top of page
UPNOTCH PRIVACY POLICY

Effective date: November 1, 2025
Who we are: Upnotch Inc., PO Box 306, Bellevue, WA 98009, USA
Contact: privacy@upnotch.com

 

Upnotch is a mentorship and professional engagement platform. Users join voluntarily. We do not sell personal information and we do not “share” personal information for cross-context behavioral advertising under the CPRA. We process personal data to operate the platform, provide features you choose to use, improve security and reliability, and comply with law.

​

1. Scope

This Policy applies to visitors, registered users (mentors/mentees), enterprise customer users, and candidates who interact with Upnotch products, sites, and services (the “Services”). It does not cover third-party sites/services we link to (e.g., Zoom, Slack, Google/Microsoft Calendar), which have their own privacy notices.

​

2. Roles, Legal Entities & Representatives

  • Data Controller. Upnotch Inc. is the controller for personal data we collect and determine the purposes and means of processing.

  • EU/UK Data Protection Representative (GDPR Art. 27; UK DPA 2018). We have appointed Data Protection Representative Ltd. (DataRep) as our EU/UK data protection representative.

  • EU Digital Services Act (DSA) Representative. DataRep also serves as our DSA representative.

  • How to contact.
    Please contact Upnotch first at privacy@upnotch.com for any privacy inquiries or data subject rights requests.
    If you are located in the EEA/UK and prefer to use a local representative—or if your matter remains unresolved—you may contact DataRep using the postal locations in Annex A or by email at digitalrequest@datarep.com. Address postal requests to “DataRep” (not “Upnotch”) so they can be correctly routed.

​

3. Information We Collect

(a) Information you provide

  • Account and profile (name, email, password, photo, role, industry, skills, biography, links)

  • Mentorship session logs and “Praise” you choose to publish

  • Enterprise admin settings and workspace configuration (for enterprise users)

  • Support requests, feedback, and communications
     

(b) Automatically collected

  • Device identifiers, IP address, app/OS/browser data, language, timestamps, log files

  • Crash diagnostics and basic analytics for reliability and security
     

(c) Optional integrations (only if you connect or your admin enables)

  • Calendars (Google/Microsoft 365): read availability and create/update meeting entries only if you authorize; otherwise read-only scheduling.

  • Zoom / Microsoft Teams / Slack: create/join calls or message within your workspace; these providers process content under their own terms.
     

(d) Upnotch video calling

  • In-product audio/video; we collect metadata for quality, troubleshooting, and abuse prevention.
     

(e) AI features (prompts & outputs)

  • If you use AI-powered features, we process inputs you provide (e.g., prompts, text, uploaded files/attachments, meeting notes) and the outputs returned, plus limited technical logs/metadata (timestamps, feature used, model/provider ID, error codes).

  • Do not submit sensitive personal data unless necessary for a feature you choose to use.
     

(f) Enterprise customer data

  • For enterprise workspaces, Upnotch hosts the workspace and processes member data on the Licensee’s behalf to deliver the Services. As between Upnotch and the Licensee, the Licensee owns the enterprise member data submitted to its workspace; Upnotch processes it under the license agreement and this Policy.

​

4. How We Use Personal Data (Purposes & Legal Bases)

  • Provide and improve Services (account, profiles, matching, scheduling, calls, messaging, content display, support): Contract performance; legitimate interests (reliability and quality).

  • Security & abuse prevention (detect spam/scraping/fraud; protect accounts; investigate misuse): Legitimate interests; legal obligations.

  • Product analytics & diagnostics (crash/error logs, UX measurement): Legitimate interests; consent where required.

  • Communications (transactional emails, important service notices, policy updates): Contract performance; legal obligations; legitimate interests.

  • Marketing (where permitted; you can opt out any time): Consent; legitimate interests where allowed by law.

  • Compliance & enforcement (legal obligations, dispute handling).
     

AI features & assistance. To generate drafts, summaries, recommendations, and similar outputs you request: Contract performance; legitimate interests; consent where required. We configure AI providers to process data only for inference and not for provider model training by default (see Section 14).

​

5. Cookies & Similar Technologies

We use strictly necessary cookies (security, session), functional cookies (preferences), and limited analytics. Where required by local law, we obtain consent before setting non-essential cookies. You can manage non-essential cookies via our banner or your browser/device settings.

