Privacy Policy

Table of Contents

    Key Terms

    Here are some of the terms we use in this privacy policy:

    We use the term… Which means…
    We, us, our, LuplLupl, Inc. with our registered office address at One Freedom Square, Reston Town Center, 11951 Freedom Drive, Reston, VA 20190-5656, United States
    Customer TermsThe legal agreement applicable to the Services entered into between you or your organization and us, as applicable
    Our data protection officerThe Data Protection Officer: One Freedom Square, Reston Town Center, 11951 Freedom Drive, Reston, VA 20190-5656, United States (email: privacy@Lupl.com)
    Personal informationAny information relating to an identified or identifiable individual, and any equivalent terms under local protection laws shall have the meaning given to such terms under those laws
    Lupl PlatformThe Lupl platform, across mobile and / or web, as more specifically defined in the Customer Terms
    Lupl WebsitesLupl.com and other Lupl websites from which the Services are promoted, supported or delivered
    ServicesThe Lupl Platform, the Lupl Websites and/or any other services that you have access to, as set out in the Customer Terms

    How and when does this privacy policy apply?

    This privacy policy applies to the collection and use of your personal information in connection with the Services and any other interactions that you have with Lupl, Inc. (e.g. support queries and other communications) to the extent that Lupl is acting as a controller of that information – see ‘What role(s) does Lupl have in the processing of personal information?’.

    You are free to say no to the processing of your personal information as described in this privacy policy. However, the services provided through the Lupl application (“Services”) do require personal information in order to work or for you to have access, and if you choose not to provide certain personal information you and your organization won’t be able to use the Services in question.

    What about other apps and integrations?

    Lupl allows you to “bring your own system”. This means you and other users can integrate Lupl with certain third party systems and services. This privacy policy does not apply to those third party systems and services (or indeed to any other third party products, services or organizations), which we refer to together as ‘Third Party Systems’. You should check the privacy policies of those Third Party Systems (including any updates to them) to understand more about who those third parties are and how and why they process personal information. You can explore the Third Party Systems currently supported by Lupl for your organization within the Lupl Platform.

    What about your organization?

    If you use the Services on behalf of or via your organization or their systems, your organization may be able to control, monitor and administer all or any part of your use of the Services, including access by you or others within your organization, certain privacy-related settings, and integrations with Third Party Systems. Your organization may also be able to access and process your data, including interaction data, metadata and the contents of your communications associated with your use of the Services. If you no longer have access to the work account you use to access the Services, you might lose access to the relevant Services. Lupl isn’t in control of or responsible for the privacy policies and practices of your organization. In relation to your use of the Services on behalf of or via your organization or their systems, your organization is required to make you aware of their policies and practices that they have, and you should contact them for details.

    Who is the controller and who is the processor?

    Data protection law in some countries draws a distinction between the “controller” and “processor” of personal information. Other countries might use similar terms like “organization” (instead of controller) and “intermediary” (instead of processor), but we use controller and processor for consistency.

     

    The “controller” is the main decision-maker which exercises overall control over the purposes and means of the processing of personal information. The processor acts on behalf of, and only on the instructions of, the relevant controller.

     

    Lupl is generally a data controller with respect to the processing of your profile information (e.g. name, email address, etc.) to enable us to provide you with an account and provide the Services to you (see below ‘What personal information do we collect?’).

     

    In all other cases, Lupl generally acts as processor of personal information on behalf of the persons and organizations using the Lupl Platform. For example, if you or someone in your organization creates a matter on the Lupl Platform (i.e. the “Matter Owner”), you are in control of that matter and of the personal information of that matter, and Lupl simply processes any personal information associated with that matter on behalf of you or your organization. You can find out who is the Matter Owner for a given matter on the Lupl Platform by looking at the People tab.

     

    Our subsidiaries, C-Cubed Innovations (UK) Limited and C-Cubed Innovations (Singapore) Pte. Ltd. are also joint controllers with Lupl in respect of providing local/regional support services, such as marketing, onboarding and customer success. This privacy policy is intended to also cover these entities to the extent that you do business with or interact with them, and when we say “we” or “us” in this policy, this is also intended to cover those entities, as relevant.

