Privacy Policy

This Policy applies to all information we collect or process as a controller about you through:

• The Site at uplevelservicesllc.com, including any page, form, or interactive element;
• Our email correspondence with you at admin@uplevelservicesllc.com or any other UpLevel email address;
• Telephone calls, voicemails, or text messages you exchange with us;
• The AI-powered voice assistant on the Site or reached by phone;
• Calendar-scheduling invitations and confirmations sent through Calendly in connection with the Site;
• An UpLevel account that you hold or use, our invite-only client portal (and any operator account), including the information described in Section 3.5, for which UpLevel acts as controller; and
• Any other communication or information-collection channel that references this Policy.

This Policy does not apply to third-party websites, services, or platforms linked from the Site, which are governed by their own privacy policies. This Policy also does not apply to data UpLevel processes on behalf of its clients under a written Master Service Agreement and Statement of Work; such processing is governed by the terms of those agreements and, where applicable, a separate Data Processing Addendum (see Section 10.5).

UpLevel is the entity responsible for the Site and for information collected through the Site and the client portal. Our contact information is:

UpLevel Services LLC
A Virginia single-member limited liability company
Glen Allen, Virginia 23059, United States
Email: admin@uplevelservicesllc.com
Website: uplevelservicesllc.com

We collect the categories of information described below. The specific information we collect depends on how you interact with the Site and whether you hold an UpLevel account.

3.1 Information You Provide Directly

When you submit a contact form, send us an email, schedule a meeting, or speak with us (including through the AI voice assistant), you may provide the following information:

• Contact details: name, email address, telephone number (optional), business or company name, professional title;
• Inquiry content: description of your situation or needs, budget signal, project type, timeline, industry, geographic location, or other details you choose to provide in a freeform message or call;
• Meeting-scheduling information: preferred meeting times, time zone, meeting purpose, and any notes you include when booking;
• Voice and transcript data: if you initiate a conversation with our AI voice assistant, the audio of your voice, the AI-generated transcript of the conversation, and any name, phone number, email, or project details you voluntarily provide during the conversation;
• Other information you voluntarily provide in the course of communicating with us.

3.2 Information Collected Automatically

When you access or use the Site, certain information is collected automatically through Site-hosting infrastructure and a limited set of functional cookies:

• Device and connection information: Internet Protocol (IP) address, browser type and version, operating system, device type, screen resolution, and language preferences, observed by our hosting provider as part of serving and securing the Site;
• Site-usage information: pages requested, timestamps, referring information, and interaction events necessary to deliver and secure the Site;
• Approximate geographic information: a coarse, country- or region-level location inferred from network routing (we do not collect precise GPS coordinates);
• Server-log and security information: access logs, request metadata, timestamps, and security-event data used for fraud prevention, abuse detection, rate-limiting, and Site integrity, collected by our hosting provider, Vercel Inc., and our DNS + edge-network provider, Cloudflare, Inc.

How we handle IP addresses, read this carefully, because it varies by context. (a) The public contact form does not store your IP address with your message. (b) Our first-party analytics beacon stores no IP address at all (Section 9.3). (c) Server access logs maintained by our hosting provider retain IP for a limited security window (Section 12). (d) When you accept our Terms or this Policy, grant a consent we rely on, submit an intake form, electronically sign a document, or sign in to your account, we record the IP address and browser/user-agent associated with that action as part of the record of it, for account security, fraud prevention, and proof of consent, and retain it as described in Section 12. We do not use IP addresses to build advertising profiles, and we use no third-party advertising or analytics cookies (Section 9).

3.3 Information From Third-Party Services

We may receive information about you from third-party services we use:

• Calendly Inc.: when you book a meeting with us through a Calendly link, Calendly collects your name, email address, time zone, and meeting preferences, and shares confirmation details with us. Calendly's collection and use of your information is governed by Calendly's own privacy policy, not ours;
• Vapi AI Inc.: if you interact with our AI voice assistant, Vapi (and the voice-synthesis and telephony sub-processors it engages) processes your voice data to enable the conversation and provide a transcript to us;
• Make.com s.r.o. and Typeform: when your inquiry or brand-intake submission is routed through our internal workflow, these services process your submitted details to deliver them to our systems;
• Resend Inc.: when we send you a transactional or confirmation email, Resend processes your email address to deliver the message;
• Google LLC and Microsoft Corporation (federated sign-in): if you sign in to your account using Google or Microsoft, we receive a verified email address and a stable account identifier from that provider (see Section 3.5).

The complete, current set of authorized third-party service providers and sub-processors is disclosed in Section 10.1.

