Privacy Policy
This Privacy Policy describes what personal data Ultron collects, why we collect it, who we share it with, how long we keep it, and what rights you have. We process personal data as a data controller for our own service operations, and as a data processor when you push personal data of third parties through Ultron in the course of your business.
Summary
Ultron is built around a small principle: collect the data we need to run the service, hold it only as long as we need to, and let you take it back when you decide to leave. This page explains that principle in detail. The Data Processing Addendum covers our role when you process personal data of your own customers through the platform.
Controller
The data controller for personal data processed in connection with the Ultron service is the team operating Ultron from Bucharest, Romania. The address of record and the data protection contact point are published at privacy@51ultron.com. We have appointed a privacy lead who handles data subject requests and supervisory authority correspondence.
What we collect
Account data
Email address, display name, password (stored as a hash, never in plain text), workspace id, plan, and any organisation details you provide. Optionally, profile fields you fill in so skills can personalise their output.
Content
The chat messages, files, leads, notes, and other artifacts you create or upload. The data you import from connected third-party services at your direction. The skill outputs the platform produces in response to your prompts. The memory entries we persist to give the AI continuity across sessions.
Billing
Plan history, invoices, VAT identification, and the last four digits of the payment method. Full card details are processed and stored by our payment provider, not by us.
Telemetry
Request logs that include the timestamp, the endpoint touched, the response status, and a short trace. Aggregate usage counters such as turns consumed, sandbox seconds used, and tool calls dispatched. Crash reports and performance metrics, captured at a level that does not identify individuals.
Device and network
IP address, user agent string, browser and operating system, the country and city resolved from the IP. We store IPs in a salted hashed form for fraud and security analysis after the request completes.
Communications
Emails you send us, support tickets, in-product feedback, and the transcripts of those interactions.
Why we use it
| Purpose | Data used |
|---|---|
| Delivering the service you signed up for | Account, content, telemetry, device |
| Authentication and account security | Account, device, network |
| Billing, tax compliance, fraud prevention | Billing, account, device |
| Customer support | Account, content, communications |
| Operational notices about your account and the service | Account, communications |
| Product analytics and improvement | Telemetry, aggregated usage |
| Marketing communications you opted into | Account, communications |
| Compliance with legal obligations | Whatever data the obligation requires |
| Establishing, exercising, or defending legal claims | Whatever data is relevant to the claim |
Legal basis
Under the GDPR, processing of personal data requires a legal basis. The bases we rely on, and when each applies, are listed below.
| Basis | When it applies |
|---|---|
| Contract (Article 6(1)(b)) | Operating the service, delivering the features you purchased, providing support |
| Legal obligation (Article 6(1)(c)) | VAT collection, retention of invoices, responding to lawful access requests |
| Legitimate interests (Article 6(1)(f)) | Account security, fraud prevention, abuse detection, product analytics, security logging |
| Consent (Article 6(1)(a)) | Optional marketing emails, non-essential cookies, third-party integrations you choose to connect |
International transfers
Some of our subprocessors are established outside the European Economic Area. When we transfer personal data to them, we rely on adequacy decisions where available, the Standard Contractual Clauses approved by the European Commission where adequacy is not in place, and supplementary measures (encryption in transit and at rest, minimisation, access controls) to bring the level of protection up to EU standards. A copy of the SCCs in place with a specific subprocessor is available on request.
Retention
We keep personal data only as long as we need to for the purpose it was collected, or for as long as the law requires.
| Category | Retention |
|---|---|
| Account data | For the life of the account, then 30 days after deletion before final removal |
| Content | Until you delete it, then 30 days in backups before purging |
| Billing and invoices | Ten years from issue, as required by Romanian tax law |
| Telemetry logs | Ninety days at full fidelity, then aggregated and pseudonymised |
| Communications | Three years from the last interaction, unless needed for an open matter |
| Pause point and approval records | Until the parent conversation is deleted, then 30 days in backups |
Your rights
Under the GDPR you have the following rights with respect to your personal data:
- Access. Request a copy of the personal data we hold about you.
- Correction. Ask us to correct inaccurate or incomplete data.
- Erasure. Ask us to delete data where there is no longer a basis to keep it.
- Restriction. Ask us to limit how we process your data in certain circumstances.
- Portability. Receive your data in a structured, commonly used, machine-readable format.
- Objection. Object to processing based on legitimate interests, including profiling.
- Withdrawal of consent. Withdraw consent for any processing that relies on it, without affecting the lawfulness of past processing.
- Complaint. Lodge a complaint with a supervisory authority, including the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
privacy@51ultron.com and we respond within thirty days. We may extend the response window by sixty days for complex requests and will tell you when we do.Minors
Ultron is not directed at children under sixteen and we do not knowingly collect personal data from them. If we learn that we have collected personal data from a child under sixteen without parental consent, we delete it.
Security
The Security page documents the technical and organisational measures we apply. In summary: encryption in transit and at rest, scoped access through least privilege, multi-factor authentication for our own team, structured logging of administrative access, regular dependency review, and a documented incident response runbook. We notify affected users and the supervisory authority of a breach in line with Articles 33 and 34 GDPR.
Automated decision making
Ultron uses AI models extensively to produce content for users. We do not make decisions that produce legal effects on users solely by automated means. Where automated routing or scoring contributes to a decision (for example, anti-abuse signals on an account), a human reviews the outcome before any account action that materially affects the user.
Changes
We revise this Privacy Policy when our practices change. Material changes are announced at least thirty days before they take effect, with an email to the address on file and a banner inside the product.
Contact and complaints
Privacy questions and data subject requests go to privacy@51ultron.com. If you are not satisfied with our response, you have the right to complain to a supervisory authority. The Romanian National Supervisory Authority for Personal Data Processing is at www.dataprotection.ro. You can also complain to the supervisory authority in your country of residence within the EU.