This Privacy Policy ("Policy") explains how Upscend, a company incorporated in England and Wales ("we", "us", "our", or "The Processor"), collects, uses, discloses, and protects personal data in connection with the Upscend platform (the "Platform").
The Platform is a software-as-a-service (SaaS) learning management system provided on a business-to-business (B2B) basis, allowing our customers ("Customers" or "Controller") to deploy and manage educational materials and courses for their designated employees and instructors ("Authorized Users"). We are committed to protecting personal data in compliance with the General Data Protection Regulation ("GDPR"). This Policy applies to all personal data we process as a controller or processor in relation to the Platform.
Our Role as Controller or Processor
When we collect personal data directly from Customer representatives (e.g., for account setup, billing, or support), we act as the data controller, determining the purposes and means of processing. However, when we process personal data on behalf of a Customer (e.g., data of Authorized Users uploaded or generated through the Platform), we act as a data processor, following the Customer's instructions. In such cases, the Customer is the data controller responsible for ensuring lawful processing, and a data processing agreement (DPA) compliant with Article 28 of the GDPR will be incorporated into our Terms and Conditions ("Terms").
If you are an Authorized User, your personal data is primarily controlled by your employer (the Customer). You should refer to their privacy policies for primary details on how they handle your data. This Policy focuses on our processing activities. We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
This Policy uses a layered approach where possible, providing key information upfront with links or expansions for more details. We reserve the right to update this Policy at any time by posting the revised version on the Platform or notifying Customers via email. Changes will take effect 3 days after notice, unless a shorter period is required for legal reasons. Your continued use of the Platform after such changes constitutes acceptance.
1. Definitions
Terms defined in our Terms of Service have the same meaning here, including "Personal Data", "Customer Data", "Authorized Users", "Content", and "Platform". Additional definitions:
- "Data Subject" An individual whose Personal Data is processed, such as Authorized Users or Customer representatives.
- "Processing" Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Special Category Data" Sensitive Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, sex life, or sexual orientation.
2. Personal Data We Collect
We only collect Personal Data that is necessary for providing the Platform and related services. We do not collect Special Category Data unless it is explicitly included in Content uploaded by the Customer, in which case the Customer (as controller) must ensure a lawful basis exists, such as explicit consent or employment-related processing. The categories of Personal Data we collect include:
2.1 From Customers (Business Entities and Their Representatives):
- Contact and Identification Information: Names, email addresses, job titles, phone numbers, and company details (e.g., name, address, registration number) provided during registration, contract negotiations, or support interactions.
- Billing and Payment Information: Bank details, invoice addresses, and payment history for processing Subscriptions.
- Usage and Analytics Data: Aggregated data on how the Customer uses the Platform, such as feature access patterns, to improve services (anonymized where possible).
2.2 From Authorized Users (Employees/Instructors Designated by Customers):
- Account and Profile Information: Names, email addresses, usernames, hashed passwords, job roles, and any profile details provided during account creation or use.
- Activity and Engagement Data: Course progress, quiz scores, completion timestamps, interactions with Content (e.g., views, comments), IP addresses, device types, browser information, and login history.
- Content-Embedded Data: Any Personal Data included in uploaded materials, such as in educational videos, documents, or discussion forums (e.g., employee names in feedback forms or profiles).
2.3 Automatically Collected Data:
- Technical and Log Data: IP addresses, access times, pages viewed, error reports, and device identifiers for security, troubleshooting, and performance monitoring.
- Cookies and Similar Technologies: See Section 9 for details on essential cookies used for functionality.
We minimize data collection and do not require individuals to provide Personal Data under statutory or contractual obligations unless specified by the Customer (e.g., for mandatory training). If data is not provided, certain Platform features may be unavailable, such as course access.
3. How We Collect Personal Data
We collect Personal Data through the following methods:
- Directly from Individuals: When Customer representatives or Authorized Users register, log in, submit support tickets, or interact with the Platform (e.g., completing forms).
- From Customers: When Customers upload Content or designate Authorized Users, including bulk imports of employee lists.
- Automatically During Use: Via server logs, cookies, and analytics tools as users navigate the Platform.
- From Third Parties: Limited to authorized integrations (e.g., single sign-on providers or payment processors) specified in the Order Form, or from sub-processors for hosting and support.
4. Purposes, Categories of Personal Data, and Legal Bases for Processing
We process Personal Data only for specified, explicit, and legitimate purposes. Below is a table linking the purposes of processing, the categories of Personal Data involved, and the applicable legal bases. Where we act as processor, processing is strictly per Customer instructions according to Terms and Conditions.
