Zero-knowledge architecture. EU-only infrastructure. No advertising, no profiling.
UltimaOS is designed for privacy by architecture: zero-knowledge encryption, EU-only infrastructure, no third-party trackers, no advertising. This page describes exactly what personal data we process, on what legal basis, and how you can exercise your GDPR rights.
Account identifier (random, server-generated), display name (chosen by you), authentication public keys (ML-DSA-65). No email or phone required for account creation.
Chat messages, files, calendar events, AI conversations — encrypted on your device before reaching the server. The server stores ciphertext and cannot decrypt it.
Request timestamps, error rates, abuse signals. Operational logs are retained for a maximum of 30 days and are never linked to your account identity beyond what's needed for security.
Under the General Data Protection Regulation, EU residents have specific rights over their personal data. UltimaOS's zero-knowledge architecture makes most of these rights trivially easy to honor.
Request a copy of all personal data we hold about you. We will provide your account identifier, public keys, display name, and minimal operational metadata.
Update your display name, recovery contacts, and other profile settings at any time from inside the workspace. Changes are immediate.
Delete your account from the client. Your encryption keys are destroyed and the server-side encrypted blobs become undecryptable. Active storage is purged within 30 days, backups within 90 days.
Export your account data in a portable JSON format. This includes your keys (in encrypted form), your encrypted history (decryptable with your passphrase), and your profile.
For service operation, the legal basis is Article 6(1)(b) GDPR — contract performance. For security and abuse prevention, Article 6(1)(f) — legitimate interest. Consent is never the basis for core service operation.
All infrastructure is hosted in EU data centers. There is no replication outside the EU, no US-based CDN, no backup to non-EU hyperscalers. The US CLOUD Act does not apply.
Encrypted content is kept as long as your account is active. When you delete your account, your content is removed from active storage within 30 days and from backups within 90 days. The deletion is logged in our audit trail but does not include the content itself.
Reach the DPO at dpo@ultimaos.com for any privacy concern, supervisory authority inquiry, or Article 37 notification. The DPO is the formal point of contact for EU regulators.
Account identifier (random, server-generated), display name (chosen by you), authentication public keys (ML-DSA-65), encrypted content blobs (chat, files, calendar, etc.), and minimal operational logs (request timestamps, error rates). The server cannot read your content because it is encrypted on your device.
For service operation, the legal basis is Article 6(1)(b) GDPR — contract performance. For security and abuse prevention, Article 6(1)(f) GDPR — legitimate interest. We do not process your data for advertising, profiling or any incompatible purpose; consent is never the basis for core service operation.
No. See the Cookies Policy page.
You can request access, rectification, erasure, restriction, portability or objection at any time by emailing privacy@ultimaos.com. Because UltimaOS is zero-knowledge, erasure is trivially possible: account deletion removes the encryption keys and the remaining ciphertext is undecryptable.
No. All UltimaOS infrastructure is hosted in EU data centers. There is no replication outside the EU, no US-based CDN, no backup to non-EU hyperscalers. The US CLOUD Act does not apply.
Your encrypted content is kept as long as your account is active. When you delete your account, your content is removed from active storage within 30 days and from backups within 90 days. The deletion is logged in our audit trail but does not include the content itself.
Our transparency report (updated quarterly) lists every government request we have received, the legal basis, and our response. To date, the volume is very low, consistent with our small user base and the architectural fact that we cannot read content even if compelled.
Email dpo@ultimaos.com. For any privacy concern, this is the right contact.