Apply

Privacy Policy

Effective Date: July 1, 2026

This Privacy Policy describes how Elysium Spark LLC (d.b.a. Revolution Labs) ("we," "us," or "our") collects, uses, shares, and protects personal information when you use UpriseOS (upriseos.com) and related services (the "Services"). We are committed to transparency and to your rights under applicable privacy law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended (CCPA/CPRA), and other applicable data protection laws.

1. Data Controller

Elysium Spark LLC (d.b.a. Revolution Labs) is the data controller for personal data processed in connection with the Services. For contact details and data subject requests, see Section 15.

We have not appointed a formal Data Protection Officer (DPO) as we do not engage in large-scale systematic processing of sensitive personal data as a core activity. For all data protection inquiries, use the contact information in Section 15.

2. Services Covered

This Privacy Policy applies to all services provided at upriseos.com.

3. Personal Data We Collect

3.1 Data You Provide Directly

CategoryExamplesPurpose
Identity dataName, usernameAccount creation, personalization
Contact dataEmail address, phoneAccount management, communications
Account credentialsPassword (hashed), security settingsAuthentication
Payment dataBilling name, address, last 4 digits of cardPayment processing (via Stripe; full card data never stored by us)
Content and inputsText, files, prompts you submitDelivering AI-powered Services
CommunicationsSupport messages, survey responsesCustomer service, product improvement

3.2 Data Collected Automatically

CategoryExamplesPurpose
Usage dataPages visited, features used, session duration, click eventsService improvement, analytics
Technical dataIP address, browser type, OS, device identifiersSecurity, fraud prevention, compatibility
Log dataServer logs, error reports, timestampsDebugging, security monitoring
CookiesSession tokens, preference identifiersAuthentication, user experience

3.3 Data from Third Parties

We may receive limited data from payment processors (transaction confirmations), analytics providers (aggregated usage statistics), and any third-party services you choose to connect, subject to their respective privacy policies.

4. Legal Basis for Processing (GDPR)

For users in the EEA and UK, we process personal data on the following legal bases under GDPR Article 6:

Processing ActivityLegal Basis
Providing the Services you contracted forPerformance of a contract (Art. 6(1)(b))
Processing paymentsPerformance of a contract (Art. 6(1)(b))
Sending transactional communications (receipts, security alerts)Performance of a contract (Art. 6(1)(b))
Fraud prevention and security monitoringLegitimate interests (Art. 6(1)(f))
Improving and developing the ServicesLegitimate interests (Art. 6(1)(f))
Marketing communications (where opted in)Consent (Art. 6(1)(a))
Complying with legal obligationsLegal obligation (Art. 6(1)(c))
Analytics via cookies (non-essential)Consent (Art. 6(1)(a))

Where we rely on legitimate interests, you have the right to object (see Section 10).

5. AI Processing and Automated Systems

5.1 How We Use AI

Our Services use third-party AI models (including from Anthropic, OpenAI, Google, and others) to process your inputs and generate outputs. This processing constitutes automated processing of personal data to the extent your inputs contain personal information.

5.2 No AI Training on Your Data

We configure AI providers to opt out of using your inputs or outputs for model training where that option is contractually available. Where providers offer Zero Data Retention (ZDR) or equivalent data processing terms, we enable them. Your data is processed by AI systems only to provide the Services to you.

5.3 Automated Decision-Making

We do not make solely automated decisions that produce legal effects or significantly affect you without human oversight. AI outputs generated by our Services are decision-support tools and always require your review and judgment before application. If a future feature involves consequential automated decisions, we will provide specific notice and, where required by GDPR Article 22 or applicable law, obtain your explicit consent and provide a mechanism to request human review.

5.4 CCPA Automated Decision-Making (Effective January 1, 2026)

Under CCPA regulations effective January 1, 2026, if we use Automated Decision-Making Technology (ADMT) to make "significant decisions" about you, we will provide pre-use notice and offer an opt-out mechanism. Currently, our AI tools are used as productivity aids and do not make significant decisions about consumers within the meaning of these regulations.

5.5 EU AI Act Transparency

We do not operate AI systems classified as "high-risk" under the EU AI Act. Our AI-powered Services are general-purpose productivity tools. We disclose AI involvement in our service descriptions and do not engage in AI practices prohibited under the EU AI Act (including social scoring, subliminal manipulation, or real-time biometric surveillance).

5.6 Third-Party AI Provider Policies

When your inputs are processed by third-party AI providers, those providers act as our data processors (under applicable data protection law) or as independent controllers for certain limited purposes under their own terms. We maintain data processing agreements with our primary AI providers. For details on how specific providers handle data, refer to their privacy policies:

  • Anthropic: anthropic.com/privacy
  • OpenAI: openai.com/policies/privacy-policy
  • Google: policies.google.com/privacy

6. Cookies and Tracking

6.1 Cookie Categories

CategoryPurposeConsent Required
Strictly necessaryAuthentication, session management, securityNo (essential to Service)
Functional / preferencesRemembering settings, language, themeYes (non-essential)
AnalyticsMeasuring usage patterns (e.g., Matomo, Plausible)Yes (non-essential)
MarketingAdvertising targeting, remarketingYes (if used)

6.2 Managing Cookies

You can control cookies through your browser settings or our cookie consent mechanism. Disabling strictly necessary cookies will impair Service functionality. We use privacy-respecting analytics where possible (e.g., server-side or cookieless analytics).