    The “controller” is the main decision-maker which exercises overall control over the purposes and means of the processing of personal information. The processor acts on behalf of, and only on the instructions of, the relevant controller.

    Lupl is generally a data controller with respect to the processing of your profile information (e.g. name, email address, etc.) to enable us to provide you with an account and provide the Services to you (see below ‘What personal information do we collect?’).

    In all other cases, Lupl generally acts as processor of personal information on behalf of the persons and organizations using the Lupl Platform. For example, if you or someone in your organization creates a matter on the Lupl Platform (i.e. the “Matter Owner”), you are in control of that matter and of the personal information of that matter, and Lupl simply processes any personal information associated with that matter on behalf of you or your organization. You can find out who is the Matter Owner for a given matter on the Lupl Platform by looking at the People tab.

    Our subsidiaries, C-Cubed Innovations (UK) Limited and C-Cubed Innovations (Singapore) Pte. Ltd. are also joint controllers with Lupl in respect of providing local/regional support services, such as marketing, onboarding and customer success. This privacy policy is intended to also cover these entities to the extent that you do business with or interact with them, and when we say “we” or “us” in this policy, this is also intended to cover those entities, as relevant.

    Data protection law in some countries draws a distinction between the “controller” and “processor” of personal information. Other countries might use similar terms like “organization” (instead of controller) and “intermediary” (instead of processor), but we use controller and processor for consistency.

     

    The “controller” is the main decision-maker which exercises overall control over the purposes and means of the processing of personal information. The processor acts on behalf of, and only on the instructions of, the relevant controller.

     

    Lupl is generally a data controller with respect to the processing of your profile information (e.g. name, email address, etc.) to enable us to provide you with an account and provide the Services to you (see below ‘What personal information do we collect?’).

     

    In all other cases, Lupl generally acts as processor of personal information on behalf of the persons and organizations using the Lupl Platform. For example, if you or someone in your organization creates a matter on the Lupl Platform (i.e. the “Matter Owner”), you are in control of that matter and of the personal information of that matter, and Lupl simply processes any personal information associated with that matter on behalf of you or your organization. You can find out who is the Matter Owner for a given matter on the Lupl Platform by looking at the People tab.

     

    Our subsidiaries, C-Cubed Innovations (UK) Limited and C-Cubed Innovations (Singapore) Pte. Ltd. are also joint controllers with Lupl in respect of providing local/regional support services, such as marketing, onboarding and customer success. This privacy policy is intended to also cover these entities to the extent that you do business with or interact with them, and when we say “we” or “us” in this policy, this is also intended to cover those entities, as relevant.

    What personal information do we collect?

    We collect:

     

    • your name, profile picture and contact information, including email address, telephone number and company details (these will also visible to other users of the Lupl Platform as part of your user profile, to enable them to contact you via the Lupl Platform);

     

    • personal information you provide to us on or via the Services, such as if you submit a webform, raise a support ticket or otherwise contact us;

     

    • any user-generated content submitted by you on or via the Services (including files and messages that you create using your account). This type of content will be visible to you and other users who are within the relevant matter or chat group on the Lupl Platform. You can check who will see content via the People tab within the Lupl Platform. We only process this information as a processor and do not access this type of content unless specifically authorized by you or, where applicable, your organization, and we never use it for our own purposes;

     

    • information about how you use the Services, such as how many matters you create and who you are connected with on the Lupl Platform;

     

    • log files relating to your use of the Services, such as your IP address, the address of the website you visited before accessing the Services, your browser type, version and settings, the date and time you used the Services, your language preferences and cookie data;

     

    • device information, including the type of device, what device operating system you use, your device settings, application IDs, unique device identifiers and troubleshooting information;

     

    • information from Third Party Systems that are linked to the Lupl Platform. For example, if you, your organization or someone you work with connect an identity provider, document management system, cloud services provider, messaging application or video conferencing application to the Lupl Platform, Lupl may receive personal information that the Third Party System makes available to Lupl in order to facilitate the integration; you or your organization are in control of setting up this functionality and we only process this as a processor;

