
GDPR Compliance

Last updated: 1/25/2026

1. Introduction

UPSCILL ("we", "our", or "us") is committed to protecting the privacy and personal data of individuals located in the European Economic Area (EEA), United Kingdom, and Switzerland. This page explains how we comply with the General Data Protection Regulation (GDPR) and your rights under this regulation.

2. Our Commitment to GDPR

We are committed to the principles of GDPR, which require that personal data must be:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Kept for no longer than necessary
  • Processed in a manner that ensures appropriate security

3. Legal Basis for Processing

We process your personal data under the following legal bases:

3.1 Consent

When you sign up for our Service or provide explicit consent for specific processing activities, such as marketing communications or voice data processing for AI training.

3.2 Contractual Necessity

To fulfill our contractual obligations when providing the Service to you, including account management, AI-powered training, and customer support.

3.3 Legal Obligations

To comply with legal requirements, such as tax regulations, financial reporting, and responding to lawful requests from authorities.

3.4 Legitimate Interests

To pursue our legitimate business interests, provided they do not override your fundamental rights and freedoms. This includes:

  • Improving our Service and developing new features
  • Detecting and preventing fraud and security threats
  • Analyzing usage patterns to enhance user experience
  • Direct marketing to existing customers (with opt-out option)

4. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

4.1 Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information in a commonly used electronic format.

4.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly through your account settings.

4.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw your consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

4.4 Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain situations:

  • You contest the accuracy of the data
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification

4.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and transfer it to another service provider.

4.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. This includes objecting to:

  • Processing for direct marketing (absolute right)
  • Processing based on legitimate interests
  • Processing for scientific or historical research purposes

4.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. While we use AI for training feedback, all significant decisions involve human oversight.

4.8 Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal.

5. How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at:

Email: support@upscill.ai

Subject Line: GDPR Rights Request

We will respond to your request within one month. In complex cases, we may extend this period by two additional months, but we will inform you of any such extension.

Identity Verification: To protect your privacy, we may need to verify your identity before fulfilling your request. We may ask for additional information to confirm that you are the person whose data is being requested.

6. Data Protection Officer

You can contact our Data Protection Officer (DPO) for any questions about how we process your personal data or to exercise your GDPR rights:

7. International Data Transfers

Some of our service providers are located outside the EEA. When we transfer your data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries with adequate data protection
  • Binding Corporate Rules for intra-group transfers
  • Additional security measures to protect transferred data

Key Service Providers:

  • Supabase (EU region) - Database and authentication
  • Vercel (Edge Network with EU presence) - Hosting
  • OpenAI and Anthropic - AI services (US-based, SCCs in place)
  • Stripe (EU presence) - Payment processing

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Account Data: While your account is active and for 90 days after deletion
  • Voice Recordings: 30 days after the training session (unless you delete them earlier)
  • Training Analytics: 2 years for performance tracking
  • Financial Records: 7 years for tax and legal compliance
  • Marketing Data: Until consent is withdrawn or after 3 years of inactivity

9. Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Regular security audits and penetration testing
  • Access controls and authentication requirements
  • Employee training on data protection and security
  • Incident response procedures and breach notification protocols
  • Regular backups with secure storage

10. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach poses a high risk to you, we will also notify you directly without undue delay, providing information about the nature of the breach, its likely consequences, and the measures we are taking to address it.

11. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority. You can file a complaint:

  • In the EU member state of your habitual residence
  • In your place of work
  • In the place where the alleged infringement occurred

However, we encourage you to contact us first at support@upscill.ai so we can try to resolve your concerns.

EU Data Protection Authorities: You can find your local supervisory authority at https://edpb.europa.eu/about-edpb/board/members_en

12. Children's Personal Data

Our Service is not intended for individuals under 16 years of age (or the applicable age in your jurisdiction). We do not knowingly collect or process personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

13. Additional Resources

For more detailed information about how we process your personal data, please refer to:

14. Updates to This Page

We may update this GDPR compliance information from time to time to reflect changes in our practices or legal requirements. We will post any updates on this page and update the "Last updated" date. Material changes will be communicated via email or through a prominent notice on our Service.

15. Contact Information

For any questions about GDPR compliance or to exercise your rights, please contact us:

Privacy Team: support@upscill.ai

Data Protection Officer: support@upscill.ai

General Support: support@upscill.ai