GDPR commitment

    UpperClass helps institutions run student creator programs. In doing so we handle personal data belonging to student creators, institution staff, recruitment agents, and prospective students. We take that responsibility seriously, and this page explains how we meet our obligations under the EU and UK General Data Protection Regulation (GDPR).

    Our role: controller and processor

    GDPR distinguishes between the party that decides why data is processed (the controller) and the party that processes it on their behalf (the processor). UpperClass acts in both roles, depending on the data:

    UpperClass as processor. When an institution runs a creator program on UpperClass, the institution is the controller of its program data — creator applications, content submissions, bookings, and the prospective-student leads its creators generate. UpperClass processes this data on the institution's instructions under a Data Processing Agreement (DPA). Each institution's data is held in strict isolation from every other institution's.

    UpperClass as controller. For account registration, platform security, billing, service communications, and improving the platform itself, UpperClass is the controller.

    EU and UK institutions can request our DPA, including Standard Contractual Clauses, at privacy@upperclass.app. Our current sub-processors are listed at upperclass.app/subprocessors.

    What we collect

    Institution staff and agents: name, work email, role, and activity within the platform.

    Student creators: profile information you choose to publish (name, program, photos, bio), social account handles you verify, content you submit, your availability and bookings, and your points and redemption history. Gender and year of birth are collected at signup for program administration only and are never displayed publicly. Identity verification documents, where required, are stored securely, access-restricted, and deleted shortly after the verification decision.

    Prospective students: if you contact a creator or submit an inquiry through an institution's page, your contact details and inquiry are shared with that institution — the party responsible for responding to you.

    Visitors: we measure page views and link clicks on our public pages to understand how they perform. This measurement does not use cookies or any identifier stored on your device, and it does not track you across sites.

    Lawful bases

    We rely on contract to provide the platform to registered users; legitimate interests for security, fraud prevention, aggregate page measurement, and service improvement; consent where we ask for it explicitly (for example, connecting a social or Google account via OAuth, session recording, or marketing email); and legal obligation where the law requires retention, such as payment records.

    Your rights

    If you are in the EU or UK — and as a matter of policy, wherever you are — you have the right to:

    • Access the personal data we hold about you, and receive a copy.
    • Rectify inaccurate data. Most profile data can be corrected directly in your account.
    • Erasure. You can request account deletion at any time; deletion is verified by one-time passcode and includes the option to export your data first.
    • Data portability. Our data export delivers your data in a structured, machine-readable format.
    • Restrict or object to processing, including any processing based on legitimate interests or used for direct marketing.
    • Withdraw consent at any time, where consent is the basis — for example, disconnecting a linked social or Google account.
    • Complain to your local data protection authority. We would appreciate the chance to address your concern first, but you can contact your supervisory authority at any time.

    If your data is held by an institution as controller (for example, an inquiry you sent to a university), we will route your request to them and support their response.

    You do not need an account to exercise these rights — our deletion request intake is open to anyone, and access and portability requests can be made by email.

    International transfers

    UpperClass operates globally. Our platform infrastructure is hosted on Supabase (AWS, United States). Where personal data of EU or UK residents is transferred outside those regions, we rely on Standard Contractual Clauses — and the UK Addendum where applicable — with our infrastructure provider and every sub-processor that handles personal data.

    Sub-processors

    We use a small number of vetted providers to deliver the service — cloud hosting, email delivery, payment processing, content moderation, video sessions, and reward fulfillment. The current list, with each provider's role and location, is published at upperclass.app/subprocessors. We notify institution customers at least 30 days before adding or replacing a sub-processor that handles their data, and institutions may object on reasonable grounds.

    Retention

    We keep personal data only as long as needed for the purposes described here or as the controlling institution instructs. Our standard retention periods:

    Data Retained for
    Account and profile data Life of the account, then removed within 30 days of confirmed deletion
    Identity verification documents 30 days after the verification decision, then deleted
    Session recordings and transcripts 90 days; the written session summary is retained with the booking
    Prospective-student inquiries (leads) 24 months from last activity, or as the controlling institution instructs
    Payment and billing records As required by applicable tax and accounting law (typically 7 years)
    Security and audit logs 24 months
    Page-view measurement Aggregated after 90 days; raw events deleted at 13 months
    Deletion registry A minimal record (no profile data) is kept indefinitely so your deletion is honored permanently

    Security

    Access to data is enforced at the database layer with row-level isolation per institution, one defined role per user, and audit logging on sensitive operations. Verification documents and media are stored in institution-isolated storage. Administrative actions on accounts, bans, and deletions are logged.

    Minors

    Creator accounts are open to registered students aged 18 or over; we verify this against the year of birth provided at signup and do not accept creator applications from anyone younger. Institution pages may be visited by prospective students under 18. We collect only what a prospective student chooses to submit in an inquiry, and institutions are responsible for handling those inquiries in line with their own obligations to minors.

    Changes to this page

    We version our legal documents and record acceptance. Material changes will be communicated to institution customers and reflected here with a new effective date.

    Contact

    Questions or requests: privacy@upperclass.app, attention: privacy team. We respond to data subject requests within 30 days.

    Effective date: July 9, 2026