3.4 Information We Do Not Collect

We do not collect: payment-card numbers (payments for our services are made by bank transfer; a third-party card-payment processor is not currently active on the Site, and UpLevel does not store card or bank-account numbers, see Section 3.5, and the Website Terms of Service, Section 11); social-security numbers; driver's-license or state-identification numbers; medical or health information; biometric identifiers (other than voice audio voluntarily submitted to the AI voice assistant); precise geolocation data; or any category of information we have no business need to process.

For the avoidance of doubt, UpLevel does not create, derive, or store voiceprints or other unique biometric templates from voice audio for the purpose of uniquely identifying any individual. Voice audio is processed solely to enable the conversation, generate a transcript, and support the purposes described in Section 6.2. See Sections 8 and 21.7.

3.5 Information Collected Through an UpLevel Account

UpLevel operates an invite-only client portal. There is no public self-registration; accounts are created by invitation. If you hold or use an UpLevel account (a client account, an authorized team-member account, or an operator account), we collect and process the following as controller:

• Account and identity: your email address; your password, stored only as a salted, peppered one-way hash (never the password itself, see Section 18); two-factor-authentication enrollment, recovery codes, and any short-lived one-time sign-in codes, including a one-time code we may email to your account address as a sign-in fallback, all stored encrypted or hashed, never in the clear; optional federated-login identifiers if you sign in with Google or Microsoft (Section 3.3); and a display name. For client accounts we also hold your legal or business name, entity type, state of formation, business address and phone number, and service tier and status;
• Authentication and security telemetry: for each sign-in session and for security-relevant events, we record the IP address, browser/user-agent, and a device indicator, for account security, session management, and fraud and abuse detection (this is separate from analytics, see Section 9);
• Messages and files: the content of messages you exchange with UpLevel through the portal, and any files you upload (images and PDFs), including the filename, type, and size. Uploaded files are stored in a private location and are released for use only after operator review (see the Website Terms of Service);
• Billing: invoice and payment records (amounts, status, and timestamps). We do not store payment-card numbers;
• Consent and acceptance records: the version and text of the Terms, this Policy, and (for clients) the Master Service Agreement you accept, the date and time of acceptance, and the IP address and user-agent at the moment of acceptance; together with your separate, unbundled consents (to electronic communications, to SMS, to AI-voice recording, to eligibility, to authority to bind your entity, and to intellectual-property warranties);
• Intake submissions: if you complete a brand-intake form, the answers you provide, signer name, title, and email, and the submission's IP address and user-agent;
• Operator-maintained records: internal notes and lifecycle or relationship-management fields that UpLevel keeps about an account. These are accessible only to UpLevel personnel and are never visible to the client.

The personal information we process comes from the following sources:

• Directly from you, through contact forms, emails, phone calls, AI voice-assistant interactions, meeting scheduling, brand-intake forms, and your use of the client portal;
• Automatically from your device and browser, through functional cookies, server logs, and similar technologies when you visit the Site or use your account;
• From our service providers and processors, including Calendly, Vapi, Make.com, Typeform, Resend, Supabase, Vercel, Cloudflare, Twilio, and Upstash, in connection with the services they provide to us (see Section 10.1);
• From identity providers, namely Google or Microsoft, if you choose to sign in to your account with federated sign-in;
• From publicly available sources, such as your public business website, LinkedIn profile, Google Business Profile, or other public information we may consult to determine fit for our services prior to or in connection with your inquiry.

For clarity and consistency with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the "CCPA"), the following table maps the information described in Section 3 to statutory categories of personal information. This categorization is provided as a reference regardless of whether the CCPA currently applies to UpLevel.

We use the information we collect for the following business purposes. The specific uses depend on the information and the context in which it is collected.

6.1 Contact-Form and Inquiry Information

• Respond to your inquiry and provide the information you requested;
• Evaluate whether your business is a fit for UpLevel's services;
• Schedule and conduct discovery calls or meetings;
• Follow up with you about your inquiry and related services;
• Maintain business records of inquiries received;
• Send you transactional or confirmation emails relating to your inquiry.

6.2 AI Voice Assistant Audio and Transcripts

• Qualify you as a prospective client and determine fit;
• Enable UpLevel personnel to follow up with you after the conversation;
• Conduct quality-assurance review of the AI voice assistant's performance;
• Improve the accuracy and effectiveness of the AI voice assistant and related systems;
• Comply with call-recording consent and record-keeping requirements.

6.3 Analytics and Automatically Collected Information

• Understand, in aggregate, how the Site and the websites we build are used and which content is engaging;
• Diagnose technical issues, improve performance, and guide design decisions;
• Detect and prevent fraud, abuse, bot traffic, and unauthorized access;
• Monitor and secure operations;
• Plan business priorities.

