Encrypted data, EU-only infrastructure
All data is encrypted end-to-end on user devices before reaching EU servers. The server cannot decrypt the content. Backups are encrypted. There is no plaintext copy for the server to leak.
EU-only infrastructure. GDPR-compliant by design.
UltimaOS is built and operated in the European Union, by a company established in the EU. The architecture is GDPR-compliant by design — encrypted data, EU-only infrastructure, no US CLOUD Act exposure, no advertising, no third-party trackers.
UltimaOS is operated by a European company, hosted in EU data centers, with its primary team in the EU. The US CLOUD Act does not apply. There is no transfer to non-EU jurisdictions.
UltimaOS does not display advertising, does not profile users, does not sell or share personal data. The GDPR's legitimate-interest basis for advertising does not apply because advertising does not exist.
Under the GDPR, EU residents have specific rights over their personal data. UltimaOS's zero-knowledge architecture makes most of these rights trivially easy to honor. Below is how each right is implemented.
Email privacy@ultimaos.com with a request. We will provide a copy of all personal data we hold about you — typically your account identifier, public keys, display name, and operational metadata.
Delete your account from the client. Your encrypted blobs are deleted from active storage within 30 days and from backups within 90 days. The remaining ciphertext is undecryptable without your keys.
Export your account data from the client in a portable JSON format. This includes your keys (in encrypted form), your encrypted history (decryptable with your passphrase), and your profile.
Email privacy@ultimaos.com to object to any processing based on legitimate interest. The only such processing is operational security (rate limiting, abuse prevention); you can opt out and we will accommodate.
Available on request for all business customers. Includes the EU Standard Contractual Clauses where applicable.
Not strictly required because there are no transfers outside the EU. Documented internally for transparency and provided to enterprise customers on request.
Maintained internally and disclosed to supervisory authorities on request. Covers all data flows including third-party processors.
Reach the DPO at dpo@ultimaos.com for any privacy concern, supervisory authority inquiry, or Article 37 notification.
All data is stored in EU data centers operated by UltimaOS or by carefully selected EU-based infrastructure providers under signed DPAs. There is no replication outside the EU and no US-based CDN.
No. The US CLOUD Act applies to US-controlled companies and their data. UltimaOS is a European company and its infrastructure is in Europe. Even if a US authority served a CLOUD Act order, it would have no jurisdiction.
No. UltimaOS does not sell, rent, share, or trade personal data with any third party. There is no advertising business model that would create an incentive to do so.
Delete your account from the client. Your encryption keys are destroyed and the server-side encrypted blobs become undecryptable. Active storage is purged within 30 days, backups within 90 days.
No. The UltimaOS marketing site sets zero cookies, uses zero third-party trackers, and is served entirely from EU infrastructure. See the cookies policy page for the explicit zero-cookie commitment.
Yes. A DPA is available for every business customer, including the EU Standard Contractual Clauses where required. Contact dpo@ultimaos.com for the document.
The DPO can be reached at dpo@ultimaos.com. They handle all privacy concerns, supervisory authority inquiries, and Article 37 notifications.