​

6. “No Sale / No Share” (CPRA)

We do not sell personal information and do not “share” it for cross-context behavioral advertising under the CPRA. We also do not use Sensitive Personal Information to infer characteristics for targeted advertising.

​

7. How We Share Information

We share personal data with:

  • Service providers / processors under contract (e.g., secure hosting, email delivery, analytics). Our primary infrastructure is via reputable cloud providers (e.g., Google Cloud) under data-processing terms and security measures.

  • AI model providers (processors) only when you use AI features (see Section 14).

  • Enterprise customers (content visible to other members within that enterprise’s workspace and consistent with admin policies).

  • Legal, safety, and compliance (to comply with law, protect rights, security, and platform integrity).

  • Corporate transactions (merger, acquisition), with appropriate safeguards and notice.
     

We prohibit processors from using personal data for their own purposes and require adequate security and confidentiality.

​

8. International Transfers

We are US-based and may transfer personal data internationally. Where required, we rely on:

  • EU Standard Contractual Clauses (SCCs) and the UK Addendum, plus supplementary measures where appropriate;

  • Other recognized transfer mechanisms as applicable;

  • Data minimization and encryption in transit/at rest where applicable.

​

9. Security

We implement administrative, technical, and physical safeguards appropriate to the nature of the data and risks (access controls, encryption in transit/at rest where applicable, vulnerability management, logging/monitoring, least-privilege access, staff training, and periodic reviews).

Security Incident Notice. Each party shall notify the other of any security incident or personal data breach affecting the other party’s or end-users’ data without undue delay and, where required by law, within 72 hours of confirmation. We will provide details required by law and cooperate in remediation.

​

10. Data Retention

We retain account data while you maintain an account and for a reasonable period afterward to comply with legal, tax, accounting, or security obligations, resolve disputes, and enforce agreements.
Mentorship logs and “Praise” remain visible until you remove them or your account is deleted.
Enterprise workspace data follows the Licensee’s tenure and instructions.

​

11. Your Privacy Rights

EEA/UK (GDPR/UK DPA). You may have rights to access, rectify, erase, restrict, data portability, and object (including to direct marketing). You may withdraw consent at any time (processing prior to withdrawal remains lawful). 

 

United States (including California CPRA). Depending on your state, you may have rights to know/access, correct, delete, opt-out of sale/share (not applicable—see Section 6), and to non-discrimination for exercising rights.

 

How to exercise rights.

  • Contact Upnotch at privacy@upnotch.com.

  • EEA/UK residents may also contact DataRep (see Annex A) or digitalrequest@datarep.com.
    If unresolved, you can lodge a complaint with your local supervisory authority (EEA/UK) or state attorney general (US).

​

12. Children

Upnotch is for adults 18+ only. If we learn we collected data from a child under 18, we will delete it.

​

13. Optional Integrations & Third-Party Services

When you connect optional integrations (e.g., Google/Microsoft Calendar, Zoom, Slack), those providers process your data under their own terms and privacy policies. We receive only the minimum data necessary to operate the integration you enable, and you can disconnect any integration in settings.

​

14. AI Features & Third-Party Model Providers

We offer optional AI-powered features (e.g., summarization, drafting, matching support). When enabled by you or your organization, we may send your AI inputs to third-party AI model providers solely to generate the requested outputs and to ensure security and reliability.

  • Providers. Today, our primary AI model providers include OpenAI and Google (Gemini); we may add comparable providers in the future to deliver the Services.

  • Processor role. We require AI providers to act as our processors/service providers, to use data only to provide the requested inference, and not to train their models on your data by default. If a provider’s terms require training or evaluation, we will seek your explicit consent (or ensure applicable configurations/terms exclude your data from training).

  • Data minimization. We transmit only the data necessary to fulfill the AI request and apply measures to reduce unintended transmission of sensitive data (your inputs ultimately control what is sent).

  • Retention. We configure providers, where available, to minimize retention of prompts/outputs/metadata and disable provider re-use for training. Upnotch retains AI request logs only as long as needed for security, troubleshooting, analytics, and legal obligations, then deletes or de-identifies them.

  • International transfers. AI providers may process data in the United States and other jurisdictions. Where required, we rely on SCCs with the UK Addendum and apply appropriate supplementary measures.

  • Enterprise controls. Enterprise admins can enable/disable AI features for their workspace and may set additional guardrails (e.g., blocking file types or redacting certain fields).

