Legal

Privacy Policy

Effective date: April 7, 2026

Questions? privacy@upcot.com

UPCOT (“we,” “us,” or “our”) operates the UPCOT platform, accessible at upcot.com and related subdomains (the “Platform”). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you access or use our Platform. By using the Platform you agree to the practices described here.

This Policy is incorporated by reference into our Terms of Service. Defined terms used here carry the meanings assigned in those Terms.

1. Information We Collect

1.1 Information You Provide Directly

When you create an account, enroll in a course, or communicate with us, we may collect:

  • Identity data: first name, last name, username, and profile photograph (if uploaded).
  • Contact data: email address.
  • Authentication data: hashed passwords (we never store plaintext passwords).
  • Educational data: course enrollments, assignment submissions, quiz responses, grades, attendance records, and instructor feedback.
  • Payment data: billing name and address. We do not store full credit card numbers or bank account details; all payment processing is handled by Stripe, Inc. (see Section 6).
  • Communications: messages you send to support, discussion posts, and any content you create on the Platform.
  • Interest-list data: name and email address submitted via our waitlist form prior to account creation.

1.2 Information Collected Automatically

When you interact with the Platform, our servers automatically log:

  • Log data: IP address, browser type and version, operating system, referring URLs, pages viewed, and the date and time of each request.
  • Device data: device identifiers, screen resolution, and language preferences.
  • Usage data: features used, lesson completion status, quiz attempts, and clickstream data.
  • Session data: session tokens stored in encrypted, HTTP-only cookies.

1.3 Cookies and Similar Technologies

We use strictly necessary cookies to maintain your authenticated session and prevent cross-site request forgery. We do not use third-party advertising cookies or sell your data to data brokers. If you use a browser that transmits a Global Privacy Control (GPC) signal, we treat it as a valid opt-out of any sale or sharing of personal information.

1.4 Information From Third Parties

If an institution uses UPCOT under an institutional license, the institution may provide us with enrollment rosters or other data about students or instructors. In those cases the institution is the data controller and we act as a data processor on its behalf.

2. How We Use Your Information

We use the information we collect to:

  • Create and maintain your account and authenticate your identity.
  • Provide, operate, and improve the Platform, including gradebooks, lesson delivery, QR attendance, quiz scoring, and AI-assisted lesson planning tools.
  • Issue digital credentials and certificates of completion.
  • Process payments and prevent fraud.
  • Send transactional emails such as email verification, password resets, grade notifications, and credential issuance notices.
  • Respond to your support requests and resolve disputes.
  • Monitor platform security, detect abuse, and enforce our Terms of Service.
  • Comply with applicable law and respond to lawful legal process.
  • With your separate consent, send you promotional communications about new features. You may opt out at any time via the unsubscribe link in any such email.

We do not use your educational records or course performance data to train third-party AI models or to serve you behavioral advertising.

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under one or more of the following legal bases:

  • Contract: processing necessary to perform the contract with you (account creation, course delivery, credential issuance).
  • Legal obligation: processing required to comply with applicable law.
  • Legitimate interests: security monitoring, fraud prevention, and platform improvement, where those interests are not overridden by your rights.
  • Consent: marketing communications (you may withdraw consent at any time).

4. Educational Records and FERPA

For users enrolled in courses offered by institutions that are subject to the Family Educational Rights and Privacy Act (“FERPA”), grades, attendance records, and assignment submissions constitute “education records” under FERPA. We collect and process those records as a “school official” with a legitimate educational interest, pursuant to a written Data Processing Agreement with the relevant institution (as contemplated by 34 C.F.R. § 99.3(b)). Institutions represent and warrant to UPCOT that they have obtained all legally required parental or student consents before enrolling individuals in UPCOT-powered courses. We do not disclose education records to third parties except as permitted by FERPA and described in this Policy.

When we receive a subpoena, court order, or other legal process that could require disclosure of education records, we will, to the extent legally permissible, notify the relevant educational institution before complying so that the institution may seek a protective order or otherwise respond.

Eligible students and their parents (for students under 18) have the right to inspect their education records, request corrections, and limit certain disclosures, subject to FERPA’s requirements. Requests should be directed to the institution first; if the institution directs the request to us, we will respond within 45 days.

