Introduction
At ULTEH, we believe privacy is a fundamental human right — not a compliance checkbox. This Privacy Policy is written to be read, not just archived. We want you to understand exactly how your data moves through our systems, why we collect it, who we share it with, and how you can control it at every step.
ULTEH is an AI-powered platform that enables businesses to build intelligent agents for sales automation, customer support, and user engagement. In providing these services, we process personal data on behalf of our customers (as a data processor) and on our own behalf when you interact with our website and marketing channels (as a data controller). This policy covers both roles and is transparent about the distinction where it matters.
Our platform is built on a set of core privacy principles that guide every product and engineering decision we make:
- Data Minimization: We collect only what is genuinely necessary to deliver and improve our services. If we don't need it, we don't collect it.
- Purpose Limitation: Data collected for one purpose is not repurposed without your knowledge. We describe our purposes clearly and stick to them.
- Transparency: We tell you what we collect, why, and for how long — in plain language, not legal jargon.
- Security by Design: Privacy and security considerations are part of our engineering process from day one, not retrofitted afterwards.
- Your Control: You have meaningful rights over your personal data, and we make it easy — not burdensome — to exercise them.
- No AI Training on Your Data: We will never use your data to train, fine-tune, or improve general-purpose AI or machine learning models. Full stop.
This Privacy Policy applies to all websites, web applications, APIs, mobile applications, and other services operated by ULTEH (collectively, our "Services"). It covers personal data we collect from visitors to our website, registered users, business customers, and prospects.
If you are a business customer who has deployed ULTEH agents to your own end users, those end users' data is governed by your privacy policy and your data processing agreement with us. We act as a data processor on your instructions, and you remain the data controller for your users' data.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email (if you have an account with us) and by posting a prominent notice on our website. The "Last updated" date at the top of this page reflects when the most recent changes were made. Your continued use of our Services after a policy update constitutes acceptance of the revised terms.
If anything in this policy is unclear or you have questions that aren't answered here, please reach out to us at [email protected]. We're real people and we'll respond.
1. Contacting Us About Data Protection
Our Privacy Team
ULTEH has a dedicated Privacy Team responsible for all data protection matters. Whether you want to exercise a data subject right, report a concern, ask about our practices, or simply learn more about how we handle your information, we are here to help.
You can reach us at: [email protected]
How We Handle Your Request
- Acknowledgment: We acknowledge receipt of your request within 5 business days, so you know it has reached the right team.
- Response Time: We aim to fully respond to all data protection inquiries within 30 calendar days. For complex requests — such as large data access exports — we may need up to 90 days, and we will inform you of the reason and estimated timeline within the first 30 days.
- Identity Verification: To protect the privacy of our users, we will need to verify your identity before processing requests to access, correct, or delete personal data. We may ask you to confirm information associated with your account or provide a government-issued ID in high-sensitivity cases. We will never use identity verification as a tool to obstruct your rights.
- Free of Charge: Exercising your privacy rights is free of charge. If a request is manifestly unfounded or excessive — for example, repetitive requests for the same data — we reserve the right to charge a reasonable administrative fee or decline the request, but we will explain our reasoning if so.
- Your Rights: Depending on your location, you may have rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Brazil's LGPD, Canada's PIPEDA, or other applicable regulations. See Section 7 and Section 12 for a full breakdown of these rights.
What to Include in Your Request
To help us process your request as efficiently as possible, please include:
- Your full name and the email address associated with your account (if applicable).
- A clear description of the right you wish to exercise (e.g., "I want to access my personal data," "I want my account deleted," etc.).
- Any relevant context that will help us locate your data (e.g., the name of the business whose chatbot you interacted with).
Why Your Privacy Matters to Us
At ULTEH, trust is our most important asset. Our customers entrust us with their data and their users' data. We take that responsibility seriously, not because we have to, but because we believe that a business built on trust is the only kind worth building. We are continuously investing in privacy-enhancing technologies, employee training, and compliance processes to live up to that standard.
2. Personal Data We Collect and Why
ULTEH collects personal data in different ways and for different reasons depending on how you interact with us. Below is a comprehensive breakdown of the categories of data we collect, how we collect them, and what we use them for.
Data You Provide Directly
When you sign up for an account, request a demo, or contact our team, you may provide us with the following:
- Name: Used to personalize your experience and our communications with you. We do not share your name with third-party advertisers.
- Job Title and Employer Name: Help us understand your role, tailor our product recommendations, and conduct appropriate business-to-business outreach. This information is used internally and not sold.
- Work Email Address: Our primary channel for account management, service notifications, product updates, and support. We will never send you unsolicited marketing without your consent or a legitimate existing business relationship.
- Work Phone Number: Used for customer support, onboarding assistance, and two-factor authentication where applicable.
- Work Address and Company Address: Used for billing purposes, geographic compliance (e.g., tax calculations, GDPR determination), and enterprise contract management.
- Payment and Billing Information: Credit card numbers, billing addresses, and related financial data are processed by our PCI-DSS-compliant payment processors (Stripe). We never store full card numbers on our own servers.
- Profile Information: Any optional profile details you choose to add to your account, such as a profile photo or timezone preference.
- Support and Communications: Messages you send us via email, live chat, or support tickets. We retain these to provide support and improve our services.
- Survey and Feedback Responses: Occasionally we invite users to participate in product surveys or NPS feedback. Participation is voluntary.
Data Collected Automatically
When you use our website or platform, we automatically collect certain technical and behavioral data:
- IP Address: Used for security monitoring, geographic analytics, and fraud prevention. IP addresses are pseudonymized in our analytics systems where possible.