     

    • information you provide to us if you submit a job application to join the Lupl team, such as professional, educational or employment related information;

     

    • information you provide to us during other interactions, such as via calls or meetings you have with members of the Lupl team, if you interact with us via social media or other channels, if you participate in a workshop or focus group, or if you submit a job application to join the Lupl team;

     

    • cookie information – the Services may include cookies and similar tracking technologies – for more on which, see “What about Cookies?” below; and

     

    • information to enable us to check and verify your identity for security purposes, e.g., your date of birth, IP address.

     

    We don’t generally collect any special category personal information (also known as sensitive personal data), such as personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Any special category data that you submit in user generated content via the Services will be your and your organization’s responsibility, as we do not generally have access to this information.

     

    We will only process this kind of data with your explicit consent based on your decision to provide such information to us or as otherwise permitted by law. If you submit this kind of information to us, you agree that you will provide and hereby do provide your explicit consent for our processing of this information in accordance with this privacy policy.

     

    What about cookies?

    In limited situations, we may collect information using cookies. Cookies are small data files stored on the hard drive of your computer or mobile device by a website. We may use both session Cookies (which expire once you close your web browser) and persistent Cookies (which stay on your computer or mobile device until you delete them) to provide you with a more personal and interactive experience on our Services.

     

    We use two broad categories of Cookies: (1) first party Cookies, served directly by us to your computer or mobile device, which are used only by us to recognize your computer or mobile device when it revisits Services; and (2) third party Cookies, which are served by service providers on Services, and can be used by such service providers to recognize your computer or mobile device for the purposes of things like Single Sign On.

     

    Our Services use(s) the following types of Cookies for the purposes set out below:

    Type of Cookies Purpose
    Essential CookiesThese Cookies are essential to provide you with the Services and to enable you to use some of its features. For example, they allow you to log in to a given matter and recognize you as having logged in. Without these Cookies, the Services that you have asked for cannot be provided, and we only use these Cookies to provide you with those Services.
    Functionality CookiesThese Cookies allow the Services to remember choices you make when you use our Services, such as remembering your login details and remembering the changes you make to other parts of our Services which you can customize. The purpose of these Cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you visit our Services.

    We do not currently respond to “do not track” signals or other mechanisms that might enable users to opt out of tracking on our Services where that tracking is necessary for the purpose of operating the Services.

     

    We use user analytics tools in order to better understand our users’ needs and to optimize this service and experience. These tools help us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. These services use cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. This is stored in a pseudonymized user profile. These tools are configured to ensure that we cannot access any private, confidential or privileged information (e.g., the data from within your matters or documents on the platform).

     

    How is this personal information collected?

    Most of the personal information we process via the Services comes directly from you. However, we may also collect personal information:

     

    • if your organization provides it to us;

     

    • from publicly-accessible sources;

     

    • from Third Party Systems, as outlined above;

     

    • from other users, e.g. if someone else you know uses the Lupl Platform, and they send you an invitation to join the Lupl Platform and/or a specific matter, they might provide your information to facilitate this, just as you may provide theirs. In these situations, we rely on the relevant users or their respective organizations to obtain whatever consents are required for the sharing of this information with us;

     

    • from any other third party to whom you have given your consent; and

     

    • from cookies — for more information on our use of cookies, please see “What about cookies?” above.

    How and why do we use your personal information?

    Most of the personal information we process via the Services comes directly from you. However, we may also collect personal information:

     

    • if your organization provides it to us;

     

    • from publicly-accessible sources;

     

    • from Third Party Systems, as outlined above;

     

    • from other users, e.g. if someone else you know uses the Lupl Platform, and they send you an invitation to join the Lupl Platform and/or a specific matter, they might provide your information to facilitate this, just as you may provide theirs. In these situations, we rely on the relevant users or their respective organizations to obtain whatever consents are required for the sharing of this information with us;

     

    • from any other third party to whom you have given your consent; and

     

    • from cookies — for more information on our use of cookies, please see “What about cookies?” above.

