Privacy

Topper Privacy Notice

Last updated september 6th, 2024

This Privacy Notice describes how Topper collects, uses, and shares the Personal Data that it receives from you. It answers the following questions:
‍

How do we collect Personal Data about you?
What Personal Data do we collect?
Cookies and Similar Tracking Technologies
How do we use your Personal Data, and on what legal basis do we collect your Personal Data?
How do we keep your Personal Data safe?
How do we share your Personal Data?
Do we transfer your Personal Data outside of the European Union?
What are your legal data privacy rights?
How long do we retain your Personal Data?
Notice to California Residents
How do we protect children’s privacy?
How do we use your Personal Data to inform you and market to you?
How do we make changes to this Privacy Notice?
Where does this Privacy Notice apply?
Who can you contact if you have further questions or requests about your privacy?

Topper or the “Service” is offered by Uphold HQ Inc. to individuals residing in the U.S., by Uphold Europe Limited to individuals residing in the U.K., by Uphold Lithuania UAB to individuals residing in the EEA, and by Uphold Worldwide Ltd. to individuals residing elsewhere. Throughout this Privacy Notice, the term “Topper”, “Uphold”, “we”, “us” or “our” refers to the relevant entity that provides the Service to you.

It is important that you read this Privacy Notice together with any other Privacy Notice or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.

How do we collect Personal Data about you?

We collect Personal Data about you both directly and indirectly when you register, open and use a Topper account. We also collect the information that is sent to us by your device to improve your experience. If you are using Topper on a location-enabled device we may also collect geographical location data or use various means to determine your location (such as sensor data from your device that may, for instance, provide data on nearby cell towers and Wi-Fi access spots). We may also automatically collect technical data about your equipment, browsing actions and patterns by using cookies, server logs, and other similar technologies. Please see the section on Cookies and Similar Tracking Technologies for additional information.

We also receive data about you indirectly from third parties, for instance technical data from analytics and advertising partners like Google; from identity verification providers and other screening services; and affiliated and non-affiliated third parties, such as credit bureaus and other financial institutions.

What Personal Data do we collect?

We only collect the Personal Data necessary to offer and support our Topper services and meet our legal and regulatory obligations. It may be collected directly from you or indirectly from other sources and an overview is provided below.
‍
Identity verification data: To verify your identity, we collect your name, address, phone, email and facial image (selfie). We may also require you to provide additional Personal Data for verification purposes, including your date of birth, taxpayer or government identification number, or a copy of your government-issued identification. We may obtain information from affiliated and non-affiliated third parties, such as credit bureaus, identity verification services, and other screening services to verify that you are eligible to use Topper.

Financial data: We may collect various information regarding your finances from third parties and this may include accounts and credit and debit cards you hold, balances, transactions, and a risk score.

Account activity data: We collect information about your transactions using Topper, as well as other details of products and services you have purchased from us.

Application use data: We may collect data on your interaction and use of Topper. This includes visits to our website or app, sign-up activity, your debit or credit card, other payment details to enable you to use Topper, along with any additional information you may disclose to our user support team in order to resolve problems you report.

Your device data: We collect and process your internet protocol (IP) addresses, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access Topper.

Marketing data: We collect and process your preferences in receiving marketing from us, and your email address.

Cookies and Similar Tracking Technologies

We and third parties on our behalf may employ various tracking technologies, such as cookies. and other similar technologies (collectively, “Tracking Technologies”) to collect additional Personal data automatically as you interact with our Services, that help us to personalize your experience with our Service, and help us better manage content on our Service by informing us what content is effective.

Cookies

Cookies are small data files stored on your hard drive by a website. Cookies help us make our website and Service and your use of them better by allowing us to recognize your browser and capture and remember certain information. We may use cookies and similar technologies for various purposes, including to:
‍

Analyze our web traffic using an analytics package
Identify whether you already visited our Sites
Test content on our Sites
Store information about your preferences
To recognize when you return to our Sites
Track advertising attribution statistics

Our Sites may use a ‘load balancer’ to store an identifier on your browser to help keep you connected to the same web server throughout your visit, for a smoother browsing experience.Similarly, session cookies enable our individual web servers to keep track of your progress throughout your visit. When you submit data through a form such as a contact page or comment box, cookies may be set to remember your user details for future correspondence.