- Device and Browser Information: Browser type, version, operating system, device type, and screen resolution — used to ensure our platform renders correctly across devices.
- Usage Data: Pages visited, features used, buttons clicked, time spent on pages, and navigation paths. This helps us understand what works and what needs improvement.
- Referring URLs: How you arrived at our website (e.g., from a Google search, a social media post, or a partner referral). Used for marketing attribution and channel optimization.
- Session Identifiers: Temporary identifiers tied to your browsing session for purposes of security and continuity. These expire when your session ends.
- API Usage Data: For customers using our API, we log request volume, endpoint access patterns, and error rates for billing, debugging, and capacity planning.
- Log Data: Server logs capturing requests made to our infrastructure. Logs are retained for a limited period for debugging and security monitoring and are then deleted or anonymized.
Data We Receive from Third Parties
- Professional Network Data: We may receive business contact information from platforms such as LinkedIn, where such data is made publicly available in a professional context.
- Partner Referrals: If a partner or reseller refers you to ULTEH, they may share your name and email address with us for follow-up purposes.
- Analytics Providers: We may enrich usage data with anonymized, aggregated insights from analytics platforms to better understand market trends.
- Identity Verification Services: In cases where enterprise contract signing or elevated access requires identity verification, we may use third-party identity verification services.
Why We Process This Data
The personal information we collect is used for the following clearly defined purposes:
- Providing and Operating Our Services: Delivering the platform, processing your instructions, and maintaining system availability.
- Account Management: Creating and maintaining your account, authenticating your identity, and managing subscriptions and billing.
- Customer Support: Responding to your inquiries, resolving technical issues, and providing onboarding assistance.
- Security and Fraud Prevention: Detecting unauthorized access, preventing abuse, monitoring for suspicious activity, and protecting the integrity of our platform.
- Product Improvement: Analyzing how users interact with our platform to improve features, fix bugs, and develop new capabilities.
- Marketing and Communications: Sending you relevant product updates, industry insights, event invitations, and promotional offers — always with an easy opt-out mechanism.
- Legal and Regulatory Compliance: Fulfilling our obligations under applicable laws, including data protection regulations, financial regulations, and contractual requirements.
- Business Analytics: Understanding market trends, customer segments, and business performance for internal planning purposes.
We do not sell personal information to third parties. We do not monetize your data through advertising networks. Our business model is built on providing a high-quality software service — your data is not our product.
3. Legal Basis for Processing Your Personal Data
For users in the European Economic Area (EEA), the United Kingdom, and other jurisdictions that require a legal basis for data processing, ULTEH processes your personal data under one or more of the following lawful bases:
Contractual Necessity (Article 6(1)(b) GDPR)
When you sign up for a ULTEH account or agree to our Terms of Service, we process your personal data as necessary to fulfill our contractual obligations to you. This includes creating and managing your account, delivering the platform, processing payments, providing customer support, and communicating about your subscription.
Examples of data processed on this basis: name, email address, payment information, usage data, support communications.
Legitimate Interests (Article 6(1)(f) GDPR)
We process certain data based on our legitimate business interests, provided those interests do not override your fundamental rights and freedoms. Before relying on this basis, we conduct a Legitimate Interests Assessment (LIA) to ensure the balance is appropriate.
Our legitimate interests include:
- Improving our products and services through usage analytics.
- Preventing fraud and maintaining the security of our platform.
- Marketing our services to existing customers and qualified prospects via direct communications.
- Understanding market trends and competitive positioning.
- Protecting our legal rights and interests in the event of a dispute.
You have the right to object to processing based on legitimate interests at any time. See Section 7 for how to do so.
Consent (Article 6(1)(a) GDPR)
Where we rely on consent, we will ask for it clearly and specifically. Consent is used as a legal basis for:
- Non-essential cookies and tracking technologies.
- Marketing communications sent to prospects who are not existing customers.
- Participation in surveys, beta programs, or user research.
Consent is always freely given, specific, informed, and unambiguous. You can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, email us at [email protected] or use the unsubscribe link in any marketing email.
Legal Obligation (Article 6(1)(c) GDPR)
We process certain personal data to comply with legal obligations, including tax and accounting requirements, responding to lawful government or regulatory requests, and fulfilling our obligations under applicable data protection laws.
Vital Interests (Article 6(1)(d) GDPR)
In rare and exceptional circumstances, we may process personal data to protect the vital interests of an individual — for example, in an emergency situation involving a credible threat to life.
Special Categories of Personal Data
ULTEH does not intentionally collect or process special categories of personal data (also known as sensitive personal data) as defined under Article 9 of the GDPR. These categories include racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.
If you believe you have shared such data with us inadvertently — for example, by including it in a support message — please contact us at [email protected] and we will take appropriate steps to delete it.
4. Use of Our Website and Platform
When you visit our website or use our platform, ULTEH collects technical and behavioral data automatically. This section explains what that data is, how it's collected, and precisely how it's used.
Website Analytics
We use analytics tools to understand how users interact with our website. The data collected includes:
- IP Address: Used to determine approximate geographic location (country/city level) for regional analytics. We do not track precise geolocation.
- Browser and Device Type: Helps us ensure compatibility and optimize the experience for the most common browsers and devices used by our audience.
- Page Views and Navigation Paths: We track which pages are visited and in what order, helping us identify popular content and pages with high drop-off rates that need improvement.