    Reasons for which we use your personal information Our legal basis for processing your personal information
    To provide the Services to you and/or your organization including setting up our products and services for you and providing you with support, onboarding, integration to our platform, helping you with Platform settings, processing payments and completing other actions which need to be taken to establish or perform our contract with you or your organization.For the performance of our contract with you for our legitimate interests or those of a third party, i.e., to provide the Services to you and your organization
    To improve and develop our Services, and customize your experienceFor the performance of our contract with you for our legitimate interests or those of a third party, i.e., to provide the Services to you and your organization For our legitimate interests or those of a third party, i.e., to improve our services, enable us to understand our customers better and ensure the commercial viability of our business
    To enable other users of the Services to communicate with youFor the performance of our contract with you for our legitimate interests or those of a third party, i.e., to provide the Services to you, your organization and other users
    To provide analytics and reporting to your organization on usage and other aspects of the ServicesFor our legitimate interests or those of a third party, i.e., to support the provision of the Services to you and your organization
    To enable the Lupl team to communicate with youFor our legitimate interests or those of a third party, i.e., to provide the Services to you and your organization, and communicate with you about the Services
    To prevent and detect fraud against you, your organization, other organizations on the Lupl Platform, or LuplFor our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging
    To gather and provide information required by or relating to audits, enquiries or investigations by regulatory bodies, law enforcement agencies or jurisdictionsTo comply with our legal and regulatory obligations, such as regarding sanctions, KYC, anti-corruption and taxation obligations
    For operational reasons, such as to manage our internal administration, improving efficiency, training and quality control where you contact our Support deskFor our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you
    To ensure the confidentiality of relevant informationWhere we have a legal or regulatory obligation, to comply with that legal and regulatory obligation. Where we don’t have a legal and regulatory obligation, for our legitimate interests or those of a third party, i.e. to protect trade secrets and other commercially valuable information
    To prevent unauthorized access or modifications to the ServicesWhere we have a legal or regulatory obligation, to comply with that legal and regulatory obligation. Where we don’t have a legal and regulatory obligation, for our legitimate interests or those of a third party, i.e. to prevent and detect criminal activity
    To update and enhance user recordsFor the performance of our contract with you or to take steps at your request before entering into a contract. To comply with our legal and regulatory obligations
    To ensure safe working practices, staff administration and assessmentsTo comply with our legal and regulatory obligations
    Marketing the Services to: —existing and former customers; —third parties who have previously expressed an interest in our services; —third parties with whom we have had no previous dealings.Based on your consent, where required by law. Otherwise, for our legitimate interests in marketing and promoting our products, services and business
    Marketing the Services to you.For our legitimate interests, i.e. to promote our business to you
    External and internal audits and quality checks, e.g. for ISO certification and the audit of our accountsWhere we have a legal or regulatory obligation, to comply with that legal and regulatory obligation. Where we don’t have a legal and regulatory obligation, for our legitimate interests or a those of a third party, i.e. to obtain and maintain relevant certifications and accreditations so we can demonstrate we operate at the highest standards
    Contemplated or actual reorganization, merger, sale, joint venture, assignment, transfer or other operations regarding all or any portion of our businessFor our legitimate interests or those of a third party, e.g., for our legitimate interest to sell all or part of our business
    Meet any legal obligations (e.g., tax, accounting and administrative obligations)To comply with our legal and regulatory obligations
    Enforcement, exercise or defense of legal claimsFor our legitimate interests or those of a third party, i.e. to defend our rights and interests
    Essential cookies and functionality cookiesFor our legitimate interests or those of a third party, i.e., to provide you with the Services and give you access to our website/platform
    Targeted advertising or audience measurement cookiesBased on your consent
    To evaluate and progress your job application, including taking preliminary steps to your potential employment with usFor the performance of our contract with you or to take steps at your request before entering into a contract. To comply with our legal and regulatory obligations. For our legitimate interests in protecting our business and commercial interests

    The above table does not apply to special category personal information, which is described above in the section titled “What personal information do we collect?”

