Upside receives information about individuals or their devices from the following sources:
We collect some information directly from you, and we also collect certain information through automated means when you use the Services. We collect, use and disclose this information, as described within this Privacy Policy, for the purpose of providing you with travel services that you seek or that your employer seeks on your behalf. Our collection, use and disclosure, if any, to third parties of your personally identifiable information or personal data, occurs only after we give you clear notice of our intent to collect, use and disclose that information and with your explicit consent so that we can provide you with travel services. Your employer may also provide us with this information or data after having giving you notice that it will be shared with Upside, in which case we will process your personally identifiable information or personal data, as applicable, with either your explicit consent, implicit consent, or based upon our legitimate interest in fulfilling the requests of our customer in obtaining travel services for you.
You may withdraw your consent for our collection and use of your personally identifiable information or personal data at any time, however doing so may prevent us from offering you some or all of our Services given requirements imposed upon us by travel partners and various governments.
Through the Services, we, our service providers, and other third parties may collect certain information through automated means such as cookies, Web and audio beacons, JavaScript, and mobile device functionality (such as Bluetooth low energy and iBeacons). This information may include unique browser identifiers, IP address, browser and operating system information, device identifiers (such as the Apple IDFA or Android Advertising ID), geolocation information (as described in the next section below), Internet connection information, as well as details about individuals’ interactions with the Services (including referring and exit pages and URLs, platform type, the number of clicks, domain names, landing pages, pages and content viewed and the order of those pages, the amount of time spent on particular pages, the date and time you used the Services, the frequency of your use of the Services, error logs, and email open rate).
We and third parties also may use such automated means to read or write information on users’ devices, such as through various types of cookies and other browser-based or plugin-based local storage (such as HTML5 storage or Flash-based storage). Cookies and local storage are files that contain data, such as unique identifiers, that we or a third party may place on or read from a user’s device for purposes such as recognizing the device, service provision, record-keeping, analytics and marketing. You may choose to set your web browser to refuse certain types of cookies, or to alert you when certain types of cookies are being sent. Some browsers offer similar settings for HTML5 local storage, and Flash storage can be managed here. However, if you block or otherwise reject our cookies or local storage, certain websites and emails (including our own) may not function properly.
For more information about how we use cookies and similar technologies, see Section 5 below.
We may collect different types of information about your location, including general information (e.g., IP address, zip code) and more specific information (e.g., GPS-based functionality on mobile devices used to access the Services), and may use that information to customize the Services with location-based information, advertising, and features. For example, if your IP address indicates an origin in Chicago, the Services may be customized with Chicago-specific information and advertisements. If you access the Services through a mobile device and you do not want your device to provide us with location-tracking information, you can disable the GPS or other location-tracking functions on your device, provided your device allows you to do this. See your device manufacturer’s instructions for further details.
We and/or our service providers may collect and store unique identifiers matched to your mobile device, in order to deliver customized ads or content while you use applications or surf the internet, or to identify you in a unique manner across other devices or browsers. In order to customize these ads or content, we, or third parties may collect your information e.g., your email address, or data passively collected from you, such as your device identifier or IP address.
You may be able to manage how your mobile device and mobile browser share information with the Services, by adjusting the privacy and security settings on your device. Please refer to instructions provided by your mobile service provider or the manufacturer of your device to learn how to adjust your settings.
Upside uses and discloses the data we collect as follows:
We may also use your information to anticipate your travel needs or provide you with potential travel opportunities that may benefit you both at the time of your request and in the future. To do so, we may process your information using algorithms alone or in combination with the data of others. This processing is undertaken to provide you with improved travel options.
We may use manual or automated means (such as automated text messages and automated live or prerecorded/artificial voice calls) to perform some of the marketing and other communications described in this Section.
Combined Information You consent that, for the purposes discussed in this Policy, we may combine the information that we collect through the Services with information that we receive from other sources, both online and offline, and use such combined information in accordance with this Policy.