5. Children’s Privacy (COPPA)

The Platform is not directed to children under 13. We do not knowingly collect personal information from any child under 13 without verifiable parental consent. If we learn that we have collected personal information from a child under 13 without such consent, we will delete that information promptly. Parents or guardians who believe their child has submitted personal information to us should contact us at privacy@upcot.com.

Children ages 13–17: If you are between 13 and 17, you may use the Platform only with the knowledge and consent of your parent or guardian. Instructors who enroll minors are responsible for obtaining any required parental consents under applicable law.

COPPA 2025 Amendment Notice: The Federal Trade Commission’s updated Children’s Online Privacy Protection Rule takes effect April 22, 2026 — after this Policy’s effective date. The updated rule expands protections to teens under 17 and imposes enhanced consent requirements. We are committed to full compliance and will update our practices on or before April 22, 2026, and will notify users of any material changes to how we handle minors’ data.

6. Payment Processing and Stripe

Payments on the Platform are processed by Stripe, Inc., a PCI DSS Level 1 certified payment processor. When you enter payment information, it is transmitted directly to Stripe using TLS encryption; we receive only a non-sensitive token and the last four digits of your card. Stripe’s collection and use of your payment data is governed by Stripe’s Privacy Policy. We are not responsible for Stripe’s data practices.

Instructors who receive payments through UPCOT’s marketplace feature are subject to Stripe Connect’s identity-verification requirements, which may include collection of government ID information directly by Stripe.

7. How We Share Your Information

We do not sell your personal information. We may share your information with:

  • Service providers: companies that provide hosting, email delivery, payment processing, and analytics on our behalf, under written data-processing agreements that restrict their use of your data to performing services for us.
  • Institutional partners: if you are enrolled in a course offered through an institutional license, we share relevant educational records with that institution.
  • Other users: your display name and course-related contributions (discussion posts, peer feedback) are visible to other enrolled users and instructors.
  • Public credential verification: completed credentials are assigned a public verification URL. Anyone who has that URL can confirm whether a credential is valid. No other personal data is exposed on the verification page.
  • Legal compliance: we may disclose information if required by law, subpoena, court order, or to protect the rights, property, or safety of UPCOT, our users, or the public.
  • Business transfers: if UPCOT is acquired or merges with another entity, your information may be transferred as part of that transaction. We will notify you via email or a prominent Platform notice before your information becomes subject to a materially different privacy policy.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Platform. Specific retention periods:

  • Account data: retained for the life of your account plus 3 years after account deletion, to resolve disputes and comply with legal obligations.
  • Educational records: retained for 7 years from the end of the course enrollment, or longer if required by the applicable institution’s records-retention policy.
  • Issued credentials: retained indefinitely for verification purposes, unless revoked by the issuing instructor or institution. A revoked credential is removed from public verification but a record of revocation is kept.
  • Payment records: retained for 7 years to comply with tax and financial reporting requirements.
  • Server logs: retained for 90 days and then automatically purged.
  • Interest-list entries: retained for 2 years from submission or until the email address converts to a full account, whichever is sooner.

You may request deletion of your account at any time (see Section 10). Deletion removes your personal profile and contact information; anonymized usage records and aggregate analytics may be retained.

9. Data Security

We use industry-standard technical and organizational measures to protect your information, including:

  • TLS/HTTPS encryption for all data in transit.
  • Bcrypt hashing (cost factor ≥ 12) for all stored passwords.
  • Encryption at rest for sensitive database fields.
  • CSRF tokens on all state-changing requests.
  • Role-based access controls limiting internal access to your data.
  • Regular security reviews and dependency audits.

No system is perfectly secure. If we learn of a security breach that is reasonably likely to harm you, we will notify you and the applicable authorities as required by law. For breaches affecting Florida residents, we will provide notification within 30 days of determining a breach has occurred, consistent with Florida’s Information Protection Act (Fla. Stat. § 501.171). For breaches affecting residents of other states, we will comply with the notification timelines required by applicable state law.