- Session Duration and Engagement: How long users spend on each page and how they interact with elements (scroll depth, clicks). Used to improve UX and content strategy.
- Traffic Sources: Whether you arrived via organic search, a paid ad, a referral link, or directly. Used for marketing attribution and budget optimization.
- Conversion Events: Actions such as signing up for a demo, starting a free trial, or completing a purchase. Used to measure the effectiveness of our marketing and onboarding flows.
Platform Usage Data
Within our platform, we collect data about how you use the product:
- Feature Usage: Which features you enable, how often you use them, and in what sequence — used to prioritize product development and identify underused features.
- Performance Metrics: Response times, error rates, and system resource usage — used to maintain service quality and SLA compliance.
- AI Agent Interaction Logs: Conversations between end users and the AI agents you build are stored to provide the service (retrieving relevant context) and may be reviewed by our team if you report a bug or support issue. These logs are never used to train general-purpose AI models.
- Configuration Data: Your agent configurations, knowledge base uploads, integrations, and customizations — stored to deliver your service and restore it in case of technical issues.
How We Use This Data
- Service Delivery: Ensuring the platform operates reliably and correctly.
- Performance Optimization: Identifying and fixing bottlenecks, slow pages, and infrastructure inefficiencies.
- Security Monitoring: Detecting anomalous access patterns, potential intrusions, and abuse.
- Product Improvement: Building a data-informed roadmap based on how real users interact with the platform.
- Customer Success: Identifying customers who may need onboarding support or who are at risk of churning, so our team can proactively help.
Our Legitimate Interest in Data Collection
ULTEH has a legitimate interest in understanding how users interact with our website and platform. Without this data, we would be unable to maintain a competitive, high-quality service, detect and prevent abuse, or understand our business performance. We have assessed that these interests are proportionate and do not override your privacy rights. Where we can achieve our analytics goals with anonymized or aggregated data, we do so.
5. Cookies and Tracking Technologies
ULTEH uses cookies and similar tracking technologies (such as pixel tags, web beacons, and local storage) to deliver, maintain, and improve our Services. This section gives you a clear picture of what we use, why, and how you can control it.
What Are Cookies?
Cookies are small text files that a website stores on your device when you visit. They allow the website to remember information about your visit — such as your login session, language preference, or shopping cart contents — so you don't have to re-enter it every time. Cookies can be set by us (first-party cookies) or by third parties whose services we embed on our pages.
Types of Cookies We Use
- Strictly Necessary Cookies: These cookies are essential for our website and platform to function and cannot be switched off. They include session management cookies that keep you logged in, security tokens that protect against CSRF attacks, and cookies that remember your cookie consent preferences. Without these, the site or platform would not work properly.
- Performance and Analytics Cookies: These cookies help us understand how visitors interact with our website by collecting information about pages visited, time spent, and errors encountered. The information is aggregated and anonymous where possible. We use this to improve site performance and user experience.
- Functional Cookies: These cookies enable enhanced functionality and personalization — for example, remembering your selected language, timezone, or UI preferences. Disabling them may degrade your experience but will not prevent access to the site.
- Marketing and Targeting Cookies: These cookies are set by our advertising partners to build a profile of your interests and show you relevant advertisements on other sites. We use these only with your explicit consent. They track your activity across websites using a unique identifier.
- Social Media Cookies: If you interact with our social sharing buttons (LinkedIn, Twitter/X, YouTube), those platforms may set cookies on your device. Their use of those cookies is governed by their respective privacy policies.
Third-Party Analytics and Advertising Tools
We use the following third-party tools that may set their own cookies:
- Google Analytics: Website traffic analysis and user behavior insights. Data is pseudonymized and subject to Google's Privacy Policy.
- Google Ads: Conversion tracking for paid advertising campaigns. Used to measure the effectiveness of our ad spend.
- Meta (Facebook) Pixel: Conversion tracking and custom audience building for Facebook and Instagram advertising, activated only with your consent.
- Intercom / Live Chat: Powers our in-app chat support widget and may set functional cookies to maintain conversation state.
First-Party vs. Third-Party Cookies
First-party cookies are set directly by ULTEH and are only readable by us. Third-party cookies are set by our partners and may be readable by those partners across multiple websites. We carefully vet all third-party cookie providers and require data processing agreements from those who handle personal data.
Session Cookies vs. Persistent Cookies
Session cookies expire when you close your browser. Persistent cookies remain on your device for a defined period (typically 30 days to 2 years, depending on the cookie's purpose) or until you delete them manually.
Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. At this time, there is no universally accepted standard for how websites should respond to DNT signals. We currently do not respond to DNT signals differently from standard browser requests. We will revisit this position as industry standards evolve.
Managing Your Cookie Preferences
You can control cookies through our cookie preference center, accessible at any time via the cookie icon in the footer of our website. You can also manage cookies through your browser settings — most browsers allow you to block, delete, or be notified before cookies are set. Note that blocking certain cookies (particularly strictly necessary ones) may impair the functionality of our website and platform.
For more detailed information, please visit our Cookie Notice.
6. Artificial Intelligence, Machine Learning, and Your Data
AI is at the core of what ULTEH does. We want to be completely transparent about how AI interacts with your data — because this is where many AI companies fall short on privacy.
Our Architecture: Retrieval-Augmented Generation (RAG)
Our platform uses a technique called Retrieval-Augmented Generation (RAG) to power AI agents. Here's how it works in plain language:
- You upload knowledge base documents, FAQs, product information, or connect data sources.
- That content is processed into a searchable vector index, stored securely in your dedicated namespace in our vector database (Pinecone).
