What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages GDPR for EU/EEA users, UK GDPR for UK users, and CCPA/CPRA for California residents. Upwork identifies Standard Contractual Clauses as its mechanism for international data transfers from the EU/EEA. The FTC has jurisdiction over Upwork's data practices under Section 5 of the FTC Act regarding unfair or deceptive practices. The ePrivacy Directive is implicated by the policy's use of cookies and behavioral advertising technologies. Compliance teams should…

How does Upwork's Upwork Privacy Policy affect users?

The policy establishes that work history, feedback, profile information, and communications are visible to other platform participants as part of normal platform operation. Upwork implements behavioral advertising cookies that track activity across external websites, with users able to adjust cookie preferences through privacy settings. Data access, deletion, and correction requests are processed through Upwork's privacy settings interface or by contacting privacy@upwork.com.

How often is Upwork's Upwork Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Upwork updates this document?

Yes. Watcher subscribers ($9.99/month) can add Upwork to their watchlist and receive same-day email alerts whenever this document or any other Upwork document changes.

CA-D-000142

Upwork Privacy Policy

Upwork

Last change detected May 1, 2026 Privacy policy

SHA-256: e1123dbf9ceb71e5f5a… 2 versions captured 2 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Upwork ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

1 High severity

6 Medium severity

1 Low severity

Summary

This Privacy Policy establishes Upwork's data collection, use, and sharing practices for personal information including names, payment details, work history, platform communications, and browsing activity. The policy authorizes disclosure of profile data, communications metadata, and usage information to clients, freelancers, advertising partners, and third-party service providers, with retention continuing after account closure. Users in California and the EU are provided specific mechanisms to access, delete, or correct personal data through privacy settings or direct request to the privacy team.

Technical / Legal Breakdown

This document is Upwork's Privacy Policy, governing the collection, use, storage, and disclosure of personal data by Upwork Global Inc. and its affiliates in connection with the Upwork freelance marketplace platform, with its stated legal basis grounded in contractual necessity, legitimate interests, and user consent depending on the processing activity and applicable jurisdiction. The policy states that Upwork collects a broad range of personal data including identity information, payment and financial data, communications between users on the platform, usage data, device identifiers, and profile information, and the terms authorize sharing this data with clients, freelancers, third-party service providers, advertising partners, and in connection with business transactions such as mergers or acquisitions. Notably, the policy asserts broad rights to use user-generated content and profile data for platform operations and marketing, and it authorizes the use of cookies and tracking technologies for behavioral advertising purposes, which may require evaluation under GDPR consent requirements and the ePrivacy Directive for EU/EEA users. The policy engages GDPR for EU/EEA data subjects, CCPA and CPRA for California residents, and UK GDPR post-Brexit, with Upwork asserting Standard Contractual Clauses as the transfer mechanism for international data flows; compliance teams should note that the policy addresses user rights including access, deletion, correction, and portability, but the operationalization of these rights and the lawfulness of behavioral advertising consent mechanisms warrant jurisdiction-specific review.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

2 important changes detected

2 versions captured · Last updated: May 2026

May 1, 2026

high

What changed Upwork removed detailed language about its compliance with the U.S. Data Privacy Framework (a legal mechanism for transferring personal data from Europe and Switzerland to the U.S.) but kept a single sentence stating you can request copies of data transfer documents. This means the policy no longer explicitly commits to Data Privacy Framework protections or acknowledges regulatory oversight, which may create uncertainty about how your data is legally protected if you are in the EU, UK, or Switzerland.

Why this matters Upwork's privacy policy previously disclosed that it complied with the U.S. Data Privacy Framework and certified adherence to its Principles regarding how it processes personal data from EU, UK, and Swiss residents. The updated policy removes nearly all of this language, including the explicit commitment to Data Privacy Framework Principles and the statement that those Principles would govern in case of conflict with other policy terms. Users in the EU, UK, and Switzerland no longer have a clear, policy-level statement of the legal framework protecting their data when transferred to the U.S., which may reduce transparency about data protection safeguards. You may contact Upwork to request copies of the data transfer mechanism documents it uses.

View full change record →

April 19, 2026

medium

What changed Upwork's privacy policy now includes explicit language describing compliance with the U.S. Data Privacy Framework (DPF) for EU, UK, and Swiss residents' data. Previously, the policy stated only that users could request copies of data transfer mechanism documents. The updated policy adds a dedicated Data Privacy Framework section confirming Upwork's certification under the DPF frameworks and stating that if any conflict exists between the privacy policy and DPF principles, the DPF principles will govern.

Why this matters The updated policy now explicitly states that Upwork complies with the U.S. Data Privacy Framework and has certified to the U.S. Department of Commerce that it adheres to DPF principles when processing personal data from EU, UK, and Swiss residents. The policy establishes that if any conflict exists between Upwork's privacy policy and DPF principles, the DPF principles will govern. This creates an explicit legal hierarchy for data protection standards applicable to residents of those jurisdictions. Users from affected regions can visit https://www.dataprivacyframework.gov/ to view Upwork's certification and learn more about the DPF program.

View full change record →

High — 1 provision

Third-Party Data Sharing for Advertising Compare →

Upwork shares your personal information with outside companies that help run its business, including advertisers and analytics providers, and may share aggregated data that is not directly tied to your identity.

Added May 10, 2026 Standard Seen across 246 platforms

Medium — 6 provisions

Personal Data Collection Scope Compare →

Upwork collects a wide range of personal information when you sign up and use the platform, including your name, contact details, payment card information, and anything else you choose to share in your profile.

Added May 10, 2026 Standard Seen across 251 platforms
Platform Communications Access Compare →

Upwork may read or analyze messages you send through the platform for purposes including fraud prevention, safety, and improving its services.

Added May 10, 2026 Standard Seen across 178 platforms
International Data Transfers via Standard Contractual Clauses Compare →

Upwork transfers personal data from Europe to other countries, including the US, and uses Standard Contractual Clauses as the legal mechanism to make those transfers lawful.

Added May 10, 2026 Standard Seen across 246 platforms
User Rights and Data Subject Requests

Depending on where you live, you may have rights to see, correct, delete, or move your personal data, and you can make these requests by emailing Upwork at privacy@upwork.com.

Added May 10, 2026 Rare
Cookies and Tracking Technologies Compare →

Upwork and its advertising partners use cookies and similar trackers to monitor how you use the platform and across the web, including for targeted advertising.

Added May 10, 2026 Standard Seen across 251 platforms
Data Retention After Account Closure Compare →

Closing your Upwork account does not mean all your data is immediately deleted. Upwork may keep some of your information for legal compliance or business reasons after you close your account.

Added May 10, 2026 Standard Seen across 223 platforms

Low — 1 provision

Children's Data and Age Restriction Compare →

Upwork's platform is for adults only and the company states it does not knowingly collect data from anyone under 18. If a child's data is found, Upwork says it will delete it.

Added May 10, 2026 Standard Seen across 262 platforms

Monitoring

Upwork has updated this document before.

Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

Professional Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Professional free trial

Cross-platform context

See how other platforms handle Identity Verification and Sensitive Document Collection and similar clauses.

Compare across platforms →