Back

Privacy Notice for California Residents

Last updated Jul 1, 2026

This Privacy Notice for California Residents (this “CA Privacy Notice”) supplements the information contained in the Uphold Privacy Notice and applies solely to visitors, users, and others who reside in the State of California ("consumers" or "you"). We adopt this CA Privacy Notice to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), and the implementing regulations of the California Privacy Protection Agency. Capitalized terms used but not defined here have the meanings given to them in the CCPA.

Uphold HQ Inc. (“Uphold US”) is a financial institution under the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801, et seq.) (“GLBA”) and the California Financial Information Privacy Act ("CalFIPA," Cal. Fin. Code § 4050, et seq.). Uphold US has applied to the California Department of Financial Protection and Innovation ("DFPI") for license, with respect to its digital financial asset business activity with California residents, under the California Digital Financial Assets Law (Cal. Fin. Code § 3101, et seq.). Personal information that we collect, process, or disclose pursuant to GLBA or CalFIPA is exempt from certain provisions of the CCPA. We nonetheless extend the rights described in this CA Privacy Notice to personal information about California residents to the extent the CCPA requires.

The temporary CCPA exemptions for personal information reflecting a written or verbal business-to-business communication ("B2B personal information") and for personal information collected from job applicants, employees, owners, directors, officers, and contractors expired on January 1, 2023. References in this CA Privacy Notice to the treatment of B2B personal information are retained for historical context only and do not limit your rights under current law.

Information We Collect

Uphold US and its affiliated companies (collectively, “Uphold”) collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“personal information”). Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.

Information excluded from the CCPA’s scope, such as:

  • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the California Confidentiality of Medical Information Act (“CMIA”) or clinical trial data; and
  • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”) or California Financial Information Privacy Act (“FIPA”), and the Driver’s Privacy Protection Act of 1994.

In particular, Uphold collected the following categories of personal information from its consumers within the last twelve (12) months, some of which include “sensitive personal information” defined by the CPRA Section 1798.140(ae):

Category Example Collected

A. Identifiers.

A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
Yes

B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Yes

C. Protected classification characteristics under California or federal law.

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, or genetic information (including familial genetic information).
Yes

D. Commercial information.

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
No

E. Biometric information.

Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
Yes

F. Internet or other similar network activity.

Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
Yes

G. Geolocation data.

Physical location or movements.
Yes

H. Sensory data.

Audio, electronic, visual, thermal, olfactory, or similar information.
Yes

I. Professional or employment-related information.

Current or past job history or performance evaluations.
No

J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
No

K. Inferences drawn from other personal information,

Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
No

Uphold obtains the categories of personal information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete or products and services you purchase.
  • Indirectly from you. For example, from observing your actions on our website.
  • From third parties. For example, from our third party service providers to verify your identity or to facilitate our provision of services to you.

All references to personal information below may include sensitive personal information as explained above.

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following purposes:

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to utilize our services, we will use that information to verify your identity, authenticate your funding source(s) and facilitate the provision of our services. We may also save your information to facilitate new requests and to comply with relevant laws.
  • To provide, support, personalize, and develop our website, products, and services.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our website, third-party sites, and via email or text message (with your consent, where required by law).
  • To help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our website, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our website users is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Retention of Personal Information

We retain each category of personal information (including sensitive personal information) for as long as is reasonably necessary to fulfill the purposes for which it was collected and to comply with our legal, regulatory, accounting, audit, and reporting obligations, including obligations under the California Digital Financial Assets Law, the federal Bank Secrecy Act, anti-money-laundering and counter-terrorist-financing laws and regulations, and economic sanctions laws administered by the U.S. Office of Foreign Assets Control. As a general matter, we retain customer relationship records (including identification, transaction, and account records) for a minimum of five (5) years following the end of the customer relationship and, where required for sanctions screening, enforcement actions, or government investigations, up to ten (10) years or longer as required by law. When it is no longer necessary to retain your personal information, we will securely delete or de-identify it.

Sharing and Disclosing Personal Information

We may share or disclose your personal information with third parties for our business purposes, and to the extent any of our advertising or analytics activities constitute "sharing" for cross-context behavioral advertising under the CCPA, you have the right to opt out at any time as described in the “Right to Opt Out of the Sale or Sharing of Personal Information" section below. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

We share your personal information with the following categories of third parties:

  • Service providers.
  • API partners via our App Center at your request.
  • Regulatory or government agencies required by law.

Information Security

Consistent with our obligations under California Financial Code § 3701(e), the federal Safeguards Rule, and other applicable laws, we maintain reasonable and appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of nonpublic personal information we receive, maintain, or transmit. Additional information about our security practices is available in the "How do we keep your Personal Data safe?" section of the Uphold Privacy Notice.

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, Uphold has disclosed the following categories of personal information for a business purpose:

  • Category A: Identifiers.
  • Category B: California Customer Records personal information categories.
  • Category C: Protected classification characteristics under California or federal law.
  • Category E: Biometric information.
  • Category F: Internet or other similar network activity.
  • Category G: Geolocation data.
  • Category H: Sensory data.

We disclose your personal information for a business purposes to the following categories of third parties:

  • Service providers.
  • Third-Party User-initiated Applications

Sales of Personal Information

In the preceding twelve (12) months, Uphold has not sold personal information for monetary consideration. To the extent any of our advertising or analytics activities (for example, the use of cookies, pixels, or similar technologies on our Website) constituted "sharing" for cross-context behavioral advertising under the CCPA in the preceding twelve (12) months, the categories of personal information shared were limited to Category A (Identifiers), Category F (Internet or other similar network activity), and Category G (Geolocation data, where collected), and the categories of recipients were limited to advertising and analytics service providers. You may opt out of any such sharing as described in the "Right to Opt Out of the Sale or Sharing of Personal Information" section below.

Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see “Exercising Access, Data Portability, and Deletion Rights” below), we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or sharing that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you, in a format that is easily understandable, and to the extent technically feasible, in a structured, commonly used, machine-readable format. We may also transmit this information to another entity upon your request (also called a data portability request).
  • The length of time we intend to retain each category of personal information, including sensitive personal information. If we are unable to provide a specific retention period, we will instead provide the criteria used to determine such a period. 
  • If we shared or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

We do not provide these access and data portability rights for B2B personal information.

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see "Exercising Access, Data Portability, and Deletion Rights" below), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
  • We do not provide these deletion rights for B2B personal information.

Right to Correct Inaccurate Personal Information

You have the right to request that we correct inaccurate Personal Data that we maintain about you, taking into account the nature of the personal information and and the purposes of processing. Once we receive and confirm your verifiable consumer request, we will use commercially reasonable efforts to correct the personal information as directed, unless we have a legal basis to deny the request.

Right to Limit the Use and Disclosure of Sensitive Personal Information

You have the right to direct us to limit our use and disclosure of your sensitive personal information to those uses that are necessary to perform the services or provide the goods reasonably expected by an average consumer who requests them, and to other purposes authorized by California Civil Code § 1798.121(a) and the CCPA regulations. We do not use or disclose sensitive personal information for purposes other than those specified in California Civil Code § 1798.121(a) and the CCPA regulations, and therefore we are not required to provide a "Limit the Use of My Sensitive Personal Information" link. If our practices change, we will update this CA Privacy Notice and provide the required link or alternative opt-out method.

Right to Opt Out of the Sale or Sharing of Personal Information

Under the CCPA, "sale" means disclosing personal information to a third party for monetary or other valuable consideration, and "sharing" means disclosing personal information to a third party for cross-context behavioral advertising, whether or not for valuable consideration.

Uphold does not sell personal information for monetary consideration. To the extent that any of our advertising or analytics activities (for example, the use of cookies, pixels, or similar technologies on our Website) constitute a "sale" or "sharing" under the CCPA, you have the right to opt out at any time. You may exercise this right by:

  • clicking the “Do Not Sell or Share My Personal Information” link on the footer of our website;
  • sending an email to [email protected] with the subject line "CA Do Not Sell or Share"; or
  • submitting a request through our standard customer support process by contacting our customer support team.

We will also recognize and process opt-out preference signals (such as the Global Privacy Control) sent by your browser or device in a frictionless manner, where required by the CCPA regulations.

We do not knowingly sell or share the personal information of consumers under the age of 16. Disclosures of personal information to our service providers and contractors that are governed by a written contract meeting CCPA requirements, and disclosures required by law (including the so-called "Travel Rule" for virtual asset transfers and disclosures to law enforcement and regulatory authorities), are not sales or sharing under the CCPA.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request through our standard customer support process, by contacting our customer support team.