    Promotional Communications

    From time to time, we may use your personal information to send you updates (by email, chat message, telephone or post) about our services, including offers, promotions or new products and/or services. These promotional communications are sent on a business to business basis to the customer organization that you work for or represent.

    We have a legitimate interest in processing your personal information for promotional purposes (see above ‘How and why do we use your personal information?’). However, where consent is needed, we will ask for this consent separately and clearly before sending you the communication.

     

    You have the right to opt out of receiving promotional communications at any time by:

     

    • contacting us at privacy@Lupl.com; or

     

    • using the ‘unsubscribe’ link in emails.

     

    We may ask you to confirm or update your marketing preferences if you instruct us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business.

    With whom do we share your personal information?

    We share personal information with:

     

    • your organization, if you use the Services on behalf of or via your organization or their systems (see ‘What about your organization?’ above);

     

    • other users and invited users designated by you (e.g. when you use the Services to send or share communications, documents, or other information to third parties, such as your business contacts, we will share that communication or other information with the relevant third party. You are in control and should ensure that you only send communications or other information to people you trust);

     

    • third parties we use to help deliver the Services to you, e.g. cloud services providers, software developers of the Lupl Platform, support services providers, or independent contractors who work with us to provide the Services to you;

     

    • other third parties we use to help us run our business or support our activities, e.g. marketing agencies or website hosts and recruitment agencies;

     

    • our group companies where necessary for the provision of the Services and the operation of our business;

     

    • Third Party Systems (e.g. if a matter has a chat bridge into a Slack channel, we may share content from the Lupl matter into the bridged Slack channel) (see ‘What about other apps and integrations?’ above);

     

    • our professional advisors, such as external auditors, accountants and legal counsel, and insurers;

     

    • law enforcement agencies and regulatory bodies to comply with our legal and regulatory rights or obligations; and

     

    • other parties, such as potential investors or buyers of some or all of our business or counterparties to a M&A transaction or during a re-structuring.

     

    We only allow our service providers to handle your personal information if they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors.

     

    We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory rights or obligations.

     

    We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymized, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations to ensure they can only use personal information strictly in compliance with applicable law.

    Where is your personal information held?

    Wherever your personal information is stored, it is always processed strictly in accordance with this privacy policy and applicable law.

     

    The Lupl Platform is hosted in the European Economic Area (the Netherlands). We use Microsoft Azure cloud services (see https://www.microsoft.com/en/trust-center for more information).

     

    Lupl itself is registered and incorporated in the United States, with subsidiaries in the United Kingdom and Singapore. See our contact information as set forth in this privacy policy.

     

    Information may also be held at our offices and those of our group companies, third party agencies, service providers, representatives and agents as described above (see above: ‘With whom do we share your personal information?’).

     

    Some of these third parties may be based outside the European Economic Area. For more information, including on how we safeguard your personal information when this occurs, see below: ‘Transferring your personal information outside of your country or region’.

    Transferring your personal information outside of your country or region

    To deliver services to you, it is sometimes necessary for us to share your personal information outside of your country or region, e.g.:

     

    • with our offices and group companies;

     

    • with our service providers and those of your organization;

     

    • with users who are located outside of your country or region;

     

    • where there is an international dimension to the Services we are providing to you.

     

    These transfers may be subject to special rules under applicable data protection laws, including where relevant the EU’s General Data Protection Regulation and data protection laws applicable in the United Kingdom. We will ensure that such transfers are compliant with the requirements under the applicable data protection law and this may entail taking such necessary measures to ensure that such overseas recipients are bound by legally enforceable obligations to ensure that these overseas recipients provide a standard of protection to the personal information so transferred that is equivalent to the protection under the applicable data protection law. See ‘What about transfers outside of the European Economic Area or the United Kingdom?’

    What about transfers outside of the European Economic Area?

    The transfers described above include transfers outside of the European Economic Area (“EEA”) and the United Kingdom (“UK”).

