Privacy Policy

This Privacy Policy describes how GALAXZ HOLDINGS INC, doing business as UpGPT (“UpGPT”, “we”, “us”, or “our”) collects, uses, stores, and discloses information when you use our website at upgpt.ai and our AI workforce platform (collectively, the “Service”). By using the Service you agree to this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

• Account information: name, email address, company name, phone number, and password.
• Billing information: payment details processed by Stripe. We never store full credit card numbers on our servers.
• Communications: messages sent through our contact form, booking form, support channels, or email.

1.2 Information Collected Automatically

• Usage data: pages visited, features used, AI agent interactions, scheduling events, and analytics.
• Device & log data: IP address, browser type, operating system, referring URL, and timestamps.
• Cookies: we use essential cookies for authentication and session management only. We do not use third-party tracking cookies.

1.3 Information from Third-Party Services

When you connect a third-party account (e.g., Google, a CRM, or a property management system), we receive only the data necessary to provide the features you request. See Section 5 for specific disclosures regarding Google API data.

2. How We Use Your Information

We use collected information to:

• Provide, operate, maintain, and improve the Service.
• Process transactions and send billing-related notices.
• Respond to your inquiries and provide customer support.
• Send service updates, security alerts, and operational messages.
• Improve our AI models using anonymized, aggregated data only—never identifiable personal data.
• Detect, prevent, and address fraud or security issues.
• Comply with legal obligations.

3. Data Sharing & Disclosure

We do not sell your personal data. We share information only in the following circumstances:

• Service providers: we use sub-processors bound by data processing agreements, including Supabase (database & auth), Stripe (payments), Twilio (SMS/voice), SendGrid (email), Vapi (voice AI), and Anthropic (AI processing). Each receives only the minimum data necessary to perform its function.
• Legal requirements: when required by law, regulation, subpoena, or court order.
• Safety: to protect the rights, property, or safety of UpGPT, our users, or the public.
• Business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, with prior notice to affected users.

4. Data Security

We implement industry-standard security measures including:

• Encryption in transit (TLS 1.3) and at rest (AES-256).
• Row-level security on all database tables.
• Infrastructure hosted on SOC 2-compliant platforms with regular security audits.
• Least-privilege access controls for all personnel.

No method of transmission or storage is 100 % secure. If you become aware of a security vulnerability, please contact security@upgpt.ai immediately.

5. Google API Services — Limited Use Disclosure

UpGPT’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.1 What Google Data We Access

When you connect your Google account, we request access to Google Calendar data through the following OAuth scopes:

• https://www.googleapis.com/auth/calendar — to see, edit, share, and manage calendars you can access (e.g., creating scheduling calendars, managing availability, and coordinating shared team calendars for appointment booking).
• https://www.googleapis.com/auth/calendar.events — to view and edit events on your calendars (e.g., creating meetings booked through our platform, checking availability to prevent double-booking, and sending calendar invitations).

5.2 How We Use Google Calendar Data

We use Google Calendar data exclusively to:

• Check your availability and prevent double-booking when scheduling appointments through UpGPT.
• Create calendar events for meetings, calls, and appointments booked via the Service.
• Display your upcoming schedule within the UpGPT dashboard so you can manage your appointments in one place.
• Send calendar invitations to meeting participants on your behalf.

5.3 Limited Use Compliance

In accordance with Google’s Limited Use requirements, we confirm:

1. We limit our use of Google Calendar data to providing and improving the scheduling features described above.
2. We do not transfer Google Calendar data to third parties except as necessary to provide or improve the scheduling features, as required by law, or as part of a merger/acquisition with prior notice.
3. We do not use Google Calendar data for serving advertisements, including retargeting, personalized, or interest-based advertising.
4. We do not allow humans to read your Google Calendar data unless (a) you provide affirmative consent for a specific message, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized for internal operations.

5.4 Storage & Retention of Google Data

Google Calendar data is cached temporarily in encrypted storage solely to provide real-time scheduling features. We do not permanently store the full contents of your Google Calendar. Cached availability data is automatically purged within 24 hours. When you disconnect your Google account or delete your UpGPT account, all cached Google data is deleted within 48 hours.

5.5 Revoking Google Access

You may revoke UpGPT’s access to your Google account at any time by visiting Google Account Permissions or by disconnecting Google Calendar from your UpGPT dashboard settings. Revocation takes effect immediately and all cached Google data is deleted within 48 hours.

6. Data Retention

• Account data: retained for as long as your account is active plus 30 days after deletion.
• Billing records: retained for 7 years as required by tax and accounting regulations.
• Google Calendar data: cached temporarily; purged within 48 hours of account deletion or access revocation.
• Anonymized analytics: may be retained indefinitely as it cannot be linked to any individual.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access, correct, or delete your personal data.
• Export your data in a machine-readable format (data portability).
• Restrict or object to certain processing activities.
• Opt out of marketing communications at any time.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with a supervisory authority if you believe your rights have been violated.

To exercise any of these rights, contact privacy@upgpt.ai. We will respond within 30 days.

8. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place, including standard contractual clauses where required.

9. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or a prominent notice on the Service at least 30 days before the changes take effect. Your continued use after the effective date constitutes acceptance.

11. Contact Us

If you have questions about this Privacy Policy, please contact:

• Email: privacy@upgpt.ai
• Web: Contact page
• Mail: GALAXZ HOLDINGS INC DBA UpGPT, 30 N Gould Street, STE R, Sheridan, WY 82801