6.4 Account and Service-Delivery Information

• Create, operate, secure, and support your UpLevel account;
• Authenticate you, including through two-factor authentication and, if you choose it, federated sign-in;
• Deliver portal messaging, document review and electronic signature, and file exchange;
• Issue and administer invoices and record payments;
• Send service, security, and (where you have consented) text-message (SMS) communications;
• Execute and retain electronic signatures and proof-of-consent records;
• Maintain a tamper-evident audit log of security- and account-significant events.

6.5 All Information Across Categories

• Enforce our Website Terms of Service and other applicable agreements;
• Comply with applicable legal, regulatory, and contractual obligations;
• Respond to lawful requests from regulators, law enforcement, and courts;
• Establish, exercise, and defend legal claims;
• Conduct corporate-development activities such as financing, restructuring, merger, acquisition, or asset sale.

For visitors located in the United States, our processing is principally based on our legitimate business interest in operating a business-to-business inquiry channel, responding to prospective-client communications, securing our Site and systems, and maintaining accurate business records, together with your consent where you voluntarily submit information or initiate interaction with the AI voice assistant. For people who hold an UpLevel account, we additionally process information as necessary to perform, or take steps toward, a contract with you or the entity you represent (operating the account, delivering the portal, billing, and support). Where processing is required to comply with law, we process information on that legal basis. We do not rely on any legal basis beyond what is permitted under applicable United States law.

Where we send marketing communications or deploy regulated outreach channels, we obtain the separate, unbundled consents described in Section 21.6. We do not merge those consents into a single "agree to be contacted" election.

UpLevel is not directed at, and does not intentionally target, residents of the European Economic Area, the United Kingdom, or Switzerland. If you are a resident of such a jurisdiction and voluntarily submit information to us, see Section 23 (International Visitors) below.

UpLevel does not intentionally collect sensitive personal information as that term is defined under applicable United States privacy laws, including without limitation precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health information, sex-life or sexual-orientation information, government-issued identification numbers, or financial-account credentials.

For clarity, while the AI voice assistant records voice audio that you voluntarily submit, UpLevel does not use that audio to generate a voiceprint or any other biometric identifier for the purpose of uniquely identifying a natural person. We therefore do not treat that audio as biometric data of the kind regulated by state biometric-privacy statutes premised on unique biometric identification.

The Site's contact form, brand-intake form, AI voice assistant, and portal messaging accept freeform text, voice, or file input. If you voluntarily disclose sensitive personal information, including any health or medical information, in a freeform message, in a conversation with the AI voice assistant, in an uploaded file, or in any other communication with us, we will handle that information with the same care as other categories we collect, but we discourage you from submitting sensitive personal information. If you have inadvertently submitted sensitive personal information you wish us to delete, contact us at admin@uplevelservicesllc.com.

We do not use or disclose sensitive personal information for any purpose other than those permitted under the CCPA and analogous state laws without providing you notice and the opportunity to limit such use.

The Site uses a limited number of cookies and similar technologies to enable functionality and to measure usage. We do not use cookies to sell personal information, to facilitate targeted advertising, or for cross-context behavioral advertising.

9.1 Strictly Necessary / Functional Cookies

We use session cookies and similar mechanisms necessary to deliver the Site and the portal, to keep you signed in, to remember your preferences during a session, and to protect against abuse (including a cross-site-request-forgery token and a session token). These cookies do not require your consent under applicable United States law.

9.2 No Third-Party Advertising or Analytics Cookies

UpLevel does not deploy Google Analytics, third-party advertising cookies, advertising pixels, social-media trackers, or cross-context behavioral-advertising technologies on the Site. We do not load third-party analytics scripts that profile you across other websites. Site usage that we do measure is handled through the first-party, cookieless beacon described next, or through server logs maintained for security and delivery.

9.3 First-Party, Cookieless Analytics Beacon

UpLevel operates a first-party analytics beacon that measures website usage without cookies and without identifying you. Where it runs, including on websites UpLevel builds and operates for a client, it records only: an anonymous per-visit session identifier that resets each browser session and is never a persistent or cross-site identity; the page path with any query string removed; the referring site's host name only (never the full referring URL); a coarse device class (desktop, mobile, or tablet); and a coarse country derived from network routing. It sets no cookies and stores no IP address. It honors the browser "Do Not Track" and Global Privacy Control signals, sending nothing when those signals are present. Where this beacon runs on a client's own website, that measurement is part of the services UpLevel provides to the client and is governed by the client's agreement and the Data Processing Addendum (Section 10.5); the privacy posture described here applies in either case.

