Upcroft hello@upcroft.ai

Privacy Policy

1. Who we are

Upcroft Works Pty Ltd (ACN 696 443 133) (“Upcroft”, “we”, “us”) operates the technology platform that powers AI customer support operations. We connect to our clients’ business platforms — such as Shopify, Stripe, Gorgias, Zendesk, and Intercom — to ingest, transform, and store the data that drives support workflows.

This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our website (upcroft.ai) and our platform services.

2. Personal data we collect

We collect personal data in two contexts:

2.1 Website visitors

When you visit upcroft.ai, we may collect:

  • Usage data — pages visited, referring URL, browser type, device type, IP address
  • Cookies — we use Google Analytics to understand how visitors use our site. See Section 6 for details.

We do not require you to create an account or provide any personal information to use our website.

2.2 Client data (as a data processor)

When we provide platform services to our clients, we process personal data on their behalf. Our clients are the data controllers for this data — they determine what data is shared with us and for what purpose.

The categories of personal data we process on behalf of clients typically include:

  • Customer names and email addresses
  • Order details and transaction metadata
  • Support conversation history and ticket content

We do not process:

  • Payment card numbers (platform APIs return masked data only)
  • Health information
  • Other special categories of personal data

Our clients remain responsible for ensuring they have a lawful basis to share personal data with us. Our processing of client data is governed by our Data Processing Agreement.

3. How we use personal data

3.1 Website visitor data

We use website visitor data to:

  • Understand how visitors use our site and improve it
  • Monitor site performance and security
  • Comply with legal obligations

3.2 Client data

We process client data to provide our platform services. This includes:

  • Ingesting data from client platforms via API
  • Transforming, structuring, and cross-referencing data for support workflows (including pseudonymised identifiers such as hashed email addresses)
  • Making customer information — including names, email addresses, and phone numbers — available to the authorised systems, AI agents and human operators handling support enquiries for the purpose of delivering support services
  • Generating reports and analytics for our clients

We do not use client personal data for our own marketing purposes. We do not use identifiable client personal data to train AI models used by other clients. We may use aggregated statistics derived from client data — such as ticket volumes, resolution times, and category distributions — to improve our services. These statistics do not identify individuals.

Where required by applicable law (including GDPR), we rely on the following legal bases:

  • Consent — for analytics cookies (Google Analytics). We will only set analytics cookies after you provide consent. You can withdraw consent at any time.
  • Legitimate interest — for website server logs, security monitoring, and site performance. Our legitimate interest is maintaining the security and availability of our website.
  • Contractual necessity — for client data processed under our Data Processing Agreement. We process this data because it is necessary to provide the services our clients have engaged us for.
  • Legal obligation — where we are required to process or retain data by law.

5. How we share personal data

We do not sell personal data to third parties.

We share personal data only in the following circumstances:

  • Authorised service providers — authorised personnel from our clients and their service providers (such as support operations partners) may access data through our platform in the course of delivering support services.
  • Sub-processors — we engage third-party service providers to host and operate our platform. These providers process personal data on our behalf and are contractually required to protect it. A current list of our sub-processors is available at /legal/sub-processors.
  • Legal requirements — we may disclose personal data where required by law, regulation, legal process, or enforceable governmental request.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We would notify affected parties of any change in controller.

6. International data transfers

Personal data processed by Upcroft is stored in the United States and other jurisdictions where our service providers operate.

For clients and individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for transferring personal data to the United States. These are incorporated into our Data Processing Agreement.

7. Cookies and analytics

We use Google Analytics to understand how visitors use upcroft.ai. Google Analytics uses cookies to distinguish unique users and track pageviews.

We only set analytics cookies after you provide consent. You can withdraw consent at any time through the cookie settings on our website, by configuring your browser to reject cookies, or by installing the Google Analytics Opt-out Browser Add-on.

We do not use advertising cookies or third-party tracking for marketing purposes.

8. Data retention

  • Website visitor data — retained in aggregate by Google Analytics in accordance with our configured retention settings. IP addresses are anonymised.
  • Client data — retained for the duration of the service agreement. On termination, client data is deleted or returned in accordance with the applicable agreement, typically within 90 days unless we are required by law to retain it. See our Data Processing Agreement for details.

9. Security

We implement appropriate technical and organisational measures designed to protect personal data, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Platform credentials are encrypted and isolated — never exposed to human operators
  • Role-based access controls with least-privilege principles
  • Regular review of access permissions

10. Your rights

Where we act as a data processor, requests relating to personal data should be directed to the relevant data controller (our client). Depending on your location, you may have the following rights regarding your personal data:

10.1 Australian Privacy Act

If you are located in Australia, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Make a complaint to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles

10.2 GDPR (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Access, correct, or delete your personal data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your local data protection authority

10.3 CCPA (California)

If you are a California resident, you have the right to:

  • Know what personal data we collect and how it is used
  • Request deletion of your personal data
  • Opt out of the sale of personal data (we do not sell personal data)
  • Non-discrimination for exercising your rights

11. Data breach notification

We will notify affected parties and relevant authorities of any personal data breach in accordance with applicable law, including:

  • GDPR — supervisory authority within 72 hours; affected individuals without undue delay where there is a high risk to their rights
  • Australian Privacy Act — assessment within 30 days; notification if serious harm is likely
  • CCPA — prompt notification as required by California law

Breach notification to clients is governed by the Data Processing Agreement.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the effective date above. For material changes, we will provide reasonable notice.

13. Contact us

For questions about this Privacy Policy or to exercise your data protection rights:

Email: privacy@upcroft.ai

Upcroft Works Pty Ltd ACN 696 443 133 Level 2, 65 Dover Street Cremorne VIC 3121 Australia

Effective date: 2026-04-09
Version: UP-AU-PRI-v1