Privacy Policy
Effective date: April 14, 2026
This Privacy Policy explains how Upshot HQ, Inc. (“Upshot,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you access or use our website at upshothq.com and our cold-email campaign management platform (collectively, the “Service”). By using the Service you agree to the practices described in this policy.
1. Information We Collect
1.1 Information You Provide
- Account data: name, email address, profile photo, and authentication credentials provided through our identity provider (Clerk).
- Workspace & team data: workspace names, team member email addresses, roles, and invitation details.
- Campaign content: email subjects, body copy, templates, and personalization variables you create within the Service.
- Contact lists: prospect names, email addresses, company names, and any custom fields you upload or import.
- Payment information: billing details processed by our payment processor. We do not store full credit-card numbers.
- Communications: messages you send us via support, demo requests, or email.
1.2 Information Collected Automatically
- Usage data: pages visited, features used, clicks, session duration, and timestamps.
- Device & browser data: IP address, browser type, operating system, device identifiers, and screen resolution.
- Cookies & similar technologies: see Section 7 (Cookie Policy) below.
- Email engagement metrics: open rates, click-through rates, and opt-out events associated with campaigns you send.
1.3 Information from Third Parties
We may receive information about you from third-party integrations you connect (e.g., Google Workspace for Gmail OAuth) or from publicly available sources used by our AI-powered prospect research feature.
2. How We Use Your Information
- Provide, operate, and maintain the Service.
- Authenticate your identity and manage workspace access controls.
- Send campaign emails on your behalf through connected email providers.
- Generate AI-powered prospect research and email personalization.
- Process payments and manage billing.
- Analyze usage patterns to improve features, performance, and security.
- Communicate with you about the Service, updates, and support.
- Comply with legal obligations and enforce our Terms of Service.
3. Third-Party Service Providers
We share information with the following categories of service providers, each bound by data-processing agreements:
| Provider | Purpose |
|---|---|
| Supabase | Database hosting and storage |
| Clerk | Authentication and user management |
| Vercel | Application hosting and edge delivery |
| DigitalOcean | Dedicated campaign execution infrastructure |
| Resend | Transactional email delivery |
| Anthropic (Claude) | AI-powered prospect research and email generation |
| OpenAI | AI-powered prospect research and email generation |
| Relevance AI | AI workflow orchestration |
| Apify | Web data extraction for prospect research |
| Google APIs | Gmail integration and Postmaster data |
| CookieYes | Cookie consent management |
We do not sell your personal information to third parties.
4. Data Retention
- Account data: retained for the lifetime of your account plus 30 days after deletion to allow recovery.
- Campaign & contact data: retained until you delete your workspace or request erasure.
- Usage & analytics data: aggregated and anonymized after 24 months.
- Audit logs: retained for 12 months for security and compliance purposes.
- Backups: purged within 90 days of data deletion from primary systems.
5. International Data Transfers
Your information may be transferred to and processed in the United States and other countries where our service providers operate. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and other lawful transfer mechanisms, to ensure adequate protection when transferring personal data outside the European Economic Area (EEA), United Kingdom, or Switzerland.
6. Data Security
We implement industry-standard technical and organizational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls with least-privilege principles.
- Isolated, per-tenant infrastructure for campaign execution.
- Regular security audits and penetration testing.
- Automated vulnerability scanning of dependencies.
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at hello@upshothq.com.
7. Cookie Policy
We use the following categories of cookies:
- Strictly necessary: authentication session cookies (Clerk), password-gate verification, CSRF protection.
- Functional: theme preferences, workspace selection.
- Analytics: anonymized usage metrics to improve the Service.
You can manage your cookie preferences at any time via our cookie consent banner powered by CookieYes, or through your browser settings.
8. Your Rights (EEA, UK, and Switzerland — GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure:request deletion of your personal data (“right to be forgotten”).
- Restriction: request that we limit the processing of your data.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests or direct marketing.
- Withdraw consent: withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email us at hello@upshothq.com with the subject line “GDPR Request.” We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
9. Your Rights (California — CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with the following rights:
- Right to Know: request disclosure of the categories and specific pieces of personal information we have collected.
- Right to Delete: request deletion of your personal information.
- Right to Correct: request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: we do not sell or share your personal information for cross-context behavioral advertising.
- Non-Discrimination: we will not discriminate against you for exercising your privacy rights.
To exercise these rights, email hello@upshothq.com with the subject line “CCPA Request.”
10. Children’s Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a prominent notice on the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: