Upside receives information about individuals or their devices from the following sources:

• Individuals (or others who book or manage travel on their behalf) who provide information to us to:
• Establish or maintain an account with us;
• Make a purchase or receive a service from us;
• Post comments to online communities;
• Participate in a survey, sweepstakes or contest; or
• Connect with us via social media.
• Our websites, apps and emails, through the use of automated means (such as cookies) to collect data from users’ devices.
• Information sharing within the Upside corporate family and with the Dow Jones & Company, Inc.
• Referrals from users and others.
• Travel suppliers, gift card and other incentive offer suppliers, and others involved in providing the Services.
• Other third parties, including, advertisers, data partners, marketing partners and publicly available sources such as social networks.

We collect some information directly from you, and we also collect certain information through automated means when you use the Services.

1. Information from and about you

From the sources listed above, we may receive information such as:
• name, physical address, email address, telephone number
• travel details including dates, location, purchase information
• title, company and professional details
• gender and date of birth
• billing details (such as payment or gift card numbers)
• meal and travel preferences
• special needs or requested accommodations
• Known Traveler Number and other government-issued ID numbers
• frequent flyer and other loyalty and reward program numbers
• opinions and other user-submitted content or information
• details from social network profiles (such as name, email address, profile picture, location, and friend list)
• data regarding use of travel and of gift cards
• travel companion information when you make a reservation for another person

2. Information Collected Automatically Through Websites and Apps

Use of Cookies and Similar Technologies

Through the Services, we, our service providers, and other third parties may collect certain information through automated means such as cookies, Web and audio beacons, JavaScript, and mobile device functionality (such as Bluetooth low energy and iBeacons). This information may include unique browser identifiers, IP address, browser and operating system information, device identifiers (such as the Apple IDFA or Android Advertising ID), geolocation information (as described in the next section below), Internet connection information, as well as details about individuals’ interactions with the Services (including referring and exit pages and URLs, platform type, the number of clicks, domain names, landing pages, pages and content viewed and the order of those pages, the amount of time spent on particular pages, the date and time you used the Services, the frequency of your use of the Services, error logs, and email open rate).

We and third parties also may use such automated means to read or write information on users’ devices, such as through various types of cookies and other browser-based or plugin-based local storage (such as HTML5 storage or Flash-based storage). Cookies and local storage are files that contain data, such as unique identifiers, that we or a third party may place on or read from a user’s device for purposes such as recognizing the device, service provision, record-keeping, analytics and marketing. You may choose to set your web browser to refuse certain types of cookies, or to alert you when certain types of cookies are being sent. Some browsers offer similar settings for HTML5 local storage, and Flash storage can be managed here. However, if you block or otherwise reject our cookies or local storage, certain websites and emails (including our own) may not function properly.

For more information about how we use cookies and similar technologies, see Section 5 below.

Location Information

We may collect different types of information about your location, including general information (e.g., IP address, zip code) and more specific information (e.g., GPS-based functionality on mobile devices used to access the Services), and may use that information to customize the Services with location-based information, advertising, and features. For example, if your IP address indicates an origin in Chicago, the Services may be customized with Chicago-specific information and advertisements. If you access the Services through a mobile device and you do not want your device to provide us with location-tracking information, you can disable the GPS or other location-tracking functions on your device, provided your device allows you to do this. See your device manufacturer’s instructions for further details.

Using Mobile and Other Devices

We and/or our service providers may collect and store unique identifiers matched to your mobile device, in order to deliver customized ads or content while you use applications or surf the internet, or to identify you in a unique manner across other devices or browsers. In order to customize these ads or content, we, or third parties may collect your information e.g., your email address, or data passively collected from you, such as your device identifier or IP address.

You may be able to manage how your mobile device and mobile browser share information with the Services, by adjusting the privacy and security settings on your device. Please refer to instructions provided by your mobile service provider or the manufacturer of your device to learn how to adjust your settings.

