data privacy and security

Privacy Policy

Thanks for being concerned enough (or curious!) to read about our commitment to privacy. Most people don’t bother to read the fine print and end up missing out on all it reveals. Most companies use language that is consumer-unfriendly to obfuscate policies like this.

Upstock is a new kind of stock option system. Our mission is to provide simple, fair, and transparent equity.

Your trust is essential to our existence. We will guard that trust. Here is what that means.

Personally identifiable information

Registering with Upstock requires basic personally identifiable information: your name, e-mail address, and address. You may have options to add additional information (such as a legal address, business address, etc.), some of which may be identifying information, to help you use Upstock more effectively. We’ll use this information to facilitate the preparation of documents and templates for your company and team members. We also use it to carry out your requests, or when you ask a question to our support team. By creating an account, you understand that we will be able to identify you by this information, and your team members will also be able to identify you by this information. By providing personal information to us, you accept the terms and conditions of our Terms and Conditions and agree to let us process your information in ways set out in this Privacy Policy. Supplying to us any information deemed “sensitive” by applicable law is entirely voluntary on your part. Your company can withdraw or modify the consent at any time by emailing us at [email protected] and requesting that the entire company’s data including personally identifiable information be deleted from our systems (unless there is a valid ground for us to retain such information such as when we are required by law or court order).

Upstock facilitates equity plan management and communication between the company and its team members. To enable us to manage your legal agreements, we need your personal information and signature to assist you with executing legally binding documents and agreements. Note, however, that you are entering these agreements based on your own discretion and decision and our involvement is limited to providing templates and a platform to facilitate it. By agreeing to use Upstock, we will record your legal name, address, and signature. We will never use that information inappropriately, such as selling or sharing an insight.

If you are outside the United States, you should know that any personally identifiable information you enter into the Services will be transferred out of your country and into the United States, and possibly to other countries. By using the Services, you consent to such transfer and are representing that you have the right to transfer such information outside of your country.

Here are some of the ways we may use personal information you provide us:
- To allow you to register for our Services and to administer and process the registration.
- To communicate with you about our products, services, and related issues.
- To evaluate the quality of our products and services and to enhance your experience on our websites.
- To maintain and administer our websites and comply with our legal or internal obligations and policies.
- To charge you any fees and provide you with a receipt or resolve billing issues associated with your account.

Hours, Rates & Equity

Upstock allows team members to record the hours they have worked in our online dashboard. Upstock also allows you to see other team members’ contributions with regard to their cash rate and equity rate. The different rates are set by the founder after negotiations that are close to market standards with that team member. If someone’s rate is higher than your rate, it will most likely be because they have a more complex role or are bringing a higher level of value to the company.

Upstock makes sure that the information in the company dashboard is safe by maintaining the confidentiality of the rates to the general public. This is critical to understand, so we’ll explain in more detail.

In some (older) versions of Upstock, you may have access to a cash component feature that makes reference to a “cash rate” and an “equity rate.”

First, by “cash rate” we mean the amount of cash the team member is receiving for every hour they work or task that is done. Second, by “equity rate” we mean the amount of equity (in dollars) the team member is investing back into the company (through the value of their time) in exchange for performance equity. It must be noted that the company can put a cap on the cash rate per monthly cycle. This means that if the team member works additional hours, his/her cash rate will be added onto their equity rate for these hours.

Third, by “equity” we mean “dynamic equity” (also known as “performance equity”) which is the promise of equity in the future that the company owes a team member based on that team member’s contribution or performance and which will be distributed once a future landmark event occurs. This type of equity is generally visible to all other team members and stakeholders (advisors, accountants, etc.).

Most importantly, none of your information will be shared with any third party or the general public. Only those team members in the equity performance pool and your company will see your rates, hours and equity. Your information will be kept between you and the company. Also, we don’t create a public profile for you or allow search engines like Google to index any content about you.

How we protect your information

We implement a variety of security measures to maintain the safety of your information.

All our servers use secure connections. All supplied sensitive information is transmitted via industry-standard SSL encryption technology. We have physical, electronic, and procedural safeguards to protect the personal information we store. Our servers are physically safe and housed in secure data centers with no public access. We have additional layers of private cloud security with restricted access to our network. These layers make even incredibly sophisticated hacking difficult. Only certain authorized persons on a need-to-know basis and who are bound by strong confidentiality agreements have any access to our data. Only when absolutely necessary, third-party contractors may have access to our databases. These contractors are vetted, reference-checked, and required to sign a comprehensive confidentiality agreement for your protection.