We may use the following third-party cookies:
‍

Cloudflare - to keep the connection stable and to identify spammers.
Google Analytics (including Ad tags) - website traffic tracking and user ad targeting. It helps us to analyze how you use our sites along with the performance of various advertisements we place.
LinkedIn Ads - user ad targeting and advertisment performance.
Twitter Ads - user ad targeting and advertisment performance.

If you do not want Topper to deploy cookies and other similar technologies in your browser, you can decline these via our cookie consent banner, opt-out by setting your browser to refuse some or all cookies, or notify you when a website tries to set a cookie in your browser software. If you choose to disable cookies in your browser, you can still use the Website, although your ability to use some of the features may be affected. If you want to learn the correct way to modify your browser settings, please use the Help menu in your browser or review the instructions provided by the following browsers: Internet Explorer, Google Chrome, Mozilla Firefox, Safari Desktop, Safari Mobile; and Android browser.

If you want to exercise your rights regarding personal data collected via cookies and similar tracking technologies, please see the What are your legal data privacy rights section below.

The information generated by the cookies will be transferred to Google and Cloudflare in the above-mentioned scope. Therefore, we would like to inform you that detailed information on the use of cookies by these entities can be found at:

Google Link
Cloudflare Link
‍
Analytics

Our Site and our third-party technology providers use third-party analytics services (such as Google Analytics) to evaluate your use of the Sites, compile reports on activity, collect demographic data, analyze performance metrics, and collect and evaluate other information relating to the Sites and Internet usage. These third parties use cookies and other technologies to help analyze and provide us the data. For more information on how to opt-out Google Analytics tracking, click here.

You can opt-out of targeted advertising by using the links below:
‍Google
‍Twitter
‍LinkedIn

‍Additionally, you can opt-out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/. Or by visiting any of the links below: http://optout.networkadvertising.org/ or http://youronlinechoices.eu/.

How do we use your Personal Data, and on what legal basis do we collect your Personal Data?

