00 Legal

Privacy Policy

Zero-knowledge architecture. EU-only infrastructure. No advertising, no profiling.

UltimaOS is designed for privacy by architecture: zero-knowledge encryption, EU-only infrastructure, no third-party trackers, no advertising. This page describes exactly what personal data we process, on what legal basis, and how you can exercise your GDPR rights.

01 Overview

Section overview

What personal data we process.

01

Account data

Account identifier (random, server-generated), display name (chosen by you), authentication public keys (ML-DSA-65). No email or phone required for account creation.

02

Encrypted content

Chat messages, files, calendar events, AI conversations — encrypted on your device before reaching the server. The server stores ciphertext and cannot decrypt it.

03

Minimal operational data

Request timestamps, error rates, abuse signals. Operational logs are retained for a maximum of 30 days and are not linked to your account identifier except where that link is needed for security and abuse prevention.

02 Details

Section details

Your GDPR rights on UltimaOS.

Under the General Data Protection Regulation, individuals in the EU have specific rights over their personal data. Because UltimaOS holds very little data it can read, most of these rights are straightforward to honor.

01

Right of access (Article 15)

Request a copy of all personal data we hold about you. We will provide your account identifier, public keys, display name, and minimal operational metadata.

02

Right to rectification (Article 16)

Update your display name, recovery contacts, and other profile settings at any time from inside the workspace. Changes are immediate.

03

Right to erasure (Article 17)

Delete your account from the client. Your encryption keys are destroyed, so the server-side ciphertext becomes undecryptable even before it is purged: active storage within 30 days, backups within 90 days. Copies you exported yourself (see Article 20 below) are under your control and remain decryptable with your passphrase; deleting the account does not erase them.

04

Right to portability (Article 20)

Export your account data in a portable JSON format. This includes your keys (in encrypted form), your encrypted history (decryptable with your passphrase), and your profile. Treat the export file as sensitive: anyone holding the file together with your passphrase can read your history.

03 Key points

Key takeaways

Legal bases, transfers, and contact.

  1. 01

    Legal bases (Article 6)

    For service operation, the legal basis is Article 6(1)(b) GDPR — contract performance. For security and abuse prevention, Article 6(1)(f) — legitimate interest. Consent is never the basis for core service operation.

  2. 02

    No transfers outside the EU

    All infrastructure is hosted in EU data centers. There is no replication outside the EU, no US-based CDN, no backup to non-EU hyperscalers. EU hosting alone would not settle the question, because the US CLOUD Act reaches providers subject to US jurisdiction wherever their data is stored; it does not apply here because no such provider holds any of this data, and the content is ciphertext that cannot be decrypted server-side in any case.

  3. 03

    Retention periods

    Encrypted content is kept as long as your account is active. When you delete your account, your content is removed from active storage within 30 days and from backups within 90 days. The deletion event is recorded in our audit trail; the audit record contains no content.

  4. 04

    Data Protection Officer

    Reach the DPO at dpo@ultimaos.com for any privacy concern or supervisory authority inquiry. The DPO is designated under Article 37 GDPR and is the formal point of contact for EU regulators.

05 Frequently asked

Common questions

Questions about UltimaOS privacy.

What personal data does UltimaOS process?
Short answer

Account identifier (random, server-generated), display name (chosen by you), authentication public keys (ML-DSA-65), encrypted content blobs (chat, files, calendar, etc.), and minimal operational logs (request timestamps, error rates). The server cannot read your content because it is encrypted on your device.

What is the legal basis for processing?
Short answer

For service operation, the legal basis is Article 6(1)(b) GDPR — contract performance. For security and abuse prevention, Article 6(1)(f) GDPR — legitimate interest. We do not process your data for advertising, profiling or any incompatible purpose; consent is never the basis for core service operation.

Do you use cookies or trackers?
Short answer

No. See the Cookies Policy page.

How can I exercise my GDPR rights?
Short answer

You can request access, rectification, erasure, restriction, portability or objection at any time by emailing privacy@ultimaos.com. Because UltimaOS is zero-knowledge, erasure is straightforward: account deletion destroys the encryption keys, the remaining ciphertext is undecryptable, and that ciphertext is then purged from active storage within 30 days and from backups within 90 days.

Do you transfer data outside the EU?
Short answer

No. All UltimaOS infrastructure is hosted in EU data centers. There is no replication outside the EU, no US-based CDN, no backup to non-EU hyperscalers. The US CLOUD Act reaches providers subject to US jurisdiction wherever their data is stored, so EU hosting alone is not the point; it does not apply here because no such provider holds any of this data, and the content is ciphertext that cannot be decrypted server-side in any case.

How long do you keep data?
Short answer

Your encrypted content is kept as long as your account is active. When you delete your account, your content is removed from active storage within 30 days and from backups within 90 days. The deletion event is recorded in our audit trail; the audit record contains no content.

Has UltimaOS ever received a government request for data?
Short answer

Our transparency report (updated quarterly) lists every government request we have received, the legal basis, and our response. To date, the volume is very low, consistent with our small user base. Even under compulsion, what can be produced is limited to what the server holds: account identifier, display name, public keys, operational logs and ciphertext; we cannot read content.

How do I contact the DPO?
Short answer

Email dpo@ultimaos.com. For any privacy concern, this is the right contact.