Ultimia Ultimia Beta

Privacy Policy

Effective date: March 10, 2026

Effective Date: March 10, 2026
Last Updated: March 10, 2026

This Privacy Policy explains how Ultimia collects, uses, discloses, and safeguards personal information when you use our website, products, and services (collectively, the "Services").

This policy is drafted for Ultimia's cross-border operation through:

  • Ultimia Inc. (Canada)
  • Ultimia LLC (Montana, United States)

If you do not agree with this Privacy Policy, do not use the Services.

1. Scope

This Privacy Policy applies to personal information we process as a business or service provider in connection with:

  • account registration and authentication;
  • subscriptions, billing, and credit purchases;
  • project setup and discovery workflows;
  • uploaded files and generated outputs;
  • customer support, feedback, and communications;
  • referral and invite workflows.

This policy does not apply to third-party services that you access through links or separate integrations not controlled by Ultimia.

2. Personal Information We Collect

Depending on your use of the Services, we may collect the following categories of personal information.

2.1 Account and identity data

  • Name
  • Email address
  • Password hash and authentication metadata
  • OAuth identifiers (for example, Google account identifier)
  • Role and membership information (for example, owner/admin/member/viewer)

2.2 Profile and organization/workspace data

  • Organization/client and workspace details
  • Contact details (such as business email, phone)
  • Team membership and invitation records
  • Theme and product preferences

2.3 Billing and transaction data

  • Subscription plan and status
  • Credit balances and credit transaction history
  • Promo-code redemption activity
  • Payment processor references (such as Stripe customer/session/payment identifiers)
  • Invoice/receipt metadata

2.4 Communications and support data

  • Support submissions, comments, attachments, and ratings
  • Invite and message content/templates
  • Email/SMS opt-in and opt-out data where applicable

2.5 Project and content data

  • Project inputs and discovery responses
  • Interview/participant contact and profile data provided by you
  • Uploaded files/documents and extracted text/metadata
  • AI-generated outputs, summaries, and recommendation artifacts

2.6 Technical and security data

  • Device, browser, and request metadata
  • Session and authentication logs
  • Abuse-prevention and bot-check signals (for example, turnstile verification)

3. Sources of Personal Information

We collect personal information:

  • directly from you and authorized users of your account;
  • from workspace administrators who add or invite users/participants;
  • from integrated services you choose to use (for example, Google sign-in, payment provider);
  • automatically through normal operation, security, and logging of the Services.

4. How We Use Personal Information

We use personal information to:

  • provide, operate, and maintain the Services;
  • authenticate users and secure accounts;
  • process payments, subscriptions, and credit transactions;
  • deliver support and product communications;
  • power requested AI workflows and output generation;
  • detect/prevent fraud, abuse, and unauthorized access;
  • enforce contractual/legal rights and comply with legal obligations;
  • improve product quality, reliability, and user experience.

5. AI Processing and Expert Panel Simulations

Some features generate AI-assisted recommendations, responses, and simulated expert panel outputs.

  • Inputs may include project context, responses, and content you submit.
  • Outputs may include simulated viewpoints and debate-style reasoning.
  • Expert panel outputs are AI simulations, not the personal opinions or endorsements of real individuals.
  • You are responsible for reviewing outputs before relying on them for legal, financial, tax, medical, or other professional decisions.

6. Legal Bases and Consent

Where required by applicable law, we process personal information based on one or more of:

  • performance of a contract (providing the Services you request);
  • your consent (for example, optional marketing communications);
  • legal obligations;
  • legitimate business interests (such as security, support, fraud prevention, and service improvement), where permitted.

You may withdraw consent for optional marketing communications at any time.

7. How We Share Personal Information

We may disclose personal information to the following categories of recipients, only as needed for the purposes above:

  1. Service providers and processors, including:
  • payment processing providers;
  • cloud infrastructure and storage providers;
  • communications providers (email/SMS);
  • authentication and anti-abuse providers;
  • AI model/API providers used to process requested workflows.

Examples of providers currently used in our stack may include:

  • Stripe (payments and billing);
  • Amazon Web Services (AWS) (application hosting, infrastructure, and related storage/processing services);
  • Google (OAuth sign-in and cloud infrastructure components);
  • Twilio (SMS delivery and webhook processing);
  • Cloudflare Turnstile (bot and abuse prevention);
  • OpenRouter and Google Gemini/Vertex AI endpoints (AI processing requested by you);
  • email delivery providers configured by Ultimia (for example, Postmark, SES, or Resend).

  1. Within Ultimia corporate entities (Ultimia Inc. and Ultimia LLC) for operations, support, billing, compliance, and security.

  2. Legal/compliance recipients, including regulators, law enforcement, courts, or counterparties where required by law, legal process, or to protect rights and safety.

  3. Business transaction counterparties (for example, in merger, acquisition, financing, or asset sale), subject to customary confidentiality and legal safeguards.