Listed below are the ways in which we may use and process your Personal Data.
‍

To provide you with a service: It may sound obvious, but we need to make Topper workin the first place. Without your name, credit/debit card information, and other details; and information about your interaction and use of Topper and the technology you use to access Topper, we simply could not offer you our products and services.
To verify your identity: As a financial institution, it is essential that we are able to confirm the true identity of our users. There are rules and regulations across the globe that require us to identify our customers, including laws concerning anti-corruption, anti-bribery, anti-terrorism, and anti-money laundering. We use Veriff to verify your identity by determining whether a selfie you take matches the photo in your government-issued identification. Veriff’s facial recognition technology collects information from your photos that may include biometric data, and when you provide your selfie, you will be asked to agree that Veriff may process biometric data and other data (including special categoriesof data) from the photos you submit and share it with us. Automated processes may be used to make a verification decision. Veriff’s privacy policy describes its collection, processing, storage and use of your personal data in more detail.
To verify your address: We use Ekata to validate your physical address. Automated processes may be used to make a verification decision. Ekata’s privacy policy describes its collection, processing, storage and use of your personal data in more detail. In lieu of Ekata, we may use Trulioo to validate your physical address. Automated processes maybe used to make a verification decision. Trulioo’s privacy policy describes its collection, processing, storage and use of your personal data in more detail. We additionally may require further address verification and validation through our partner, SumSub by requesting that you provide us with documentation verifying your physical address suchas bank statements, utility bills, Internet/cable TV/house phone line bills, tax returns, council tax bill, and or government-issued certifications of residence. SumSub’s Privacy Notice describes its collection, processing, storage and use of your personal data in more detail.
To perform your transactions: To verify that you are eligible to use Topper and perform the transactions you request, and also to ensure compliance with regulatory requirements (e.g., anti-money laundering laws) and our own internal policies, we must receive and share various information regarding your finances with third parties including accounts you hold, balances, transactions, and a risk score. Please review our sub-processor list for more information on these third-parties.
To prevent fraud: We use the personal information we collect in connection with providing you our services to detect and prevent fraudulent activity. We share thisinformation with Unit 21 and Sift, both third party service providers, to assist us with this effort. Unit 21 and Sift use various technologies to capture various device identifiers, such as canvas fingerprinting and may use automated decision making in order to detect and prevent fraudulent activity. For more information on the privacy practices of Unit 21 please review their Privacy Policy. For more information on the privacy practices of Sift, please review their Service Privacy Notice.
To keep your account secure: We use your phone number to verify the number you provide at signup. This includes sending SMS or text messages (including by an automatic telephone dialing system) to any of the phone numbers provided by you or on your behalf in connection with your Topper account. We additionally use your email address to conduct a verification round trip at each session.
To keep you informed: It is important for security and financial transparency that we keep you aware of your transactions and related activity at Topper. We will send you emails with confirmations, invoices, technical notices, updates, security alerts, legal and support and administrative messages.
For investigations: Occasionally, we need to look at your account activity in order to check and protect against fraudulent, unauthorized or illegal behavior.
For customer care: We strive to make sure you can easily use Topper with no headaches, but sometimes you need help. Our customer care team will occasionally need access to your account data in order to fix any issues or answer your questions.
To manage and improve our service: We like to understand how you use and engage with Topper in order to make sure it is the best it can be. This process includes combining different accounts, transactional, marketing and other data to analyze the effectiveness and performance of our offering.
Marketing and advertising analytics: We want you to be aware of product updates, news, events, and promotions and much more. If you consent, we will (i) send you information, including regular personalized emails, to keep you up to date with all things Topper; (ii) keep you informed of industry updates and much more; (iii) from time to time we may also invite you to take part in our polls, surveys, focus groups and other types of market research; and (iv) if you have consented / opted in by accepting our cookies we collect hashed identifiers derived from email addresses for the purposes of cross-device tracking for targeted advertising, and where you may have seen Topper advertisements.
Business operations: We may need to use your Personal Data for our business operations, including internal training and administration, legal compliance, to enforce our legal rights, to protect third party rights, and in connection with a business transition such as a merger, acquisition by another company, or sale of all or a portion of our assets.
Website and software applications: We use data analytics to improve our website and software applications, activities and operations, products/services, events, etc.
Third parties: If you (i) use Topper by (a) using an application (whether directly or by authorizing an application to use Topper, (b) using a link provided by a third-party, or (c) any third party integrations or (ii) if you partner with us in a program or other business arrangement where a third-party intermediary is involved, all such third parties may receive detailed information about your account, your use of Topper, transaction history or even the ability to take actions on your behalf. When you authorize an application or third party integration via Topper, you will be notified of what Personal Data will be shared with these third parties. Information collected by these applications or third-party integrations are subject to their terms and policies and are required by contract by Uphold to maintain the confidentiality and security of your Personal Data.

The primary legal grounds upon which we collect and process your Personal Data are:
‍

through obtaining your consent at the time of collection,
due to the necessity of doing so to perform the services as requested,
in order to comply with our legal obligations, and
to pursue our legitimate interests (e.g., to improve our services).

Note that we may process your Personal Data for more than one lawful basis depending on the specific purpose for which we are using that data.

How do we keep your Personal Data safe?

We have implemented security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.

We protect your Personal Data by maintaining physical, electronic, and procedural safeguards, incorporating tested security technologies, in compliance with applicable laws. We may use network safeguards such as firewalls and data encryption, enforce physical access controls, and authorize access to Personal Data only for those people who require access to fulfill their job responsibilities.

In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality. Those with access to your Personal Data are carefully screened, periodically reevaluated, and are required to keep all your Personal Data confidential.

Do we transfer your Personal Data outside of the EU?

Topper’s parent company Uphold is headquartered in the United States. Many of our affiliates and third party service providers are based outside the EEA, so processing of your Personal Data may involve a transfer of your Personal Data outside the EEA and may be maintained or accessed in servers or files located in countries outside the EEA, including the United States.

By voluntarily providing your Personal Data on or via this website or app, you consent to its transfer, processing and storage in the United States or other countries outside the EEA, some which have not been deemed by the EEA to have “adequate” privacy safeguards.

