Effective date: 28 May 2026 · Last updated: 30 May 2026
This Privacy Policy explains what personal data UP2U collects from you, why we collect it, who we share it with, how we protect it, and what rights you have over it. It applies to up2uagency.info and to every UP2U sales, training, and placement service delivered from that website, our Instagram accounts (@up2u.go, @up2u.company), WhatsApp, email, our CRM, and our payment pages.
If anything in this policy is unclear, write to us at privacy@up2uagency.info before you submit personal data to us.
The data controller of your personal data is:
If you are in the European Economic Area, the United Kingdom, or Switzerland, this Policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and equivalent data protection laws.
We collect personal data in three ways: (a) you give it to us directly, (b) we receive it automatically when you visit our website or interact with our ads, and (c) we receive it from third parties such as payment processors and social platforms.
Depending on which of our services you engage with — the free content, Tier 1 ("Not Native Still Hired" DIY course, $199), Tier 2 (Review, $349), Tier 3 (Full Mentorship, $750, including the China Program variant), or our TEFL add-on — we collect different categories of data. The table below tracks what we ask for, at what point, and why.
| Category | Examples | When collected |
|---|---|---|
| Identification data | Full name, country of residence, nationality, age range, gender (when relevant for visa/legal eligibility), photograph or video appearance | At enquiry, application, qualification video, course signup, and at payment |
| Contact data | Email address, phone number, Instagram handle, WhatsApp number, Telegram handle | At first contact and throughout the sales conversation |
| Professional and educational data | CV/resume, employment history, academic qualifications (including degree status — relevant to Vietnamese work-permit eligibility), English proficiency level, TEFL/TESOL certifications, prior teaching experience | Tier 2 and Tier 3 onboarding |
| Audio-visual data | Qualification video (typically 3-minute self-recording), pronunciation samples you submit, intro-video drafts and revisions | Tier 2 (one-shot video feedback), Tier 3 (iterative coaching) |
| Immigration and legal documents | Passport scan/details, visa documents, criminal-record (police) check, health-check results, legalised diploma, signed school contract | Tier 3 only, during the 12-step placement procedure |
| Financial data | Payment method type, billing name, billing country, the last four digits of the card or wallet reference, payment timestamps. We do NOT receive or store full card numbers or CVV — those are handled by Stripe and other processors directly. | At checkout and at the second installment of Tier 3 |
| Sales-conversation data | Every message you send us on Instagram DM, WhatsApp, Telegram, email, or the Kommo chat widget, plus internal sales notes and lead tags we create about that conversation | Throughout the funnel and after purchase |
| Marketing-preference data | Whether you have opted in to ad-targeting, newsletters, retargeting | Where applicable |
| Post-arrival support data | Messages and updates inside the dedicated Tier 3 WhatsApp Working Group during the 6 months after you land in Vietnam | Tier 3 post-arrival period |
Some of the above categories — passport scans, photos, video recordings of your face, and (in some places) criminal-record checks — are "special category" or otherwise sensitive personal data. You provide them voluntarily and only because they are necessary to apply for a Vietnamese teaching position and the associated work permit. You can refuse, but we cannot deliver Tier 3 without them.
When you visit up2uagency.info or engage with our ads, we (or our service providers) automatically collect:
Under GDPR we are required to declare a lawful basis for every processing activity. The table below pairs each purpose with its basis.
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Reply to your enquiry, send you a sales conversation, qualify you for a tier | Pre-contractual steps at your request (Art. 6(1)(b)) |
| Deliver Tier 1, Tier 2, Tier 3, the TEFL add-on, and any post-arrival support you bought | Performance of a contract (Art. 6(1)(b)) |
| Process your payment and prevent fraud | Performance of a contract and our legitimate interest in fraud prevention (Art. 6(1)(b) and (f)) |
| Comply with tax, accounting, anti-money-laundering, and other legal duties | Legal obligation (Art. 6(1)(c)) |
| Run our website, secure it, debug it, and keep audit logs | Our legitimate interest in operating the site (Art. 6(1)(f)) |
| Send marketing emails or messages about UP2U services to existing customers about similar services | Our legitimate interest (Art. 6(1)(f)) — you can opt out at any time |
| Run paid advertising and lookalike-audience modelling on Meta, set marketing cookies | Your consent (Art. 6(1)(a)) |
| Use sales-conversation data to improve our sales playbooks and to train internal AI sales-assistance prompts | Our legitimate interest in improving our service (Art. 6(1)(f)). The training data is held internally and is not sold or used to train any third-party model. |
| Process special-category data (passport, photo of face on a passport, criminal-record check, health check) for the visa/work-permit step of Tier 3 | Your explicit consent (Art. 9(2)(a)). You may withdraw consent at any time, but Tier 3 cannot complete without those documents — withdrawal will end the contract. |
We do not sell your personal data. We share it only with the categories of recipient listed below, and only to the extent necessary for the purpose.
UP2U is a Romanian sole-trader business (Persoană Fizică Autorizată). Access to your personal data inside UP2U is limited to the controller identified in Section 1. Any further processing carried out on UP2U's behalf is performed by the external service providers listed in Section 4.2, each of which is bound by its own contractual and statutory data-protection obligations.
Each of these acts on our instructions under a contract (a Data Processing Agreement) that obliges them to protect your data:
Note on TEFL providers. Vietnamese law requires every teacher to hold a legalised 120-hour TEFL/TESOL certificate to obtain a work permit. We do not resell, host, or operate any TEFL course. Where useful, we recommend third-party 120-hour accredited TEFL/TESOL providers. If you choose to enrol with one of them, you transact with that provider directly under their privacy policy and terms; UP2U does not share your personal data with the TEFL provider on your behalf and the provider is not our data processor.