Upside uses and discloses the data we collect as follows:

• To carry out travel-related transactions and track gift card eligibility and redemption.
• On the basis of implied or express consent, such as:
• To send you certain information, including marketing communications, technical notices, updates, security alerts, and support messages; or
• To improve and customize the content and advertising you see on the Services, across the Internet, and elsewhere.
• For our legitimate interests in conducting our business, such as:
• To respond to questions, concerns, or customer service inquiries;
• To communicate with individuals about Upside accounts, transactions, or travel;
• To address travelers’ requests;
• To carry out certain marketing activities;
• To conduct research and analysis, including surveys; or
• To enforce the legal terms that govern our services.
• For the legitimate interests of employers in verifying and accounting for business travel (such as to confirm the accuracy of an Upside receipt or other travel and transaction details).
• To comply with law, protect rights, safety and property, and respond to lawful requests from public authorities; or
• To perform a service on behalf of a client who gives us the data.

We may use manual or automated means (such as automated text messages and automated live or prerecorded/artificial voice calls) to perform some of the marketing and other communications described in this Section.

Combined Information You consent that, for the purposes discussed in this Policy, we may combine the information that we collect through the Services with information that we receive from other sources, both online and offline, and use such combined information in accordance with this Policy.

Aggregate/De-Identified Information. We may aggregate and/or de-identify information collected through the Services so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and marketing purposes, and may also share such data with any third parties, including advertisers, promotional partners, sponsors, event promoters, and/or others.

We share your information in the following ways:

• Affiliates and Subsidiaries. We may share all data we collect within the Upside family of companies.
• Suppliers. We share your data with hotel, airline, car rental, and activity providers, to fulfill your travel reservations and requests. By making a reservation or request through the Services, you are authorizing us to disclose to our suppliers the data required to complete the booking and deliver the travel related services. We do not control the privacy practices of suppliers. We encourage you to review the privacy policies of suppliers for more information regarding the applicable privacy practices.
• Third Party Vendors. We share your data with third party vendors, including Full Story who provide services or functions on our behalf. These third party vendors include credit card processing companies, wholesale purchasers of hotel, airline and car rental services, gift card awards and redemption providers, business analytics platforms, customer service organizations, advertising and business partners, distributers of surveys or sweepstakes programs, and fraud prevention firms.
• Business Partners. We may jointly offer products or services with business partners, including, for example, the Dow Jones & Company, Inc. You can tell when a business partner is involved in a product or service you have requested because their name will appear, either alone or with ours. If you choose to access these optional services, we may share your data with our partners. We do not control the privacy practices of business partners. We encourage you to review the privacy policies of our business partners for more information regarding the applicable privacy practices.
• Future Business Transactions. We may share your data in connection with any proposed or actual merger, reorganization, transfer of control, a sale of some or all of our assets, or a financing or acquisition of all or a portion of our business by another company (whether the recipient of data in these cases will handle the data pursuant to this Privacy Policy depends on applicable law and other factors).
• Referring Platforms. If you are referred to our Services from another service, an advertising site, a blog, a social media site, etc., we may collect data about you from the referring service. Also, we may provide them with appropriate referral data (such as the amount of a purchase) to compute referral fees or for similar purposes.
• Surveys and Promotions. Upside may conduct surveys and promotions on our Services that collect your data. Our surveys and promotions are voluntary and any information you provide may be collected, used, shared, disclosed, stored, transferred and processed in accordance with this policy. Your participation in our surveys and promotions, and your submission of Information, serves as your consent to these practices.
• Protection of Upside and Others. By using the Services, you acknowledge, consent and agree that we may access, preserve and disclose your data if required to do so by law or in a good faith belief that such access, preservation or disclosure is reasonably necessary to: (a) comply with legal process (e.g., a subpoena or court order); (b) enforce our Terms of Service, this Policy, or other contracts with you, including investigation of potential violations thereof; (c) respond to claims that any content violates the rights of third parties; (d) respond to your requests for customer service; and/or (e) protect the rights, property or personal safety of Upside, its agents and affiliates, its users and/or the public. This includes exchanging information with other companies and organizations for fraud protection, and spam/malware prevention, and similar purposes.
• Public Forums. Some features of our websites, apps and services allow users to make data public or engage in other sharing. For example, if you post content or otherwise participate in discussion forums or other social areas of our websites or apps, your participation (including the content you post, your name, and a link to your profile) may be shared across our websites and apps and in other public or private areas of the internet.

In some cases, we facilitate the collection of information through advertising services administered by third parties. The ad services may track users’ online activities over time by collecting information through automated means such as cookies, and they may use this information to show users advertisements that are tailored to their individual interests or characteristics and/or based on prior visits to certain sites or apps, or other information we know, infer or have collected from those users. For example, we and these third-parties may use cookies, first-party cookies and third-party cookies together, as well as other automated means, and other data (such as the data described above) (i) to recognize users and their devices, (ii) to inform, optimize, and serve ads, and (iii) to provide analytics about our ad impressions, uses of ad services, and how users interact with these impressions and services (including how they are related to visits to specific sites or apps).