Only you, or someone legally authorized to act on your behalf (an “authorized agent”), may make a verifiable consumer request related to your personal information. An authorized agent must (i) provide signed written permission from you authorizing the agent to submit the request on your behalf or provide a valid power of attorney under California Probate Code §§ 4000–4465, and (ii) verify their own identity with us. We may also require you to verify your identity directly with us and to confirm that you have provided the agent with permission to submit the request.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include personal information submitted during account sign-up.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us. 

We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

We will deliver our written response to the email used when submitting your request through our standard customer support process.

For personal information collected on or after January 1, 2022, you may request that we disclose information beyond the 12-month period preceding our receipt of your verifiable consumer request, unless doing so proves impossible or would involve disproportionate effort. For personal information collected before that date, our response will cover the 12-month period preceding our receipt of the request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

No Sale of Personal Information of Minors

We do not sell or share for cross-context behavioral advertising the personal information of consumers we know to be under 16 years of age without affirmative authorization. Consumers between 13 and 16 must affirmatively authorize the sale or sharing of their personal information, and a parent or guardian must affirmatively authorize the sale or sharing of personal information for consumers under 13. Because we do not knowingly collect personal information from individuals under 18, this provision is included for completeness.

California “Shine the Light” Disclosure

California Civil Code § 1798.83 permits California residents who have an established business relationship with us to request certain information about the categories of personal information (if any) we have disclosed to third parties for those third parties' direct marketing purposes during the preceding calendar year, and the names and addresses of those third parties. We do not disclose personal information to third parties for their own direct marketing purposes. To make a Shine the Light request, please email [email protected] with the subject line "Shine the Light Request”.

Do Not Track

California Business and Professions Code § 22575(b)(5) requires us to disclose how we respond to “Do Not Track" signals from your browser. Our Website does not currently respond to "Do Not Track" browser signals because no uniform industry standard has been adopted. We do, however, honor opt-out preference signals such as the Global Privacy Control as described in the "Right to Opt Out of the Sale or Sharing of Personal Information" section above.

California Financial Information Privacy Act (CalFIPA)

Uphold US has applied, or intends to apply, for licensure with the DFPI as a money transmitter (and, where applicable, as a digital financial assets business), and as such, our handling of nonpublic personal financial information about California residents will also be governed by the California Financial Information Privacy Act, Cal. Fin. Code § 4050 et seq. ("CalFIPA"). CalFIPA generally requires that we obtain your affirmative ("opt-in") consent before we share your nonpublic personal financial information with nonaffiliated third parties, and that we provide you with notice and an opportunity to opt out before we share that information with our affiliates for marketing purposes, in each case subject to the exceptions set forth in Cal. Fin. Code §§ 4056 and 4056.5 (including disclosures necessary to perform services you have requested, prevent fraud, comply with law, or respond to lawful process). We provide a separate notice describing your rights under that Act, which is available in the Uphold Privacy Notice or upon request to [email protected].

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time. 

Changes to Our Privacy Notice

We reserve the right to amend this CA Privacy Notice at our discretion and at any time. When we make changes to this CA Privacy Notice, we will post the updated notice on our website and update this CA Privacy Notice’s effective date set forth above. Your continued use of our website following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this CA Privacy Notice, the ways in which Uphold collects and uses your information described here and in the Uphold Privacy Notice, your choices and rights regarding such use, or wish to exercise your rights under California law, please contact us at:

  • Website: Uphold Customer Support
  • Email: [email protected]
  • Toll-free customer service: (888) 831-1780 (live customer assistance available at least 10 hours per day, Monday through Friday, excluding federal holidays)
  • Mail: Uphold HQ Inc., Attn: Data Privacy, 228 Park Ave. S., #50458, New York, NY 10003-1502

If you have a complaint with respect to any aspect of the business activities conducted by Uphold US that you have been unable to resolve with us, you may contact the California Department of Financial Protection and Innovation at its toll-free telephone number, 1-866-275-2677, by email at [email protected], or by mail at the Department of Financial Protection and Innovation, Consumer Services, 651 Bannon Street, Suite 300, Sacramento, CA 95811.