10. Your Rights and Choices

10.1 All Users

  • Access & correction: You may view and update most of your account information in your profile settings.
  • Marketing opt-out: You may opt out of promotional emails at any time using the unsubscribe link in those emails or by emailing privacy@upcot.com. Transactional emails (e.g., password resets) cannot be opted out of while your account is active.
  • Account deletion: Email privacy@upcot.com to request deletion. We will process your request within 30 days. Certain information may be retained as described in Section 8.

10.2 California Residents (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to Know: You may request a copy of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: You may request deletion of personal information we have collected about you, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. If our practices change, we will update this Policy and honor GPC signals.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Platform.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise these rights, email privacy@upcot.com with the subject line “California Privacy Request.” We will respond within 45 days. You may designate an authorized agent to make a request on your behalf; we require written authorization signed by you and may also require a copy of a government-issued ID and a signed declaration under penalty of perjury verifying the agent’s authority. We will not discriminate against authorized agents making proper requests.

10.3 EEA / UK / Switzerland Residents (GDPR)

In addition to the rights above, you have the right to:

  • Data portability: receive a machine-readable copy of your personal data.
  • Restrict processing: ask us to limit how we use your data in certain circumstances.
  • Object to processing: object to processing based on our legitimate interests.
  • Lodge a complaint: file a complaint with your national data protection authority.

Our designated representative for GDPR purposes can be reached at privacy@upcot.com. We are in the process of designating an Article 27 representative within the European Economic Area. Until that designation is finalized, EEA/UK residents may direct inquiries to privacy@upcot.com and we will respond within the timeframes required by applicable law.

11. International Data Transfers

UPCOT is operated in the United States. If you access the Platform from outside the United States, your information may be transferred to and processed in the United States, where data protection laws may differ from those in your country. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms as appropriate.

12. DMCA and Intellectual Property

If you believe content on the Platform infringes your copyright, please send a written notice to our designated DMCA agent at dmca@upcot.com containing: (a) a description of the copyrighted work; (b) the URL or other location of the allegedly infringing material; (c) your contact information; (d) a statement that you have a good-faith belief the use is not authorized; (e) a statement under penalty of perjury that the notice is accurate and that you are the copyright owner or authorized to act on their behalf; and (f) your physical or electronic signature. We respond to valid notices in accordance with 17 U.S.C. § 512.

13. Third-Party Links and Integrations

The Platform may contain links to third-party websites, including YouTube videos embedded within course lessons. We are not responsible for the privacy practices of those sites. Where technically feasible, UPCOT uses YouTube’s privacy-enhanced embed mode (youtube-nocookie.com) to limit data transmitted to Google before a user plays a video; however, once a video is played, YouTube’s data collection applies. Embedded YouTube content is subject to Google’s Privacy Policy.

14. Do Not Track

Some browsers transmit Do Not Track (DNT) signals. Because no industry standard has been established for DNT, we do not currently respond to DNT signals. We do, however, honor Global Privacy Control (GPC) signals as described in Section 10.2.

15. Email Communications and CAN-SPAM Compliance

We send two categories of email:

  • Transactional emails: messages necessary to operate your account or deliver the service you requested — including email verification, password resets, grade notifications, attendance confirmations, and credential issuance. These emails are not marketing communications and cannot be opted out of while your account is active.
  • Promotional emails: messages about new features, events, or other news. These are sent only with your consent (e.g., upon opt-in during registration or through account settings). Every promotional email will clearly identify UPCOT as the sender, include our mailing address, and contain a one-click unsubscribe mechanism. We honor unsubscribe requests within 10 business days, consistent with the CAN-SPAM Act (15 U.S.C. § 7701 et seq.).

We do not send email on behalf of third parties for advertising purposes. We do not sell email addresses to third-party marketers.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (sent to the address on your account) and by posting the revised Policy with an updated effective date. Your continued use of the Platform after the effective date constitutes your acceptance of the revised Policy. If you disagree with any changes, you must stop using the Platform and may request account deletion as described in Section 10.

17. Contact Us

For privacy-related questions, requests, or complaints:

We will respond to all privacy requests within 30 days (or within the timeframe required by applicable law, if shorter).

Back to home · Terms of Service