Upside receives information about individuals or their devices from the following sources:

• Individuals (or others who book or manage travel on their behalf) who provide information to us to:
• Establish or maintain an account with us;
• Make a purchase or receive a service from us;
• Post comments to online communities;
• Participate in a survey, sweepstakes or contest; or
• Connect with us via social media.
• Our websites, apps and emails, through the use of automated means (such as cookies) to collect data from users’ devices.
• Information sharing within the Upside corporate family and with the Dow Jones & Company, Inc.
• Referrals from users and others.
• Travel suppliers, gift card and other incentive offer suppliers, and others involved in providing the Services.
• Other third parties, including, advertisers, business or data partners, marketing partners and publicly available sources such as social networks.

We collect some information directly from you, and we also collect certain information through automated means when you use the Services. We collect, use and disclose this information, as described within this Privacy Policy, for the purpose of providing you with travel services that you seek or that your employer seeks on your behalf. Our collection, use and disclosure, if any, to third parties of your personally identifiable information or personal data, occurs only after we give you clear notice of our intent to collect, use and disclose that information and with your explicit consent so that we can provide you with travel services. Your employer may also provide us with this information or data after having giving you notice that it will be shared with Upside, in which case we will process your personally identifiable information or personal data, as applicable, with either your explicit consent, implicit consent, or based upon our legitimate interest in fulfilling the requests of our customer in obtaining travel services for you.

You may withdraw your consent for our collection and use of your personally identifiable information or personal data at any time, however doing so may prevent us from offering you some or all of our Services given requirements imposed upon us by travel partners and various governments.

1. Information from and about you

• From the sources listed above, we may receive information such as: name, physical address, email address, telephone number
• travel details including dates, location, purchase information
• title, company and professional details
• gender and date of birth
• billing details (such as payment or gift card numbers)
• meal and travel preferences
• special needs or requested accommodations
• Known Traveler Number and other government-issued ID numbers
• frequent flyer and other loyalty and reward program numbers
• opinions and other user-submitted content or information
• details from social network profiles (such as name, email address, profile picture, location, and friend list)
• data regarding use of travel and of gift cards
• travel companion information when you make a reservation for another person

2. Information Collected Automatically Through Websites and Apps

Use of Cookies and Similar Technologies

Through the Services, we, our service providers, and other third parties may collect certain information through automated means such as cookies, Web and audio beacons, JavaScript, and mobile device functionality (such as Bluetooth low energy and iBeacons). This information may include unique browser identifiers, IP address, browser and operating system information, device identifiers (such as the Apple IDFA or Android Advertising ID), geolocation information (as described in the next section below), Internet connection information, as well as details about individuals’ interactions with the Services (including referring and exit pages and URLs, platform type, the number of clicks, domain names, landing pages, pages and content viewed and the order of those pages, the amount of time spent on particular pages, the date and time you used the Services, the frequency of your use of the Services, error logs, and email open rate).

We and third parties also may use such automated means to read or write information on users’ devices, such as through various types of cookies and other browser-based or plugin-based local storage (such as HTML5 storage or Flash-based storage). Cookies and local storage are files that contain data, such as unique identifiers, that we or a third party may place on or read from a user’s device for purposes such as recognizing the device, service provision, record-keeping, analytics and marketing. You may choose to set your web browser to refuse certain types of cookies, or to alert you when certain types of cookies are being sent. Some browsers offer similar settings for HTML5 local storage, and Flash storage can be managed here. However, if you block or otherwise reject our cookies or local storage, certain websites and emails (including our own) may not function properly.

For more information about how we use cookies and similar technologies, see Section 5 below.

Location Information

We may collect different types of information about your location, including general information (e.g., IP address, zip code) and more specific information (e.g., GPS-based functionality on mobile devices used to access the Services), and may use that information to customize the Services with location-based information, advertising, and features. For example, if your IP address indicates an origin in Chicago, the Services may be customized with Chicago-specific information and advertisements. If you access the Services through a mobile device and you do not want your device to provide us with location-tracking information, you can disable the GPS or other location-tracking functions on your device, provided your device allows you to do this. See your device manufacturer’s instructions for further details.

Using Mobile and Other Devices

We and/or our service providers may collect and store unique identifiers matched to your mobile device, in order to deliver customized ads or content while you use applications or surf the internet, or to identify you in a unique manner across other devices or browsers. In order to customize these ads or content, we, or third parties may collect your information e.g., your email address, or data passively collected from you, such as your device identifier or IP address.

