to certain legal exceptions.
  • Right to opt out of sale or sharing: direct us to stop the sale or sharing of your Personal Information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information: as described above, we do not use sensitive personal information for purposes that trigger this right.
  • Right to non-discrimination: we will not deny goods or services, charge different prices, or provide a different level or quality of service because you exercised your privacy rights.
  • Right to appeal (Virginia, Colorado, Connecticut, and other states): if we deny your request, you may appeal that decision by replying to our response or contacting us again.

How to Exercise Your Rights

You can exercise your rights by:

  • Email: writing to us at [email protected] with the subject line "Privacy Request" and stating which right you wish to exercise.
  • Mail: sending a written request to the postal address listed in the "Contact Information" section below.
  • "Do Not Sell or Share My Personal Information" link: available in the footer of every page of our website.

We will respond to verifiable requests within 45 days. If we need more time, we will inform you of the reason and the extension period in writing, which will not exceed an additional 45 days (90 days total).

Authorized agents. You may designate an authorized agent to make a request on your behalf. We will require written permission signed by you and may require you to verify your identity directly with us.

Verification. To protect your Personal Information, we will verify your identity before fulfilling your request by matching the information you provide with information we already hold. For deletion or sensitive requests, we may require additional verification.

Global Privacy Control (GPC)

We recognize and honor the Global Privacy Control (GPC) browser signal as a valid request to opt out of the sale and sharing of Personal Information for visitors from California and other jurisdictions that recognize GPC. When we detect a GPC signal, we will treat it as an opt-out request for the browser and device from which the signal is sent.

Shine the Light (California Civil Code Β§ 1798.83)

California residents may request information about the categories of Personal Information we have shared with third parties for those parties' direct marketing purposes during the preceding calendar year. To make such a request, contact us at [email protected].

Notice of Financial Incentive

We do not currently offer financial incentives or price differences in exchange for the collection, sale, or retention of your Personal Information.

10. Your Rights Under GDPR (EU and UK Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and UK GDPR give you specific rights regarding your Personal Information. This section explains those rights and how to exercise them.

Legal Bases for Processing

We only process your Personal Information when we have a lawful basis to do so. The bases we rely on are:

  • Performance of a contract: when processing is necessary to provide the Upmetrics service you have signed up for, including account creation, billing, and customer support.
  • Legitimate interests: for product improvement, security monitoring, fraud prevention, direct marketing to existing customers, and analytics, where our interests are not overridden by your rights.
  • Consent: for marketing communications to prospects, non-essential cookies, and any optional features that require it. You can withdraw consent at any time.
  • Legal obligation: when processing is required to comply with applicable law, tax requirements, or a binding legal request.

Your Rights

Subject to applicable law, you have the right to:

  • Access the Personal Information we hold about you and request a copy.
  • Rectify inaccurate or incomplete Personal Information.
  • Erase your Personal Information ("right to be forgotten") where there is no overriding legal reason for us to keep it.
  • Restrict our processing of your Personal Information in certain circumstances.
  • Object to processing based on our legitimate interests, including direct marketing.
  • Data portability: receive your Personal Information in a structured, machine-readable format and transmit it to another controller.
  • Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

How to Exercise Your Rights

To exercise any of these rights, write to us at [email protected] with the subject line "Privacy Request." Please include enough information for us to verify your identity and locate your records. We will respond to your request within 30 days. If your request is complex or we receive a high volume of requests, we may extend this period by up to 60 additional days, in which case we will inform you of the extension and the reasons for it within the first 30 days.

There is no fee for exercising your rights. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded, excessive, or repetitive.

International Data Transfers

Upmetrics is a Delaware-registered company based in the United States, and uses service providers located in the United States, the European Union, and other countries. When we transfer your Personal Information from the European Economic Area, the United Kingdom, or Switzerland to the United States or another country that has not received an adequacy decision from the European Commission or the UK government, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission and the United Kingdom's International Data Transfer Addendum, or transfers that are necessary for the performance of our contract with you.

You can request more information about the safeguards we have in place by contacting us at [email protected].

Right to Lodge a Complaint

If you believe our processing of your Personal Information infringes data protection law, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State or UK region of your habitual residence, place of work, or the place of the alleged infringement. A list of EU supervisory authorities is available at edpb.europa.eu. UK users can contact the Information Commissioner's Office (ICO).

We would, however, appreciate the chance to address your concerns before you approach a supervisory authority, so please consider contacting us first at [email protected].

Privacy Contact

For any questions about this Privacy Policy, our data practices, or to exercise your rights, contact our Privacy Team at [email protected].

11. Links to Other Sites

Our website and application may contain links to third-party websites and services. We are not responsible for the privacy practices of those third parties, and we recommend that you review their privacy policies before providing any Personal Information.

12. Processing of Personal Information on Behalf of Customers

When we process Personal Information on behalf of a Customer (for example, information about Participants invited to collaborate on a business plan), the Customer is the data controller and Upmetrics acts as a data processor. Customers are responsible for obtaining any necessary consents from Participants and for the lawfulness of the processing they direct. We implement appropriate technical and organizational measures to protect Personal Information processed on Customers' behalf, as set out in our Data Processing Agreement.

13. Our Policy Toward Children

Our services are not directed to individuals under the age of 13. We do not knowingly collect Personal Information from children under 13. If we become aware that we have inadvertently collected Personal Information from a child under 13, we will delete it promptly. If you believe a child has provided us with Personal Information, please contact us at [email protected].

We do not knowingly sell or share the Personal Information of consumers under the age of 16, as described in Section 9.

14. Contact Information

For questions about this Privacy Policy or our data practices, or to exercise any of the rights described above, contact us at:

Upmetrics, Inc.
Attn: Privacy Team
1301 N Broadway STE 32302
Los Angeles, CA 90012
Email: [email protected]

If you want to learn more about us, just drop us a line at [email protected]