9.4 Do-Not-Track and Global Privacy Control

UpLevel honors the Global Privacy Control ("GPC") and "Do Not Track" signals to the extent described in Section 9.3. Separately, where applicable law requires us to treat GPC as an opt-out of sale or sharing, we will honor that signal, though, as described in Section 11, UpLevel does not sell personal information and does not share personal information for cross-context behavioral advertising, so there is no sale or sharing for GPC to stop.

We disclose personal information to the following categories of recipients for the business purposes described below. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

10.1 Service Providers and Processors

We disclose personal information to third-party service providers and processors who perform functions on our behalf pursuant to contractual obligations that restrict their processing of the information to the services they provide to us and prohibit them from selling the information. The following table lists our current authorized service providers and sub-processors and the business purposes for which they process personal information. We reconcile this list periodically with the authorized sub-processor list in the Data Processing Addendum referenced in Section 10.5.

In addition to the authorized sub-processors above, UpLevel uses Google Workspace (Google LLC) as its internal business-email service to receive, process, and store email correspondence at admin@uplevelservicesllc.com; uses GitHub, Inc. for source-code hosting (which does not store client personal data in the ordinary course); and may use a secure, append-only retention service to mirror its security audit log. We may update the list of service providers from time to time as our infrastructure evolves. The categories above describe the current set of material service providers as of the Last Updated date.

10.2 Legal, Regulatory, and Safety Disclosures

We may disclose personal information to governmental authorities, regulators, law-enforcement agencies, courts, or other third parties where we reasonably determine disclosure is necessary to: (a) comply with applicable law, legal process, subpoena, or lawful request; (b) protect our rights, property, or safety, or those of our users, our clients, or the public; (c) investigate, prevent, or take action regarding suspected illegal activity, fraud, or violation of our Website Terms of Service; or (d) establish, exercise, or defend legal claims.

10.3 Corporate Transactions

If UpLevel is involved in a merger, acquisition, financing due-diligence process, sale of all or substantially all of its assets, corporate reorganization, re-domestication, or similar transaction, personal information may be transferred to the counterparty or successor entity as part of that transaction, subject to a confidentiality obligation.

10.4 With Your Direction or Consent

We may disclose personal information with your direction or consent, such as when you ask us to introduce you to a partner, vendor, or other third party.

10.5 Processing on Behalf of Clients; Data Processing Addendum

Separate from the processing of information about visitors and account holders described in this Policy, UpLevel also processes the personal data of its clients' customers and end users in the course of delivering paid services (for example, lead data captured through an AI voice agent, website contact form, automation workflow, or first-party analytics beacon that UpLevel builds and operates for a client). With respect to that client end-user personal data, UpLevel acts as a processor (and, under the CCPA, a service provider) on behalf of the client, who acts as the controller (and, under the CCPA, the business). UpLevel processes such data solely to perform the services and not for its own purposes.

That processing is not governed by this Policy. It is governed by the applicable Master Service Agreement and Statement of Work and by a Data Processing Addendum that carries the processor terms required by the Virginia Consumer Data Protection Act, Va. Code § 59.1-579(B), and the service-provider terms required by the CCPA (Cal. Civ. Code § 1798.140(ag) and § 1798.100(d)). The Data Processing Addendum, among other things, restricts UpLevel's use of the data to the services, prohibits any sale or sharing of the data, binds each sub-processor to equivalent obligations under a written contract, and provides for deletion or return of the data at the end of the engagement.

UPLEVEL DOES NOT SELL YOUR PERSONAL INFORMATION, AND UPLEVEL DOES NOT SHARE YOUR PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING, AS THOSE TERMS ARE DEFINED UNDER THE CALIFORNIA CONSUMER PRIVACY ACT AND ANALOGOUS STATE PRIVACY LAWS. UPLEVEL DOES NOT ENGAGE IN TARGETED ADVERTISING BASED ON PERSONAL INFORMATION COLLECTED ACROSS NON-AFFILIATED WEBSITES OR PLATFORMS. UPLEVEL HAS NOT SOLD OR SHARED PERSONAL INFORMATION FOR THESE PURPOSES IN THE TWELVE (12) MONTHS PRECEDING THE LAST UPDATED DATE AND HAS NO PRESENT INTENTION OF DOING SO.

We also do not sell or share your mobile telephone number or your SMS consent, and we do not disclose them to third parties for those third parties' own marketing purposes.

UpLevel has not knowingly sold or shared the personal information of consumers under the age of sixteen (16).

We retain personal information for the periods set forth below, except where a longer retention period is required by law, is reasonably necessary to establish or defend legal claims, or is reasonably necessary for legitimate business purposes such as record-keeping, billing reconciliation, or enforcement of the Website Terms of Service.

You may request earlier deletion of data about you by emailing admin@uplevelservicesllc.com. Certain data embedded in routine backup media may persist until backup rotation deletes it in the ordinary course, and records subject to a legal hold are retained until the hold is released.

Records kept for legal and business integrity. Certain records, in particular invoices and billing history and the message history of an engagement, are retained as durable business and legal records: they are not automatically deleted when an account is closed, and they may be kept for the periods above, and longer where a legal hold or legal obligation applies, so that both you and UpLevel have an accurate record if a question or dispute later arises. This retention is balanced by strict access limits: UpLevel stores no payment-card or bank-account numbers (Section 3.4), cannot recover your password (it is kept only as an irreversible hash, Section 18), and isolates each account's data at the database layer so that one client's information is never accessible to another client (Section 18).

UpLevel is committed to respecting reasonable privacy requests from all visitors and account holders, regardless of whether a specific state or federal privacy law legally applies to us. As of the Last Updated date, UpLevel does not meet the statutory applicability thresholds of the CCPA or the Virginia Consumer Data Protection Act ("VCDPA"). Nevertheless, we voluntarily extend the following rights to all individuals, and we will honor them consistent with this Policy and applicable law:

• Right to know what personal information we have collected about you, including the categories, sources, purposes, and recipients;
• Right to access a copy of the personal information we hold about you in a portable format, to the extent technically feasible;
• Right to correct inaccurate personal information we hold about you;
• Right to delete personal information we have collected from you, subject to legal or legitimate-business-purpose exceptions;
• Right to opt out of sale or sharing, inapplicable in practice, as we do not sell or share personal information;
• Right to limit the use of sensitive personal information, inapplicable in practice, as we do not intentionally collect or use sensitive personal information for any purpose requiring such a limit;
• Right to non-discrimination for exercising any of the foregoing rights.

We operate a tracked request-and-appeal workflow with defined service levels (Section 17 and Section 15), so that requests are acknowledged, fulfilled, and, if declined, subject to a conspicuous appeal. Self-service export: if you hold an UpLevel account, you can export your own account data at any time from your portal settings, in a portable format. That export deliberately excludes operator-internal notes, security secrets, and internal system data.

If you are a California resident and the CCPA applies to you with respect to UpLevel, you have the rights described in Section 13 above. In addition, you are entitled to the following CCPA-specific disclosures:

• Categories of personal information collected in the twelve (12) months preceding the Last Updated date: the categories set forth in Section 5 of this Policy;
• Categories of sources from which personal information is collected: the categories set forth in Section 4 of this Policy;
• Business or commercial purposes for which personal information is collected: the purposes set forth in Section 6 of this Policy;
• Categories of third parties with whom personal information is disclosed: the service-provider categories set forth in Section 10 of this Policy;
• No sale or sharing: UpLevel has not sold or shared personal information for cross-context behavioral advertising in the twelve (12) months preceding the Last Updated date.

14.1 Right to Know and Right to Delete

You may submit a request to know or a request to delete by emailing admin@uplevelservicesllc.com with the subject line "CCPA Request: [Type of Request]." We will acknowledge your request within ten (10) business days and respond substantively within forty-five (45) calendar days, subject to a one-time extension of up to forty-five (45) additional calendar days where reasonably necessary, with written notice to you.

14.2 Right to Correct

You may request correction of inaccurate personal information by emailing admin@uplevelservicesllc.com. We may require documentation to substantiate the requested correction.

14.3 Authorized Agents

You may designate an authorized agent to submit a CCPA request on your behalf, subject to applicable verification requirements. We may require the agent to provide a signed written authorization from you, and we may independently verify your identity. If you designate an authorized agent who holds power of attorney under California Probate Code §§ 4000 – 4465, the foregoing verification requirements do not apply, subject to law.

14.4 Right to Non-Discrimination

We will not discriminate against you for exercising any right under the CCPA. We will not deny services, charge different prices, or provide different levels of service solely because you have exercised a CCPA right.

14.5 "Shine the Light" (California Civil Code § 1798.83)

California residents may request information about our disclosures of personal information to third parties for those third parties' direct marketing purposes. UpLevel does not disclose personal information to third parties for their own direct marketing purposes.

If you are a Virginia resident and the VCDPA applies to you with respect to UpLevel, you have the rights described in Section 13 above, which correspond to the rights afforded to consumers under the VCDPA, including:

• The right to confirm whether we are processing your personal data and to access that personal data;
• The right to correct inaccuracies in your personal data;
• The right to delete personal data provided by or obtained about you;
• The right to obtain a copy of your personal data that you previously provided in a portable, technically feasible format;
• The right to opt out of (A) targeted advertising, (B) the sale of personal data, and (C) profiling in furtherance of decisions that produce legal or similarly significant effects, inapplicable in practice, as we do not engage in any of these activities.

15.1 Submitting a VCDPA Request

You may submit a VCDPA request by emailing admin@uplevelservicesllc.com with the subject line "VCDPA Request: [Type of Request]." We will respond within forty-five (45) calendar days of receipt, subject to a single extension of up to forty-five (45) additional calendar days where reasonably necessary, with written notice to you.

15.2 Appeal of Denied Requests

If we decline to take action on your VCDPA request, you may appeal that decision by replying to our denial email, or by emailing admin@uplevelservicesllc.com with the subject line "VCDPA Appeal." We will respond to your appeal within sixty (60) calendar days, with a written explanation of our decision. If your appeal is denied, you may contact the Virginia Attorney General to submit a complaint, at oag.state.va.us.

Beyond California and Virginia, several other U.S. states (including Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) have enacted comprehensive privacy laws that, where applicable to a business, afford consumers rights similar to those described in Sections 13, 14, and 15 above. If you reside in any state with an applicable privacy law and would like to exercise rights under that law, you may submit a request to admin@uplevelservicesllc.com, and UpLevel will evaluate the request consistent with the applicable law and this Policy. UpLevel may require identity verification before processing any request.

To exercise any privacy right described in this Policy, send an email to admin@uplevelservicesllc.com that includes the following:

• (a) The specific right you are exercising (e.g., access, correction, deletion, opt-out);
• (b) Your full name;
• (c) The email address, telephone number, or other identifier you used when interacting with UpLevel, so that we can locate your records;
• (d) A description of your request in sufficient detail to allow us to understand and respond;
• (e) If you are submitting the request on behalf of another person, information sufficient to establish your authority to do so.

17.1 Identity Verification

Before responding to a substantive request, UpLevel may ask for additional information reasonably necessary to verify that you are the person to whom the data relates. Verification may involve confirming information you previously provided, such as the email address or telephone number used for an inquiry, or (for higher-risk requests such as deletion or portability) more rigorous verification. We will not use verification information for any purpose other than verifying your identity in connection with the request, unless otherwise permitted by law.

17.2 Response Timeframes

We will acknowledge receipt of your request promptly (typically within ten (10) business days) and respond substantively within forty-five (45) calendar days of receipt, subject to a single extension of up to forty-five (45) additional calendar days where reasonably necessary due to the complexity of the request or the number of requests we receive. We will notify you in writing if an extension is required.

17.3 Fees

Responding to verified consumer privacy requests is generally free of charge. We reserve the right to charge a reasonable fee or decline to act on a request that is manifestly unfounded, excessive, or repetitive, in accordance with applicable law.

17.4 Limits on Deletion and Correction

We may decline to delete or correct information to the extent retention or retention in its current form is permitted or required under applicable law, for example, to complete a transaction you requested, to detect or prevent fraud, to maintain mandatory business records, to comply with a legal obligation, or to establish or defend legal claims.

UpLevel maintains administrative, technical, and physical safeguards designed to protect the personal information we process against unauthorized access, disclosure, alteration, and destruction. These safeguards include, without limitation:

• Encryption of data in transit using modern TLS protocols, and encryption of data at rest in infrastructure that supports it, including primary database storage;
• Passwords stored only as a strong one-way hash (Argon2id) combined with a server-held secret, never as recoverable text, and screened against known-breached passwords at the time you set or reset them;
• Two-factor-authentication secrets encrypted at rest, and other security tokens stored only as hashes;
• Mandatory two-factor authentication on all accounts;
• Row-level database isolation between accounts, so one account cannot read another's data;
• A tamper-evident, append-only audit log of security- and account-significant events;
• Time-limited, signed access to stored files, so file links cannot be shared or reused indefinitely;
• Access controls limiting access to personal information to personnel with a business need, and logging and monitoring of such access;
• Contractual data-protection obligations with our service providers.

Our third-party service providers each maintain their own security practices. We select service providers that represent they implement commercially reasonable security measures, but we cannot guarantee their security controls. No method of transmission over the Internet and no method of electronic storage is one hundred percent secure. While we strive to protect your information, we cannot guarantee absolute security, and you acknowledge that you transmit information to us at your own risk. If you believe that the security of any information you have provided to us has been compromised, contact us immediately at admin@uplevelservicesllc.com.

If we become aware of a security incident affecting personal information we control, we will respond in accordance with applicable law, including Virginia Code § 18.2-186.6 (breach of personal information notification), analogous laws of other states, and any contractual breach-notification commitments we have made to clients. Where required by law, we will notify affected individuals and relevant authorities without unreasonable delay and within the timeframes required by such law. Where the affected information is personal data that UpLevel processes on behalf of a client (the owner of that data), we will notify the client without unreasonable delay so that the client can fulfill its own notification obligations. We maintain an incident-tracking process that records the scope of an incident, the individuals or accounts affected, and the dates of any notifications.

The Site is directed to adult business decision-makers. The Site is not directed to children under the age of thirteen (13), and UpLevel does not knowingly collect personal information from children under thirteen. UpLevel is not an "operator" of an online service directed to children for purposes of the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.). If you believe that a child under thirteen has provided personal information to UpLevel, contact us at admin@uplevelservicesllc.com, and we will delete that information promptly.

The Site features an AI-powered voice assistant (the "AI Assistant") that you may optionally initiate, on the Site or by phone. This Section 21 describes our collection and processing of information in connection with the AI Assistant and supplements, but does not replace, the information in Sections 3 through 17 above.

21.1 Required Consent Language

When you initiate a conversation with the AI Assistant, the assistant opens with disclosure language substantially as follows: "You're speaking with UpLevel's AI assistant, not a human. This call is recorded and transcribed so we can follow up and improve our service. If you'd prefer not to be recorded, you can end the call or ask to speak with a person. By continuing, you consent to the recording."

This disclosure is designed to satisfy all-party (two-party) consent requirements in states including California (Penal Code §§ 632, 632.7), Florida (Florida Statutes § 934.03), Nevada (NRS § 200.620), Washington (RCW § 9.73.030), and Illinois (720 ILCS 5/14-2). Consistent with all-party-consent framing, the AI Assistant provides a genuine opportunity to decline recording: you may say that you do not wish to be recorded, you may ask to speak with a person, and the AI Assistant can disable recording on request or transfer or end the call. Your continuation of the conversation after this disclosure, with that opportunity to decline available, constitutes your affirmative consent to recording and transcription.

21.2 Information Collected Through the AI Assistant

During an AI Assistant conversation, we collect: (a) the audio recording of the full conversation; (b) an AI-generated transcript of the conversation; (c) any name, telephone number, email address, business name, project details, budget indicators, or other information you voluntarily provide during the conversation; and (d) metadata such as call start and end times, duration, caller identifier where available, and disposition (completed, disconnected, etc.).

21.3 How We Use AI Assistant Information

AI Assistant information is used for the purposes set forth in Section 6.2 of this Policy. UpLevel personnel may review AI Assistant recordings and transcripts after the conversation for quality-assurance, lead-qualification, follow-up, and training purposes. Recording and transcript data are retained as set forth in Section 12.

21.4 Accuracy Limitations and Non-Reliance

The AI Assistant is an automated system that generates responses based on machine-learning models. Its responses may be inaccurate, incomplete, outdated, out of context, or otherwise unreliable. No statement by the AI Assistant constitutes legal, financial, tax, technical, or professional advice, and no statement by the AI Assistant creates any binding commitment, offer, warranty, guarantee, or representation by UpLevel. For authoritative information about UpLevel's services, contact UpLevel directly at admin@uplevelservicesllc.com.

21.5 What You Should Not Share with the AI Assistant

Because the AI Assistant accepts freeform voice input and because conversations may be reviewed after the fact, you should not share with the AI Assistant any highly sensitive information, including without limitation: financial-account credentials; social-security or government-identification numbers; protected health information; passwords; confidential information about third parties; or trade secrets.

21.6 Outbound Calls, Marketing Messages, and TCPA

The AI Assistant deployed on the Site is engaged only at your affirmative initiation. UpLevel does not use the Site's AI Assistant to place unsolicited outbound calls to you.

UpLevel acknowledges the Federal Communications Commission's February 2024 declaratory ruling (FCC 24-17) classifying AI-generated voices as "artificial or prerecorded voice" under the Telephone Consumer Protection Act ("TCPA"), 47 U.S.C. § 227. Accordingly, any artificial- or prerecorded-voice call, AI-voice call, or marketing text message (SMS) that UpLevel might place or send is treated as regulated under the TCPA.

