01 Who We Are
Upstream AI ("Upstream," "we," "us," or "our") is a Colorado-based technology company building predictive intelligence and data trust tools for small water and wastewater utilities. Our website is located at getupstream.ai, and our principal place of business is in Glenwood Springs, Colorado.
For the purposes of the Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq., Upstream AI acts as a controller of the personal data we collect through our website and marketing activities.
02 Scope of This Policy
This Privacy Policy applies to personal data collected through:
- Our website at getupstream.ai and associated subdomains
- Our product-market fit survey at upstream-survey.netlify.app
- Contact forms, early access requests, and email communications
- Conference interactions and lead capture activities
This policy does not cover operational SCADA or sensor data processed by the Upstream AI platform on behalf of utility customers. That data is governed by separate customer agreements and our Security page.
03 Data We Collect
Information you provide directly
| Category | Examples | Source |
|---|---|---|
| Contact information | Name, email, phone number | Forms, email, conferences |
| Professional information | Job title/role, utility name, plant capacity | Early access form, survey |
| Survey responses | Operational challenges, tool preferences, role-based feedback | Product-market fit survey |
| Communications | Message content, feedback, questions | Contact form, email |
Information collected automatically
| Category | Examples | Purpose |
|---|---|---|
| Device & browser data | Browser type, operating system, screen resolution | Site functionality & analytics |
| Usage data | Pages visited, time on page, click interactions, referral source | Product & UX improvement |
| Approximate location | Country, state, city (derived from IP) | Regional analytics |
What we do not collect
We do not collect sensitive personal data as defined by the CPA (racial or ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship status, genetic or biometric data). We do not collect financial information, government IDs, or precise geolocation.
04 How We Use Your Data
We process your personal data for the following purposes:
- Respond to your inquiries — replying to contact form submissions, early access requests, and survey participation
- Improve our website and product — understanding how visitors interact with our site and identifying the features and messaging that resonate with utility operators
- Communicate with you — sending follow-up emails about early access, pilot opportunities, or product updates you've expressed interest in
- Conduct product-market research — analyzing survey responses to shape our product roadmap around real operator needs
- Ensure security — protecting against spam, abuse, and unauthorized access to our site
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
05 Legal Basis for Processing
Under the CPA, we process personal data based on the following lawful grounds:
- Consent — when you voluntarily submit a form, complete our survey, or sign up for communications
- Legitimate interest — to improve our website, understand our audience, and develop our product, where such interests are not overridden by your data protection rights
- Contractual necessity — to fulfill early access or pilot program commitments
06 Analytics & Tracking
We use PostHog as our web and product analytics platform. PostHog helps us understand how visitors use our website so we can improve the experience for utility operators and stakeholders.
What PostHog collects
- Page views, click events, and session duration
- Referral source (how you found our site)
- Device type, browser, and screen size
- Approximate geographic location (country/state level, derived from IP)
- Interaction events we've defined (e.g., form submissions, CTA clicks, persona segment selections)
What PostHog does not collect
- Keystrokes, form field contents, or passwords
- Personal identifiers like your name or email (unless submitted through a form event)
- Cross-site tracking or third-party advertising data
Our analytics philosophy
We chose PostHog specifically because it allows us to do web analytics and product analytics without relying on third-party advertising networks. We do not run ads, we do not sell your data, and we do not build advertising profiles. Our analytics exist solely to build a better product for small utility teams.
How to opt out of analytics
You can opt out of PostHog analytics tracking by:
- Enabling the Global Privacy Control (GPC) signal in your browser — we honor this as a universal opt-out mechanism as required by the CPA
- Using a browser extension that blocks analytics scripts (e.g., uBlock Origin, Privacy Badger)
- Contacting us at privacy@getupstream.ai to request opt-out
07 Cookies & Similar Technologies
We use a minimal set of cookies and local storage mechanisms:
| Cookie / Technology | Type | Purpose | Duration |
|---|---|---|---|
| PostHog analytics | First-party | Anonymous session identification for usage analytics | Session / 1 year |
| Formspree | Third-party | Form submission processing and spam prevention | Session |
We do not use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies.
