Privacy Policy

Last updated: April 5, 2026

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, company name, and company size. If you subscribe to a paid plan, we collect billing information through our payment processor (Stripe).

Connected Data Sources

When you connect third-party services (CRM, billing, support, analytics platforms), we ingest and process the data from those integrations to provide intelligence features. This data may include customer records, financial transactions, support tickets, and usage analytics, depending on the services you connect.

Usage Data

We collect information about how you use the Service, including queries submitted, features accessed, session duration, and interaction patterns. This data helps us improve the Service and provide personalized insights.

Technical Data

We automatically collect technical information such as IP address, browser type, device information, and operating system. This data is used for security, analytics, and service optimization.

2. How We Use Information

We use collected information to:

  • Provide, operate, and maintain the Service, including natural-language query processing and intelligence generation
  • Process your queries through our AI systems (Anthropic Claude Sonnet and OpenAI GPT-4o)
  • Generate morning briefs, anomaly detection alerts, and proactive insights
  • Process billing and manage your subscription
  • Send transactional communications (account verification, password resets, onboarding emails)
  • Detect and prevent fraud, abuse, and security incidents
  • Improve and develop new features based on aggregate usage patterns
  • Comply with legal obligations

PII Protection: Before any data is sent to AI/LLM providers, we apply a PII filter that redacts personally identifiable information (email addresses, phone numbers, social security numbers, credit card numbers, and IP addresses). The redacted values are restored (rehydrated) after processing, so your results remain accurate while sensitive information stays protected during AI processing.

3. Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

  • Service Providers: We use third-party services to operate the platform (see Section 8 below)
  • Legal Requirements: We may disclose data if required by law, subpoena, or government request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you explicitly authorize sharing

All data processing occurs within Google Cloud Platform (GCP) infrastructure. We do not transfer data to third-party analytics or advertising platforms.

4. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods include:

  • Account data: Retained for the duration of your subscription plus 30 days after termination
  • Query history: Retained for 12 months, then automatically archived
  • Connected data: Synced data is retained for the duration of the active connection plus 90 days
  • Audit logs: Retained for 24 months for security and compliance purposes
  • Billing records: Retained for 7 years as required by financial regulations

Upon account deletion, we initiate a data purge process. All tenant data is permanently deleted within 30 days using crypto-shredding (destroying the tenant-specific encryption key renders all encrypted data unrecoverable). A deletion certificate is generated and provided as proof of data destruction.

5. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

GDPR Rights (European Economic Area)

  • Right of Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Request correction of inaccurate personal data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: Request that we limit processing of your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests

CCPA Rights (California Residents)

  • Right to Know: Request disclosure of what personal information we collect, use, and share
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale of personal information (note: we do not sell personal information)
  • Right to Non-Discrimination: Exercise your rights without receiving discriminatory treatment

To exercise any of these rights, submit a Data Subject Access Request (DSAR) through your account privacy dashboard at /settings/privacy or email us at privacy@ultimateintel.ai. We will respond to verified requests within 30 days.

6. Security Measures

We implement comprehensive security measures to protect your data:

  • Encryption at Rest: All data is encrypted using AES-256-GCM with per-tenant encryption keys
  • Encryption in Transit: All communications use TLS 1.3
  • Tenant Isolation: Strict row-level security (RLS) policies ensure complete data isolation between organizations
  • Access Controls: Role-based access control with JWT authentication
  • Audit Logging: Comprehensive audit trail of all data access and modifications
  • Key Management: Encryption keys managed through Google Cloud Secret Manager with key rotation
  • Infrastructure: Hosted on Google Cloud Platform with SOC 2, ISO 27001, and GDPR compliance

7. Cookies

We use essential cookies required for the Service to function, including authentication tokens and session management. We do not use third-party tracking cookies or advertising cookies.

  • Authentication Cookie: Stores your session token for secure access (expires on logout or after 7 days)
  • Preferences Cookie: Stores your UI preferences such as theme and layout (persistent)

8. Third-Party Services

We use the following third-party services to operate the platform:

  • Google Cloud Platform (GCP): Infrastructure hosting, database (Cloud SQL), storage, messaging (Pub/Sub), task queues (Cloud Tasks)
  • Stripe: Payment processing and subscription management. Stripe's privacy policy applies to payment data.
  • Resend: Transactional email delivery for account notifications, onboarding emails, and morning briefs
  • Anthropic (Claude): Primary AI/LLM provider for natural-language query processing (PII-filtered data only)
  • OpenAI (GPT-4o): Fallback AI/LLM provider for query processing when primary is unavailable (PII-filtered data only)

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

10. International Data Transfers

Your data is processed and stored on Google Cloud Platform infrastructure. If you are accessing the Service from outside the United States, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards for international transfers as required by applicable data protection laws.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification at least 30 days before taking effect. Your continued use of the Service constitutes acceptance of the updated policy.

12. Contact / Data Protection Officer

For questions about this Privacy Policy or to exercise your data rights:

  • Email: privacy@ultimateintel.ai
  • Data Protection Officer: dpo@ultimateintel.ai
  • Address: UltimateIntel.ai, Inc.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.