Upstock servers that are used to store your personal information are owned and hosted by Amazon Web Services, LLC, an company. You can read more about measures that have been taken by Amazon to protect the security of their servers and your Personal Information here.

We rely on the security inherent in your computer/mobile phone. Someone who could guess your log-in information or otherwise access Upstock on your computer/smartphone could potentially pretend to be you and access your information in our system. Accordingly, it is your responsibility to take appropriate precautions to maintain and preserve the security of your phone/computer. Your data cannot be accessed without your email address and the ability to receive a verification email message at that email address (you can have an extra layer of security with a phone number too). We use data encryption technology to help protect against loss, misuse or alteration of your sensitive information.

Our employees take your privacy as seriously as we do, and we will take all reasonable measures against any employee found to be in violation of this policy.

Company: If your phone/computer is lost or stolen, please contact us at [email protected] and request that we block access to your account until your situation is resolved.

Team members: If your phone/computer is lost or stolen, please contact your administrator and request to have your password reset. You’ll then receive an email with a link to reset your password.

Non-personally identifiable information

We may aggregate and/or anonymize information collected through Upstock so that the information does not identify you. We may use this aggregated, anonymized, and other non-personally identifiable information for improving the Upstock experience and to generate insights or other research.

Information automatically collected by our system

We receive and store certain types of information whenever you interact with us through our website or any of our Services. We store a very small amount of information on your device to secure your login and session information and allow you to proceed where you left off in using the website. We use industry-standard analytics tools, including Heap Analytics and MixPanel, to monitor the use of the service in order to investigate and squash bugs and to improve the experience of using Upstock for all.

Companies and team members who engage in financial transactions to purchase paid services are handed off to PayPal to complete the transaction. In each case, we only collect as much information as is necessary or appropriate given the type of interaction. Cookies are small text files stored by your browser on your computer when you visit our Site. We use cookies to improve our Site and make it easier to use.

Cookies permit us to recognize users and avoid repetitive requests for the same information. We mostly use "session cookies" that are automatically deleted after each visit. Cookies from our Site cannot be read by other Sites. Most browsers will accept cookies until you change your browser settings to refuse them.

You are not our product 

Our foundational operating documents express a critical guiding principle: our customers are not, and will never be, our product. That means we won’t sell your personal data to advertisers or data miners.

We don’t do research on you for targeted ads. We don’t care what products you buy.

That’s because your trust and authenticity are essential to our purpose and we believe that trust is a key component in all business relationships.

Protecting children

We comply with the requirements of COPPA (Children’s Online Privacy Protection Act) and we do not collect any information from anyone under 13 years of age. We also do not sell or share the personal information of consumers under 16 years of age pursuant to the CCPA.

Compliance with the GDPR

If you are based in the European Union (EU), you have special rights under the EU General Data Protection Regulation (the “GDPR”). Upstock, through this Privacy Policy, seeks to comply with all its obligations under GDPR.

That is why, in addition to our commitments above, we have the following specific policies regarding how we handle your data and information in compliance with the GDPR:

a. Purpose and Justifications. We will process your personal data for the purposes we previously discussed. Our justifications and bases for processing your personal data include: (1) you have given consent to the process or our service provides for one or more specific purposes; (2) processing is necessary for the performance of a service or contract with you; (3) processing is necessary for compliance with a legal obligation; and/or (4) processing is necessary for any legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests.

b. GDPR Rights. Your rights under the GDPR include the right to: (1) request access and obtain a copy of your Personal Data; (2) request rectification or deletion of your personal data; (3) object to or restrict the processing of your personal data; and (4) request portability of your personal data. Additionally, you may withdraw your consent to our collection at any time.

c. Data Retention. Upstock will only retain your personal data to the length and extent necessary to achieve the purposes we mentioned above which includes providing you our services. We will delete or anonymize your data once it is no longer necessary to retain your data for such purposes.

d. Notification of Breach. We will endeavor to notify you and the relevant regulatory authority within 72 hours of becoming aware of a personal data breach, especially if the breach is likely to result in a high risk to the rights and freedoms of individuals like you. Our notification will include information about the nature of the breach, the likely consequences, and the steps we are taking to address it. We will investigate the breach and provide the regulator with a detailed report within 72 hours of notification, if feasible.

e. Submitting a Request. You can submit a request for information, access, or deletion or the exercise of any right that you may have under the GDPR to [email protected].