We do not sell personal information for money.

8. Cross-Border Transfers and Transfer Safeguards

Ultimia operates in Canada and the United States. Personal information may be processed or stored in either country (and other jurisdictions where our subprocessors operate).

When data is transferred across borders, it may be subject to lawful access by courts, regulators, and law enforcement in those jurisdictions.

For cross-border transfers, Ultimia applies appropriate administrative, contractual, and organizational safeguards designed to protect personal information in line with applicable legal requirements.

9. Data Retention

We retain personal information only as long as reasonably necessary for the purposes described in this policy, including to:

  • provide the Services;
  • maintain records of billing and transactions;
  • resolve disputes;
  • enforce agreements;
  • comply with legal, tax, accounting, and audit obligations.

Retention periods vary by data type and legal requirements. We may de-identify or aggregate data for analytics and service improvement where legally permitted.

9.1 Retention schedule summary

Unless a longer period is required by law, dispute handling, security needs, or contractual obligations:

  • Account/profile data is retained while the account is active and for a reasonable period after closure.
  • Billing and financial records are retained as required for tax, accounting, and audit compliance.
  • Support and operational communications are retained for service continuity, troubleshooting, and compliance.
  • Security logs are retained for fraud prevention, incident response, and legal compliance.
  • Deleted-account data may persist in backups for a limited lifecycle and is then overwritten or deleted according to backup rotation practices.

10. Security

We use administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, loss, misuse, and alteration.

No method of transmission or storage is fully secure; therefore, we cannot guarantee absolute security.

11. Your Privacy Choices and Rights

Depending on your jurisdiction and applicable law, you may have rights to:

  • request access to personal information;
  • request correction of inaccurate information;
  • request deletion of personal information;
  • request portability of certain data;
  • withdraw consent where processing is based on consent;
  • object to or restrict certain processing.

You may also unsubscribe from marketing communications using unsubscribe links/instructions in those messages.

To exercise privacy rights, contact us using the details in Section 18. We may need to verify your identity before fulfilling requests.

11.1 Rights request process

You may submit privacy requests by emailing legal@ultimia.com or support@ultimia.com.

To protect account security, Ultimia may verify your identity before fulfilling a request (for example, by validating account control signals or requesting additional confirmation).

Ultimia will respond within timelines required by applicable law. Where law does not set a shorter period, we target an initial response within 30 days, and we will notify you if additional time is required.

If you are unsatisfied with our response, you may contact us for escalation and, where applicable, file a complaint with your local privacy regulator.

12. U.S. State Privacy Notices

Residents of certain U.S. states (including California and Colorado, where applicable) may have additional rights under state privacy law. Ultimia will honor applicable rights requests as required by law.

Where required, authorized agents may submit requests on your behalf, subject to verification and legal requirements.

For applicable U.S. state residents, rights may include:

  • right to know/access categories and specific pieces of personal information;
  • right to correction;
  • right to deletion (subject to legal exceptions);
  • right to portability;
  • right to opt out of certain targeted advertising, certain profiling, or certain sharing/sale constructs where applicable.

Ultimia does not sell personal information for monetary consideration.

13. Children and Minors

Our Services are not directed to children under 13. We do not knowingly collect personal information directly from children under 13 without legally required authorization.

If you believe a child has provided personal information in violation of this policy, contact us and we will investigate and take appropriate action.

14. Automated Processing and AI-Assisted Decisions

Ultimia may use automated systems, including AI-assisted workflows, to generate recommendations, summaries, and draft outputs requested by users.

These outputs are assistive and are not intended to be the sole basis for high-impact legal, financial, medical, employment, insurance, housing, or similarly significant decisions. Human review by you or your organization remains required.

15. Model Training and Content Use

Ultimia does not use your customer content to train Ultimia-owned foundation models unless explicitly disclosed and consented to where required by law.

When third-party AI providers are used to process requested workflows, processing may be subject to those providers' platform terms and controls. Ultimia configures and uses such providers to support service delivery and protect customer data consistent with contractual and legal requirements.

16. Subprocessor Transparency

Ultimia may use subprocessors to deliver infrastructure, hosting, communications, support, security, analytics, and AI functionality.

Ultimia maintains internal records of active subprocessors and, where commercially appropriate, may provide subprocessor details to customers upon request or through customer-facing documentation.

17. Policy Changes

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by posting the updated policy and revising the "Last Updated" date, and where required, additional notice in-product or by email.

18. Contact Us

For privacy questions, requests, or complaints:

Mailing addresses:

  • Ultimia Inc.: 101 Dundas St W, Suite 300, Whitby ON L1N 2M2, Canada
  • Ultimia LLC: 127 N Higgins Ave, Ste 307D 201, Missoula, MT 59802, USA

If your concern is unresolved, you may have the right to contact your applicable privacy regulator.