upcell, LLC (“upcell,” “we,” “our,” or “us”) provides a B2B sales intelligence and CRM enrichment platform that enables business professionals to capture public professional profile data and enrich that data with contact information through third-party data providers. This Privacy Policy explains how we collect, use, store, and share personal data in connection with our platform, website, and related services (collectively, the “Services”).
This Policy applies to: (a) business professionals whose data is processed through our Services in connection with B2B sales and marketing activities; (b) our customers and their authorized users (“Customers” or “Users”); and (c) visitors to our website at upcell.io.
We are committed to protecting personal data in accordance with applicable privacy laws globally, including the General Data Protection Regulation (“GDPR”) as applicable in the European Economic Area and the United Kingdom, the California Consumer Privacy Act (“CCPA”), and other applicable US state privacy laws.
Who We Are and How to Contact Us
Company: upcell, LLC
Address: 6 Liberty Square, PMB 455, Boston, MA 02109, USA
Privacy Contact: [email protected]
Opt-Out / Data Requests: upcell.io/data-claim
For data subjects located in the European Economic Area or the United Kingdom, upcell has appointed VeraSafe Ireland Ltd. as its designated representative under Article 27 of the GDPR. VeraSafe can be contacted in addition to [email protected], only on matters related to the processing of personal data by upcell.
To make such an inquiry, please contact VeraSafe using this contact form:
https://verasafe.com/public-resources/contact-data-protection-representative
or via telephone at: +420 228 881 031.
Alternatively, VeraSafe Ireland Ltd. can be contacted at:
VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P, Ireland
Please note that contacting our representative does not constitute a formal legal notice to upcell. For legal notices, please contact us directly at [email protected].
Scope of This Policy
This Policy covers personal data processed by upcell in the following contexts:
Business contact data processed through our platform in connection with B2B prospecting and CRM enrichment services
User account data collected from Customers and Users who access our platform
Website visitor data collected through our website at upcell.io
Our Services are designed exclusively for business-to-business (“B2B”) use cases. We process professional contact information — such as names, business titles, employer names, and professional contact details — relating to individuals acting in their professional or employment capacity. We do not process special categories of personal data, data relating to criminal convictions, or consumer data.
Personal Data We Process
3.1 Business Contact Data
In connection with our B2B enrichment services, upcell processes the following categories of professional data:
Public professional profile data: first name, last name, job title, employer/company name — surfaced from publicly available professional profiles via our Chrome extension
Enriched contact data: business email addresses and professional telephone numbers appended through third-party enrichment providers using Customer-supplied API credentials
CRM record identifiers: data used to match and merge records with existing entries in a Customer’s CRM system
This data relates to business professionals acting in their professional capacity. It does not include personal email addresses, home addresses, financial information, health data, or other categories of sensitive personal information.
3.2 User Account Data
When Customers and Users access our platform, we collect the following account data through Google or Microsoft OAuth authentication:
First name and last name
Business email address
User ID (assigned by Google or Microsoft at authentication)
Export and enrichment activity logs tied to the User ID
This data is collected and processed on the basis of contractual necessity — it is required to provide the platform access and audit functionality that Users have signed up for.
3.3 Website Visitor Data
When you visit upcell.io, we may collect standard web analytics data including IP address, browser type, pages visited, and session duration. This data is used to operate and improve our website. We use Datadog for application monitoring and logging in connection with platform operations.
How We Collect Personal Data
4.1 Chrome Extension — Public Profile Capture
Our Chrome extension enables Users to capture public professional profile data displayed in their browser while visiting professional networking platforms. This data is surfaced to upcell through a licensed third-party professional data provider. The data captured consists solely of publicly available professional information (name, title, employer).
upcell’s servers receive and process this data for the purpose of facilitating its push to the Customer’s CRM system and for maintaining transaction logs accessible through the Customer’s compliance dashboard within the platform.
4.2 Third-Party Enrichment Providers
Customers may connect their own API credentials from third-party enrichment providers (such as ZoomInfo, SalesIntel, LeadIQ, People Data Labs, Cleon1, Prospeo, and others) to our platform. When a Customer initiates an enrichment request, upcell routes the request through that Customer’s API credentials to the designated provider, receives the enrichment response, maps the returned data fields to the appropriate CRM fields, and delivers the enriched record to the Customer’s CRM.
Customers represent and warrant, by connecting their API credentials, that they have the legal right to use those credentials and that the data provided by their chosen enrichment provider was lawfully collected. Each enrichment provider maintains its own privacy policy and data compliance framework governing the data it provides.
4.3 Licensed Data Providers
upcell sources certain business contact data through licensed third-party data providers who compile and maintain databases of professional contact information. These providers represent that their data has been collected in compliance with applicable law. This data is used to support our platform’s search and discovery functionality.