Compliance with the CCPA (CPRA)

The California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA) give California consumers more control over their personal information. The CCPA gives you the right to know what information businesses collect about you, how it is used and shared, to delete personal information that has been collected, to opt-out of the sale or sharing of your personal information (if applicable), and to not be discriminated against for exercising your privacy rights. The CPRA expands on these rights by giving you the right to correct inaccurate personal information and to limit the use and disclosure of sensitive personal information.

The CCPA also requires certain businesses to provide a “CCPA Notice” to explain how a company collects, uses, and shares personal information of California residents and the rights and choices offered regarding the handling of such data or information. We provide you our CCPA Notice below:

a. Privacy Practices. Upstock will not sell your personal information to third parties.

b. Privacy Rights. The CCPA gives you the right to request information about how Upstock has collected, used, and shared your personal information and gives you the right to request a copy of any information that we may have stored or maintained about you. You may also ask us to delete any personal information that we may have received about you. The CCPA limits these rights, for example, by prohibiting us from providing certain sensitive information in response to access requests and limiting the circumstances under which we must comply with a request for deletion of personal information. We will respond to requests for information, access, and deletion only to the extent that we are able to associate, with a reasonable effort, the information we maintain with the identifying details you provide in your request. If we deny the request, we will communicate this decision to you. You are entitled to exercise the rights described above free from discrimination.

c. Identity Verification. The CCPA requires us to collect and verify the identity of any individual submitting a request to access or delete personal information before providing a substantive response.

d. Authorized Agents. California residents can designate an “authorized agent” to submit requests on their behalf. We will require the authorized agent to have a written authorization confirming their authority.

e. Submitting a Request. You can submit a request for information, access, or deletion or the exercise of any right that you may have under the CCPA (or CPRA) to [email protected].

Our SOC 2 Compliance Commitment

SOC 2 compliance is a voluntary security and compliance standard developed by the American Institute of Certified Public Accountants (AICPA). It provides a framework for service organizations to demonstrate their commitment to protecting customer data. SOC 2 compliance is based on five Trust Services Criteria (TSC):

a. Security: Protecting customer data from unauthorized access, use, disclosure, disruption, modification, or destruction.

b. Availability: Making systems and data accessible to authorized users as needed.

c. Processing integrity: Ensuring that systems process data completely, accurately, timely and with authority.

d. Confidentiality: Protecting the confidentiality of customer data.

e. Privacy: Protecting the privacy of customer data.

SOC 2 is particularly relevant for us since we deal with sensitive data and personal information through our equity management app. That is why, at Upstock, we are committed to working towards SOC 2 compliance since we know that you trust us with your data, and we take that trust and responsibility very seriously.

To demonstrate our commitment, we have implemented security and compliance policies and procedures that seek to meet the requirements of SOC 2. The policies and procedures in our compliance program include the following:

a. Security policies and procedures: We have developed and implemented security policies and procedures that protect customer data from unauthorized access, use, disclosure, disruption, modification, or destruction.

b. Technical controls: We have implemented technical controls, such as firewalls, intrusion detection systems, and encryption, to protect customer data.

c. Testing and monitoring: We will test and monitor our security controls to ensure that they are effective.

d. Incident response plan: We will continue to develop and then improve our incident response plan to address security incidents promptly and effectively.

We are committed to protecting your data and we will always aim for the continuous improvement of our security and compliance program. We regularly review our program and make changes as needed to ensure that we are meeting these commitments and standards.

Other agreements

This Privacy Policy is a part of our Terms and Conditions and is incorporated in that document by reference. Please refer to that document to review the disclaimers and limitations of liability governing the use of Upstock.

Updates or changes

Over time, we may need to revise our Privacy Policy and Terms and Conditions. Each policy will always reflect the date it was last modified. When we do make modifications, we’ll let you know with a brief summary of the modifications so you don’t have to read the whole document line by line again. Moreover, if permitted by applicable law, we may also choose to implement the updates and revisions immediately and leave it up to you to read through the changes and modifications by making it available and accessible on our website.

We strive to be worthy of your trust, so we will be as transparent and honorable as possible. That’s what we want to remember when we are sitting in our rocking chairs and thinking back on how we’ve conducted our business.

We hope it won't ever come to this, but if you've already contacted us and feel that your complaint cannot be resolved, we have agreed to participate in the dispute resolution procedures established in JAMS alternative dispute resolution. Undergoing this dispute resolution process is mandatory and forms an integral part of the provisions of this Privacy Policy and our Terms and Conditions.

For such disputes, you need to contact us through email at [email protected] and send us mail to 427 N Tatnall St #88152, Wilmington, DE 19801-2230.

Thanks for reading!
Last revised: November 2023