     

    Some of the countries to which we may transfer personal information have been assessed by the European Commission or the UK approving authority as providing an adequate level of protection for personal information: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

     

    Except for the countries listed above, countries outside the EEA or the UK do not always provide the same level of protection for personal information as data protection laws as the EEA or the UK, respectively. We will, however, ensure the transfer and subsequent processing complies with data protection law.

     

    Our standard practice is to use standard contractual clauses (“SCCs”) that have been approved by the European Commission or the UK approving authority, as relevant. Where required by data protection laws (in particular, the Schrems II decision), we carry out pre-transfer assessments and supplement those clauses with additional measures. From time to time, we may update the specific versions of the SCCs that we rely on to transfer personal information, for example, to take into account changes in law and good practice.

     

    To obtain a copy of the SCCs or for further details about transfers, please contact privacy@lupl.com.

     

    EU-US Data Privacy Framework program and the UK Extension to the EU-US DPF

     

    Lupl complies with the EU-US Data Privacy Framework program (EU-US DPF) and the UK Extension to the EU-US DPF as set forth by the US Department of Commerce. Lupl, Inc. has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF.

     

    In compliance with the EU-US DPF and the UK Extension to the EU-US DPF, Lupl, Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-US DPF and the UK Extension to the EU-US DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit please visit the JAMS Dispute Resolution Process web site at https://www.jamsadr.com/DPF-Dispute-Resolution. The services of JAMS are provided at no cost to you.

     

    Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available as set forth in Annex I of the DPF Principles. Lupl, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with respect to its compliance with the provisions of the EU-US DPF and the UK Extension to the EU-US DPF.

     

    Lupl, Inc. will take reasonable and appropriate steps necessary to ensure that any third party who is acting as a “data processor” under EU or UK terminology is processing the personal data we entrust to them in a manner that is consistent with the DPF Principles. Lupl, Inc. is potentially liable in cases of onward transfer to third parties of data of EU and UK individuals received pursuant to the EU-US DPF and the UK Extension to the EU-US DPF respectively.

     

    If there is any conflict between the terms in this privacy statement and the EU-US DPF Principles, the Principles shall govern.

     

    To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

     

    If the EU-US DPF or the UK Extension do not apply, Lupl, Inc. relies on other data transfer mechanisms to transfer personal data outside the EEA, the UK, and Switzerland, such as Standard Contractual Clauses as outlined above.

     

    If you would like further information, please contact us or our Data Protection Officer at privacy@lupl.com.

    How long will your personal information be kept?

    We will keep your personal information while you have an account with us or we are providing products and/or services to your organization. Thereafter, we will keep your personal information:

     

    • to respond to any questions, complaints or claims made by you or on your behalf and/or exercise a legal claim, for a period starting from the end of the provision of the Services as per the contract concluded with your organization and corresponding to the time period in which it is possible to take a legal action in accordance with applicable law;

     

    • to keep records required by law and regulation applicable to us and/or the industries in which we operate.

     

    In addition, any personal information within or relating to a matter on the Lupl system will be retained in line with our standard archiving policies, which are designed to help users manage their compliance with record-keeping obligations under applicable law and regulation (e.g. law firms are required to keep records for certain specified periods of time). Please contact us at privacy@Lupl.com to learn more about these archiving policies.

     

    We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information.

     

    When it is no longer necessary to retain your personal information, we will delete or anonymise it to the extent permitted by applicable law.

    A note about children

    The Services are designed for business users, and we do not intentionally gather personal information from users who are under the age of 16. If a child under 16 submits personal information to us and we learn that the personal information is the information of a child under 16, we will attempt to delete the information as soon as possible to the extent required by law. If a parent or guardian becomes aware that his or their child has provided us with information without their consent, he or she should contact us at privacy@lupl.com.

    Your rights

    You have certain rights in relation to your personal data, which are described in general terms below. Your specific rights may vary depending on where you are located, and most rights are subject to exceptions and exemptions.