We do not rent, sell, or trade your personal data to advertisers or list brokers.
UP2U is operated from Romania (European Union), delivers a service whose end destination is Vietnam, and uses service providers based in the United States (Stripe, Meta, Anthropic, Google, Vercel), in various EU countries, and in Vietnam. Your personal data will therefore be transferred outside your country of residence.
Where data is transferred outside the EEA/UK to a country that the European Commission has not declared to provide an adequate level of protection, we rely on the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or — for Vietnam-based recipients such as schools and visa agents — your explicit, informed consent to the transfer as necessary to perform our contract with you (GDPR Art. 49(1)(a) and (b)).
You can ask us for a copy of the safeguards in place at privacy@up2uagency.info.
| Data category | Retention period |
|---|---|
| Enquiry / lead data where no purchase occurred | 24 months from last contact, then deleted or anonymised |
| Sales conversations (Instagram DM, WhatsApp, Kommo) for customers | Duration of the customer relationship plus 5 years, then archived in restricted form for limitation-period and tax purposes |
| Tier 1, 2, 3 course-access records | Duration of access plus 3 years |
| Payment / invoicing records | 10 years from the end of the financial year in which they were issued, as required by Romanian Law 82/1991 on accounting (Legea contabilității), art. 25 |
| Passport scans, visa documents, criminal-record checks (Tier 3) | Until 12 months after your Vietnamese work permit and residency are granted, then deleted, unless a longer period is required to defend a legal claim |
| Qualification videos | Until the end of the active sales cycle plus 6 months, then deleted |
| Marketing-cookie data | Per the cookie's own lifetime — see Section 8 |
| Backups and request logs | Vercel retains operational request logs for a short period under its own retention policy (typically 1–7 days depending on plan). Kommo, Google Workspace, and Stripe retain backups under their own privacy policies. We do not maintain an independent backup of personal data beyond what these providers keep. |
When the retention period ends, we delete the data or anonymise it so that it can no longer be linked back to you.
We take the following technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, and loss:
No system is perfectly secure. We do not, and cannot, guarantee absolute security — but we commit to handling your data with the standard of care our profession requires.
Our website uses the following cookies and tracking technologies:
?ref= code), we store that referral code in a first-party cookie named ref (and an equivalent entry in your browser's local storage) for up to 12 months. Its only purpose is to remember which partner introduced you, so that we can credit them correctly if you make a purchase. This information stays on our own systems — it is not shared with Meta, advertisers, or any third party, and it is not used to track you across other websites. If you do not arrive via a referral link, this cookie is never set.facebook.com/tr on each page load, subject to the consent rules described at the end of this Section. See Meta's Cookies Policy: facebook.com/policies/cookies.fonts.googleapis.com / fonts.gstatic.com), interface icons from Icons8 (img.icons8.com), and the Tailwind CSS library from Tailwind's CDN (cdn.tailwindcss.com). Each of these CDNs receives your IP address and the URL of the resource you request — this is technically necessary to deliver the visual layer of the page. They do not set tracking cookies on our pages. Our payment library Stripe.js (js.stripe.com) also loads on every page so that the checkout form is ready when you reach it; Stripe is already named as a data processor in Section 4.2.youtube-nocookie.com privacy-enhanced domain.We do not currently run advertising on Google, TikTok, or any other ad network, and no other advertising pixels are installed.
How we obtain consent (cookie banner): we operate a consent mechanism that applies the rules of the law in force where you are located:
Your choice is stored on your device for up to 6 months, after which we ask again. You can change or withdraw your choice at any time using the button below, which re-opens the consent banner. Withdrawing consent is as easy as giving it (GDPR Art. 7(3)).
You can also, at any time and in any region: block third-party cookies in your browser, use a tracker-blocking extension (e.g. uBlock Origin, Privacy Badger), adjust personalised-ad settings in your Meta account, or write to privacy@up2uagency.info to ask us to suppress retargeting against your identifiers — we will action this within 30 days.
We use AI tools, including Anthropic's Claude and Google's NotebookLM, to help draft replies, summarise long lead conversations, and analyse aggregated sales data. These tools are decision-support for the controller — they do not make binding decisions about you, they do not by themselves decide whether you are accepted into Tier 3, and they do not set your price. A human (the controller identified in Section 1) always reviews and is responsible for any decision that affects you, including Tier 3 acceptance, which is decided personally and never by an automated system.
You have the right to ask for human review of any decision you believe was made about you by automated means alone — write to privacy@up2uagency.info.
If you are in the EEA, UK, or Switzerland — and, by our policy, regardless of where you live — you have the following rights over your personal data:
To exercise any of these rights, write to privacy@up2uagency.info with enough information for us to identify you securely. We will reply within 30 days (extendable by two further months for complex requests, in which case we will tell you why). We will not charge you for the first request; manifestly unfounded or excessive repeated requests may be charged a reasonable fee or refused.
We do not use the California Consumer Privacy Act (CCPA) "sale" mechanism — we do not sell your personal data. California residents nonetheless have rights to access, deletion, correction, and non-discrimination, exercisable via the same contact above.
UP2U's services are not directed at children. We do not knowingly process personal data of anyone under 16 for marketing purposes. Tier 1 (the DIY course) is open to adult learners only; Tier 2 and Tier 3 require legal capacity to sign an international work contract, which in practice means 18+. If we discover we have collected data from a child below the age threshold without verified parental consent, we will delete it.
We will update this Policy when our practices change or when the law requires. The "Last updated" date at the top will always show the current version. Material changes will be announced on up2uagency.info and, where reasonable, by direct message to active customers. Continued use of our services after a material change indicates acceptance.
For any privacy question, request, or complaint: