Upstream's Privacy Policy

Last updated: September 26, 2023

We at Upstream Security Ltd. (“Upstream”, “we”, “our” or “us”) offer automotive cybersecurity and data management solutions for connected vehicles that help companies (our “Customers”) to secure, optimize and enhance connected mobility all through one cloud-based data platform (the “SaaS Services”). We put great efforts into communicating our privacy practices and ensuring the information we process is safe and properly used.

This privacy policy (“Policy”) describes how we collect, use, store and disclose information that relates to identified or identifiable individuals (“Personal Data” and “Data Subjects”, respectively) who:

    • visit or otherwise interact with our websites (“Visitors”), available at www.upstream.auto/, or any other website, webpage, e-mail, text message, or online ad under our control (collectively – “Sites”) (collectively, with the SaaS Services, the “Services”);
    • interact with us with respect to the Services via various sales and marketing channels such as events, webinars, or other business activities, including via our selected business and channel partners, and resellers of our Services (collectively – “Prospects”); and/or
    • are registered to the Services as our Customer’s account users (“Users”) or account administrators and individuals who otherwise interact with us as the business contacts of our Customer (“Admins”, and together with Users, Visitors and Prospects – “you” or “your”).

Specifically, this Policy describes our practices regarding:

  1. Data Collection
  2. Data Uses
  3. Data Location
  4. Data Retention
  5. Data Sharing
  6. Cookies & Tracking Technologies
  7. Communications
  8. Data Security
  9. Your Rights
  10. Roles & Responsibilities
  11. Additional Notices & Contact Details

 

Please read this Policy carefully and make sure that you fully understand it. 

You are not legally required to provide us with any Personal Data, but without it, we may not be able to provide you with the full range of our Services or with the best user experience when interacting with our Sites. If you do not wish to provide us with your Personal Data or to have it processed by us or by our Service Providers (defined in Section 5 below), please avoid any further interaction with us or use of our Services. 

  1. Data Collection

    We collect and generate the following types of Personal Data about you:

    • Usage Data: When you visit our Sites or interact with our SaaS Services, we collect, record, or generate certain technical data about you. Such data usually consists of connectivity, technical and aggregated usage data, such as IP addresses and general locations, device and application data (e.g., type, operating system, mobile device ID, browser version, locale, and language settings used), usage date and time stamps, the cookies, pixels and other tracking tools installed or utilized on such Sites (as further detailed in Section 6) and your recorded activity (sessions, clicks, and other interactions) in connection with our Sites. We do so either independently or with the help of third-party Service Providers (defined in Section 5).
    • Prospect Data: This pertains to Personal Data relating to individuals who are employed or engaged by our prospective business customers or partners, which we collect in the following ways – 
      • Direct interactions and communications with us: Personal Data you provide when submitting an online form on the Sites (e.g., the “Demo Request”, “Newsletter Subscription”, “Partner Registration” and “Get the Whitepaper/eBook” forms), such as your full name, title, company, e-mail address, phone number, country, zip code, and your comments/questions, or when interacting with us through other means, including surveys, feedback, and analyses thereof. In this respect, please do not provide us with any Personal Data that is not required for us to process your request or inquiry.
      • Data received from third parties: We receive Prospect’s Personal Data from other sources. For example, if you participate in an event, webinar, or promotion that we sponsor or participate in, we may receive your Personal Data from its organizers. We may also receive your contact and professional details (e.g., your name, company, title, business contact details, and professional experience, preferences, and interests) from our business partners or Service Providers, and through the use of tools and channels commonly used for connecting between companies and individuals to explore potential business opportunities, such as LinkedIn.
    • Admin Data: We collect Personal Data such as your name, professional e-mail address, workplace, and your communications with us concerning your organizational account (e.g., email correspondences). We receive such data directly from you or from the Customer of which you are our internal focal person.
  2. Data Uses

    We use your Personal Data as necessary for the following purposes and in reliance on the lawful bases detailed in the chart below:

    Usage Data

    | Purpose | Legal basis for processing (GDPR applicable only) |
    | --- | --- |
    | To facilitate, operate and provide our Services. | Legitimate Interests |
    | To monitor, study and analyze the use of our Services. | Legitimate Interests |
    | To gain a better understanding of how individuals use and interact with our Sites, and how we could improve their and others’ user experience and continue improving our offerings and the overall performance of our Services. | Legitimate Interests; Consent (where applicable) |
    | To create aggregated data, inferred non-Personal Data, or anonymized or pseudonymized data (de-identified data), which we or our business partners may use to conduct research and to provide and improve our respective services. | Legitimate Interests |
    | To support and enhance our data security measures, including for purposes of preventing and mitigating the risks of fraud, error, or any illegal or prohibited activity. | Legal Obligations; Legitimate Interests |
    | To comply with court orders and warrants, prevent misuse of the Services, and take any action in any related legal dispute and proceeding. | Legal Obligations; Public Task; Legitimate Interests |
    | To comply with applicable laws and regulations. | Legal Obligations; Legitimate Interests |

    Prospective Customer Data

    | Purpose | Legal basis for processing |
    | --- | --- |
    | To contact you with general or personalized Services-related messages, as well as promotional messages that may be of specific interest to you. | Legitimate Interests; Consent (where applicable) |
    | To facilitate and optimize our marketing campaigns, ad management, and sales operations, and to manage and deliver advertisements for our products and services more effectively, including on other websites and applications. | Legitimate Interests; Consent (where applicable) |
    | To explore and pursue growth opportunities (e.g., by facilitating a stronger local presence and tailored experiences). | Legitimate Interests; Consent (where applicable) |
    | To facilitate, sponsor and offer certain events, webinars, and promotions. | Legitimate Interests; Consent (where applicable) |
    | To create aggregated data, inferred non-Personal Data, or anonymized or pseudonymized data (de-identified data), which we or our business partners may use to conduct research and to provide and improve our respective services. | Legitimate Interests |
    | To comply with applicable laws and regulations. | Legal Obligations; Legitimate Interests |

    Admin Data

    | Purpose | Legal basis for processing |
    | --- | --- |
    | To send you technical notices, updates, security alerts, information regarding changes to our policies, and administrative messages. | Legitimate Interests |
    | To act on your request to provide customer service and technical support. | Legitimate Interests; Consent (where appropriate) |
    | To create aggregated data, inferred non-Personal Data, or anonymized or pseudonymized data (de-identified data), which we or our business partners may use to conduct research and to provide and improve our respective services. | Legitimate Interests |
    | To support and enhance our data security measures, including for purposes of preventing and mitigating the risks of fraud, error or any illegal or prohibited activity. | Legitimate Interests; Legal Obligations |
    | To comply with applicable laws and regulations. | Legal Obligations; Legitimate Interests |

    If you reside or are using the Services in a territory governed by privacy laws under which “consent” is the only or most appropriate legal basis for the processing of personal data as described herein, to the maximum extent permitted by law, your acceptance of this Policy will be deemed as your consent to the processing of your personal data for all purposes detailed in this Policy.

  3. Data Location

    We and our authorized Service Providers (defined in Section 5 below) maintain, store and process Personal Data in Israel, the European Union (e.g., Germany), UK, Japan, Singapore, the United States of America, and other locations as reasonably necessary for the proper performance and delivery of our Services, or as may be required by applicable law.

    While privacy laws may vary between jurisdictions, Upstream, its affiliates, and Service Providers engaged in processing hereunder are each committed to protecting Personal Data in accordance with this Policy, customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection – regardless of any lesser legal requirements that may apply in the jurisdiction to which such data is transferred. To the extent we transfer personal data originating from the European Economic Area (EEA), the United Kingdom (UK), Switzerland, or Japan to countries that have not been recognized as offering an adequate level of data protection by the relevant competent authority, we rely on appropriate data transfer mechanisms as established under applicable law, such as the standard contractual clauses adopted by the EU (available here) and the UK (available here).

    Upstream Security Inc complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Upstream Security Inc has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. Upstream Security Inc has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

  4. Data Retention

    We will retain your Personal Data for as long as it is reasonably necessary in order to maintain our relationship and provide you with our Services and offerings; in order to comply with our legal and contractual obligations; to pursue our legitimate business purposes; or to protect ourselves from any potential disputes (i.e., as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with our data retention policy. 

    Please note that except as required by applicable law or our specific agreements with you or the relevant Customer, we will not be obligated to retain your Personal Data for any particular period, and we are free to securely delete it or restrict access to it for any reason and at any time, with or without notice to you. If you have any questions about our data retention policy, please contact us by e-mail at [email protected].

  5. Data Sharing

    We may share your data with certain third parties, including law enforcement agencies, our Service Providers and our affiliates, in accordance with this Policy and as described below:

    • Service Providers: We engage selected third-party companies and individuals to perform services complementary to our own. Such service providers include hosting and server co-location services, communications and content delivery networks (CDNs), data security services, fraud detection and prevention services, web analytics, e-mail distribution and monitoring services, session or activity recording and analysis services, performance measurement, data optimization and marketing services, social and advertising networks, content providers, e-mail, voicemail, support and customer relations management systems, workflow automation tools, and our legal, financial and compliance advisors (collectively, “Service Providers”). Our Service Providers may have access to your Personal Data, depending on each of their specific roles and purposes in facilitating and enhancing our Services, and may only use the data for such limited purposes as set out in our agreements with them.
    • Third-party Websites and Services: Our Sites include links to third-party websites and integrations with third-party services. Such websites and third-party services may process any Personal Data that you submit, transmit, or otherwise share with such websites and third-party services. Please note that such third-party services and websites are governed by such third party’s terms and privacy policies, and not by this Policy. We encourage you to carefully read the terms and privacy policies of such websites and third-party services before you use them.
    • Event Partners: If you register for any event that we host, organize or sponsor, then with your permission we may share your registration details with others, including the hosts, organizers, speakers, service providers, and/or sponsors of that event, so that they may contact you with relevant information and offers, or to fulfil any promotions related to that event.  
    • Legal Compliance: In exceptional circumstances, we may disclose or allow government and law enforcement officials access to your Personal Data, in response to a subpoena, search warrant, or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may only occur if we believe in good faith that: (a) we are legally compelled to do so; (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (c) such disclosure is required to protect the security or integrity of our Sites and related products and services.
    • Protecting Rights and Safety: We may share your Personal Data with others if we believe in good faith that this will help protect the rights, property or personal safety of Upstream, any of our partners, Customers or their Admins or Users, or any member of the general public.
    • Upstream Affiliates and Organizational Changes: We may share your Personal Data internally within our group of companies for the purposes described in this Policy. In addition, should Upstream or any of its affiliates undergo any change in control or ownership, including by means of merger, acquisition, or purchase of substantially all or part of its assets, Personal Data may be shared with or transferred to the parties involved in such an event. 

    For the avoidance of doubt, Upstream may share your Personal Data in additional manners, pursuant to your explicit consent, or if we are legally obligated to do so.

  6. Cookies & Tracking Technologies

    Cookies: Our Sites (including some of our Service Providers) utilize “cookies”, anonymous identifiers, pixels, container tags, and other technologies in order for us to provide our Services and ensure that they perform properly, to analyse our performance and marketing activities, and to personalize your experience. Such cookies and similar files or tags may also be temporarily placed on your device. Certain cookies and other technologies serve to recall Personal Data, such as an IP address, previously indicated by a Visitor. To learn more about our practices concerning cookies and tracking, please see our Cookies Policy.

    Google Analytics: We use Google Analytics to collect information about the use of our Sites. Google Analytics collects information such as how often you visit the Sites, which pages you visited when doing so, and which other sites you used prior to coming to our Sites. We do not merge the information collected through the use of Google Analytics with personally identifiable information. Google’s ability to use and share information collected by Google Analytics about your visits to and use of the Sites is restricted by the Google Analytics Terms of Service and the Google Privacy Policy. You can learn more about how Google collects and processes data specifically in connection with Google Analytics here. Further information about your option to opt out of these analytics services is available here.

    Hotjar: We use Hotjar in order to better understand our users’ needs and to optimize our digital content and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, user journey, etc.) and this enables us to build and maintain our digital content and improve it over time. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf. For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.

    We reserve the right to remove or add new analytic tools.

  7. Communications

    Service Communications: We will contact you from time to time with important information regarding our Services. For example, we may send notifications (through any of the means available to us) of changes or updates to our Services, billing issues, service changes, etc. Please note that you will not be able to opt out of receiving certain service communications which are integral to your use (like billing notices) of the Services.