Whenever we transfer any Personal Data outside the EEA, we will put in place an adequate level of protection to ensure that any such transfers comply, and are consistent with applicable EU data protection laws, including with respect to transfers among Uphold affiliates, the standard data protection clauses adopted by the EU Commission.

Please contact us at data.privacy@uphold.com if you are located in the EU and want further information on the specific mechanism used by us when transferring Personal Data outside of the EEA.

What are your legal data privacy rights?

You have the right to:
‍

Access the Personal Data we store and process about you or to request a copy of it to transfer to another service provider.
Request that we correct inaccurate data about you.
Ask us to delete, restrict, or object to us processing your data, although for legal reasons (e.g. anti-money laundering rules and regulations) we cannot always do this.
Request the transfer of your personal data to you or to a third party, in a structured, commonly used, machine-readable format.
Withdraw your consent at any time where we are relying on consent to process your personal data, including for marketing
To lodge a complaint with a supervisory authority.

Your marketing preferences can be updated within Topper under your user settings or through any Newsletter via the “Unsubscribe” link. For all other Data Privacy inquiries, please submit your request through our standard customer support process, by contacting our Support Team.

Also, under the relevant privacy laws of the EEA (including the European Union’s General Data Protection Regulation) in respect of your EEA Personal Data you may have a number of important rights. For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the European Commissioner’s Office (ECO) on individual’s rights under the European Union’s General Data Protection Regulation here.

How long do we retain your Personal Data?

Topper’s parent company Uphold maintains reasonable procedures to help ensure that your Personal Data is reliable for its intended use, accurate, complete, and current.
‍

We will only retain your Personal Data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, as well as other factors required by General Data Protection Regulation or other laws to which we are subject, including those relating to anti-money laundering and counter terrorist financing. Our legal and regulatory compliance obligations require that we retain customer data for a period of 7 years after the end of the customer relationship.
When it is no longer necessary to retain your Personal Data, we will securely delete it, subject to applicable law and regulations.
In some circumstances, we may anonymize your Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
If you request that we stop sending you marketing materials, we will continue to keep a record of your contact details and appropriate information to enable us to comply with your request not to be contacted by us.
Should you make a Data Subject request through our standard customer support channel, we will retain the minimum required amount of data in order to keep a record of your request and the action we took to resolve it.

Notice to California Residents

This section applies to California residents. The purpose of this section is to inform California residents (“consumers” or “you”), at or before the time of collection of “personal information” (as that term is defined in the California Consumer Privacy Act (“CCPA”) amended by the California Privacy Rights Act 2020 (CPRA), effective January 1, 2023), about our data collection practices and your privacy-related rights under California law). Your “right to know” about personal information collected, used, and disclosed by Topper includes what categories of personal information we collect from you and the purpose for its collection; how we use those categories of personal information; and how we share the personal information you entrust to us.

Categories of Personal Data Collected

The chart below describes the categories of personal information that Uphold has collected in the preceding 12 months, the sources and purpose of such collection, and the parties to whom the information was shared for business purposes.
‍

Category	Examples	Collected
A. Identifiers.	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.	YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.	YES
C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	NO
D. Commercial information.	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	NO
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	YES
F. Internet or other similar network activity.	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	YES
G. Geolocation data.	Physical location or movements.	YES
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	YES
I. Professional or employment-related information.	Current or past job history or performance evaluations.	NO
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	NO
K. Inferences drawn from other personal information.	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	NO

Topper obtains the categories of personal information (including sensitive personal information) listed above from the following categories of sources:
‍

Directly from you. For example, from forms you complete or products and services you purchase, or from applications for employment with us.
Indirectly from you. For example, from observing your actions on our Website.
From third parties. For example, from our third-party service providers to verify your identity or to facilitate our provision of services to you.

All references to personal information below may include sensitive personal information as explained above.

Rights Under the CCPA

Access to Specific Information and Data Portability Rights – Subject to certain exceptions, if you are a California resident you have the right to request a copy of the personal information that we collected about you during the 12 months before your request. Once we receive your request and verify your identity, we will disclose to you:
‍

The categories of personal information we have collected about you;
The categories of sources for the personal information we have collected about you;
Our business or commercial purpose for the information collection;
The categories of third parties with whom we share that personal information;
The specific pieces of personal information we collected about you.