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Providing and maintaining the Platform, including hosting Content, managing user access, and tracking course progress for Authorized Users. | Account and profile information; Activity and engagement data; Content-embedded data; Technical and log data. | Performance of a contract (b) with the Customer; Legitimate interests (f) in efficient service delivery. |
| Billing, invoicing, and administering Subscriptions, including payment processing and account management. | Contact and identification information; Billing and payment information. | Performance of a contract (b). |
| Providing customer support, responding to queries, and troubleshooting issues. | Contact and identification information; Activity and engagement data; Technical and log data. | Performance of a contract (b); Legitimate interests (f) in resolving issues promptly. |
| Improving the Platform through analytics, bug fixes, and feature development (using anonymized or aggregated data where possible). | Usage and analytics data; Activity and engagement data; Technical and log data. | Legitimate interests (f) in enhancing product quality and user experience. |
| Ensuring security, preventing fraud, and complying with legal obligations (e.g., auditing). | All categories as relevant. | Legal obligation (c); Legitimate interests (f) in protecting the Platform and users. |
| Sending service-related communications (e.g., updates on Platform changes) to Customers. | Contact and identification information. | Legitimate interests (f); Consent (a) if opting in for non-essential updates. |
For any Special Category Data in Content, we do not process such data independently. You have the right to object to processing based on legitimate interests (see Section 8). Where consent is relied upon, it can be withdrawn at any time via support@upscend.com, and withdrawal is as easy as giving consent.
5. Sharing of Personal Data
We share Personal Data only when necessary and with appropriate safeguards:
5.1 With Sub-Processors: We use trusted third-party providers for services like cloud hosting (e.g., AWS), payment processing (e.g., PayPal), and AI services (e.g., OpenAI, Gemini). By using the Upscend Platform you agree to be bound by Sub-processors' Terms and Privacy Policies. A current list of sub-processors is available upon request at support@upscend.com.
5.2 With Affiliates: For internal administrative purposes, limited to entities under common control and subject to this Policy.
5.3 For Legal Reasons: To comply with laws, respond to court orders, or protect rights, property, or safety (e.g., in legal disputes).
5.4 In Business Transfers: If we undergo a merger, acquisition, or asset sale, Personal Data may be transferred to the acquiring entity, with notice provided where required.
5.5 International Transfers: Personal Data may be transferred to countries such as the US for certain sub-processors.
We do not sell or rent Personal Data.
6. Data Security
We implement technical and organizational measures to secure Personal Data against unauthorized access, loss, alteration, or destruction. These include:
- Access Controls: Role-based access, multi-factor authentication, and regular audits.
- Incident Response: A documented plan for breaches, including notification to Customers and authorities.
While we take all reasonable steps, no system is infallible. In the event of a personal data breach likely to result in high risk to individuals' rights, we will notify affected Data Subjects without undue delay.
7. Data Retention
We retain Personal Data only as long as necessary for the purposes outlined, or as required by law. Specific criteria and examples include:
- Customer account and billing data: Retained for the duration of the Subscription plus 7 years to comply with tax laws and resolve disputes.
- Authorized User activity data: Retained as per Customer instructions, Terms and Conditions and regulatory purposes, or up to 6 months post-termination for analytics and support, then anonymized or deleted.
- Log and technical data: Retained for up to 6 months for security auditing, unless needed longer for investigations.
- Content-embedded data: Retained only while hosted on the Platform, deleted upon Customer request or termination.
Upon Subscription termination, we delete or return all Customer Data within 30 days, except for legally required backups (retained up to 6 months, inaccessible for other uses). Anonymized aggregates may be kept indefinitely for statistical purposes. For precise retention per data type, contact support@upscend.com.
8. Authorized Users Rights as a Data Subject
Authorized Users have the following rights regarding their Personal Data. These may be limited if we act as processor (in which case, contact your Employer first):
Right of Access:
Obtain confirmation of processing and a copy of your data.
Right to Rectification:
Correct inaccurate or incomplete data.
Right to Erasure ('Right to be Forgotten'):
Request deletion where no longer necessary or consent is withdrawn (subject to exceptions like legal obligations).
Right to Restriction of Processing:
Limit processing in certain cases, e.g., while accuracy is verified.
Right to Data Portability:
Receive your data in a structured, machine-readable format and transfer it to another controller.
Right to Object:
Object to processing based on legitimate interests or direct marketing, including profiling. We will stop unless compelling grounds override.
Right Not to Be Subject to Automated Decision-Making:
As noted, we do not engage in this.
Right to Withdraw Consent:
Where processing relies on consent, withdraw at any time without affecting prior lawfulness.
To exercise these rights, email support@upscend.com with details of your request. We may require identity verification. Responses are free unless requests are manifestly unfounded or excessive.
9. Cookies and Tracking Technologies
We use only essential cookies for core Platform functionality, such as session management and authentication. These are strictly necessary and do not require consent. No non-essential cookies (e.g., for advertising or third-party tracking) are used.
10. Children's Privacy
The Platform is designed for professional use and not intended for individuals under 18 years old. We do not knowingly collect Personal Data from children. If we become aware of such data, we will delete it immediately and notify the Customer.
11. Links to Third-Party Sites
The Platform may contain links to third-party websites or services (e.g., PayPal, OpenAI). We are not responsible for their privacy practices. Review their policies before interacting with the Upscend Platform.
12. Governing Law
This Policy is governed by the laws of England and Wales. Any disputes will be resolved in accordance with our Terms.
Questions about this policy?
support@upscend.com