Legal

Privacy Policy

This Privacy Policy describes what personal data Ultron collects, why we collect it, who we share it with, how long we keep it, and what rights you have. We process personal data as a data controller for our own service operations, and as a data processor when you push personal data of third parties through Ultron in the course of your business.

Updated today

Summary

Ultron is built around a small principle: collect the data we need to run the service, hold it only as long as we need to, and let you take it back when you decide to leave. This page explains that principle in detail. The Data Processing Addendum covers our role when you process personal data of your own customers through the platform.

Controller

The data controller for personal data processed in connection with the Ultron service is the team operating Ultron from Bucharest, Romania. The address of record and the data protection contact point are published at privacy@51ultron.com. We have appointed a privacy lead who handles data subject requests and supervisory authority correspondence.

What we collect

Account data

Email address, display name, password (stored as a hash, never in plain text), workspace id, plan, and any organisation details you provide. Optionally, profile fields you fill in so skills can personalise their output.

Content

The chat messages, files, leads, notes, and other artifacts you create or upload. The data you import from connected third-party services at your direction. The skill outputs the platform produces in response to your prompts. The memory entries we persist to give the AI continuity across sessions.

Billing

Plan history, invoices, VAT identification, and the last four digits of the payment method. Full card details are processed and stored by our payment provider, not by us.

Telemetry

Request logs that include the timestamp, the endpoint touched, the response status, and a short trace. Aggregate usage counters such as turns consumed, sandbox seconds used, and tool calls dispatched. Crash reports and performance metrics, captured at a level that does not identify individuals.

Device and network

IP address, user agent string, browser and operating system, the country and city resolved from the IP. We store IPs in a salted hashed form for fraud and security analysis after the request completes.

Communications

Emails you send us, support tickets, in-product feedback, and the transcripts of those interactions.

Why we use it

PurposeData used
Delivering the service you signed up forAccount, content, telemetry, device
Authentication and account securityAccount, device, network
Billing, tax compliance, fraud preventionBilling, account, device
Customer supportAccount, content, communications
Operational notices about your account and the serviceAccount, communications
Product analytics and improvementTelemetry, aggregated usage
Marketing communications you opted intoAccount, communications
Compliance with legal obligationsWhatever data the obligation requires
Establishing, exercising, or defending legal claimsWhatever data is relevant to the claim

Sharing

We share personal data with the subprocessors listed on the Subprocessors page. Each one is contracted under data protection terms compatible with the GDPR. Subprocessors process personal data only on documented instructions from us. They cannot use it for their own purposes.

We do not sell personal data. We do not let our model providers train on your content. We do not share content with advertisers. We disclose personal data to law enforcement only when compelled by a binding legal process from a competent authority, and we challenge any process that we believe is overbroad or unlawful.

International transfers

Some of our subprocessors are established outside the European Economic Area. When we transfer personal data to them, we rely on adequacy decisions where available, the Standard Contractual Clauses approved by the European Commission where adequacy is not in place, and supplementary measures (encryption in transit and at rest, minimisation, access controls) to bring the level of protection up to EU standards. A copy of the SCCs in place with a specific subprocessor is available on request.

Retention

We keep personal data only as long as we need to for the purpose it was collected, or for as long as the law requires.

CategoryRetention
Account dataFor the life of the account, then 30 days after deletion before final removal
ContentUntil you delete it, then 30 days in backups before purging
Billing and invoicesTen years from issue, as required by Romanian tax law
Telemetry logsNinety days at full fidelity, then aggregated and pseudonymised
CommunicationsThree years from the last interaction, unless needed for an open matter
Pause point and approval recordsUntil the parent conversation is deleted, then 30 days in backups

Your rights

Under the GDPR you have the following rights with respect to your personal data:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Ask us to correct inaccurate or incomplete data.
  • Erasure. Ask us to delete data where there is no longer a basis to keep it.
  • Restriction. Ask us to limit how we process your data in certain circumstances.
  • Portability. Receive your data in a structured, commonly used, machine-readable format.
  • Objection. Object to processing based on legitimate interests, including profiling.
  • Withdrawal of consent. Withdraw consent for any processing that relies on it, without affecting the lawfulness of past processing.
  • Complaint. Lodge a complaint with a supervisory authority, including the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
Tip
You can self-serve most of these rights through the account settings. Anything that cannot be self-served goes to privacy@51ultron.com and we respond within thirty days. We may extend the response window by sixty days for complex requests and will tell you when we do.

Minors

Ultron is not directed at children under sixteen and we do not knowingly collect personal data from them. If we learn that we have collected personal data from a child under sixteen without parental consent, we delete it.

Security

The Security page documents the technical and organisational measures we apply. In summary: encryption in transit and at rest, scoped access through least privilege, multi-factor authentication for our own team, structured logging of administrative access, regular dependency review, and a documented incident response runbook. We notify affected users and the supervisory authority of a breach in line with Articles 33 and 34 GDPR.

Automated decision making

Ultron uses AI models extensively to produce content for users. We do not make decisions that produce legal effects on users solely by automated means. Where automated routing or scoring contributes to a decision (for example, anti-abuse signals on an account), a human reviews the outcome before any account action that materially affects the user.

Changes

We revise this Privacy Policy when our practices change. Material changes are announced at least thirty days before they take effect, with an email to the address on file and a banner inside the product.

Contact and complaints

Privacy questions and data subject requests go to privacy@51ultron.com. If you are not satisfied with our response, you have the right to complain to a supervisory authority. The Romanian National Supervisory Authority for Personal Data Processing is at www.dataprotection.ro. You can also complain to the supervisory authority in your country of residence within the EU.

Note
Publication-quality draft. Review with privacy counsel before adopting as your final, binding notice.