- When a user asks your AI agent a question, the system searches your knowledge base for the most relevant context and passes it — along with the user's question — to a large language model (LLM) to generate a response.
- Your data is retrieved for context; it is not used to update or retrain the underlying AI model.
What We Do Not Do
- We do not use your data (conversations, documents, user queries, or any other content) to train, fine-tune, update, or improve any general-purpose AI or machine learning model.
- We do not share your data with AI model providers (such as OpenAI or Anthropic) beyond the immediate API request necessary to generate a response to a user's query.
- We do not pool your customers' conversation data with other customers' data to improve any shared model or system.
- We do not use conversation data for advertising targeting or behavioral profiling.
Third-Party AI Model Providers
Our platform uses large language models provided by third-party AI providers (such as OpenAI, Anthropic, or others). When your AI agent processes a user query, the query and relevant retrieved context are sent to the AI provider's API to generate a response. This data transfer is governed by our data processing agreements with those providers, which prohibit the use of API request data for model training. We select AI providers whose data handling practices meet our security and privacy standards.
Human Review of AI Outputs
In the normal course of operations, AI-generated responses are not reviewed by ULTEH employees. However, if you contact our support team about a specific conversation — for example, to report an incorrect or inappropriate response — our support engineers may review the relevant conversation logs to diagnose and resolve the issue. Such reviews are conducted under strict confidentiality obligations.
AI Safety and Quality
We implement content moderation and safety guardrails on our platform to prevent AI agents from generating harmful, discriminatory, or misleading content. You, as the operator of an AI agent, are also responsible for configuring your agent appropriately and ensuring it is used in compliance with our Acceptable Use Policy.
7. Automated Decision-Making and Profiling
ULTEH takes seriously the risks associated with automated decision-making — particularly decisions that have significant effects on individuals. This section explains when and how we use automation, and what rights you have.
When We Use Automated Decision-Making
We use automated processes in the following limited ways:
- Fraud Detection: Our systems automatically flag account activity that matches patterns associated with fraud or abuse (e.g., unusual login locations, rapid API abuse). Flagged accounts are reviewed by a human before any punitive action is taken.
- Subscription and Billing: Automated systems handle subscription status changes (e.g., upgrading, downgrading, or pausing a plan) based on your instructions or payment status.
- Spam and Content Filtering: Automated filters screen incoming communications for spam and potentially malicious content.
- Usage-Based Alerts: Automated systems send notifications when you approach usage limits or when anomalous usage patterns are detected.
What We Do Not Do
We do not use fully automated decision-making (i.e., with no human involvement) to make decisions that produce significant legal effects on you — such as denying service, terminating accounts, or determining creditworthiness. Any such decision involves human review.
Profiling
We may create user profiles based on how you interact with our platform for the purpose of providing personalized product recommendations, customer success outreach, and relevant marketing. This profiling is based on first-party data (your own usage patterns) and does not involve sensitive personal data. You have the right to object to profiling for direct marketing purposes at any time.
Your Rights Regarding Automated Decisions
Under Article 22 of the GDPR, you have the right not to be subject to decisions based solely on automated processing that have significant legal or similarly significant effects on you. If you believe a decision was made about you through solely automated means and you wish to request human review, please contact us at [email protected].
8. Sharing Information with Third Parties
At ULTEH, we do not sell your personal data. We do not rent it, trade it, or give third parties access to it for their own commercial purposes. When we share data with third parties, it is for specific, defined purposes necessary to operate our business — and we hold those third parties to contractual standards that protect your privacy.
Categories of Recipients
- Infrastructure and Cloud Providers: We host our platform on Amazon Web Services (AWS, us-east-1 region). Our database is managed by Supabase. Our application layer is deployed via Vercel. Our vector database is powered by Pinecone. These providers process data on our behalf under data processing agreements and do not have independent access to your data.
- Payment Processors: Payment data is processed by Stripe, a PCI-DSS Level 1 certified payment processor. We do not store full credit card numbers on our servers.
- Customer Support Tools: We use customer support and live chat software to manage your support requests. Support agents have access to your account information and communication history to the extent necessary to resolve your issue.
- Email and Communication Services: We use third-party email delivery services to send transactional emails (account confirmations, password resets) and marketing emails (product updates, newsletters).
- Analytics Providers: We share anonymized or pseudonymized behavioral data with analytics services to understand how our website and platform are used.
- AI Model Providers: User queries are processed by third-party LLM APIs (such as OpenAI or Anthropic) as described in Section 6. These providers are bound by data processing agreements prohibiting the use of API data for their own training purposes.
- Professional Advisors: Our lawyers, accountants, auditors, and insurers may access personal data to the extent necessary to perform their professional services, under professional confidentiality obligations.
- Law Enforcement and Government Authorities: We may disclose personal data when required by law, a court order, a regulatory investigation, or to protect the safety, rights, or property of ULTEH, our users, or the public. We will notify you of any such request to the extent legally permissible.
- Business Transfers: In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify affected users in advance and ensure the acquirer is bound by equivalent privacy obligations.
Aggregated and Anonymized Data
We may share aggregated, anonymized data — from which individual users cannot be identified — with partners, investors, or the public for research, marketing, and industry analysis purposes. This data does not constitute personal data and is not covered by data protection regulations.
Third-Party Integrations
ULTEH integrates with third-party services (such as CRM systems, helpdesk platforms, email marketing tools, and social media platforms) at your direction. When you authorize an integration, data may flow between our platform and that third party. You should review the privacy policy of any third-party service before connecting it to your ULTEH account.