Aggregate/De-Identified Information. We may aggregate and/or de-identify information collected through the Services so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and marketing purposes, and may also share such data with any third parties, including advertisers, promotional partners, sponsors, event promoters, and/or others.
We share your information in the following ways:
In some cases, we facilitate the collection of information through advertising services administered by third parties. The ad services may track users’ online activities over time by collecting information through automated means such as cookies, and they may use this information to show users advertisements that are tailored to their individual interests or characteristics and/or based on prior visits to certain sites or apps, or other information we know, infer or have collected from those users. For example, we and these third-parties may use cookies, first-party cookies and third-party cookies together, as well as other automated means, and other data (such as the data described above) (a) to recognize users and their devices, (b) to inform, optimize, and serve ads, and (c) to provide analytics about our ad impressions, uses of ad services, and how users interact with these impressions and services (including how they are related to visits to specific sites or apps).
To learn more about interest-based advertising generally, including how to opt out from the targeting of interest-based ads by some of our current ad service partners, visit the consumer choice pages offered by Network Advertising Initiative and Digital Advertising Alliance. For controls specific to advertising and analytics services offered by Google, click here, here and here. You also can use certain choice mechanisms offered by Facebook and Twitter. If you replace, change or upgrade your browser, or delete your cookies, you may need to use these opt-out tools again.
California Do-Not-Track disclosure requirements. We are committed to providing you with meaningful choices about the information collected on our Services for third-party purposes, and that is why we provide above the Network Advertising Initiatives Consumer Opt-out link, Digital Advertising Alliances Consumer Opt-Out Link, and other consumer choice mechanism links above. However, we do not recognize or respond to browser-initiated Do Not Track signals, as the Internet industry is currently still working on Do Not Track standards, implementations and solutions.
As described above, Upside connects individuals with third parties, such as providers of travel and gift card providers. These third parties use and disclose information (including information received from Upside) according to their own privacy policies and practices. For example, travel providers may use the information for communicating with travelers about their travel (including through automated calls or automated text messages regarding travel updates or other topics). As another example, some travel providers may correlate information received from Upside with additional information they collect (such as biometric data you provide to them for services such as baggage tracking or check-in). We encourage you to review their privacy policies and contact them for more information.
Some third parties’ embedded plugins or other automated technology on our websites, apps and emails, such as cookies or social sharing buttons, may allow their operators to learn that you have visited or interacted with our websites, apps and emails, and they may combine this information with other, identifiable information they have collected about your visits to other websites, apps, emails or online services. These third parties may handle this information, and other information they directly collect through their content and plugins, pursuant to their own privacy policies.
There is no perfect security. We have implemented certain physical, technical, and administrative measures to help prevent unauthorized access, use and disclosure of your information, but we cannot promise that these measures will work. You are responsible for maintaining the secrecy of any credentials that can be used to access any account or service with Upside, and you should report suspected unauthorized activity to us. You are responsible for activity conducted with your credentials.
You may review and update certain information Upside holds by logging in to the Upside account through which the information was provided (or by asking the Upside account holder to do so). In some instances you may need to provide updated information directly to the travel supplier.
In addition, individuals residing in California, the European Union and some other jurisdictions outside the United States may obtain confirmation of whether we hold personally identifiable information (as defined by California law) or personal data (as defined by EU privacy law) about them, to access any information or data we hold about them (including, in some cases, in portable form), and to obtain its correction, update, amendment or deletion in appropriate circumstances. They may obtain a version of the personally identifiable information or personal data about them in a common machine readable format so that they may take that information to another travel service provider. They may also object to our uses or disclosures of personal data or exercise legal rights to withdraw consent, though such actions typically will not have retroactive effect. To exercise any of the above rights (or any other rights under applicable law), please contact us through the contact information provided at the beginning of this Privacy Policy.
The rights described here are subject to limitations and exceptions under applicable law. In particular, and as required by California law and by principles of prudent data security, we will endeavor to verify the identity of anyone requesting to exercise a data subject right and will endeavor to only release the personally identifiable information or personal data of that person to that person.
In addition to the rights above, you may lodge a complaint with the relevant supervisory authority. However, we encourage you to contact us first, and we will do our very best to resolve your concern.
We generally retain information for so long as it may be relevant to the purposes above. Information may persist in copies made for backup and business continuity purposes for additional time.
If you are a California resident and your questions about our data practices are not fully answered by this Privacy Policy, you may request that we make disclosures pursuant to the California Consumer Privacy Act of 2018, codified at California Civil Code § 1798.100 et seq. You may do so by emailing us a request at: [email protected] You may also contact us by phone at: (855) 252-2151 Alternatively, you may submit a request through our website at: https://upside.com/ (chat with a navigator). Upon receipt of any request, we will endeavor to verify that the identity of the requestor matches the identity of the person whose personally identifiable information is requested. We declare that we do not and have not sold any personally identifiable information.
Subject to certain limits under California Civil Code § 1798.83, if you are a California resident, you may ask us to provide you with (a) a list of certain categories of personal information (as defined in the Civil Code) that we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year; and (b) the identity of the third parties that received personal information from us for their direct marketing purposes during that calendar year. To make such a request, please contact us as described at the beginning of this Privacy Policy.
Upside is based in the United States. The recipients of the data disclosures described in this Privacy Policy may be located in the United States or elsewhere in the world. Privacy laws in these countries may not provide protections equivalent to those of your country of residence, and your government may or may not deem such protections adequate.
Upside complies with all applicable laws regarding your privacy. Individuals from the European Union ("EU") may only use our Services after providing your freely given, informed consent for Upside to collect, transfer, store, and share your Personal Data, as that term is defined in the EU's General Data Protection Regulation. EU residents may grant that consent directly to Upside, or to the company or your employer working directly on your behalf with Upside.
Upside is legally authorized to send the Personal Data of EU or Swiss individuals to the US for processing because we have made legally-binding commitments that are enforceable by US government agencies responsible for consumer protection. Upside provides you, as an EU or Swiss individual, both a means of directly contacting Upside to exercise your privacy rights and with a third party dispute resolution service.
Upside complies with the EU GDPR and makes it easy for EU individuals to exercise their rights described in that regulation. The purposes for which Upside collects your Personal Data, the categories and specific types of Personal Data we collect, and our practices and policies regarding your Personal Data are described in this Privacy Policy. As discussed throughout this Privacy Policy, Upside makes it easy for you to access, correct, delete, or demand deletion of your Personal Data. You may object to our processing of your Personal data by emailing us, although if you prohibit our processing, it may make some of our Services either impossible to offer or less useful. Any of those requests should be sent to [email protected] Should you ever wish to leave Upside and take an electronic copy of the Personal Data and information we have collected about you, you may make that request at [email protected] In addition to contacting our Data Protection Officer or the Better Business Bureau, EU individuals may contact the Data Protection Authority of Ireland by email at [email protected] to raise concerns about Upside's implementation of GDPR or Upside's facilitation of the exercising of your privacy rights.
Upside complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to Privacy Shield. Upside has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https: //www.privacyshield.gov/
In compliance with the Privacy Shield Principles, Upside commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact Upside at: [email protected]
Our Data Protection Officer is Catherine R. Jones, our General Counsel, 1 Thomas Circle NW, 8th Floor, Washington, DC 20005, [email protected]
Upside has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
In compliance with the EU-US and Swiss-US Privacy Shield Principles, Upside commits to resolve complaints about your privacy and our collection or use of your Personal Information. Pursuant to the Privacy Shield, Upside remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages. European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact Upside at: [email protected] Upside is subject to the jurisdiction of the US Federal Trade Commission for any alleged failure of Upside to meet our privacy commitments. You may contact Upside's Data Privacy Officer at any time at [email protected]
We may change this Privacy Policy to reflect changes in the law, our information handling practices or the features of our services, websites, apps and emails. The updated Privacy Policy will be posted on the relevant Services.
If you have questions regarding our practices or this Privacy Policy, or would like to send us requests or complaints relating to your data, please contact us as described at the beginning of this Privacy Policy.