Upresilience Privacy Policy
Effective date: June 1, 2025 Last reviewed: November 2, 2025
1. Scope
1.1 This Policy describes how Upresilience (“Upresilience,” “we,” “us,” “our”) collects, uses, and discloses personal information when you visit www.upresilience.com and when we provide resilience assessment and mitigation services in the United States.
1.2 This Policy does not cover employees, job applicants, or independent contractors (see our separate notices where applicable).
2. Notice at Collection (Categories, Purposes, Retention)
2.1 We collect the categories of personal information listed below for the stated purposes and retain each category for the periods (or criteria) noted.
2.2 Where a technology or vendor could qualify as “sale,” “sharing,” or “targeted advertising” under state law, opt‑out choices apply (see Section 5).
2.3 Categories, examples, purposes, sale/share/targeted‑ads status, sensitivity, and retention:
2.3.1 Identifiers a) Examples: name, email, phone, postal address, IP address, device/browser identifiers. b) Purposes: account setup, customer support, service delivery, security/fraud, legal compliance. c) Sale/Share/Targeted Ads: not for money; limited disclosures via cookies/SDKs may qualify; opt‑out available. d) Sensitive: no. e) Retention: life of account + 24 months, or legal requirements.
2.3.2 Customer Records a) Examples: service orders, proposals, contracts. b) Purposes: service delivery, billing, support, compliance. c) Sale/Share/Targeted Ads: no. d) Sensitive: no. e) Retention: up to 7 years for tax/accounting/legal.
2.3.3 Commercial Information a) Examples: transaction history, invoices. b) Purposes: billing, audits, support. c) Sale/Share/Targeted Ads: no. d) Sensitive: no. e) Retention: up to 7 years for tax/accounting/legal.
2.3.4 Geolocation (Precise) a) Examples: rooftop/parcel coordinates; device‑level precision if you enable location. b) Purposes: hazard modeling, site assessments, routing. c) Sale/Share/Targeted Ads: no sale for money; not shared for third‑party advertising; “Limit SPI” right (Section 6). d) Sensitive: yes (sensitive personal information, “SPI”). e) Retention: project duration + up to 5 years, or criteria below.
2.3.5 Internet or Network Activity a) Examples: pages viewed, events, timestamps, cookie/SDK IDs, referrers. b) Purposes: site operations, analytics, security/fraud detection. c) Sale/Share/Targeted Ads: may be deemed “sharing” or “targeted advertising” depending on vendor terms; opt‑out available. d) Sensitive: no. e) Retention: 13–24 months (or shorter) consistent with analytics settings.
2.3.6 Professional Information (B2B) a) Examples: employer, title, work contact data. b) Purposes: proposals, account management. c) Sale/Share/Targeted Ads: no. d) Sensitive: no. e) Retention: life of relationship + 24 months.
2.3.7 Audio/Visual a) Examples: site photos you provide; meeting recordings if consented. b) Purposes: documentation, quality assurance, training (with consent where required). c) Sale/Share/Targeted Ads: no. d) Sensitive: no. e) Retention: project duration + up to 5 years.
2.3.8 Inferences a) Examples: non‑identifying property risk indices or model outputs. b) Purposes: service improvement, reporting, research. c) Sale/Share/Targeted Ads: no (used in de‑identified/aggregated form). d) Sensitive: no. e) Retention: until de‑identified; then indefinite.
2.4 Retention criteria: where a fixed period is not specified, we retain data only as long as reasonably necessary and proportionate to achieve the purposes described above, considering security, legal, and operational requirements.
3. How We Use Personal Information
3.1 Provide, operate, and support the Site and services; process transactions; communicate with you.
3.2 Measure and improve performance; develop new features and models; maintain quality and safety.
3.3 Detect, prevent, and investigate security incidents and fraud.
3.4 Comply with law, respond to lawful requests, and enforce agreements.
4. Cookies, Analytics, and Advertising
4.1 We use cookies and similar technologies for site operations, security, and analytics.
4.2 If any technology is used for cross‑context behavioral advertising (“targeted advertising”), you may opt out as described in Section 5.
4.3 Cookie preference management is available via our on‑site consent banner or settings.
5. Sale/Sharing/Targeted Advertising and Opt‑Out Signals
5.1 We do not sell your personal information for money.
5.2 Some analytics/advertising disclosures may be considered a “sale,” “sharing,” or “targeted advertising” under certain state laws. Where applicable, you can opt out via: a) “Do Not Sell or Share My Personal Information” (link or page on our site), and b) a browser‑based opt‑out signal as described below.
5.3 Universal Opt‑Out Mechanisms (UOOM/GPC): We honor legally recognized opt‑out preference signals, including Global Privacy Control (GPC). When detected, we apply the opt‑out to that browser/device and, if you are logged in, to your account.
6. Sensitive Personal Information (SPI)
6.1 We may process precise geolocation for hazard modeling and service delivery.
6.2 In states that require it (e.g., Colorado, Texas), we request opt‑in consent before processing sensitive personal data.
6.3 We do not sell sensitive personal data. If that changes in Florida, we would first obtain your consent and display: “NOTICE: We may sell your sensitive personal data.”
6.4 California “Limit SPI”: If we use sensitive personal information for purposes beyond those permitted by law, you may exercise the right to Limit the Use of My Sensitive Personal Information.