Sub-Processor Transparency
Enterprise customers who have signed a Data Processing Agreement (DPA) with us can request an up-to-date list of our sub-processors — the third-party companies that process personal data on our behalf — by contacting us at [email protected]. We provide advance notice of any material changes to our sub-processor list.
9. International Data Transfers
ULTEH is a global service. Our infrastructure is primarily based in the United States. If you are located in the European Economic Area (EEA), the United Kingdom, Switzerland, or another jurisdiction with data transfer restrictions, this section explains how we ensure your data is protected when it crosses borders.
Where Your Data is Processed
Our primary data processing occurs in the United States (AWS us-east-1, N. Virginia). Some of our service providers may process data in additional jurisdictions including the EU, United Kingdom, and other regions. We maintain a complete record of where your data is processed and can share this information upon request.
Legal Mechanisms for EEA/UK Data Transfers
The United States has not received an adequacy decision from the European Commission under Article 45 of the GDPR (except for the EU-U.S. Data Privacy Framework, which we monitor for applicability). We rely on Article 46 safeguards, which include:
- Standard Contractual Clauses (SCCs): We have incorporated the European Commission's approved SCCs (2021/914) into our agreements with U.S.-based sub-processors and data importers. These contractual obligations require that your data be handled according to EU standards regardless of where it's processed.
- UK International Data Transfer Agreements (IDTAs): For transfers involving UK personal data, we use the UK IDTA or addenda to EU SCCs as appropriate.
- Supplementary Measures: In accordance with the guidance of the European Data Protection Board (EDPB), we implement supplementary technical and organizational measures including end-to-end encryption, pseudonymization, and strict access controls to protect transferred data against risks arising from the legal environment of the destination country.
Transfer Impact Assessment
For high-risk data transfers, we conduct Transfer Impact Assessments (TIAs) to evaluate whether our safeguards are sufficient given the laws of the destination country. Where we identify risks that cannot be mitigated, we do not proceed with the transfer.
Your Rights During International Transfers
Your rights under GDPR and UK GDPR apply regardless of where your data is processed. You can exercise any of your rights (see Section 10) by contacting us at [email protected], and we will ensure your request is honored under the same timeline and standards regardless of the jurisdiction involved.
Government Data Requests
Since its inception, ULTEH has never received a government request for user data. Should we receive such a request, our policy is:
- Conduct immediate legal review to assess validity and scope.
- Push back against requests that are overly broad, procedurally invalid, or not legally compelling.
- Notify affected users before complying, to the maximum extent permitted by law.
- Produce the minimum data necessary to comply with a valid legal order.
- Publish aggregate statistics about government requests received in our transparency reports (published annually).
10. Your Data Subject Rights
ULTEH is committed to making your privacy rights easy to exercise — not just technically available on paper. Depending on your jurisdiction, you may have some or all of the following rights:
Rights Under GDPR (EU/EEA and UK Users)
- Right to be Informed (Articles 13-14): You have the right to clear, transparent information about how we collect and use your personal data. This Privacy Policy is how we fulfill that right.
- Right of Access (Article 15): You can request a copy of all personal data we hold about you, along with information about how it's processed, where it's stored, who it's shared with, and for how long it will be retained. We will provide this in a structured, commonly used, machine-readable format upon request.
- Right to Rectification (Article 16): If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. You can update most profile information directly in your account settings; for other corrections, contact us at [email protected].
- Right to Erasure / "Right to be Forgotten" (Article 17): You may request deletion of your personal data in certain circumstances — for example, if the data is no longer necessary for the purpose it was collected, if you withdraw consent, or if you object to processing based on legitimate interests. We will honor such requests promptly unless we are required by law to retain the data or need it to establish, exercise, or defend legal claims.
- Right to Restriction of Processing (Article 18): You can ask us to pause processing of your personal data in certain circumstances — for example, while you contest the accuracy of data we hold, or while we consider an objection you've raised. During a restriction, we may still store your data but will not actively use it.
- Right to Data Portability (Article 20): For data processed by automated means on the basis of your consent or contractual necessity, you have the right to receive your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV), and to transmit it to another service provider. We will provide data portability exports within 30 days of a verified request.
- Right to Object (Article 21): You can object at any time to processing based on legitimate interests (including profiling for this purpose), and to processing for direct marketing. Where you object to direct marketing, we will stop immediately. Where you object to legitimate interests processing, we will stop unless we can demonstrate compelling legitimate grounds that override your rights.
- Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that have significant legal effects on you. See Section 7 for more detail on our automated decision-making practices.
How to Exercise Your Rights
To exercise any of the above rights, please send an email to [email protected] with the subject line "Privacy Rights Request" and describe the right you wish to exercise. We will acknowledge your request within 5 business days and respond fully within 30 days. We may ask you to verify your identity before processing your request.
Where requests are complex or numerous, we may extend the response period by a further 60 days, in which case we will notify you of the extension and the reason within the first 30 days.
Complaints to a Data Protection Authority
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your national data protection authority. For EU users, this is typically the supervisory authority in your country of residence. For UK users, this is the Information Commissioner's Office (ICO). We would ask that you contact us first at [email protected] so we have the opportunity to resolve your concern before escalation.
11. California Consumer Privacy Act (CCPA / CPRA) Rights
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act — CCPA/CPRA) grants you specific rights with respect to your personal information. This section supplements the general rights described in Section 10 and is provided specifically to fulfill our disclosure obligations under California law.
Categories of Personal Information We Collect
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Real name, email address, IP address, account username.