    Promotional Communications: We will send you additional offerings, events, and special opportunities, or any other information we think you will find valuable. Generally speaking, we provide such communications through any of the contact means available to us (e.g., phone, mobile, or e-mail), or through our marketing campaigns on any other sites. If you do not wish to receive such promotional communications, you may notify Upstream at any time by sending an e-mail to [email protected], or by following the “unsubscribe”, or “manage preferences” instructions contained in the promotional communications you receive.

  8. Data Security

    We implement industry-standard physical, procedural, and electronic security measures to secure your Personal Data held with us, as also demonstrated by our ISO 27001 and SOC 2 security certifications, in order to minimize the risks of theft, damage, loss of information, or unauthorized access or use of information. However, please be aware that regardless of any security measures used, we cannot and do not guarantee that our Site will be immune from any wrongdoing, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.

  9. Your Rights

    If you wish to exercise your privacy rights under any applicable laws, including the EU General Data Protection Regulation (GDPR), such as the right to be informed; the right to request access to, and rectification or erasure of, your Personal Data held with us; to restrict the processing of such data; to object at any time to processing of Personal Data concerning you (as detailed in Section 2 above); to withdraw at any time your consent to any processing of your data on the basis of such consent; or the right to equal services and prices (each to the extent available to you under the laws that apply to you) – you may do so by contacting us at [email protected].

    Please note that when you ask us to exercise any of your rights under this Policy or applicable law, we may require additional information and documents, including certain Personal Data, in order to authenticate and validate your identity as needed to process your request. Some request-related information (e.g., correspondence related to your request) may be retained by us for legal purposes (e.g., as proof of the identity of the person submitting the request), in accordance with Section 4 above.

    Additionally, you have a right to lodge a complaint with a competent authority.

    If you would like to make any requests or queries regarding your Personal Data that we process on our Customer’s behalf, please contact the Customer or Admin of such Customer’s account directly, as they would be the “Data Controller” of such data (see Section 10 below).

  10. Roles & Responsibilities

    Certain data protection laws and regulations, such as the GDPR, typically distinguish between two main roles for parties processing Personal Data: the “Data Controller”, who determines the purposes and means of processing; and the “Data Processor”, who processes the data on behalf of the Data Controller. Below we explain how these roles apply to our SaaS Services, to the extent that such laws and regulations apply.

    Upstream is the Data Controller of Personal Data relating to Visitors and Prospects, as well as Usage Data relating to our Customer’s Users and Admins, and Admin Data (as detailed in Section 1 above). With respect to such data, we assume the responsibilities of data controller (solely to the extent applicable under the law), as set forth in this Policy. In such instances, our Service Providers processing such data on our behalf will assume the role of Data Processors. 

    Upstream is the Data Processor of the log-in details relating to Users or Admins, and of Personal Data relating to individuals whose vehicle data we may process on behalf of our Customer. Such Personal Data is processed on behalf of our Customer (who is the Data Controller of your Personal Data). If you are an individual and you have questions related to your Personal Data, please contact the Customer.

  11. Additional Notices & Contact Details

    Updates and Amendments: We may update and amend this Policy from time to time by posting an amended version on our Sites. The amended version will be effective as of the date it is published. We will provide prior notice if we believe any substantial changes are involved via any of the communication means available to us. After such notice period, to the maximum extent permitted by law, all amendments shall be deemed accepted by you.

    Our Services are Not Directed to Children: We do not knowingly collect Personal Data from children, nor do we wish to do so. If we learn that a person who is underage according to the law applicable to him or her is using the Services, we will make reasonable efforts to promptly delete any Personal Data stored with us with regard to such a child. If you believe that we might have any such Personal Data, please contact us by e-mail at [email protected].

    Data Protection Officer: Upstream has appointed PrivacyTeam Ltd. as our Data Protection Officer (DPO), for monitoring and advising on Upstream’s ongoing privacy compliance and serving as a point of contact on privacy matters for Data Subjects and supervisory authorities. If you have any comments or questions regarding this Policy, if you have any concerns regarding your privacy, or if you wish to make a complaint about how your Personal Data is being processed by Upstream, you can contact our DPO at [email protected].

    EU Representative: Upstream Security GmbH, c/o Mazars GmbH & Co. KG, Theodor-Stern-Kai 1, 60596 Frankfurt am Main, Germany.

    Questions, Concerns, or Complaints: If you have any comments or questions regarding this Policy, or if you have any concerns or complaints regarding your Personal Data held with us, please contact us at [email protected].