You may be able to manage how your mobile device and mobile browser share information with the Services, by adjusting the privacy and security settings on your device. Please refer to instructions provided by your mobile service provider or the manufacturer of your device to learn how to adjust your settings.

Upside uses and discloses the data we collect as follows:

• To carry out travel-related transactions and track gift card eligibility and redemption.
• On the basis of implied or express consent after providing you full and clear notice of our data practices, such as:
• To send you certain information, including marketing communications, technical notices, updates, security alerts, and support messages; or
• To improve and customize the content and advertising you see on the Services, across the Internet, and elsewhere;
• To share information with our partners to provide you the Services; or
• To provide you the best quality services, travel opportunities and prices for your travel.
• For our legitimate interests in conducting our business to provide you the Services you seek, such as:
• To respond to questions, concerns, or customer service inquiries;
• To communicate with individuals about Upside accounts, transactions, or travel;
• To book your travel, such as air, accommodations and rental cars;
• To address travelers’ requests;
• To carry out certain marketing activities;
• To conduct research and analysis, including surveys; or
• To enforce the legal terms that govern our services.
• For the legitimate interests of employers in verifying and accounting for business travel (such as to confirm the accuracy of an Upside receipt or other travel and transaction details).
• To comply with law, protect rights, safety and property, and respond to lawful requests from public authorities; or
• To perform a service on behalf of a client who gives us the data.

We may also use your information to anticipate your travel needs or provide you with potential travel opportunities that may benefit you both at the time of your request and in the future. To do so, we may process your information using algorithms alone or in combination with the data of others. This processing is undertaken to provide you with improved travel options.

We may use manual or automated means (such as automated text messages and automated live or prerecorded/artificial voice calls) to perform some of the marketing and other communications described in this Section.

Combined Information You consent that, for the purposes discussed in this Policy, we may combine the information that we collect through the Services with information that we receive from other sources, both online and offline, and use such combined information in accordance with this Policy.

Aggregate/De-Identified Information. We may aggregate and/or de-identify information collected through the Services so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and marketing purposes, and may also share such data with any third parties, including advertisers, promotional partners, sponsors, event promoters, and/or others.

We share your information in the following ways:

• Affiliates and Subsidiaries. We may share all data we collect within the Upside family of companies.
• Suppliers. We share your data with hotel, airline, car rental, ride share, and activity providers, to fulfill your travel reservations and requests. By making a reservation or request through the Services, you are authorizing us to disclose to our suppliers the data required to complete the booking and deliver the travel related services. We do not control the privacy practices of suppliers. We encourage you to review the privacy policies of suppliers for more information regarding the applicable privacy practices.
• Third Party Vendors. We share your data with third party vendors, for example Full Story, Braintree, Sift Science, Salesforce, Hubspot and Flight Center Travel Group, who provide services or functions on your behalf. These third party vendors include credit card processing companies, wholesale purchasers of hotel, airline and car rental services, gift card awards and redemption providers, business analytics platforms, customer service organizations, advertising and business partners, distributors of surveys or sweepstakes programs, and fraud prevention firms.
• Business Partners. We may jointly offer products or services with business partners, including, for example, Flight Center Travel Group. You can tell when a business partner is involved in a product or service you have requested because their name will appear, either alone or with ours. If you choose to access these optional services, we may share your data with our partners. We do not control the privacy practices of business partners. We encourage you to review the privacy policies of our business partners for more information regarding the applicable privacy practices.
• Customers. If you are part of our Upside Corporate Program, we share information regarding your travel itineraries with your employer.
• Future Business Transactions. We may share your data in connection with any proposed or actual merger, reorganization, transfer of control, a sale of some or all of our assets, or a financing or acquisition of all or a portion of our business by another company (whether the recipient of data in these cases will handle the data pursuant to this Privacy Policy depends on applicable law and other factors).
• Referring Platforms. If you are referred to our Services from another service, an advertising site, a blog, a social media site, etc., we may collect data about you from the referring service. Also, we may provide them with appropriate referral data (such as the amount of a purchase) to compute referral fees or for similar purposes.
• Surveys and Promotions. Upside may conduct surveys and promotions on our Services that collect your data. Our surveys and promotions are voluntary and any information you provide may be collected, used, shared, disclosed, stored, transferred and processed in accordance with this policy. Your participation in our surveys and promotions, and your submission of Information, serves as your consent to these practices.
• Protection of Upside and Others. By using the Services, you acknowledge, consent and agree that we may access, preserve and disclose your data if required to do so by law or in a good faith belief that such access, preservation or disclosure is reasonably necessary to: (a) comply with legal process (e.g., a subpoena or court order); (b) enforce our Terms of Service, this Policy, or other contracts with you, including investigation of potential violations thereof; (c) respond to claims that any content violates the rights of third parties; (d) respond to your requests for customer service; and/or (e) protect the rights, property or personal safety of Upside, its agents and affiliates, its users and/or the public. This includes exchanging information with other companies and organizations for fraud protection, and spam/malware prevention, and similar purposes.
• Public Forums. Some features of our websites, apps and services allow users to make data public or engage in other sharing. For example, if you post content or otherwise participate in discussion forums or other social areas of our websites or apps, your participation (including the content you post, your name, and a link to your profile) may be shared across our websites and apps and in other public or private areas of the internet.

In some cases, we facilitate the collection of information through advertising services administered by third parties. The ad services may track users’ online activities over time by collecting information through automated means such as cookies, and they may use this information to show users advertisements that are tailored to their individual interests or characteristics and/or based on prior visits to certain sites or apps, or other information we know, infer or have collected from those users. For example, we and these third-parties may use cookies, first-party cookies and third-party cookies together, as well as other automated means, and other data (such as the data described above) (i) to recognize users and their devices, (ii) to inform, optimize, and serve ads, and (iii) to provide analytics about our ad impressions, uses of ad services, and how users interact with these impressions and services (including how they are related to visits to specific sites or apps).

To learn more about interest-based advertising generally, including how to opt out from the targeting of interest-based ads by some of our current ad service partners, visit the consumer choice pages offered by Network Advertising Initiative and Digital Advertising Alliance. For controls specific to advertising and analytics services offered by Google, click here, here and here. You also can use certain choice mechanisms offered by Facebook and Twitter. If you replace, change or upgrade your browser, or delete your cookies, you may need to use these opt-out tools again.

California Do-Not-Track disclosure requirements. We are committed to providing you with meaningful choices about the information collected on our Services for third-party purposes, and that is why we provide above the Network Advertising Initiatives Consumer Opt-out link, Digital Advertising Alliances Consumer Opt-Out Link, and other consumer choice mechanism links above. However, we do not recognize or respond to browser-initiated Do Not Track signals, as the Internet industry is currently still working on Do Not Track standards, implementations and solutions.

Travel and Gift Card Providers

As described above, Upside connects individuals with third parties, such as providers of travel and gift card providers. These third parties use and disclose information (including information received from Upside) according to their own privacy policies and practices. For example, travel providers may use the information for communicating with travelers about their travel (including through automated calls or automated text messages regarding travel updates or other topics). As another example, some travel providers may correlate information received from Upside with additional information they collect (such as biometric data you provide to them for services such as baggage tracking or check-in). We encourage you to review their privacy policies and contact them for more information.

Other Third Parties

Some third parties’ embedded plugins or other automated technology on our websites, apps and emails, such as cookies or social sharing buttons, may allow their operators to learn that you have visited or interacted with our websites, apps and emails, and they may combine this information with other, identifiable information they have collected about your visits to other websites, apps, emails or online services. These third parties may handle this information, and other information they directly collect through their content and plugins, pursuant to their own privacy policies.

There is no perfect security. We have implemented certain physical, technical, and administrative measures to help prevent unauthorized access, use and disclosure of your information, but we cannot promise that these measures will work. You are responsible for maintaining the secrecy of any credentials that can be used to access any account or service with Upside, and you should report suspected unauthorized activity to us. You are responsible for activity conducted with your credentials.

You may review and update certain information Upside holds by logging in to the Upside account through which the information was provided (or by asking the Upside account holder to do so). In some instances you may need to provide updated information directly to the travel supplier.

In addition, individuals residing in California, the European Union and some other jurisdictions outside the United States may have certain legal rights to obtain confirmation of whether we hold personally identifiable information (as defined by California law) or personal data (as defined by EU privacy law) about them, to access any information or data we hold about them (including, in some cases, in portable form), and to obtain its correction, update, amendment or deletion in appropriate circumstances. They may obtain a version of the personally identifiable information or personal data about them in a common machine readable format so that they may take that information to another travel service provider. They may also object to our uses or disclosures of personal data or exercise legal rights to withdraw consent, though such actions typically will not have retroactive effect. To exercise any of the above rights (or any other rights under applicable law), please contact us through the contact information provided at the beginning of this Privacy Policy.

