Privacy Policy
This Privacy Policy explains how UPPER (UpperLev, Inc.) collects, uses, shares, and protects information when you use FindMyRockstar and related UPPER services. It also describes your rights and choices regarding your data.
1. Who We Are
UPPER (UpperLev, Inc.) operates FindMyRockstar, a B2B SaaS talent-sourcing platform designed for recruiting teams and hiring organizations. In this Privacy Policy, "UPPER," "we," "us," or "our" refers to UpperLev, Inc. "Customer" refers to the business or organization that subscribes to the Service. "User" refers to individual employees or contractors who access the Service on behalf of a Customer.
For questions about this Privacy Policy, contact us at legal@upperlev.com.
2. Scope of This Policy
This Privacy Policy applies to:
- The FindMyRockstar web application and any associated mobile applications;
- The UPPER website at upperlev.com;
- Communications you have with UPPER (email, support tickets, etc.); and
- Candidate data that UPPER processes on behalf of Customers.
This Policy does not apply to third-party websites or services linked from the Service. We are not responsible for the privacy practices of those third parties.
3. Data We Collect
3.1 Account and User Information
When you register for or use the Service, we collect:
- Name, work email address, and job title;
- Organization name and domain;
- Authentication information provided via third-party identity providers (Google, Microsoft, or Enterprise SSO — we receive an authenticated token, not your password);
- Account preferences and settings; and
- Communications with UPPER support.
3.2 Requisition and Usage Data
As you use the Service, we collect:
- Job requisition content you create (role title, location, required skills, compensation, and other sourcing parameters);
- Interactions with candidate profiles (views, notes, stage changes, outreach initiated);
- Feature usage patterns and workflow data; and
- Log data including IP address, browser type, operating system, pages viewed, and timestamps.
3.3 Candidate Data (Processed on Behalf of Customers)
UPPER sources candidate data from third-party public and semi-public channels on behalf of Customers. This data may include:
| Category | Examples | Source |
|---|---|---|
| Professional identity | Name, current and past job titles, employer names | LinkedIn, GitHub, professional directories |
| Contact information | Professional email address, LinkedIn profile URL | Hunter, Prospeo, Apollo, public profiles |
| Skills and experience | Technical skills, years of experience, open-source contributions | GitHub, HackerNews, LinkedIn |
| Location | City, region, country (derived from profile) | LinkedIn, public profiles |
| AI-generated scores | Match score, fit ranking generated by UPPER | UPPER's AI system (derived) |
| Engagement data | Outreach sent, response status, stage in pipeline | UPPER platform (derived from Customer activity) |
UPPER processes Candidate Data as a data processor on behalf of the Customer (the data controller). Customers are responsible for ensuring they have a lawful basis under applicable law to source and process candidate personal data.
3.4 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate and improve the Service. See Section 10 (Cookies) for details.
4. How We Use Your Data
We use the data we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service (authentication, requisition management, candidate sourcing, pipeline management) | Contract performance |
| Processing candidate outreach on behalf of Customers | Legitimate interests / Customer instructions |
| Improving and developing Service features (anonymized/aggregated analytics) | Legitimate interests |
| Customer support and responding to inquiries | Contract performance / legitimate interests |
| Sending service-related communications (billing, security, policy updates) | Contract performance / legal obligation |
| Sending product and marketing communications (opt-in) | Consent |
| Security, fraud prevention, and abuse detection | Legitimate interests / legal obligation |
| Complying with legal obligations | Legal obligation |
We do not sell your personal data or Customer Data. We do not use Candidate Data to train AI models for purposes outside of providing the Service to the Customer who controls that data.
5. Data Sharing and Subprocessors
5.1 We Do Not Sell Data
UPPER does not sell, rent, or trade personal data to third parties for their own marketing purposes.
5.2 Service Providers (Subprocessors)
We share data with carefully selected service providers that help us operate the Service. These include:
- Cloud infrastructure: Hosting, compute, and storage providers (e.g., AWS, Google Cloud);
- Authentication: Identity providers used at Customer request (Google Workspace, Microsoft Entra);
- Analytics: Anonymized product usage analytics (no personal data sold or shared with advertising networks);
- Support tooling: Customer support and ticketing platforms;
- Email delivery: Transactional email services for service notifications; and
- Data enrichment sources: Apollo, Hunter, Prospeo, and similar services used to source Candidate Data on behalf of Customers.
All subprocessors are bound by contractual obligations to process data only as instructed by UPPER and to implement appropriate security measures. An up-to-date list of subprocessors is available upon request at legal@upperlev.com.
5.3 Legal Disclosures
We may disclose data if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of UPPER, our Customers, or the public.
5.4 Business Transfers
If UPPER is involved in a merger, acquisition, or sale of all or substantially all of its assets, data may be transferred as part of that transaction. We will notify affected Customers via email or prominent notice on the Service before data is transferred and becomes subject to a different privacy policy.
6. Candidate Data and Recruiting Context
UPPER operates in the recruiting and talent-sourcing domain. When you use the Service to source candidates, UPPER processes personal data about individuals who have not directly interacted with UPPER. This section describes our approach and your obligations.