- Commercial Information: Subscription plan, purchase history, and billing information.
- Internet or Electronic Network Activity: Browsing history on our website, search queries within our platform, interaction with ads.
- Geolocation Data: Approximate geographic location derived from IP address (country and city level).
- Professional or Employment-Related Information: Job title, employer name, and work address, where provided.
- Inferences: Product usage preferences and patterns derived from the above data.
We do not collect sensitive personal information as defined under CPRA (such as Social Security numbers, financial account numbers, precise geolocation, racial or ethnic origin, or health data) in the ordinary course of our business.
Purposes for Collection
We collect the above categories of personal information for the business purposes described in Section 2 of this Privacy Policy, including providing our Services, security, analytics, and marketing.
Sale or Sharing of Personal Information
ULTEH does not sell personal information to third parties, nor do we share personal information with third parties for cross-context behavioral advertising purposes. Because we do not sell or share personal information in these ways, there is no opt-out required — but we mention this explicitly so California residents can have full confidence in our practices.
Your California Privacy Rights
- Right to Know: You can request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You can request deletion of personal information we have collected from you, subject to certain exceptions (e.g., where retention is legally required).
- Right to Correct: You can request correction of inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale/Sharing: Not applicable — we do not sell or share personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Not applicable — we do not process sensitive personal information as defined by CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices, provide a different level of service, or suggest that you will receive a different level of service for exercising your privacy rights.
Submitting a California Privacy Rights Request
To submit a verifiable consumer request, email us at [email protected] with "California Privacy Request" in the subject line. You may also designate an authorized agent to make a request on your behalf — we will require written proof of the agent's authorization. We will respond to verified requests within 45 calendar days, with the possibility of a 45-day extension for complex requests.
12. Use of Google Workspace APIs
ULTEH integrates with Google Workspace APIs to provide users with powerful automation capabilities — including email management, calendar scheduling, document workflows, and contact synchronization. This section provides full disclosure of how we handle data obtained through these APIs, in compliance with Google's API Services User Data Policy, including the Limited Use requirements.
Our Core Commitment
ULTEH's use of data obtained from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request access to the specific Google Workspace data needed to provide the features you've explicitly activated.
- Data obtained through Google Workspace APIs is used solely to provide or improve user-facing features that are visible and relevant to the user within the ULTEH application.
- Google Workspace data is never used to develop, train, or improve generalized artificial intelligence or machine learning models — including large language models.
- Google Workspace data is never transferred to third parties except as necessary to provide the service, comply with applicable law, or as expressly permitted by the user.
- Humans do not read Google Workspace data unless (a) you give explicit permission for a specific support case, (b) it is necessary for security purposes, (c) it is required by law, or (d) the data is aggregated and anonymized.
Specific Google Workspace Integrations
- Gmail API: Used to read, compose, and send emails on behalf of your connected account — enabling AI-powered email drafting, inbox management, and automated follow-ups. We do not store email content beyond what is necessary to fulfill the current user session or explicitly saved configurations.
- Google Calendar API: Used to read calendar availability, create meeting invites, and schedule appointments — enabling AI scheduling assistants. Calendar data is processed in real time and not retained after the scheduling task is complete.
- Google Drive API: Used to read documents uploaded to your Google Drive that you explicitly connect as a knowledge base for your AI agent. Document content is vectorized and stored in your dedicated knowledge base namespace.
- Google Contacts API: Used to retrieve contact information to personalize AI agent responses and populate CRM-like features, only for contacts you explicitly grant access to.
Revoking Google Workspace Access
You can revoke ULTEH's access to your Google Workspace data at any time through your Google Account Security settings. Upon revocation, we will immediately stop accessing your Google data and will delete any cached Google data from our systems within 30 days, unless you have explicitly saved data as part of a knowledge base.
13. Security and Data Protection Mechanisms
At ULTEH, security is not a feature — it's a foundation. We implement a layered, defense-in-depth approach to protecting your personal data. Here is a comprehensive view of the technical and organizational measures we have in place.
Technical Security Measures
- Encryption at Rest: All personal data and customer content stored in our databases and object storage is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service with strict access controls and automatic rotation.
- Encryption in Transit: All data transmitted between your browser, our APIs, and our infrastructure is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and use HTTP Strict Transport Security (HSTS) to prevent downgrade attacks.
- Database Security: Our databases (managed via Supabase on AWS) are deployed in private subnets with no direct public internet access. Access is controlled via network-level firewalls, VPC configurations, and strong authentication.
- Role-Based Access Control (RBAC): Internal access to customer data is governed by strict role-based permissions. Employees only have access to the data necessary for their job function. All access is logged and regularly audited.
- Multi-Factor Authentication (MFA): MFA is required for all ULTEH employee access to production systems. We strongly encourage (and in enterprise plans, can enforce) MFA for customer accounts.
- API Security: All API endpoints require authenticated access. We implement rate limiting, IP allowlisting (configurable by you), JWT token validation, and request signing to prevent unauthorized API access.
- Domain Allowlisting: You can configure which domains are permitted to embed your AI agents, preventing unauthorized third parties from using your agents on their websites.
- Vulnerability Management: We maintain a continuous vulnerability scanning program and promptly patch identified vulnerabilities according to severity SLAs. Critical vulnerabilities are addressed within 24 hours.
- Penetration Testing: We conduct third-party penetration tests at least annually. Enterprise customers may request access to our most recent penetration test summary report under NDA.