6.3 Global Privacy Control (GPC)

We respect the Global Privacy Control (GPC) browser signal as an opt-out of sale/sharing of personal information for users in jurisdictions where this is required (including California under CPRA, and applicable US state laws).

7. How We Use Your Information

We use personal data to:

  • Provide, operate, maintain, and improve the Services
  • Process transactions and send related confirmations
  • Respond to inquiries and provide customer and technical support
  • Send transactional communications (receipts, security alerts, service updates)
  • Send marketing communications where you have opted in (you may opt out at any time)
  • Conduct analytics to understand how the Services are used and to improve them
  • Detect, investigate, and prevent fraudulent, abusive, or illegal activity
  • Comply with legal obligations and enforce our agreements
  • Protect the rights, property, and safety of our users and the public

We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes.

8. Data Sharing

We share personal data only in the following circumstances:

RecipientPurposeSafeguards
AI Providers (Anthropic, OpenAI, etc.)Processing your inputs to deliver AI outputsData processing agreements; ZDR/opt-out configured
Payment processors (Stripe)Processing transactionsPCI-DSS compliant; separate controller for payment data
Hosting and infrastructure (Cloudflare, Supabase)Hosting the Services and databaseData processing agreements; EU-US data transfer safeguards
Analytics providers (Matomo, Plausible)Aggregate usage analyticsPrivacy-respecting configuration; minimal data collection
Email delivery providersSending transactional and marketing emailsData processing agreements
Law enforcement / courtsWhen required by valid legal processMinimum necessary disclosure; notice where legally permitted
Successor entityIn connection with a merger or acquisitionUser notice provided; same privacy commitments

9. International Data Transfers

We are based in the United States. If you are located in the EEA or UK, your personal data is transferred to and processed in the US, which may not provide the same level of data protection as your home jurisdiction.

For transfers from the EEA/UK, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs with our data processors where applicable.
  • Adequacy decisions: Where the European Commission has issued an adequacy decision for the destination country, we rely on that decision.
  • Binding Corporate Rules or other mechanisms: Where applicable to specific providers.

10. Your Privacy Rights

10.1 Rights for All Users

You may request at any time:

  • Access: A copy of the personal data we hold about you
  • Correction: Correction of inaccurate or incomplete data
  • Deletion: Deletion of your personal data, subject to legal retention obligations
  • Portability: Your data in a structured, machine-readable format

10.2 Additional Rights for EEA / UK Residents (GDPR)

  • Restriction of processing: Request that we limit how we use your data in certain circumstances
  • Objection: Object to processing based on legitimate interests (we will cease unless we demonstrate compelling legitimate grounds)
  • Objection to direct marketing: Object at any time to processing for direct marketing — we will stop immediately
  • Rights related to automated decision-making: Request human review of any automated decision, express your view, and contest the decision (GDPR Article 22)
  • Withdraw consent: Withdraw consent at any time where processing is consent-based (withdrawal does not affect prior lawful processing)
  • Lodge a complaint: File a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.

10.3 California Residents (CCPA / CPRA)

  • Right to Know: The categories and specific pieces of personal information we collect, use, disclose, and sell (we do not sell)
  • Right to Delete: Request deletion of your personal information (subject to exceptions)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. You may signal opt-out via the GPC browser signal.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those necessary to provide the Services
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights
  • Automated Decision-Making Opt-Out: Where applicable under 2026 CCPA regulations, you may opt out of ADMT used for significant decisions

10.4 How to Exercise Your Rights

Submit privacy requests via the Contact link in the footer. We will respond within 30 days (or 45 days for complex requests, with notice). We may verify your identity before fulfilling requests. Requests are free, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

11. Data Retention

We retain personal data for as long as necessary for the purposes described in this Policy, subject to the following guidelines:

Data CategoryRetention Period
Account dataDuration of account + 2 years after closure
Transaction and billing records7 years (tax and legal compliance)
AI input/output logs90 days (operational logs); deleted on account closure unless required by law
Analytics dataUp to 26 months (aggregate); individual data deleted after 13 months
Communications (support)3 years
Legal hold dataDuration of legal proceeding + applicable statute of limitations

When retention periods expire, data is securely deleted or anonymized. You may request earlier deletion subject to legal retention requirements.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Access controls and principle of least privilege
  • Regular security assessments
  • Incident response procedures

No method of internet transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and, where required, relevant supervisory authorities within the legally required timeframes.

13. Children's Privacy

Our Services are not directed to children under 13 in the United States (or under 16 in the EEA/UK). We do not knowingly collect personal data from children below these ages. If you believe a child has provided us with personal data, contact us immediately and we will delete it promptly.

14. Changes to This Policy

We will notify you of material changes to this Privacy Policy by email or prominent notice within the Services at least 30 days before the changes take effect. Non-material changes (e.g., clarifications, formatting) may be made without advance notice. The "Effective Date" and "Last Updated" date at the top reflect the most recent revision. Continued use of the Services after the effective date constitutes acceptance.

15. Contact and Complaints

For privacy questions, data subject requests, or concerns:

Elysium Spark LLC d.b.a. Revolution Labs Email: Click 'Contact' in the footer Phone: (504) 556-2094 3014 Dauphine St., STE 100 #90883 New Orleans, LA 70117

We aim to respond to all requests within 30 days. If you are unsatisfied with our response, you have the right to escalate to your local data protection authority.

TermsPrivacyROIBeta Login

© 2026 UpriseOS. All rights reserved.