4.4 Data Submitted Directly by Customers
Customers and Users may submit data to the platform directly, including through CRM integration and platform configuration. This data is processed in accordance with our agreements with the relevant Customer.
Lawful Basis for Processing
5.1 Legitimate Interest — Business Contact Data
Our primary lawful basis for processing business contact data is Legitimate Interest under Article 6(1)(f) of the GDPR. We process professional contact data to enable B2B sales and marketing outreach, which is a recognized legitimate interest under GDPR Recital 47. This basis applies because:
The data relates exclusively to individuals acting in a professional or employment capacity
The processing supports lawful B2B commercial activities that business professionals reasonably expect
The data processed is limited to professional context information (name, title, employer, work contact details)
The privacy impact is limited — we do not process sensitive categories of data, consumer data, or data unrelated to professional activities
We have conducted and documented a Legitimate Interests Assessment (LIA) in accordance with GDPR requirements. Data subjects have the right to object to this processing at any time. See Section 10 for how to exercise this right.
5.2 Contractual Necessity — User Account Data
Processing of User account data (name, email, User ID, activity logs) is carried out on the basis of contractual necessity under Article 6(1)(b) — this data is required to provide the platform services that Users have agreed to receive.
5.3 Legal Obligation
We may process personal data where necessary to comply with a legal obligation to which we are subject, including responding to valid legal requests from supervisory authorities or law enforcement.
How We Use Personal Data
We use the personal data we process for the following purposes:
Business Contact Data
To facilitate the capture of public professional profile data through the Chrome extension and deliver shell records to the Customer’s CRM
To route enrichment requests through Customer-supplied API credentials and deliver enriched records to the Customer’s CRM
To perform field mapping and CRM record matching as part of the enrichment workflow
To maintain enrichment and transaction logs accessible to Customers through their compliance dashboard
To maintain a suppression file of individuals who have opted out of or requested deletion of their data
User Account Data
To authenticate Users and provide platform access
To associate export and enrichment activity with the relevant User account for audit and compliance purposes
To support billing, customer support, and account administration
Website Data
To operate, maintain, and improve our website
To monitor platform performance and diagnose technical issues
What we do not do: upcell does not use personal data processed through our platform to build, enhance, or supplement our own proprietary contact database for resale or licensing to third parties. upcell does not sell personal data. upcell does not use Customer-submitted or Customer-processed data for upcell’s own marketing or product development beyond operating and improving the platform mechanics. Data processed through our platform on behalf of Customers is used solely to deliver the requested service to that Customer.
Our Role: Controller and Processor
upcell acts as a data controller and as a data processor depending on the context of the processing activity:
7.1 upcell as Controller
upcell acts as a data controller when we independently determine the purposes and means of processing, including:
Decisions about how to structure, store, and maintain enrichment and transaction logs
Decisions about field mapping logic and CRM record matching methodology
Processing of data sourced from our licensed third-party data providers
Processing of User account data and website visitor data
Maintenance of our suppression file
7.2 upcell as Processor
upcell acts as a data processor when processing personal data submitted to us by Customers in accordance with their instructions, including:
When a Customer uploads or transmits contact records to the platform for enrichment
When a Customer initiates a CRM push or enrichment request using their own API credentials
In contexts where upcell acts as a processor, the Customer is the data controller and is responsible for ensuring there is a lawful basis for the processing. Customers who are subject to GDPR should ensure a Data Processing Agreement (DPA) is in place with upcell. Please contact [email protected] to obtain our standard DPA.
In some contexts, upcell and a Customer may act as joint controllers where both parties independently influence the purposes or means of processing. Where this is the case, it will be addressed in the applicable agreement between upcell and the Customer.
Data subjects whose data is processed by upcell acting as a processor should direct requests to exercise their data protection rights to the relevant Customer, who is responsible for handling such requests. If you are uncertain whether upcell is acting as controller or processor in a specific context, please contact us at [email protected].
How We Share Personal Data
upcell does not sell personal data. We share personal data only in the following circumstances:
8.1 Sub-Processors
We engage trusted third-party service providers (“Sub-Processors”) to support our platform operations. These Sub-Processors process personal data on our behalf and are contractually bound to appropriate data protection standards. Our current Sub-Processor list is maintained at:
https://www.upcell.io/legal/subprocessors
We will notify Customers of material changes to our Sub-Processors. Enterprise Customers operating under a DPA may request additional details in accordance with that agreement.
8.2 Customers
Personal data processed through our platform is delivered to the Customer who initiated the relevant request, for use in that Customer’s own B2B sales and marketing activities. Customers are responsible for their own use of data delivered through the platform.
8.3 Legal Requirements
We may disclose personal data where required to do so by law, court order, or regulatory authority, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of upcell, our Customers, or others.
8.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction. We will provide notice of any such transfer and the choices available to data subjects as required by applicable law.
Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Policy and in accordance with our legal obligations:
Enrichment and transaction logs: retained for the duration of the Customer relationship, plus 30 days following termination of the Customer’s account, to support the Customer’s own compliance and audit needs and to resolve any disputes
User account data: retained for the duration of the User’s account, plus 30 days following account termination
Suppression file (opt-outs and deletion requests): retained indefinitely to ensure that individuals who have exercised their rights are not re-added to our platform or licensed data; if we obtain a data subject’s information again, we will be able to exclude it from use
Website visitor data: retained in accordance with our analytics provider’s standard retention settings, typically 12–26 months
Personal data is deleted or anonymized when it is no longer required for any of the above purposes, subject to any legal obligation to retain it for a longer period.
Your Privacy Rights
Depending on your location and applicable law, you may have the following rights with respect to your personal data:
Right of Access: the right to request confirmation of whether we process your personal data and to obtain a copy of that data
Right to Rectification: the right to request correction of inaccurate or incomplete personal data
Right to Erasure: the right to request deletion of your personal data (“right to be forgotten”)
Right to Object: the right to object to our processing of your personal data on the basis of Legitimate Interest, including for direct marketing purposes
Right to Restriction: the right to request that we restrict the processing of your personal data in certain circumstances
Right to Portability: the right to receive your personal data in a structured, machine-readable format and to transmit it to another controller
Right to Withdraw Consent: where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
To exercise any of these rights, please submit a request through our Privacy Center at upcell.io/data-claim or by emailing [email protected]. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).
Please note that some rights may be limited in certain circumstances — for example, where we are required to retain data to comply with a legal obligation, or where the data is necessary to resolve a dispute or enforce an agreement.
If you believe your rights have not been respected, you have the right to lodge a complaint with a supervisory authority. For EEA residents, contact details for supervisory authorities are available at the European Data Protection Board website (edpb.europa.eu). For UK residents, the relevant authority is the Information Commissioner’s Office (ico.org.uk).
Information for Residents of the European Economic Area and United Kingdom
11.1 Data Controller
For personal data processed by upcell as controller, the data controller is upcell, LLC, 6 Liberty Square, PMB 455, Boston, MA 02109, USA. Contact: [email protected].
11.2 Article 27 Representatives
VeraSafe Ireland Ltd. has been appointed as upcell’s representative in the European Union for data protection matters, pursuant to Article 27 of the GDPR. If you are in the European Economic Area, VeraSafe can be contacted in addition to [email protected], only on matters related to the processing of personal data.
To make such an inquiry, please contact VeraSafe using this contact form:
https://verasafe.com/public-resources/contact-data-protection-representative
or via telephone at: +420 228 881 031.
Alternatively, VeraSafe Ireland Ltd. can be contacted at:
VeraSafe Ireland Ltd.
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P, Ireland
11.3 Lawful Bases
Our lawful bases for processing personal data under the GDPR are set out in Section 5 of this Policy. Where we rely on Legitimate Interest as our lawful basis, we have conducted a Legitimate Interests Assessment. You may object to processing based on Legitimate Interest at any time by contacting [email protected] or submitting a request at upcell.io/data-claim.
11.4 International Transfers
upcell is based in the United States. When we process personal data relating to individuals in the EEA or UK, that data may be transferred to and processed in the United States and other countries outside the EEA/UK whose data protection laws may differ from those in your jurisdiction.
We rely on the following transfer mechanisms to ensure adequate protection for international transfers of personal data:
Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreements with Customers and Sub-Processors
The EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework, as described in Section 13 of this Policy
For more information about our international transfer mechanisms or to obtain a copy of our SCCs, please contact [email protected].
11.5 Data Subject Rights (EEA/UK)
Residents of the EEA and UK have the rights set out in Section 10 of this Policy. You also have the right to lodge a complaint with a supervisory authority. If you are in the EEA, you may contact the supervisory authority in the EU Member State where you reside, work, or where the alleged infringement occurred. If you are in the UK, you may contact the Information Commissioner’s Office at ico.org.uk.
We encourage you to contact us first at [email protected] so that we may address your concern directly before you escalate to a supervisory authority.
11.6 Processor Relationships
In cases where upcell acts as a processor for our Customers, data subjects should direct requests to exercise their GDPR rights to the relevant Customer, who is the data controller for that processing. If you are unsure who controls your data in a specific context, please contact us at [email protected] and we will assist you in identifying the appropriate controller.
11.7 Automated Decision-Making
upcell does not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on individuals as defined under GDPR Article 22(1). upcell’s outputs are used by Customers to inform human-led decisions; no decision with legal or similarly significant consequences for a data subject is made solely by automated means.
U.S. State Privacy Rights
12.1 California (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
Right to Know: the right to request information about the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom it has been shared
Right to Delete: the right to request deletion of personal information we have collected about you, subject to certain exceptions
Right to Correct: the right to request correction of inaccurate personal information
Right to Opt-Out of Sale or Sharing: upcell does not sell or share personal information for cross-context behavioral advertising purposes
Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA rights
To submit a CCPA request, please visit upcell.io/data-claim or email [email protected]. We will respond within 45 days of a verifiable consumer request, with an extension of up to an additional 45 days when reasonably necessary.
upcell is registered as a data broker in California and other applicable states as required by law.
upcell does not collect or process sensitive personal information as defined under the CPRA, including Social Security numbers, financial account credentials, precise geolocation, health data, or similar categories. Accordingly, upcell does not offer a “Limit the Use of My Sensitive Personal Information” opt-out, as no such processing occurs.
12.2 Other U.S. States
Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have similar rights to those described above, including rights of access, correction, deletion, portability, and opt-out of certain processing. To exercise these rights, please contact us at [email protected] or upcell.io/data-claim.
EU-U.S. Data Privacy Framework
13.1 Certification
upcell, LLC complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce.
upcell has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
upcell has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit:
https://www.dataprivacyframework.gov/
13.2 FTC Enforcement
upcell is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
13.3 Complaints and Dispute Resolution
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, upcell commits to resolve DPF Principles-related complaints about our collection and use of your personal data. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension, or the Swiss-U.S. DPF should first contact upcell at:
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, upcell commits to refer unresolved complaints concerning our handling of personal data to VeraSafe, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your complaint to your satisfaction, please visit the following link for more information or to file a complaint:
https://verasafe.com/public-resources/dispute-resolution/
The services of VeraSafe are provided at no cost to you.
Under certain conditions, individuals may invoke binding arbitration for complaints regarding DPF compliance not resolved by other mechanisms. For more information, please see Annex I of the EU-U.S. DPF Principles at:
https://www.dataprivacyframework.gov/
13.4 Onward Transfer Liability
upcell remains liable under the DPF Principles if its agents or service providers process personal data received under the EU-U.S. DPF, the UK Extension, or the Swiss-U.S. DPF in a manner inconsistent with the DPF Principles, unless upcell proves it is not responsible for the event giving rise to the damage.
13.5 Relationship to Standard Contractual Clauses
In addition to its DPF certification, upcell relies on Standard Contractual Clauses (SCCs) and conducts Transfer Impact Assessments as required for data transfers outside of the European Economic Area. To the extent legally required — including in the event the Data Privacy Framework is invalidated — the parties are subject to the SCCs incorporated into upcell’s Data Processing Agreement.
Data Security
upcell implements technical and organizational measures designed to protect personal data against unauthorized access, accidental loss, destruction, or alteration. Our platform is hosted on Google Cloud Platform infrastructure, which maintains industry-standard security certifications. Our application monitoring is provided by Datadog.
While we take data security seriously, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals as required by applicable law.
Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to operate the site and understand how it is used. We use:
Essential cookies: required for the website to function correctly
Analytics cookies: used to understand how visitors interact with the website, provided by our monitoring and analytics tools
You can control cookie preferences through your browser settings or through any cookie preference tool displayed on our website. Disabling certain cookies may affect your ability to use some features of the website. We choose the most privacy-protective settings available when configuring third-party tracking tools.
Children’s Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If we become aware that we have collected personal data from someone under 16, we will take steps to delete that information promptly.
Third-Party Services and Links
Our platform integrates with third-party services including CRM platforms (HubSpot, Salesforce) and enrichment providers. Our website may contain links to third-party websites. We are not responsible for the privacy practices of third-party services or websites. We encourage you to review the privacy policies of any third-party services you use in connection with our platform.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last Updated” date at the top of this Policy and provide notice through our platform or by email where required by law.
We encourage you to review this Policy periodically. Your continued use of our Services after any update constitutes acceptance of the updated Policy. If you disagree with any changes, you should stop using our Services and may submit a deletion request at upcell.io/data-claim.
How to Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our privacy practices, please contact us:
Email: [email protected]
Privacy Center / Data Requests: upcell.io/data-claim
Mail: upcell, LLC, 6 Liberty Square, PMB 455, Boston, MA 02109, USA
For matters relating to GDPR compliance or to reach our Article 27 representatives in the EEA or UK, please see Section 11.2 of this Policy.