Privacy Policy

This policy applies to Ultaura's website, dashboard, and voice companion service. It covers data collected from account owners (payers), line recipients (the person receiving calls), and trusted contacts.

Account owners manage the service. Line recipients control consent, sharing, and privacy preferences for their calls. Trusted contacts only see the information shared with them.

Ultaura places scheduled check-in calls using telephony providers and connects the call to our AI voice companion. Audio is processed in real time so the conversation can happen.

After a call, we store call metadata and optional encrypted memory notes (summaries, preferences, and reminders) to support continuity. We do not keep full call transcripts by default.

Safety monitoring may flag concerning content. When enabled, it can trigger wellness alerts to trusted contacts with the minimal details needed to act.

We collect only the information we need to provide and improve the service.

• Account details such as name, email, billing information, and subscription plan.
• Line information like verified phone numbers, schedules, reminder settings, accessibility preferences, and consent choices.
• Call metadata (date/time, duration, outcome, voicemail detection, and delivery status) for usage dashboards, reliability, and billing.
• Encrypted memory notes and insights (summaries, preferences, and highlights) to provide continuity.
• Safety events and wellness alerts when concerns are detected.
• Optional call recordings when recording is enabled and consent is granted.
• Support communications, including emails or messages sent to our support team.
• Basic product analytics and device information to keep the service reliable and accessible.

We do not store full call transcripts by default, and we do not sell personal data. We aim to capture only the minimum needed to provide companionship and safety features.

We avoid collecting sensitive personal data unless it is shared during a call and required for safety or continuity, and then it is stored only in encrypted memory notes.

We use information to:

• Provide scheduled calls, reminders, and check-ins.
• Personalize conversations and improve continuity.
• Deliver safety monitoring and wellness alerts.
• Manage billing, minutes, and subscriptions.
• Respond to support requests and user feedback.
• Maintain reliability, prevent abuse, and secure accounts.

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under one or more of the following legal bases:

• Consent: For optional features such as call recordings, sharing preferences, and non-essential cookies. You can withdraw consent at any time.
• Contractual necessity: To deliver the service you signed up for, including making scheduled calls, storing memory notes, processing payments, and managing your account.
• Legitimate interest: To maintain service reliability, detect abuse, improve safety monitoring, and perform basic analytics, balanced against your rights and expectations.
• Legal obligation: To comply with tax, billing, fraud prevention, and regulatory requirements.

Consent is a core part of Ultaura. We collect consent during setup and, when required, directly during calls.

• Call consent and opt-outs are respected. A recipient can stop calls at any time by pressing 9 or asking Ultaura to stop.
• Recording consent is explicit and can be revoked at any point during a call.
• Sharing tiers control what families see in summaries, dashboards, and wellness alerts.
• Topic exclusions let you keep sensitive subjects out of summaries and insights.
• Conversation topics are not censored or filtered. Conversations are led by the person receiving calls. Safety monitoring for emergencies and distress operates independently and does not restrict what topics may be discussed.
• Retention controls and deletion requests are available in the Privacy Center.

Recordings are optional. If enabled, we request clear consent from the person receiving calls. Recording settings can be changed at any time, and consent can be revoked during a call.

Recordings, if stored, are encrypted and subject to retention settings. If recording is disabled or consent is revoked, we do not record the call.

Recording laws vary by jurisdiction. Some U.S. states (including California, Illinois, Florida, and others) require all-party consent before a call may be recorded. Ultaura always requests explicit verbal consent from the call recipient before any recording begins, regardless of the jurisdiction. We do not record any portion of a call without confirmed consent.

Families can receive summaries and insights based on the sharing tier you choose. Sharing tiers range from minimal visibility to more detailed summaries. You can change sharing tiers at any time.

• Account owners can view line-level dashboards based on the sharing tier for each line.
• Trusted contacts may receive wellness alerts only when enabled and only with the minimum information needed to help.
• We do not include exact quotes or sensitive private topics in shared summaries.

Ultaura monitors for distress keywords and concerning patterns to support safety. When a concern is detected, we may create a wellness alert with a severity level.

• Alerts can be shared with trusted contacts if enabled.
• Alerts are redacted to include only what is necessary to act.
• In serious situations, the system may suggest emergency resources, such as 988 or local emergency services.

Ultaura uses AI to power conversations, summarize calls, and detect wellness signals. This processing is automated and helps deliver reminders, maintain memory notes, and produce summaries.

Automated outputs are filtered to honor sharing tiers, topic exclusions, and consent settings.

Your call data is never used to train AI models. We do not share call audio, transcripts, memory notes, or personal information with any AI provider for the purpose of model training or improvement. Our AI providers process data solely to deliver real-time conversation and are contractually prohibited from using your data for training. If this policy ever changes, we will notify you in advance and provide a clear opt-out.

We encrypt sensitive data in transit and at rest. Memory notes and insights are protected with envelope encryption and account-level or line-level keys. Access is limited to authorized systems and personnel.

We monitor for abuse, restrict administrative access, and keep audit logs of privacy-related changes.

We use cookies and similar technologies to operate the service and understand how it is used.

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled without breaking core functionality.
• Preference cookies: Store your language, theme, and display settings so you do not need to reconfigure them on each visit.
• Analytics cookies: Help us understand usage patterns, page performance, and error rates. Analytics data is aggregated and is not used to build advertising profiles.

We do not use third-party advertising or tracking cookies. We do not serve ads, participate in ad networks, or allow third-party trackers that follow you across other websites.