     

    Please note that any requests to exercise rights in relation to Customer Information (i.e., data and information provided or submitted by you and/or your organization through the Lupl Platform in a Matter Space) will need to be directed to your organization as the controller of any such personal information.

    Access The right to be provided with a copy of your personal information being processed (the right of access), and details of how we have used or disclosed your personal information in a relevant period
    RectificationThe right to require us to correct any mistakes in your personal information
    To be forgottenThe right to require us to delete your personal information—in certain situations
    Restriction of processingThe right to require us to restrict processing of your personal information—in certain circumstances, e.g., if you contest the accuracy of the data so that we can verify this
    Data portabilityThe right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
    To objectThe right to object: —at any time to your personal information being processed for direct marketing (including profiling); —in certain other situations to our continued processing of your personal information, e.g., in case that processing is carried out for the purpose of our legitimate interests and you state individual grounds for objection relating to your particular situation
    Not to be subject to automated individual decision makingThe right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. We don’t make decisions based solely on automated processing
    To withdraw your consentThe right to withdraw, at any time, your consent to the processing of your personal information with effect for the future, in cases where you have given your consent. However, this will not affect the lawfulness of any processing up to the point when consent was withdrawn.
    Post-mortem consent to privacyWhere we have a legal or regulatory obligation, to comply with that legal and regulatory obligation. Where we don’t have a legal and regulatory obligation, for our legitimate interests or those of a third party, i.e. to prevent and detect criminal activity. The right to set instructions regarding the storage, deletion or communication of your personal data after your death

    For further information on each of those rights, including the circumstances in which they apply, please contact us at privacy@lupl.com.

     

    If you would like to exercise any of those rights, please:

     

    • email, call or write to us or our Data Protection Officer—see below: ‘How to contact us’; and

     

    • let us have enough information to identify you– we may request additional proof of your identity and address; and

     

    • let us know what right you want to exercise and the information to which your request relates.

    Keeping your personal information secure

    We have appropriate security measures to prevent data security breaches involving personal information.

     

    We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.

     

    We regularly test our systems, which means we follow industry standards for information security.

     

    Amongst other things, your information is protected during transmission and at rest in our data systems by cryptographic algorithms.

     

    We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

    How to complain

    We hope that we or our Data Protection Officer can resolve any query or concern you may raise about our use of your information. You may also have a right to lodge a complaint with the data protection regulator in your country or state. If you’re in the EU, this means you have a right to lodge a complaint with a supervisory authority in the place of your habitual residence, place of work, or place of an alleged infringement of GDPR.

    Changes to this privacy policy

    This privacy policy was originally published on March 27, 2020, and was last revised on May 7 2024.

     

    We may change this privacy policy from time to time. We will inform you of any material changes via email and/or the next time you visit the Services.

    How to contact us

    Please contact us and/or our Data Protection Officer by post or email if you have any questions about this privacy policy or the information we hold about you. Our contact details are as follows:

    Our contact details Our Data Protection Officer’s contact details
    Lupl, Inc. One Freedom Square, Reston Town Center, 11951 Freedom Drive, Reston, VA 20190-5656, United StatesLupl, Inc. The Data Protection Officer One Freedom Square, Reston Town Center, 11951 Freedom Drive, Reston, VA 20190-5656, United States email: privacy@Lupl.com

    We have appointed a partner called Verasafe as Lupl’s representative in the European Union for data protection matters, pursuant to Article 27 of the GDPR. If you are in the European Economic Area, VeraSafe can be contacted in addition to Lupl’s DPO on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contactdata-protection-representative or via telephone at: +420 228 881 031. Alternatively, VeraSafe can be contacted at: VeraSafe Ireland Ltd. Unit 3D North Point House North Point Business Park New Mallow Road Cork T23AT2P Ireland.

    Notice to California residents

    We are required by the California Consumer Privacy Act of 2018 (“CCPA”) to provide to California residents an explanation of how we collect, use and share their personal information, and of the rights and choices we offer California residents regarding our handling of the personal information. This notice does not apply to information related to our business contacts.