08 Third-Party Service Providers
We use a limited number of third-party processors to operate our website and manage leads. Each is contractually obligated to handle your data in accordance with this policy.
| Provider | Purpose | Data Processed |
|---|---|---|
| PostHog | Web & product analytics | Usage events, device info, approximate location |
| Formspree | Form submission routing | Name, email, message content |
| Zapier | Workflow automation (form → CRM) | Form submission data |
| Airtable | Lead CRM & survey response database | Contact info, role, survey responses |
| Netlify | Survey page hosting | Standard web server logs |
| GitHub Pages | Website hosting | Standard web server logs |
| Cloudflare | CDN, DNS, and DDoS protection | IP address, request metadata |
We review our service providers periodically and will update this list as our stack evolves. We do not share your data with any providers for advertising or marketing purposes unrelated to our direct communications with you.
09 Data Sharing & Sales
We do not sell your personal data
Upstream AI does not sell, rent, lease, or trade your personal data to any third party for monetary or other valuable consideration. We never have and never will. We also do not share personal data for third-party targeted advertising purposes.
We may disclose personal data in the following limited circumstances:
- Service providers — as described in Section 08, strictly for operating our website and managing communications
- Legal obligation — if required by law, subpoena, or court order
- Safety — to protect the rights, safety, or property of Upstream AI, our users, or the public
- Business transfer — in the event of a merger, acquisition, or sale of assets, with advance notice provided to affected individuals
10 Your Rights Under the Colorado Privacy Act
If you are a Colorado resident, the CPA grants you the following rights with respect to your personal data:
Right to Know & Access
Confirm whether we are processing your personal data and access the data we hold about you.
Right to Correct
Request correction of inaccurate personal data we hold about you.
Right to Delete
Request deletion of your personal data from our systems and third-party processors.
Right to Portability
Obtain a copy of your personal data in a commonly used, machine-readable format.
Right to Opt Out
Opt out of the sale of personal data, targeted advertising, or certain profiling activities.
Right to Non-Discrimination
Exercise your rights without receiving discriminatory treatment from us.
How to exercise your rights
To submit a data rights request, contact us at privacy@getupstream.ai. We will verify your identity and respond within 45 days. If we need additional time, we will notify you of the extension (up to 45 additional days) and the reason.
Right to appeal
If we decline your request, you have the right to appeal. Submit your appeal to privacy@getupstream.ai with "Privacy Appeal" in the subject line. We will respond within 45 days. If your appeal is denied, you may contact the Colorado Attorney General at coag.gov.
11 Universal Opt-Out Mechanisms
In accordance with the CPA (C.R.S. § 6-1-1306(1)(a)(IV)), we honor the Global Privacy Control (GPC) as a valid universal opt-out mechanism. When we detect a GPC signal from your browser, we will treat it as a request to opt out of:
- The sale of personal data (though we do not sell data)
- Processing of personal data for targeted advertising
You can enable GPC in browsers such as Firefox, Brave, and DuckDuckGo, or via browser extensions like Privacy Badger. Learn more at globalprivacycontrol.org.
12 Data Security
We implement reasonable administrative, technical, and physical safeguards to protect your personal data, including:
- TLS encryption for all data in transit across our website
- Access controls limiting who within our organization can view personal data
- Secure, reputable third-party processors with their own security certifications
- Regular review of our data handling practices
For details on how we protect operational SCADA data within our product, see our Security page.
13 Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
- Contact & lead data: retained for the duration of our business relationship and up to 24 months after last contact, unless you request earlier deletion
- Survey responses: retained for product research purposes, anonymized after 24 months
- Analytics data: aggregated and anonymized in accordance with PostHog retention settings, typically within 12 months
- Server logs: retained by hosting providers per their standard retention policies (typically 30–90 days)
You may request deletion of your data at any time by contacting privacy@getupstream.ai.
14 Children's Privacy
Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a child, we will promptly delete it. If you believe a minor has provided us with personal data, please contact us at privacy@getupstream.ai.
15 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website.
We encourage you to review this policy periodically.
16 Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your personal data, please reach out:
For complaints that we are unable to resolve, Colorado residents may contact the Colorado Attorney General's Office.