Privacy Policy

Our commitment to protecting your privacy and ensuring compliance with global data protection regulations.

GDPR Privacy Policy

1. Controller

Uplift Technologies
571 East Ave, Gulberg Residencia, Islamabad
Data Protection Officer: legal@uplift-technologies.com

2. Scope

Applies to all personal data processed via uplift-technologies.com and related services.

3. Data Categories

  • Identifiers: name, email, phone, company.
  • Device & Usage: IP, cookies, browser, OS, timestamps, referrers, page interactions.
  • Transactional: invoices, contracts, support tickets, audit logs.
  • Special categories: none intentionally collected.

4. Purposes & Legal Bases

| Purpose | Legal Basis (Art. 6) | Details |
|---|---|---|
| Service provision, account setup | 1(b) contract | Authentication, user management, invoicing |
| Support, incident response | 1(b) contract | Ticket tracking, troubleshooting |
| Marketing communications | 1(a) consent | Opt-in newsletters, product updates |
| Analytics, UX optimisation | 1(f) legitimate interest | Pseudonymised statistics, conversion metrics |
| Security, fraud prevention | 1(f) legitimate interest | Access logs, anomaly detection |
| Compliance, tax, audit | 1(c) legal obligation | Statutory record-keeping |

5. Data Retention

  • Authentication logs: 12 months.
  • Financial records: 5 years from fiscal year-end.
  • Marketing lists: until consent withdrawn.
  • Support data: 3 years after resolution.

Data are deleted or irreversibly anonymised on expiry.

6. Recipients

  • Hosting, CDN, email, CRM, payment, analytics providers under GDPR-compliant DPAs.
  • Courts, regulators, law-enforcement if legally compelled.

No sale or rental of data.

7. International Transfers

Data stored in EU datacentres or transferred under Standard Contractual Clauses / adequacy decisions.

8. Data Subject Rights

Access, rectification, erasure, restriction, portability, objection, and consent withdrawal. Exercise via legal@uplift-technologies.com. Response within 30 days.

9. Security

TLS 1.3, AES-256 at rest, MFA for admin, role-based access, least privilege, network segmentation, quarterly penetration tests.

10. Changes

Policy version and date posted on this page; continued use constitutes acceptance.


HIPAA Compliance Policy

1. Covered Entity

Uplift Technologies
30 N Gould St, Sheridan, WY 82801, USA
Privacy & Security Officer: legal@uplift-technologies.com

2. PHI Definition

Any individually identifiable health information received, stored, or transmitted in electronic, paper, or verbal form.

3. Administrative Safeguards

  • Annual risk analysis and mitigation plan.
  • Workforce HIPAA training on hire and yearly thereafter.
  • Role-based access assignments; sanction policy for violations.
  • Business Associate Agreements (BAAs) with all vendors handling PHI.
  • Disaster-recovery and emergency-mode operation plan tested semi-annually.

4. Physical Safeguards

  • Tier III datacentres with biometric access control and 24/7 surveillance.
  • Device encryption, locked cabinets for paper media, secure disposal (NAID-certified shredding).
  • Facility security plan reviewed yearly.

5. Technical Safeguards

  • Unique user IDs, automatic logoff, password rotation, MFA.
  • AES-256 encryption at rest; TLS 1.2+ in transit.
  • Audit logs retained 6 years; real-time intrusion detection.
  • Integrity checksums on stored PHI.
  • Emergency access procedures with break-glass accounts.

6. Minimum Necessary Standard

Access to PHI limited to workforce members needing it for job duties; periodic audits verify compliance.

7. Breach Notification

  • Discovery triggers internal incident response within 24 h.
  • Notification to affected individuals and HHS within 60 days (≤ 500) or without unreasonable delay (> 500).
  • Annual breach log of incidents < 500 individuals submitted to HHS.

8. Documentation & Review

All policies, training records, risk assessments retained 6 years from date of creation or last effective date and reviewed annually.


PIPEDA Compliance Policy

1. Organization

Uplift Technologies
571 East Ave, Gulberg Residencia, Islamabad
Privacy Officer: legal@uplift-technologies.com

2. Application

Covers collection, use, disclosure, and storage of personal information about Canadian individuals, whether processed directly or through service providers.

3. Ten Fair Information Principles

  1. Accountability – Privacy Officer oversees compliance; contracts impose equivalent obligations on third parties.
  2. Identifying Purposes – Purposes stated at or before collection; documented in data inventory.
  3. Consent – Express or implied depending on sensitivity and context; records of consent maintained.
  4. Limiting Collection – Gather only information necessary to fulfil stated purposes.
  5. Limiting Use, Disclosure & Retention – Secondary use requires fresh consent; retention schedules mirror GDPR periods above.
  6. Accuracy – Data verified on input and periodically reviewed for currency.
  7. Safeguards – Encryption, access controls, staff confidentiality agreements, vendor due diligence.
  8. Openness – Privacy practices published on website; updated policy history retained.
  9. Individual Access – Written requests answered within 30 days; corrections made promptly.
  10. Challenging Compliance – Complaints routed to Privacy Officer; unresolved issues may be escalated to OPC.

4. Cross-Border Processing

Contractual clauses require service providers outside Canada to protect information to PIPEDA standards; individuals informed of foreign storage.

5. Data Breach Response

Breaches posing real risk of significant harm reported to OPC and affected individuals as soon as feasible; log of all breaches retained for 24 months.

6. Policy Review

Annual reassessment or upon legislative change; documented revision history.

Last updated: June 19, 2025