- DDoS Protection: Our infrastructure includes DDoS mitigation at the network and application layers, leveraging AWS Shield and CDN-level protections.
- Audit Logging: All significant actions within our platform — including data access, configuration changes, and administrative actions — are logged in tamper-evident audit logs retained for a minimum of 12 months.
Organizational Security Measures
- Security Training: All employees complete comprehensive security and privacy training upon onboarding and annually thereafter. Employees with access to sensitive systems undergo additional training.
- Background Checks: All employees and contractors with access to customer data undergo appropriate background screening before onboarding.
- Vendor Security Assessment: Third-party service providers are assessed for their security posture before engagement and on an ongoing basis. We require all sub-processors to meet minimum security standards and sign data processing agreements.
- Security Policies: We maintain a comprehensive set of internal security policies covering acceptable use, access management, incident response, business continuity, and data handling. These policies are reviewed and updated annually.
- Business Continuity and Disaster Recovery: We maintain tested business continuity and disaster recovery plans. Our infrastructure is designed for high availability with redundancy across multiple availability zones. We conduct regular backup tests to verify data integrity and restore procedures.
Compliance and Certifications
- GDPR: We are fully compliant with the EU General Data Protection Regulation and the UK GDPR, as documented throughout this Privacy Policy.
- SOC 2: We maintain SOC 2 Type II compliance, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy. Our SOC 2 report is available to enterprise customers under NDA upon request.
- No AI Training on Customer Data: We do not use customer data to train AI or ML models. This commitment is contractually binding in our Terms of Service and Data Processing Agreements.
Security Incident Response
Despite our best efforts, no system can be guaranteed 100% secure. In the event of a confirmed security incident involving your personal data, we will:
- Contain and investigate the incident immediately upon discovery.
- Notify affected customers and users within 72 hours of confirming a breach (in compliance with GDPR Article 33) or earlier where possible.
- Provide clear, honest communication about what data was involved, what we are doing about it, and what you should do to protect yourself.
- Report to the relevant data protection authority within 72 hours where legally required.
- Conduct a post-incident review and implement remediation measures to prevent recurrence.
If you discover or suspect a security vulnerability in our systems, please report it responsibly to [email protected]. We take all reports seriously and will respond within 24 hours.
14. Data Storage and Retention
ULTEH is intentional about how long we keep your data. We retain personal data only for as long as it is necessary to fulfill the purpose for which it was collected, or as required by applicable law. This section explains our retention practices in detail.
Where We Store Your Data
- Primary Database: User account data, subscription information, and platform configurations are stored in PostgreSQL databases managed by Supabase, hosted on AWS us-east-1 (N. Virginia, USA).
- Vector Database: Knowledge base documents processed for AI retrieval are stored in Pinecone's vector database, in your dedicated namespace (your data is logically separated from other customers' data).
- Object Storage: Uploaded files, documents, and media assets are stored in AWS S3 buckets with encryption at rest and versioning enabled.
- Application Layer: Deployed on Vercel's global edge network for low-latency access, with no personal data permanently stored at the edge.
- Backups: Database backups are encrypted and retained in a geographically separate AWS region for disaster recovery purposes.
Data Retention Schedule
- Active Account Data: Retained for the duration of your account's active relationship with ULTEH, plus a brief transition period post-cancellation to enable account recovery if you change your mind.
- Deleted Account Data: When you delete your account, your personal data and content are marked for deletion and permanently removed from production systems within 30 days. Anonymized, aggregated usage statistics derived from your account may be retained indefinitely as they no longer constitute personal data.
- Conversation Logs: AI agent conversation logs are retained for the period configured by you (the account holder) in your platform settings, or for 12 months by default. You can export and delete conversation logs at any time from your dashboard.
- Financial Records: Billing and payment records are retained for a minimum of 7 years to comply with tax and accounting regulations, even after account deletion. These records contain only the minimum financial information necessary for compliance.
- Security Logs: Audit and security logs are retained for 12 months to support security investigations and incident response, after which they are deleted or anonymized.
- Prospect Data: Contact information for prospects who have not converted to customers is retained for no more than 24 months from the date of last engagement, after which it is purged unless re-engaged.
- Backup Data: Database backups follow a rolling retention window — daily backups are retained for 30 days, weekly backups for 3 months, and monthly backups for 1 year. After that period, backups are permanently deleted.
Data Deletion Process
When data reaches the end of its retention period — or when you request deletion — we follow a secure deletion process:
- Data is flagged for deletion and immediately removed from production systems.
- The deletion propagates to all replicas and caches within our infrastructure.
- Encrypted backups containing the data are purged on a rolling basis as they expire.
- Upon request, we can provide a deletion certificate confirming that your data has been removed from our systems.
Requesting Data Deletion or Portability
To request deletion, export, or more information about the retention of your personal data, contact us at [email protected].
15. Marketing Communications and Your Choices
ULTEH may send you marketing communications about our products, features, industry insights, events, and promotions. We want to keep you informed — but only about things that are relevant to you, and never without your knowledge or consent.
Types of Communications We Send
- Transactional Emails: Account-related emails (welcome, password reset, billing notifications, account security alerts) are sent as part of our service and do not require opt-in. You may not opt out of these without deactivating your account, as they are essential to delivering the service.
- Product Updates: Notifications about new features, improvements, and changes to our platform. If you are an existing customer, we may send these under our legitimate interest in keeping you informed about the product you use. You can opt out at any time.
- Marketing Newsletters: Thought leadership content, case studies, industry reports, and promotional offers. These are sent only with your consent (for prospects) or legitimate interest (for existing customers), and you can unsubscribe with one click.
