Privacy Policy

Effective Date: December 7, 2025

Elucidsoft LLC, a Virginia limited liability company doing business as Upstat ("Upstat," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at https://upstat.io and use our incident management platform and related services (collectively, the "Services").

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

1. Information We Collect

We collect information that you provide directly to us, information collected automatically when you use our Services, and information from third-party sources. We distinguish between information we collect about you ("Account Data") and information you store within our platform ("Customer Data").

1.1 Account Data (Information About You)

We collect the following categories of personal information:

Category	Examples
Identifiers	Name, email address, account username, unique user identifiers
Contact Information	Email address, mailing address (if provided for billing)
Commercial Information	Subscription plan, billing history, transaction records
Internet/Network Activity	IP address, browser type, operating system, device information, pages visited, clickstream data
Geolocation Data	Approximate location derived from IP address
Authentication Data	Login credentials, authentication tokens, session information
Social Login Data	If you sign in with Google: name, email, profile picture from your Google account
Integration Credentials	API keys, OAuth tokens, and credentials for third-party integrations you configure

1.2 Customer Data (Information You Store)

When you use our Services, you may store data within our platform, including monitor configurations, incident records, alert definitions, on-call schedules, status page content, runbooks, and related operational data ("Customer Data"). You control what Customer Data you submit, and we process it on your behalf in accordance with our Terms of Service and Data Processing Agreement.

1.3 Payment Information

Payment card details are collected and processed directly by our payment processor, Stripe. We do not receive or store your full payment card numbers. We receive only limited information from Stripe, such as the last four digits of your card, card type, and billing address for tax purposes.

2. How We Collect Information

2.1 Information You Provide Directly

We collect information when you:

Create an account or register for the Services
Subscribe to a paid plan or update billing information
Configure monitors, alerts, status pages, or other features
Contact us for customer support
Respond to surveys or provide feedback
Participate in promotions or events

2.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information, including:

Log Data: IP address, browser type and version, operating system, referring URLs, pages visited, time and date of visits, time spent on pages, and other diagnostic data
Device Information: Device type, unique device identifiers, screen resolution, and device settings
Usage Data: Features used, actions taken, frequency and duration of activities
Location Data: Approximate geographic location based on IP address

You may opt out of certain automatic data collection through our cookie consent banner or your browser settings. See Section 6 for more details.

2.3 Information from Third Parties

We may receive information from:

Authentication Providers: If you sign in using Google, we receive your name, email address, and profile picture from Google
Payment Processors: Stripe provides us with transaction confirmations and limited billing details
Your Organization: If you are invited to an account by your employer or another user, we receive information about your role and permissions

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Maintaining Services

Create and manage your account
Process transactions and send related information
Provide customer support and respond to inquiries
Deliver the features and functionality of our Services
Send transactional emails (account confirmations, alerts, notifications, security updates)

3.2 Improving and Developing Services

Analyze usage patterns to improve user experience
Develop new features, products, and services
Conduct research and analytics
Monitor and analyze trends and usage

3.3 Security and Compliance

Detect, prevent, and address fraud, abuse, and security issues
Protect the rights, property, and safety of Upstat, our users, and the public
Comply with legal obligations and enforce our terms
Verify identity and prevent unauthorized access

3.4 Aggregated and De-identified Data

We may create aggregated, anonymized, or de-identified data from your information. This data cannot reasonably be used to identify you and may be used for any lawful purpose, including benchmarking, analytics, and improving our Services.

We do not sell your personal information. We will never sell, rent, or trade your personal information to third parties for their marketing purposes.

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data based on the following legal grounds:

Legal Basis	Processing Activities
Contract Performance	Creating and managing your account; providing the Services; processing payments; sending transactional communications; providing customer support
Legitimate Interests	Improving and developing our Services; analyzing usage patterns; ensuring security and preventing fraud; protecting our legal rights; conducting analytics
Consent	Setting non-essential cookies; collecting device/location data (where consent is required); any future marketing communications
Legal Obligation	Complying with applicable laws; responding to legal requests; maintaining required records

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms.