7. Your Privacy Rights
7.1 Depending on your state of residence, you may have the right to: a) Access the categories and specific pieces of personal information we hold about you. b) Delete personal information, subject to lawful exceptions. c) Correct inaccuracies. d) Portability of certain information in a usable format. e) Opt‑out of sale, sharing, targeted advertising, and (in some states) certain profiling. f) Limit the use/disclosure of sensitive personal information (California). g) Appeal if we deny your request (Colorado, Connecticut, Texas and similar laws). h) Non‑discrimination for exercising your rights.
7.2 How to submit a request: a) Web form: https://www.upresilience.com/privacy-request b) Email: questions@upresilience.com c) Toll‑free (US): +1‑855‑423‑2781
7.3 Timing and verification: a) We acknowledge requests within 10 business days and respond within 45 days; one 45‑day extension may be used where permitted. b) We verify identity for access, portability, correction, and deletion; verification is not required to opt out of sale/sharing/targeted advertising or to submit a GPC/UOOM signal. c) Authorized agents may submit requests subject to verification of both the agent and the consumer.
7.4 Appeals: If we deny your request, you may appeal by emailing privacy@upresilience.com with “Appeal” in the subject line. We respond within applicable state timelines and provide how to contact your state Attorney General if you disagree.
8. Automated Decision‑Making and Profiling
8.1 We do not use automated decision‑making that produces legal or similarly significant effects about you (e.g., decisions about housing, employment, or insurance) without providing required disclosures and choices under applicable law.
8.2 If we introduce such features (for example, property risk scoring used to make eligibility decisions), we will publish additional notices, provide opt‑out or opt‑in where required, and describe the logic and key parameters consistent with emerging California regulations.
9. How We Disclose Information (Service Providers/Contractors)
9.1 We disclose personal information to service providers/contractors that support hosting, analytics, customer support, security, and similar functions.
9.2 Written contracts limit use to specified purposes; require confidentiality and appropriate security; restrict combining data outside our instructions; require sub‑processor flow‑downs; and require assistance with consumer requests and deletion/return at end of services.
9.3 We do not allow vendors to re‑use personal information for their own purposes.
10. De‑identified and Aggregated Data
10.1 We may de‑identify or aggregate personal information for analytics, research, and reporting.
10.2 We do not attempt to re‑identify de‑identified data and we contractually require recipients (if any) to do the same.
11. Security
11.1 We implement reasonable security measures appropriate to the nature of the information, which may include encryption in transit, access controls, logging/monitoring, vulnerability remediation, least‑privilege access, and secure disposal.
11.2 We require comparable protections from our service providers.
12. Data Breach Notification
12.1 If a data breach affects your personal information, we will notify you as required by law.
12.2 Several states require notification within 30 days; California adopts a 30‑day deadline effective January 1, 2026. Our incident response aligns with those timelines, subject to lawful law‑enforcement delay.
13. International Visitors (EEA/UK/Switzerland)
13.1 If you are in the EEA/UK/Switzerland, our processing may rely on legal bases such as contract performance, legitimate interests, consent, legal obligation, or vital interests.
13.2 We use appropriate transfer mechanisms (e.g., Standard Contractual Clauses) when personal data is transferred to the United States.
13.3 Additional rights (access, deletion, correction, portability, objection, restriction) may apply under local law.
14. Children’s Data
14.1 Our services are not directed to children under 13, and we do not knowingly collect personal information from children under 13.
14.2 If we learn that such information was collected, we will delete it consistent with applicable law.
15. State‑Specific Disclosures
15.1 California a) Notice at Collection: see Section 2. b) Do Not Sell or Share: opt out via our “Do Not Sell or Share My Personal Information” process and by using GPC. c) Limit Sensitive Personal Information: see Section 6. d) Methods & timing: at least two request methods; acknowledgment within 10 business days; response within 45 days (one 45‑day extension possible). e) Annual review: this Policy is reviewed at least annually.
15.2 Colorado a) UOOM: we honor recognized universal opt‑out mechanisms for targeted advertising and sales. b) Sensitive data: opt‑in consent required before processing. c) Appeals: available with defined timelines.
15.3 Texas a) UOOM: recognized as of January 1, 2025. b) Sensitive data: opt‑in consent required before processing; special notices apply to sales of sensitive/biometric data (we do not sell). c) Appeals: available with defined timelines.
15.4 Florida a) Consent and notice are required for selling sensitive personal data. We do not sell sensitive personal data. If that changes, we will obtain prior consent and display the required notice.
15.5 Georgia a) Georgia does not currently have a comprehensive consumer privacy statute beyond its breach‑notification law. Your rights under other state laws still apply as described in this Policy.
16. Changes to This Policy
16.1 We review this Policy at least annually and post updates with a new “Last reviewed” date.
16.2 Material changes will be posted here and, where required, sent directly to you.
17. Contact Us
17.1 Email: questions@upresilience.com
17.2 Toll‑Free (US): +1‑855‑423‑2781 17.3 Web form: https://www.upresilience.com/privacy-request
17.4 Postal: UPRESILIENCE, 8831 Wonderland Park Avenue, Los Angeles, CA, USA
18. Your Privacy Choices (Quick Reference)
18.1 Submit a Privacy Request (access, delete, correct, portability).
18.2 Do Not Sell or Share My Personal Information (opt‑out).
18.3 Limit the Use of My Sensitive Personal Information (California).
18.4 Send a Browser Opt‑Out Signal (UOOM/GPC) for sale/sharing/targeted advertising.
19. Legal Note
19.1 This Policy describes our privacy practices and rights provided by law; it does not create contractual or legal rights beyond those required by applicable statutes and regulations.