The rights described here are subject to limitations and exceptions under applicable law. In particular, and as required by California law and by principles of prudent data security, we will endeavor to verify the identity of anyone requesting to exercise a data subject right and will endeavor to only release the personally identifiable information or personal data of that person to that person.

In addition to the rights above, you may lodge a complaint with the relevant supervisory authority. However, we encourage you to contact us first, and we will do our very best to resolve your concern.

We generally retain information for so long as it may be relevant to the purposes above. Information may persist in copies made for backup and business continuity purposes for additional time.

If you are a California resident and your questions about our data practices are not fully answered by this Privacy Policy, you may request that we make disclosures pursuant to the California Consumer Privacy Act of 2018, codified at California Civil Code § 1798.100 et seq. You may do so by emailing us a request at: [email protected] You may also contact us by phone at: (855) 252-2151 Alternatively, you may submit a request through our website at: https://upside.com/(chat with a navigator). Upon receipt of any request, we will endeavor to verify that the identity of the requestor matches the identity of the person whose personally identifiable information is requested. We declare that we do not and have not sold any personally identifiable information.

Subject to certain limits under California Civil Code § 1798.83, if you are a California resident, you may ask us to provide you with (a) a list of certain categories of personal information (as defined in the Civil Code) that we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year; and (b) the identity of the third parties that received personal information from us for their direct marketing purposes during that calendar year. To make such a request, please contact us as described at the beginning of this Privacy Policy.

Upside is based in the United States. The recipients of the data disclosures described in this Privacy Policy may be located in the United States or elsewhere in the world. Privacy laws in these countries may not provide protections equivalent to those of your country of residence, and your government may or may not deem such protections adequate.

European Union Residents

Upside complies with all applicable laws regarding your privacy. Individuals from the European Union ("EU") may only use our Services after providing your freely given, informed consent for Upside to collect, transfer, store, and share your Personal Data, as that term is defined in the EU's General Data Protection Regulation. EU residents may grant that consent directly to Upside, or to the company or your employer working directly on your behalf with Upside.

Upside is legally authorized to send the Personal Data of EU or Swiss individuals to the US for processing because we have made legally-binding commitments that are enforceable by US government agencies responsible for consumer protection. Upside provides you, as an EU or Swiss individual, both a means of directly contacting Upside to exercise your privacy rights and with a third party dispute resolution service.

How may I exercise my privacy rights as an EU or Switzerland individual who uses Upside?

Upside complies with the EU GDPR and makes it easy for EU individuals to exercise their rights described in that regulation. The purposes for which Upside collects your Personal Data, the categories and specific types of Personal Data we collect, and our practices and policies regarding your Personal Data are described in this Privacy Policy. As discussed throughout this Privacy Policy, Upside makes it easy for you to access, correct, delete, or demand deletion of your Personal Data. You may object to our processing of your Personal data by emailing us, although if you prohibit our processing, it may make some of our Services either impossible to offer or less useful. Any of those requests should be sent to [email protected] Should you ever wish to leave Upside and take an electronic copy of the Personal Data and information we have collected about you, you may make that request at [email protected] In addition to contacting our Data Protection Officer or the Better Business Bureau, EU individuals may contact the Data Protection Authority of Ireland by email at [email protected] to raise concerns about Upside'simplementation of GDPR or Upside's facilitation of the exercising of your privacy rights.

How does Upside protect my privacy rights as an European Union or Swiss Individual?

Upside complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to Privacy Shield. Upside has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https: //www.privacyshield.gov/

In compliance with the Privacy Shield Principles, Upside commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact Upside at: [email protected]

Our Data Protection Officer is Catherine R. Jones, our General Counsel, 1 Thomas Circle NW, 8th Floor, Washington, DC 20005, [email protected]

Upside has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

In compliance with the EU-US and Swiss-US Privacy Shield Principles, Upside commits to resolve complaints about your privacy and our collection or use of your Personal Information. Pursuant to the Privacy Shield, Upside remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages. European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact Upside at: [email protected] Upside is subject to the jurisdiction of the US Federal Trade Commission for any alleged failure of Upside to meet our privacy commitments. You may contact Upside's Data Privacy Officer at any time at [email protected]

We may change this Privacy Policy to reflect changes in the law, our information handling practices or the features of our services, websites, apps and emails. The updated Privacy Policy will be posted on the relevant Services.

If you have questions regarding our practices or this Privacy Policy, or would like to send us requests or complaints relating to your data, please contact us as described at the beginning of this Privacy Policy.