5. How We Share Your Information

We may share your information in the following circumstances:

5.1 Service Providers

We share information with third-party vendors who perform services on our behalf, subject to confidentiality obligations and data processing agreements:

Provider	Purpose	Privacy Policy
Google Cloud Platform	Cloud infrastructure and hosting	Link
Stripe	Payment processing	Link
Google Analytics	Website analytics	Link
Google (Firebase Auth)	Authentication services	Link
Google Gemini	AI-powered features	Link

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

Subpoenas, court orders, or legal process
Requests from law enforcement or government agencies
To protect the rights, property, or safety of Upstat, our users, or the public
To enforce our Terms of Service or other agreements

5.3 Business Transfers

If Upstat is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information.

5.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5.5 Within Your Organization

If you use our Services as part of an organization (e.g., your employer), account administrators may access your account information and activity within the Services.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your interactions with our Services.

6.1 Types of Cookies We Use

Type	Purpose	Can Opt Out?
Strictly Necessary	Authentication, security, session management, load balancing. Required for the Services to function.	No
Functional	Remember your preferences (language, timezone, display settings).	Yes
Analytics	Understand how visitors interact with our website and Services (Google Analytics).	Yes

6.2 Managing Your Cookie Preferences

You can control cookies through:

Cookie Consent Banner: When you first visit our website, you can choose which non-essential cookies to accept or reject
Browser Settings: Most browsers allow you to refuse cookies or alert you when cookies are being sent
Google Analytics Opt-Out: Install the Google Analytics Opt-out Browser Add-on

Please note that disabling certain cookies may affect the functionality of our Services.

7. Data Retention

We retain your information only for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations.

Data Type	Retention Period
Account Data	Duration of account plus 24 hours after deletion request
Customer Data	Configurable by you; deleted within 24 hours of deletion request or account termination
Backup Data	Up to 30 days (automatically purged from backup rotation)
Billing Records	As required by tax and accounting laws (typically 7 years)
Analytics/Log Data	Rolled off gradually based on system capacity; no fixed retention period

You can delete your Customer Data at any time via the dashboard or API. You can also request deletion of your account by contacting us.

8. Data Security

We implement and maintain appropriate technical and organizational security measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption: Data is encrypted in transit using TLS/HTTPS and at rest using industry-standard encryption
Access Controls: Role-based access controls and principle of least privilege for systems and data
Infrastructure Security: Hosted on Google Cloud Platform with enterprise-grade physical and network security
Credential Protection: Third-party integration tokens and credentials are encrypted at rest
Security Monitoring: Continuous monitoring for security threats and anomalies
Regular Assessments: Periodic security reviews and vulnerability assessments

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. International Data Transfers

Your information is stored and processed in the United States on Google Cloud Platform's US-Central data center. If you are located outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on:

Standard Contractual Clauses (SCCs): EU-approved contractual terms that provide adequate safeguards for data transfers
Data Processing Agreements: Contracts with our service providers that include appropriate data protection commitments

By using our Services, you consent to the transfer of your information to the United States as described in this Privacy Policy.

10. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information. We provide the following rights to all users regardless of location:

Access: Request a copy of the personal information we hold about you
Correction: Request that we correct inaccurate or incomplete information
Deletion: Request that we delete your personal information
Data Export: Export your Customer Data at any time via the dashboard or API
Opt-Out: Opt out of non-essential cookies and analytics tracking

How to Exercise Your Rights

To submit a privacy request:

Email us at support@upstat.io with the subject line "Privacy Request"
Include your account email address and a description of your request
We will verify your identity before processing your request

We will respond to your request within 30 days (or 45 days for California residents, with possible 45-day extension if needed). We will not charge you for making a request unless the request is manifestly unfounded or excessive.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

Your California Rights

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties with whom we share it
Right to Delete: Request deletion of your personal information, subject to certain exceptions
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of your personal information for cross-context behavioral advertising
Right to Limit Use of Sensitive Information: Limit the use and disclosure of sensitive personal information
Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

Sale and Sharing of Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. As such, we do not offer an opt-out for the sale or sharing of personal information because we do not engage in these practices.