- Event Invitations: Webinars, product demos, conferences, and local events. Again, one-click unsubscribe is always available.
How to Opt Out
You can manage your marketing preferences at any time by:
- Clicking the "Unsubscribe" link in the footer of any marketing email.
- Updating your communication preferences in your account dashboard under Settings → Notifications.
- Emailing us at [email protected] with "Unsubscribe" in the subject line.
After you opt out, we will stop sending you the specified type of marketing communication within 10 business days. Please note that opting out of marketing emails does not affect your receipt of transactional service communications.
Third-Party Marketing
We do not share your personal data with third parties for their own marketing purposes. Any marketing you receive from third parties as a result of interacting with ULTEH is a result of permissions you have separately granted to those parties.
16. Children's Privacy
ULTEH is a professional B2B software platform designed for businesses and adult professionals. Our Services are not intended for, nor directed at, children.
Age Restrictions
We do not knowingly collect, solicit, or process personal data from individuals under the age of 16 (or 13 in the United States, where COPPA applies). By creating an account or using our Services, you represent that you are at least 16 years old (or the applicable minimum age in your jurisdiction). Enterprise customers who use our platform are responsible for ensuring their end users meet applicable age requirements.
What We Do If We Discover a Minor's Data
If we become aware that we have inadvertently collected personal data from a child without verified parental consent, we will:
- Immediately cease processing the data.
- Delete the data from our systems as quickly as technically feasible.
- If the data was shared through an account, close or suspend that account.
- Notify the relevant party (parent, guardian, or account holder) of the incident.
For Parents and Guardians
If you believe that your child (under 16) has provided personal information to ULTEH without your consent, please contact us immediately at [email protected]. We will work with you to investigate and take appropriate action, including deletion of the data, as quickly as possible.
COPPA Compliance
For users in the United States, we comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us so that we will be able to take necessary action.
17. Third-Party Links and Integrations
Our website and platform may contain links to third-party websites, services, or applications — including social media platforms, partner tools, and integrated services. This Privacy Policy applies only to ULTEH's own services and does not extend to any third-party sites or services.
External Links
When you click on a link to a third-party website, you are leaving our platform and entering a site governed by that third party's own terms and privacy policy. We are not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policy of any website you visit.
Third-Party Integrations
Our platform integrates with various third-party services at your direction — such as CRM platforms, helpdesk tools, payment processors, email marketing platforms, and social media APIs. When you connect a third-party service to your ULTEH account:
- You are authorizing data to flow between our platform and that third party according to the permissions you grant.
- That third party's handling of your data is subject to their own privacy policy.
- We are not responsible for the security or privacy practices of third-party services.
- You can disconnect any integration at any time from your account settings.
Social Media Integrations
We integrate with social media platforms including LinkedIn, Facebook/Meta, Twitter/X, and others. If you choose to interact with our content on these platforms — for example, logging in via social SSO or clicking a social sharing button — your activity may be associated with your social media profile. The respective platform's privacy policy governs this data.
18. Changes to This Privacy Policy
Privacy and technology are constantly evolving. We review and update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, and business operations.
How We Notify You of Changes
- Material Changes: If we make changes that materially affect your rights or our data practices — such as processing new categories of data, changing how we share data, or altering your rights — we will notify you via email (if you have an account) at least 30 days before the changes take effect. We will also post a prominent notice on our website.
- Minor Changes: For non-material updates (such as correcting a typo, clarifying existing practices, or updating contact information), we will update the "Last updated" date at the top of this page without separately notifying you.
- Continued Use: Your continued use of our Services after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree to the revised terms, you should stop using our Services and may close your account.
Version History
We maintain a version history of all material changes to this Privacy Policy. If you would like to see previous versions or understand what has changed between versions, please contact us at [email protected].
19. Questions, Concerns, or Complaints
Your privacy matters to us deeply. If you have questions about this Privacy Policy, concerns about how your personal data is handled, a complaint about our practices, or simply want to learn more, please reach out. We are a real team and we take every inquiry seriously.
How to Reach Us
Our Privacy Team is available to assist with all data protection inquiries, including requests to exercise your data subject rights, questions about our security practices, and concerns about data processing.
Please use the subject line "Privacy Inquiry" so our team can route your message to the right person quickly.
Response Commitments
- We will acknowledge receipt of your message within 5 business days.
- We aim to resolve most inquiries within 30 calendar days.
- Complex requests (such as large data exports or multi-jurisdictional data subject rights requests) may take up to 90 days, and we will inform you if this is the case.
Escalating a Complaint
If you contact us with a complaint and are not satisfied with our response, you have the right to escalate to the relevant data protection authority in your jurisdiction:
- EU Users: Your national data protection authority (e.g., CNIL in France, BfDI in Germany, DPC in Ireland). A list of EU DPAs is available at edpb.europa.eu.
- UK Users: The Information Commissioner's Office (ICO) at ico.org.uk.
- US (California) Users: The California Privacy Protection Agency (CPPA) at cppa.ca.gov.
- Other Jurisdictions: Please contact us and we will direct you to the appropriate authority for your country.
A Final Note
Privacy is not a problem we solved once and moved on from. It's an ongoing responsibility that we take seriously every day. Every feature we build, every vendor we onboard, and every policy we write is weighed against our commitment to protecting your data and your trust. If you ever feel we've fallen short of that commitment, we want to know — and we'll do everything in our power to make it right.
Thank you for trusting ULTEH.
Last updated: February 19, 2026