     

    We do not sell personal information. As we explain in this Privacy Policy, we use cookies and other tracking technologies to analyze website traffic and facilitate advertising. If you would like to opt out of our use of cookies and other tracking technologies, please review the instructions provided in the Online Tracking Opt-out Guide. Our platform allows users to direct us to share their information with Providers with whom they wish to connect.

     

    In addition to the information in our Privacy Policy, the following chart further describes our privacy practices with respect individuals whose information is governed by the CCPA.

    Personal information we collect CCPA-defined* categories Sources of personal information Purposes for which we may collect and use the personal information Data sharing
    Contact informationIdentifiers Online IdentifiersYou Third party service providersTo provide, operate and improve the Service For research and development To send you communications related to the Lupl PlatformOther users on the Lupl Platform
    Profile information Demographic InformationIdentifiers Online Identifiers Protected Classification Characteristics (if you choose to provide it)You Third party service providersTo provide, operate and improve the Lupl Platform For research and development To send you communications related to the Lupl platform or other service providersOther users on the Lupl Platform
    Content supplied by you (including user-generated content)Identifiers Online IdentifiersYouTo provide, operate and improve the Service For research and developmentOther users on the Lupl Platform, subject to your control and direction
    Device data Online activity and usage dataIdentifiers Inferences Internet or other network activity informationYour Automatic collectionTo provide, operate and improve the Service For research and development To display messages to youNone

    *Click here for details.

     

    Please note that we may also disclose all personal information to service providers, to comply with law, in connection with compliance, fraud prevention and safety purposes, or in connection with a business transfer. For additional information, visit the section of our Privacy Policy entitled “With whom do we share your personal information?”

     

    Privacy Rights. Except as excluded above, the CCPA grants California residents the following rights:

     

    • Information. You can request information about how we have collected, used and shared your personal information during the past 12 months. We have made this this information available to California residents without having to request it by including it in this Privacy Policy, in the chart above.

     

    • Access. You can request a copy of the personal information that we maintain about you.

     

    • Deletion. You can ask us to delete the personal information that we collected or maintain about you.

     

    Please note that the CCPA limits these rights by, for example, prohibiting us from providing certain sensitive information in response to an access request and limiting the circumstances in which we must comply with a deletion request. If we deny your request, we will communicate our decision to you.

     

    You are entitled to exercise the rights described above free from discrimination.

     

    How to Submit a Request. To request access to or deletion of personal information:

     

    • Call: +1 346 388 0769

     

    • Email: privacy@lupl.com

     

    Identity verification. The CCPA requires us to verify the identity of the individual submitting a request to access or delete personal information before providing a substantive response to the request. We may attempt to verify your identify by asking you to confirm information that we have on file about you or your interactions with us. Where we ask for additional personal information to verify your identity, we will only use it to verify your identity or your authority to make the request on behalf of another consumer.

     

    Authorized agents. California residents can empower an “authorized agent” to submit requests on their behalf. We will require the authorized agent to have a written authorization confirming that authority.

    Online Tracking Opt-Out Guide for California Residents

    Like many companies online, we use services that use tracking technology. These services rely on tracking technologies – such as cookies and web beacons – to collect directly from your device information about your browsing activities, your interactions with websites, and the device you are using to connect to the Internet.

     

    There are a number of ways to opt out of having your online activity and device data collected through these services, which we have summarized below:

     

    • Blocking cookies in your browser. Most browsers let you remove or reject cookies, including cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.

     

    • Blocking advertising ID use in your mobile settings. Your mobile device settings may provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.

     

    • Using privacy plug-ins or browsers. You can block our websites from setting cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, Ghostery or uBlock Origin, and configuring them to block third party cookies/trackers.

     

    • Advertising industry opt-out tools. You can also use these opt-out options to limit use of your information for interest-based advertising by participating companies:
    o Digital Advertising Alliance: https://optout.aboutads.info
    o Network Advertising Initiative: https://optout.networkadvertising.org/?c=1

     

    Note that because these opt-out mechanisms are specific to the device or browser on which they are exercised, you will need to opt-out on every browser and device that you use.