To learn more about interest-based advertising generally, including how to opt out from the targeting of interest-based ads by some of our current ad service partners, visit the consumer choice pages offered by Network Advertising Initiative and Digital Advertising Alliance. For controls specific to advertising and analytics services offered by Google, click here, here and here. You also can use certain choice mechanisms offered by Facebook and Twitter. If you replace, change or upgrade your browser, or delete your cookies, you may need to use these opt-out tools again.

California Do-Not-Track disclosure requirements. We are committed to providing you with meaningful choices about the information collected on our Services for third-party purposes, and that is why we provide above the Network Advertising Initiatives Consumer Opt-out link, Digital Advertising Alliances Consumer Opt-Out Link, and other consumer choice mechanism links above. However, we do not recognize or respond to browser-initiated Do Not Track signals, as the Internet industry is currently still working on Do Not Track standards, implementations and solutions.

Travel and Gift Card Providers

As described above, Upside connects individuals with third parties, such as providers of travel and gift card providers. These third parties use and disclose information (including information received from Upside) according to their own privacy policies and practices. For example, travel providers may use the information for communicating with travelers about their travel (including through automated calls or automated text messages regarding travel updates or other topics). As another example, some travel providers may correlate information received from Upside with additional information they collect (such as biometric data you provide to them for services such as baggage tracking or check-in). We encourage you to review their privacy policies and contact them for more information.

Other Third Parties

Some third parties’ embedded plugins or other automated technology on our websites, apps and emails, such as cookies or social sharing buttons, may allow their operators to learn that you have visited or interacted with our websites, apps and emails, and they may combine this information with other, identifiable information they have collected about your visits to other websites, apps, emails or online services. These third parties may handle this information, and other information they directly collect through their content and plugins, pursuant to their own privacy policies.

There is no perfect security. We have implemented certain physical, technical, and administrative measures to help prevent unauthorized access, use and disclosure of your information, but we cannot promise that these measures will work. You are responsible for maintaining the secrecy of any credentials that can be used to access any account or service with Upside, and you should report suspected unauthorized activity to us. You are responsible for activity conducted with your credentials.

You may review and update certain information Upside holds by logging in to the Upside account through which the information was provided (or by asking the Upside account holder to do so). In some instances you may need to provide updated information directly to the travel supplier.

In addition, individuals in the European Union and some other jurisdictions outside the United States have certain legal rights to obtain confirmation of whether we hold personal data (as defined by EU privacy law) about them, to access personal data we hold about them (including, in some cases, in portable form), and to obtain its correction, update, amendment or deletion in appropriate circumstances. They may also object to our uses or disclosures of personal data or exercise legal rights to withdraw consent, though such actions typically will not have retroactive effect. To exercise any of the above rights (or any other rights under applicable law), please contact us through the contact information provided at the beginning of this Privacy Policy.

The rights described here are subject to limitations and exceptions under applicable law.

In addition to the rights above, you may lodge a complaint with the relevant supervisory authority. However, we encourage you to contact us first, and we will do our very best to resolve your concern.

We generally retain information for so long as it may be relevant to the purposes above. Information may persist in copies made for backup and business continuity purposes for additional time.

Subject to certain limits under California Civil Code § 1798.83, if you are a California resident, you may ask us to provide you with (i) a list of certain categories of personal information (as defined in the Civil Code) that we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year and (ii) the identity of the third parties that received personal information from us for their direct marketing purposes during that calendar year. To make such a request, please contact us as described at the beginning of this Privacy Policy.

Upside is based in the United States. The recipients of the data disclosures described in this Privacy Policy may be located in the United States or elsewhere in the world. Privacy laws in these countries may not provide protections equivalent to those of your country of residence, and your government may or may not deem such protections adequate.

We may change this Privacy Policy to reflect changes in the law, our information handling practices or the features of our services, websites, apps and emails. The updated Privacy Policy will be posted on the relevant Services.

If you have questions regarding our practices or this Privacy Policy, or would like to send us requests or complaints relating to your data, please contact us as described at the beginning of this Privacy Policy.