  • Accuracy. AI outputs may be inaccurate or incomplete; use discretion before relying on them.
     

We do not engage in solely automated decision-making that produces legal or similarly significant effects about you within the meaning of GDPR/UK law. If we ever introduce such processing, we will provide required notices and a mechanism for human review and contestation.

​

15. Enterprise Workspaces, Admins & Ownership

If you use Upnotch via an enterprise workspace, your organization’s administrators may control certain settings (e.g., membership, permissions). As between Upnotch and the organization, the Licensee owns the data submitted to that enterprise workspace and directs Upnotch’s processing consistent with the license agreement and this Policy.

​

16. Data Governance, DPIAs & Records

We maintain appropriate records of processing, apply privacy by design, conduct Data Protection Impact Assessments (DPIAs) where risks warrant (including for AI features), and carry out vendor/transfer assessments (e.g., SCCs + UK Addendum, supplementary measures).

​

17. DSR Routing via Representatives (EEA/UK)

EEA/UK residents may submit data subject requests to Upnotch (privacy@upnotch.com) or via DataRep (see Annex A addresses or digitalrequest@datarep.com).
 

If using postal mail, address to “DataRep” at the appropriate country location listed in Annex A so your request is correctly routed. DataRep may update its contact locations periodically; always use the current list.

​

18. Changes to this Policy

We may update this Policy to reflect changes in law or our practices. Material changes will be notified (e.g., banner, email, or in-app). Continued use of the Services after the effective date signifies acceptance.

​

19. How to Contact Us

  • Privacy inquiries / rights requests (preferred first contact): privacy@upnotch.com

  • Postal: Upnotch Inc., PO Box 306, Bellevue, WA 98009, USA

  • EU/UK/DSA Representative: DataRep — see Annex A or email digitalrequest@datarep.com (address letters to “DataRep”)

​

​

​

​

Annex A — EU/EEA/UK Representative (DataRep) Contact Locations

Important: Address your letter to “DataRep” (not “Upnotch”) at the appropriate country contact below so it can be correctly routed. This list is maintained by DataRep and may be updated. 

Austria — City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020
Belgium — Rue des Colonies 11, Brussels, 1000
Bulgaria — 132 Mimi Balkanska Str., Sofia, 1540
Croatia — Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000
Cyprus — Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030
Czech Republic — Platan Office, 28. Října 205/45, Floor 3&4, Ostrava, 70200
Denmark — Lautruphøj 1-3, Ballerup, 2750
Estonia — 2nd Floor, Tornimäe 5, Tallinn, 10145
Finland — Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100
France — 72 rue de Lessard, Rouen, 76100
Germany — 3rd & 4th floor, Altmarkt 10 B/D, Dresden, 01067
Greece — Ippodamias Sq. 8, 4th floor, Piraeus, Attica
Hungary — President Centre, Kálmán Imre utca 1, Budapest, 1054
Iceland — Laugavegur 13, 101 Reykjavik
Ireland — The Cube, Monahan Road, Cork, T12 H1XY
Italy — Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144
Latvia — 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011
Liechtenstein — (served via Austria location) City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020
Lithuania — 44A Gedimino Avenue, 01110 Vilnius
Luxembourg — BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre
Malta — Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013
Netherlands — Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN
Norway — C.J. Hambros Plass 2c, Oslo, 0164
Poland — Budynek Fronton, ul. Kamienna 21, Krakow, 31-403
Portugal — Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algés, Lisbon, 1495-061
Romania — 15 PiaÅ£a Charles de Gaulle, nr. 1-T, BucureÅŸti, Sectorul 1, 011857
Slovakia — Apollo Business Centre II, Block E, 9th floor, 4D Prievozska, Bratislava, 821 09
Slovenia — Trg. Republike 3, Floor 3, Ljubljana, 1000
Spain — Calle de Manzanares 4, Madrid, 28005
Sweden — S:t Johannesgatan 2, 4th floor, Malmö, SE-211 46
United Kingdom — 107-111 Fleet Street, London, EC4A 2AB

​

​

​

​

Annex B — Your Choices & Controls (Quick Links)

  • Update profile & preferences: in-app settings

  • Manage cookies: cookie banner + browser settings

  • Marketing opt-out: unsubscribe link in emails or email unsubscribe to unsubscribe@upnotch.com

  • Delete account / request data copy: privacy@upnotch.com

bottom of page