We also use browser local storage to persist dashboard preferences and session tokens. This data stays on your device and is not transmitted to third parties.

You can manage cookie preferences through our cookie consent banner or through your browser settings. Blocking essential cookies may prevent you from using the dashboard.

You control how long data is retained. Retention options include 30, 90, or 365 days, or indefinite retention when required for continuity. Retention settings apply to memory notes, insights, and recordings.

• You can delete privacy data (memories, insights, recordings) from the Privacy Center.
• Call metadata, billing records, and user-created schedules are preserved as needed for billing, compliance, and scheduling.
• Full account deletion removes lines, schedules, and stored data within reasonable timeframes, except where we are required to retain records.

You can request a data export that includes call history, insights, and memories. Exports are delivered as a secure download and are available for 48 hours.

For your security, we may verify your identity before fulfilling a request.

We use trusted providers to deliver the service. These providers process data on our behalf under confidentiality and security obligations. We share only what is needed for them to perform their function.

• Twilio — Telephony infrastructure for placing and receiving calls, phone number verification, and SMS delivery.
• xAI — AI voice processing for real-time conversation during calls.
• OpenAI — Safety classification for detecting concerning content during calls.
• Supabase — Cloud database infrastructure and authentication.
• Stripe — Payment processing, subscription management, and billing.
• Resend — Transactional and notification email delivery.
• Sentry — Error monitoring and performance diagnostics (no personal content is sent).
• Vercel — Web application hosting and edge delivery.

Each provider is contractually required to protect your data and use it only for the purposes we specify. We review our sub-processors periodically and will update this list if material changes occur.

You can access, correct, export, or delete your data. You can also manage consent, sharing tiers, and retention settings at any time.

• Line recipients can opt out of calls or change consent and sharing preferences.
• Account owners can manage billing data, lines, schedules, and trusted contacts.
• If you need help exercising these rights, contact support.

If you live in certain U.S. states, you may have additional privacy rights under state law. These rights can include:

• Access to the personal information we hold about you.
• Correction of inaccurate personal information.
• Deletion of personal information.
• A portable copy of your personal information (data portability).
• Opting out of the sale or sharing of personal information, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise these rights, use the Privacy Center or email support@ultaura.com. We may need to verify your identity before fulfilling a request, and we may decline or limit a request as permitted by law (for example, when we must retain information for billing, compliance, or security).

Do Not Sell or Share: Ultaura does not sell or share personal information as those terms are defined by applicable U.S. state privacy laws. We do not use personal information for targeted advertising, and we do not use automated profiling to make decisions that produce legal or similarly significant effects. If this changes, we will provide a clear opt-out.

Authorized Agents: You may designate an authorized agent to submit a request on your behalf. We will require proof of authorization and may verify your identity directly with you.

Appeals: If we deny a request, you can appeal by contacting support with the subject line "Privacy Appeal." We will respond within the timeframe required by applicable law.

No Discrimination: We will not discriminate against you for exercising your privacy rights. You will not be denied services, charged different prices, or receive a different level of quality for exercising your rights.

If you are located in the EEA, United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR) and equivalent local laws:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Ask us to correct inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
• Right to restrict processing: Ask us to limit how we use your data while a dispute or request is being resolved.
• Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to object: Object to processing based on legitimate interest or for direct marketing purposes.
• Right to withdraw consent: Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.
• Right to lodge a complaint: File a complaint with your local data protection supervisory authority if you believe your rights have been violated.

To exercise any of these rights, email support@ultaura.com with the subject line "GDPR Request." We will respond within 30 days (or sooner if required by applicable law).

Ultaura does not currently appoint a Data Protection Officer. For privacy inquiries, contact us at the email or mailing address listed in the Contact section below.

Ultaura is a U.S.-based service. Your information may be processed in the United States and other locations where our service providers operate.

If your data is transferred outside of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms recognized by applicable law, to protect your data during transfer.

Ultaura is designed for older adults, and we take extra care to protect this population.

• Cognitive accessibility: Consent mechanisms are designed to be simple and direct. During calls, consent requests use clear, plain language and are confirmed verbally.
• Guardian and power of attorney access: If a legal guardian, conservator, or holder of power of attorney needs to manage an account or exercise privacy rights on behalf of a line recipient, they can contact support with documentation of their legal authority. We will verify the documentation and provide access or act on the request accordingly.
• Safety-first design: The safety monitoring system is calibrated to detect signs of distress, confusion, or declining wellbeing. When concerns arise, we prioritize the safety of the individual over feature functionality.
• Minimal data exposure: Sharing tiers, redaction, and topic exclusions ensure that sensitive personal details shared during calls are not unnecessarily exposed to family members or contacts.
• Conversation autonomy: Ultaura respects the senior's right to direct their own conversations. Topics are not censored or restricted. Safety systems monitor for emergencies and wellness concerns but do not limit what the senior chooses to talk about.

In the event of a data breach that affects your personal information, we will notify affected users without undue delay and within the timeframes required by applicable law (including 72 hours where required under GDPR and as specified by U.S. state breach notification laws).

Notifications will include a description of the breach, the types of data involved, the steps we are taking to address it, and recommendations for protecting yourself. We will also notify relevant regulatory authorities as required.

We may update this policy from time to time. If changes are material, we will provide notice on this page or in your dashboard. The "Last updated" and "Effective" dates at the top of this page reflect when the most recent version took effect.