Privacy Policy
Effective Date: July 1, 2026
This Privacy Policy describes how Elysium Spark LLC (d.b.a. Revolution Labs) ("we," "us," or "our") collects, uses, shares, and protects personal information when you use UpriseOS (upriseos.com) and related services (the "Services"). We are committed to transparency and to your rights under applicable privacy law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended (CCPA/CPRA), and other applicable data protection laws.
1. Data Controller
Elysium Spark LLC (d.b.a. Revolution Labs) is the data controller for personal data processed in connection with the Services. For contact details and data subject requests, see Section 15.
We have not appointed a formal Data Protection Officer (DPO) as we do not engage in large-scale systematic processing of sensitive personal data as a core activity. For all data protection inquiries, use the contact information in Section 15.
2. Services Covered
This Privacy Policy applies to all services provided at upriseos.com.
3. Personal Data We Collect
3.1 Data You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Identity data | Name, username | Account creation, personalization |
| Contact data | Email address, phone | Account management, communications |
| Account credentials | Password (hashed), security settings | Authentication |
| Payment data | Billing name, address, last 4 digits of card | Payment processing (via Stripe; full card data never stored by us) |
| Content and inputs | Text, files, prompts you submit | Delivering AI-powered Services |
| Communications | Support messages, survey responses | Customer service, product improvement |
3.2 Data Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage data | Pages visited, features used, session duration, click events | Service improvement, analytics |
| Technical data | IP address, browser type, OS, device identifiers | Security, fraud prevention, compatibility |
| Log data | Server logs, error reports, timestamps | Debugging, security monitoring |
| Cookies | Session tokens, preference identifiers | Authentication, user experience |
3.3 Data from Third Parties
We may receive limited data from payment processors (transaction confirmations), analytics providers (aggregated usage statistics), and any third-party services you choose to connect, subject to their respective privacy policies.
4. Legal Basis for Processing (GDPR)
For users in the EEA and UK, we process personal data on the following legal bases under GDPR Article 6:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Services you contracted for | Performance of a contract (Art. 6(1)(b)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional communications (receipts, security alerts) | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention and security monitoring | Legitimate interests (Art. 6(1)(f)) |
| Improving and developing the Services | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications (where opted in) | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Analytics via cookies (non-essential) | Consent (Art. 6(1)(a)) |
Where we rely on legitimate interests, you have the right to object (see Section 10).
5. AI Processing and Automated Systems
5.1 How We Use AI
Our Services use third-party AI models (including from Anthropic, OpenAI, Google, and others) to process your inputs and generate outputs. This processing constitutes automated processing of personal data to the extent your inputs contain personal information.
5.2 No AI Training on Your Data
We configure AI providers to opt out of using your inputs or outputs for model training where that option is contractually available. Where providers offer Zero Data Retention (ZDR) or equivalent data processing terms, we enable them. Your data is processed by AI systems only to provide the Services to you.
5.3 Automated Decision-Making
We do not make solely automated decisions that produce legal effects or significantly affect you without human oversight. AI outputs generated by our Services are decision-support tools and always require your review and judgment before application. If a future feature involves consequential automated decisions, we will provide specific notice and, where required by GDPR Article 22 or applicable law, obtain your explicit consent and provide a mechanism to request human review.
5.4 CCPA Automated Decision-Making (Effective January 1, 2026)
Under CCPA regulations effective January 1, 2026, if we use Automated Decision-Making Technology (ADMT) to make "significant decisions" about you, we will provide pre-use notice and offer an opt-out mechanism. Currently, our AI tools are used as productivity aids and do not make significant decisions about consumers within the meaning of these regulations.
5.5 EU AI Act Transparency
We do not operate AI systems classified as "high-risk" under the EU AI Act. Our AI-powered Services are general-purpose productivity tools. We disclose AI involvement in our service descriptions and do not engage in AI practices prohibited under the EU AI Act (including social scoring, subliminal manipulation, or real-time biometric surveillance).
5.6 Third-Party AI Provider Policies
When your inputs are processed by third-party AI providers, those providers act as our data processors (under applicable data protection law) or as independent controllers for certain limited purposes under their own terms. We maintain data processing agreements with our primary AI providers. For details on how specific providers handle data, refer to their privacy policies:
- Anthropic: anthropic.com/privacy
- OpenAI: openai.com/policies/privacy-policy
- Google: policies.google.com/privacy
6. Cookies and Tracking
6.1 Cookie Categories
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Authentication, session management, security | No (essential to Service) |
| Functional / preferences | Remembering settings, language, theme | Yes (non-essential) |
| Analytics | Measuring usage patterns (e.g., Matomo, Plausible) | Yes (non-essential) |
| Marketing | Advertising targeting, remarketing | Yes (if used) |
6.2 Managing Cookies
You can control cookies through your browser settings or our cookie consent mechanism. Disabling strictly necessary cookies will impair Service functionality. We use privacy-respecting analytics where possible (e.g., server-side or cookieless analytics).
6.3 Global Privacy Control (GPC)
We respect the Global Privacy Control (GPC) browser signal as an opt-out of sale/sharing of personal information for users in jurisdictions where this is required (including California under CPRA, and applicable US state laws).
7. How We Use Your Information
We use personal data to:
- Provide, operate, maintain, and improve the Services
- Process transactions and send related confirmations
- Respond to inquiries and provide customer and technical support
- Send transactional communications (receipts, security alerts, service updates)
- Send marketing communications where you have opted in (you may opt out at any time)
- Conduct analytics to understand how the Services are used and to improve them
- Detect, investigate, and prevent fraudulent, abusive, or illegal activity
- Comply with legal obligations and enforce our agreements
- Protect the rights, property, and safety of our users and the public
We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes.
8. Data Sharing
We share personal data only in the following circumstances:
| Recipient | Purpose | Safeguards |
|---|---|---|
| AI Providers (Anthropic, OpenAI, etc.) | Processing your inputs to deliver AI outputs | Data processing agreements; ZDR/opt-out configured |
| Payment processors (Stripe) | Processing transactions | PCI-DSS compliant; separate controller for payment data |
| Hosting and infrastructure (Cloudflare, Supabase) | Hosting the Services and database | Data processing agreements; EU-US data transfer safeguards |
| Analytics providers (Matomo, Plausible) | Aggregate usage analytics | Privacy-respecting configuration; minimal data collection |
| Email delivery providers | Sending transactional and marketing emails | Data processing agreements |
| Law enforcement / courts | When required by valid legal process | Minimum necessary disclosure; notice where legally permitted |
| Successor entity | In connection with a merger or acquisition | User notice provided; same privacy commitments |
9. International Data Transfers
We are based in the United States. If you are located in the EEA or UK, your personal data is transferred to and processed in the US, which may not provide the same level of data protection as your home jurisdiction.
For transfers from the EEA/UK, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs with our data processors where applicable.
- Adequacy decisions: Where the European Commission has issued an adequacy decision for the destination country, we rely on that decision.
- Binding Corporate Rules or other mechanisms: Where applicable to specific providers.
10. Your Privacy Rights
10.1 Rights for All Users
You may request at any time:
- Access: A copy of the personal data we hold about you
- Correction: Correction of inaccurate or incomplete data
- Deletion: Deletion of your personal data, subject to legal retention obligations
- Portability: Your data in a structured, machine-readable format
10.2 Additional Rights for EEA / UK Residents (GDPR)
- Restriction of processing: Request that we limit how we use your data in certain circumstances
- Objection: Object to processing based on legitimate interests (we will cease unless we demonstrate compelling legitimate grounds)
- Objection to direct marketing: Object at any time to processing for direct marketing — we will stop immediately
- Rights related to automated decision-making: Request human review of any automated decision, express your view, and contest the decision (GDPR Article 22)
- Withdraw consent: Withdraw consent at any time where processing is consent-based (withdrawal does not affect prior lawful processing)
- Lodge a complaint: File a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.
10.3 California Residents (CCPA / CPRA)
- Right to Know: The categories and specific pieces of personal information we collect, use, disclose, and sell (we do not sell)
- Right to Delete: Request deletion of your personal information (subject to exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. You may signal opt-out via the GPC browser signal.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those necessary to provide the Services
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights
- Automated Decision-Making Opt-Out: Where applicable under 2026 CCPA regulations, you may opt out of ADMT used for significant decisions
10.4 How to Exercise Your Rights
Submit privacy requests via the Contact link in the footer. We will respond within 30 days (or 45 days for complex requests, with notice). We may verify your identity before fulfilling requests. Requests are free, though we may charge a reasonable fee for manifestly unfounded or excessive requests.
11. Data Retention
We retain personal data for as long as necessary for the purposes described in this Policy, subject to the following guidelines:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 2 years after closure |
| Transaction and billing records | 7 years (tax and legal compliance) |
| AI input/output logs | 90 days (operational logs); deleted on account closure unless required by law |
| Analytics data | Up to 26 months (aggregate); individual data deleted after 13 months |
| Communications (support) | 3 years |
| Legal hold data | Duration of legal proceeding + applicable statute of limitations |
When retention periods expire, data is securely deleted or anonymized. You may request earlier deletion subject to legal retention requirements.
12. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Access controls and principle of least privilege
- Regular security assessments
- Incident response procedures
No method of internet transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and, where required, relevant supervisory authorities within the legally required timeframes.
13. Children's Privacy
Our Services are not directed to children under 13 in the United States (or under 16 in the EEA/UK). We do not knowingly collect personal data from children below these ages. If you believe a child has provided us with personal data, contact us immediately and we will delete it promptly.
14. Changes to This Policy
We will notify you of material changes to this Privacy Policy by email or prominent notice within the Services at least 30 days before the changes take effect. Non-material changes (e.g., clarifications, formatting) may be made without advance notice. The "Effective Date" and "Last Updated" date at the top reflect the most recent revision. Continued use of the Services after the effective date constitutes acceptance.
15. Contact and Complaints
For privacy questions, data subject requests, or concerns:
Elysium Spark LLC d.b.a. Revolution Labs Email: Click 'Contact' in the footer Phone: (504) 556-2094 3014 Dauphine St., STE 100 #90883 New Orleans, LA 70117
We aim to respond to all requests within 30 days. If you are unsatisfied with our response, you have the right to escalate to your local data protection authority.