Categories of Information Collected

In the past 12 months, we have collected the categories of personal information described in Section 1 of this Privacy Policy. We collect this information for the business purposes described in Section 3.

Authorized Agent

You may designate an authorized agent to make a request on your behalf. To do so, you must provide the authorized agent with written permission and we may require you to verify your identity directly with us.

Financial Incentives

We do not offer financial incentives or price differences in exchange for the retention or sale of your personal information.

12. Virginia Privacy Rights (VCDPA)

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) provides you with specific rights regarding your personal data:

Right to Access: Confirm whether we are processing your personal data and access that data
Right to Correction: Correct inaccuracies in your personal data
Right to Deletion: Delete personal data you have provided or that we have obtained
Right to Data Portability: Obtain a copy of your personal data in a portable format
Right to Opt Out: Opt out of processing for targeted advertising, sale of personal data, or profiling

We do not sell personal data or process personal data for targeted advertising or profiling that produces legal or similarly significant effects. To exercise your rights, contact us at support@upstat.io. If we decline your request, you may appeal by contacting us with the subject line "Privacy Appeal."

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access: Obtain confirmation of whether we process your personal data and access to that data
Right to Rectification: Have inaccurate personal data corrected
Right to Erasure: Have your personal data deleted in certain circumstances
Right to Restriction: Restrict processing of your personal data in certain circumstances
Right to Data Portability: Receive your personal data in a structured, machine-readable format
Right to Object: Object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
Right to Lodge a Complaint: Lodge a complaint with a supervisory authority

To exercise these rights, contact us at support@upstat.io. We will respond within one month, which may be extended by two months for complex requests.

14. Children's Privacy

Our Services are not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@upstat.io.

15. Third-Party Links

Our Services may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services, and we are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party services you access.

16. Artificial Intelligence

We use artificial intelligence (AI) powered by Google Gemini to provide certain features within our Services. When you use AI-powered features:

Your inputs may be sent to Google Gemini for processing
We do not use your data to train AI models
Google's processing of data is subject to Google's Privacy Policy
AI outputs are provided "as-is" and should be reviewed for accuracy

You can choose not to use AI-powered features if you prefer not to have your data processed in this manner.

17. Do Not Track / Global Privacy Control

Global Privacy Control (GPC): We honor Global Privacy Control signals. When we detect a GPC signal from your browser, we will treat it as a valid opt-out request for the sale or sharing of personal information (though we do not engage in these practices) and will limit non-essential data collection accordingly.

Do Not Track (DNT): Some browsers offer a "Do Not Track" setting. Because there is no industry-standard interpretation of DNT signals, we do not currently respond to DNT browser signals. However, we do honor GPC signals as described above.

18. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law. We will:

Notify affected users via email within 48 hours of becoming aware of the breach
Provide information about the nature of the breach and the types of data affected
Describe the measures we are taking to address the breach
Provide guidance on steps you can take to protect yourself
Notify relevant supervisory authorities as required by law

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

Update the "Effective Date" at the top of this Privacy Policy
Notify you via email to the address associated with your account
Post a prominent notice on our website

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy.

20. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Elucidsoft LLC d/b/a Upstat

2769 Jefferson Davis Highway

Suite 111-1054

Stafford, Virginia 22554

United States

Email: support@upstat.io

Privacy Requests: Email us with subject line "Privacy Request"

For European Users: Although we do not have a physical presence in the EU, you may contact us at the address above for any GDPR-related inquiries. You also have the right to lodge a complaint with your local data protection supervisory authority.