Where UpLevel sends marketing text messages or places autodialed or artificial- or prerecorded-voice marketing calls, UpLevel obtains prior express written consent as required by the TCPA before doing so. We maintain separate, unbundled consent bases for distinct regulated channels, and we do not combine them into a single "agree to be contacted" election. In particular:

• Marketing SMS is sent only with prior express written consent, accompanied by the disclosure that consent is not a condition of any purchase, the applicable message-frequency notice, "message and data rates may apply," and clear opt-out instructions ("reply STOP to opt out, HELP for help"). We do not sell or share your mobile number or SMS consent;
• AI-voice call recording is governed by the all-party-consent recording disclosure described in Section 21.1, and any outbound artificial- or prerecorded-voice or AI-voice call is placed only with prior express consent (prior express written consent where the call is for marketing); and
• Marketing email is governed by the CAN-SPAM Act, including accurate sender identification, a functioning opt-out honored promptly, and a valid physical postal address, as described in Section 21.8.

For clarity on the current federal standard: the FCC's 2023 "one-to-one consent" rule was vacated by the U.S. Court of Appeals for the Eleventh Circuit (Insurance Marketing Coalition, Ltd. v. FCC (11th Cir. 2025)) and is not in force. This Policy therefore does not assert a one-to-one consent mandate. The operative federal standard for marketing SMS and for autodialed or artificial- or prerecorded-voice calls is prior express written consent. UpLevel will comply with the standard then in effect and with any stricter applicable state law.

21.7 Voice Audio and Biometric Framing

The AI Assistant records and transcribes voice audio that you voluntarily submit, solely to enable the conversation and the purposes described in Section 6.2. UpLevel does not create, extract, or store a voiceprint or any other biometric template from that audio for the purpose of uniquely identifying any individual, and does not use the audio to identify you across interactions through biometric means. UpLevel therefore does not treat that audio as a biometric identifier of the kind regulated by state biometric-privacy statutes premised on unique biometric identification.

21.8 Email (CAN-SPAM) Mailing Address

Where UpLevel sends commercial or marketing email, the message includes the sender's valid physical postal address as required by the CAN-SPAM Act (15 U.S.C. § 7701 et seq.; 16 C.F.R. Part 316). For this purpose UpLevel uses a designated business mailing address (a post office box or commercial mail-receiving agency private mailbox); UpLevel does not publish a residential street address. Transactional and relationship messages, such as replies to your inquiry, service and security notices, and account communications, are not subject to the CAN-SPAM physical-address requirement.

UpLevel may publish on the Site testimonials, case studies, client logos, portfolio items, performance metrics, and other marketing content that reference or describe UpLevel's engagements with clients. Any such content:

• Is published with the client's prior written consent or pursuant to a portfolio-rights provision in the applicable Master Service Agreement;
• Describes specific engagements under specific conditions and is not a guarantee of typical or future results for any other client;
• Where performance metrics are included, is accompanied by a general disclaimer that results are not guaranteed and may not be typical.

If you are a former or current client and would like to update, revise, or withdraw a testimonial or case-study feature that describes you or your business, contact admin@uplevelservicesllc.com.

UpLevel is based in the United States and operates the Site from the United States. The Site is intended for users located in the United States. UpLevel does not intentionally target, market to, or offer services to residents of the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction outside the United States. If you access the Site or submit information to UpLevel from outside the United States, you acknowledge and agree that your information will be transferred to, processed in, and stored in the United States, where privacy laws may differ from, and may not provide equivalent protection to, the laws of your jurisdiction. By submitting information to UpLevel from outside the United States, you consent to that transfer.

The Site may contain links to, or references to, third-party websites and services. Third-party websites and services are operated by entities other than UpLevel and have their own privacy policies, which govern those entities' collection and use of your information. UpLevel is not responsible for the privacy practices, content, or security of any third-party website or service. We encourage you to review the privacy policy of any third-party website or service before providing information to it.

UpLevel may update this Policy from time to time to reflect changes in our practices, technology, applicable law, or other factors. When we update this Policy, we will revise the Effective Date and Last Updated dates at the top of this document. For material changes, we may take additional steps to notify you, such as posting a notice on the Site or, for account holders, requiring renewed acknowledgment at sign-in. Your continued use of the Site after any update constitutes your acknowledgment of the updated Policy. We encourage you to review this Policy periodically.

If you have questions about this Policy, wish to exercise any privacy right, or wish to submit a complaint about our privacy practices, contact us:

UpLevel Services LLC
Attn: Privacy
Glen Allen, Virginia 23059
United States of America
Email: admin@uplevelservicesllc.com
Website: uplevelservicesllc.com

For the fastest response, please include in the subject line of your email the type of request or inquiry (for example, "CCPA Request: Deletion," "VCDPA Appeal," or "General Privacy Question").