00 Security

GDPR Compliance

EU-only infrastructure. GDPR-compliant by design.

UltimaOS is built and operated in the European Union, by a company established in the EU. The architecture is GDPR-compliant by design — encrypted data, EU-only infrastructure, no US CLOUD Act exposure, no advertising, no third-party trackers.

01 Overview

How UltimaOS is GDPR-compliant by design.

  1. Encrypted data, EU-only infrastructure

     All data is encrypted end-to-end on user devices before it reaches EU servers. The server cannot decrypt the content. Backups are encrypted. There is no plaintext copy for the server to leak.

  2. EU company, EU infrastructure

     UltimaOS is operated by a European company, hosted in EU data centers, with its primary team in the EU. The US CLOUD Act does not apply. There is no transfer to non-EU jurisdictions.

  3. No advertising, no profiling

     UltimaOS does not display advertising, does not profile users, and does not sell or share personal data. The GDPR's legitimate-interest basis for advertising does not apply, because there is no advertising.

02 Details

Your GDPR rights on UltimaOS.

Under the GDPR, EU residents have specific rights over their personal data. UltimaOS's zero-knowledge architecture makes most of these rights trivially easy to honor. Below is how each right is implemented.

  1. Right of access (Article 15)

     Email privacy@ultimaos.com with a request. We will provide a copy of all personal data we hold about you: typically your account identifier, public keys, display name, and operational metadata.

  2. Right to erasure (Article 17)

     Delete your account from the client. Your encrypted blobs are deleted from active storage within 30 days and from backups within 90 days. The remaining ciphertext is undecryptable without your keys.

  3. Right to portability (Article 20)

     Export your account data from the client in a portable JSON format. This includes your keys (in encrypted form), your encrypted history (decryptable with your passphrase), and your profile.

  4. Right to object (Article 21)

     Email privacy@ultimaos.com to object to any processing based on legitimate interest. The only such processing is operational security (rate limiting, abuse prevention); you can opt out, and we will accommodate the objection.

03 Key points

Compliance documentation.

  1. Data Processing Agreement (DPA)

     Available on request for all business customers. Includes the EU Standard Contractual Clauses where applicable.

  2. Transfer Impact Assessment

     Not strictly required, because there are no transfers outside the EU. Documented internally for transparency and provided to enterprise customers on request.

  3. Records of Processing Activities (Article 30)

     Maintained internally and disclosed to supervisory authorities on request. Covers all data flows, including third-party processors.

  4. Data Protection Officer

     Reach the DPO at dpo@ultimaos.com for any privacy concern, supervisory authority inquiry, or Article 37 notification.


05 Frequently asked

Questions about GDPR compliance.

Is UltimaOS GDPR-compliant?

Yes. UltimaOS is operated by an EU company, hosted on EU infrastructure, and designed with zero-knowledge encryption. The architecture is GDPR-compliant by design — encrypted data, no advertising, no profiling, no transfer outside the EU. (EDPB · GDPR)

Where is my data stored?

All data is stored in EU data centers operated by UltimaOS or by carefully selected EU-based infrastructure providers under signed DPAs. There is no replication outside the EU and no US-based CDN.

Does the US CLOUD Act apply to UltimaOS?

No. The US CLOUD Act applies to US-controlled companies and their data. UltimaOS is a European company and its infrastructure is in Europe. Even if a US authority served a CLOUD Act order, it would have no jurisdiction.

Does UltimaOS sell my personal data?

No. UltimaOS does not sell, rent, share, or trade personal data with any third party. There is no advertising business model that would create an incentive to do so.

How do I exercise my right to be forgotten?

Delete your account from the client. Your encryption keys are destroyed and the server-side encrypted blobs become undecryptable. Active storage is purged within 30 days, backups within 90 days.

Do you use cookies or trackers on the marketing site?

No. The UltimaOS marketing site sets zero cookies, uses zero third-party trackers, and is served entirely from EU infrastructure. See the cookies policy page for the explicit zero-cookie commitment.

Do you sign a Data Processing Agreement?

Yes. A DPA is available for every business customer, including the EU Standard Contractual Clauses where required. Contact dpo@ultimaos.com for the document.

Who is your Data Protection Officer?

The DPO can be reached at dpo@ultimaos.com. They handle all privacy concerns, supervisory authority inquiries, and Article 37 notifications.