6.1 Customer as Data Controller
With respect to Candidate Data, the Customer is the data controller and UPPER is the data processor. UPPER processes Candidate Data strictly on the Customer's instructions and for the purpose of talent sourcing on the Customer's behalf.
6.2 Lawful Basis
Customers must ensure they have a legitimate basis to process Candidate Data under applicable law. For recruiting purposes, legitimate interest is a commonly used lawful basis in many jurisdictions, but Customers should seek their own legal advice regarding compliance in their specific jurisdictions, particularly for roles involving EU/EEA, UK, or California-resident candidates.
6.3 Candidate Rights Requests
If a candidate contacts UPPER directly to exercise data rights (e.g., access, deletion, correction), UPPER will notify the relevant Customer and, where legally required, honor the request within the timeframe required by applicable law. Candidates may direct requests to legal@upperlev.com.
6.4 Non-Discrimination
UPPER's scoring and ranking algorithms are designed to match candidates to roles based on skills, experience, and stated requirements. UPPER does not build or apply models intended to discriminate on the basis of protected characteristics. Customers remain responsible for ensuring their use of UPPER's output complies with applicable equal employment opportunity law.
7. Data Retention
We retain data for as long as necessary to provide the Service and fulfill the purposes described in this Policy, unless a longer retention period is required by law.
- Account data: Retained for the duration of the Customer's relationship with UPPER, plus up to 30 days after account termination to facilitate export or re-activation, after which it is deleted or anonymized.
- Requisition and usage data: Retained during the subscription period and for up to 12 months thereafter for audit and compliance purposes.
- Candidate Data: Retained during the Customer's active subscription, plus 30 days after termination for export. Customers may request earlier deletion of Candidate Data by contacting legal@upperlev.com.
- Log data: Retained for up to 90 days for security and performance monitoring.
- Backup data: May persist in encrypted backups for up to 90 days after deletion from primary systems.
8. Security
UPPER implements industry-standard technical and organizational security measures designed to protect your data against unauthorized access, disclosure, alteration, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- Access controls limiting data access to authorized personnel on a need-to-know basis;
- Multi-factor authentication for administrative access to production systems;
- Regular security assessments and penetration testing; and
- Incident response procedures.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that triggers notification obligations under applicable law, UPPER will notify affected Customers promptly.
9. Your Rights and Choices
Depending on your location, you may have rights regarding your personal data. These may include:
9.1 Access and Portability
You may request a copy of the personal data UPPER holds about you or your account, in a structured, machine-readable format where technically feasible.
9.2 Correction
You may request correction of inaccurate or incomplete personal data.
9.3 Deletion
You may request deletion of your personal data. Note that some data may be retained for legal or contractual compliance purposes.
9.4 Restriction and Objection
In certain circumstances, you may request that we restrict processing of your data or object to processing based on legitimate interests.
9.5 Opt-Out of Marketing
You may opt out of marketing emails at any time by clicking "unsubscribe" in any email or contacting legal@upperlev.com. You will continue to receive transactional service-related emails.
9.6 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. UPPER does not sell or share personal information as defined by the CCPA. To exercise CCPA rights, contact legal@upperlev.com.
9.7 EEA / UK Residents (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have rights under the GDPR/UK GDPR including rights of access, rectification, erasure, restriction, data portability, and the right to lodge a complaint with your local supervisory authority. To exercise these rights, contact legal@upperlev.com.
We respond to verifiable requests within 30 days (or as required by applicable law). We may need to verify your identity before processing a request.
10. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
| Category | Purpose | Can be disabled? |
|---|---|---|
| Strictly necessary | Authentication session management, security tokens, load balancing | No — required for Service to function |
| Functional | Remembering your preferences, language settings, UI state | Yes (may degrade experience) |
| Analytics | Aggregate usage analytics to understand feature adoption and improve the product | Yes |
UPPER does not use advertising or behavioral tracking cookies. We do not participate in cross-site tracking or interest-based advertising networks.
You can control cookies through your browser settings. For more information on managing cookies, visit allaboutcookies.org.
11. International Data Transfers
UPPER is based in the United States. If you or the candidates you source are located outside the United States, the relevant personal data may be transferred to and processed in the United States or other countries where UPPER or its subprocessors operate.
Where data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, UPPER relies on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission or the UK ICO. To obtain a copy of the applicable safeguards, contact legal@upperlev.com.
12. Children's Privacy
The Service is not directed to, and is not intended for use by, individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected such data, we will promptly delete it. If you believe we may have collected data from a child, please contact us at legal@upperlev.com.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email to the address associated with your account and/or by posting a notice within the Service at least 14 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this Policy was last revised. We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of any revisions constitutes acceptance of the updated Policy.
14. Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or UPPER's data practices, please contact us:
UPPER / UpperLev, Inc. — Privacy Team
Email: legal@upperlev.com
This is the sole contact address for all privacy-related inquiries, data subject requests, DPA requests, and subprocessor inquiries.
Website: upperlev.com