Sale of Personal Information

You have the right to request that we disclose to you: the categories of your personal information that we sold, and the categories of third parties to whom your personal information was sold. Topper does not sell your personal information in its ordinary course of business and will never sell your personal information to third parties without your explicit consent.

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request through our standard customer support process, by contacting our Support Team.

Use of an Authorized Agent to Submit a Request

Only you or a person you formally authorize to act on your behalf, may make a verifiable consumer request related to your personal information as a California consumer. If you use an authorized agent to submit such a request, we will require written proof that the authorized agent has been authorized to act on your behalf or a copy of the power-of-attorney document granting that right.

How do we protect children’s privacy?

We do not knowingly solicit or collect information from individuals under 18. If we become aware that a child under the age of 18 has provided us with Personal Data, we will close the account and restrict their information. If you believe that we might have collected Personal Data from a child under 18, please contact us using the information below.

How do we use your Personal Data to inform you and market to you?

In compliance with applicable laws, we may send you personalized marketing information, including by email, and such information may include product and service updates, industry news, our events, activities and offers, information about our business and personnel and tips. We may combine your Personal Data such as age, transaction history, account usage to improve the value and specificity of these communications.

You can ask us to stop sending you marketing messages or information at any time by following the “unsubscribe” link on any marketing message sent to you or by updating your contact preferences directly on the Uphold Platform. Please note, it may take up to 10 days for this to take effect. Where you opt out of receiving these marketing messages or publications, this will not apply to Personal Data collected by or provided to us in connection with a specific purpose, request, order, event or activity or any dealings with you, and you may still receive emails from us relating to the operation of Topper, like transaction confirmations.

How do we make changes to this Privacy Notice?

This version was last updated on the date indicated above and historic versions are archived and can be obtained by contacting us. We may update this Privacy Notice from time to time as we deem necessary or appropriate in our sole discretion. If there are any material changes to this Privacy Notice, we will notify you by email, by means of a notice on Topper, or as otherwise required by applicable law. We encourage you to review this Privacy Notice periodically to be informed regarding how we are using and protecting your information and to be aware of any changes. Any changes to this Privacy Notice take effect immediately after being posted or otherwise provided by us.
‍
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

Where does this Privacy Notice apply?

This Privacy Notice applies to all of the Topper services. This Privacy Notice does not apply to services that have separate Privacy Notices that do not incorporate this Privacy Notice.

This Privacy Notice doesn’t apply to the information practices of other companies and organizations that advertise our services or to services offered by other companies or individuals, including products or sites that may include Topper or be linked from Topper.

This website and app may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their Privacy Notices. When you leave our website, we encourage you to read the Privacy Notice of every website you visit.

Who can you contact if you have further questions or requests about your privacy?

You can direct any questions or complaints about the use or disclosure of your Personal Data to us by contacting us as set out below. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your Personal Data as soon as possible.
‍
If you have any questions about this Privacy Notice or need to contact us, please email us at data.privacy@uphold.com, or contact us by mail at 80 East Sir Francis Drake Blvd., Ste. 3D, Larkspur, CA 94939. All Data Subject Requests should be submitted to our Customer Support Team. Uphold does not process requests received by a privacy automated service (bot). All requests must come directly from the individual to the email address noted above.

As Uphold is based in the United States it has appointed Uphold, Lda. a company incorporated in Portugal (Co. Number: PT513095136) to be its representative within the EEA. They may be contacted at data.privacy@uphold.com.

If you are a resident of the European Union and are dissatisfied with the resolution of your complaint in respect of your EEA Personal Data, you may contact the EU data protection authority in your jurisdiction using the contact details provided here for further information and assistance.
‍

Subprocessor	Purpose	Country
Amazon	Cloud Hosting	United States
Checkout.com	Credit/Debit Card Processing	United States
Customer.io	Customer communications	United States
DLocal	Payment Processor	Brazil
Ekata	Address Verfication Services	United States
Trulioo	Address verification Services	Canada
Veriff	Identity Verification	Estonia
SumSub	Address verification Services	Germany
Sift	Fraud Prevention	United States
Twilio	Automated SMS Services	United States
Unit 21	Fraud Prevention	United States
Zendesk	Customer Support Ticket Management	United States