Privacy Policy

The data controller is ULTRA AGENT LIMITED, registered in Thailand (Tax ID 0105569026818). Registered office:

316/97 Sirinpark Project 3, Soi Wongsawang 11, Wongsawang Road, Bang Sue Sub-district, Bang Sue District, Bangkok 10800, Thailand

For privacy questions or to exercise your rights under PDPA / GDPR, contact [email protected].

• Account: email, display name, password hash (when using email sign-up) or the OAuth identifier returned by Google or Facebook (we request only the public_profile and email scopes — nothing more).
• Files you upload for processing (images, videos, audio, PDFs). Stored in MinIO object storage located in Thailand.
• Generated content metadata: prompts, parameters, output file references for AI image generation jobs.
• Job metadata: processing parameters, timestamps, credit usage records.
• Payment data: when you subscribe to a paid tier or buy credits, Stripe processes your payment. We never see or store your full card number — Stripe holds card details under PCI-DSS. We do receive billing email, country, and an opaque Stripe customer ID for our records.
• Operational logs: IP address, user agent, request paths — retained 30 days for security and abuse prevention.

• Run the media processing or AI generation you requested.
• Authenticate your sessions and prevent fraud.
• Bill subscriptions and credit top-ups via Stripe.
• Aggregate anonymous usage metrics to improve features. We do not sell your data or share it with advertisers.
• Send critical service notifications (billing receipts, security alerts, policy changes). We do not send marketing email without separate opt-in.

Uploaded files are kept only as long as needed to process your job plus 30 days for re-download. You can delete them sooner from the dashboard. Deleted files are removed from storage within 24 hours.

Generated AI content is retained as long as your account is active, subject to your storage quota.

Account records persist until you delete your account. After deletion, we keep minimal billing and audit records for 12 months (Thai Revenue Code requires retention of tax-relevant records) and then purge them.

You can at any time:

• Access the data we hold on you (Settings → Privacy).
• Correct inaccurate profile fields.
• Delete your account and all associated files (Settings → Delete Account).
• Export your job and generation history as JSON.
• Revoke Facebook or Google access from the provider's own settings. We also honour Facebook's Data Deletion Callback.

To exercise any right not available in-product, email [email protected]. We respond within 30 days as required by PDPA Section 30.

We share the minimum data needed with the following processors. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguard:

• Stripe, Inc. (United States) — payment processing for subscriptions and credit packs. Receives card details directly from your browser; we receive only an opaque customer ID and billing receipts. Stripe is PCI-DSS Level 1 certified.
• fal.ai (Features and Labels Inc.) (United States) — AI image generation inference. Receives your prompt + generation parameters; does not receive your account email or identity. Generated images are returned to our servers, then served back to you.
• MinIO (self-hosted, Thailand) — object storage for uploads and generated content. Your data does not leave our infrastructure.
• Cloudflare, Inc. (United States, edge) — TLS termination, DDoS protection, CDN. Authenticated routes are not cached at the edge.
• Google Workspace (United States) — operates our support email at [email protected]. Receives only messages you send to support.
• Meta Platforms, Inc. and Google LLC — OAuth identity only (public_profile, email), when you choose to sign in via them.

Some processors above are located outside Thailand (primarily the United States). We rely on the following safeguards permitted by PDPA Section 28 and the applicable foreign frameworks:

• Stripe — Standard Contractual Clauses (SCCs) as approved by the European Commission, plus PCI-DSS Level 1.
• fal.ai — Data Processing Addendum with SCCs.
• Cloudflare — Data Processing Addendum with SCCs.
• Google Workspace — Data Processing Addendum with SCCs.

You may request a copy of any DPA by emailing [email protected].

Traffic is TLS 1.3 end-to-end. Passwords are bcrypt-hashed. Object storage is encrypted at rest. Database access is restricted to a single maintainer and fully audited. Payment card details never touch our servers — they are tokenised by Stripe in your browser.

Ultra Gen is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, email us and we will delete it.

We may update this policy. Material changes will be emailed to registered users at least 30 days before taking effect.

Privacy questions, deletion requests, or PDPA / GDPR inquiries: [email protected].

ULTRA AGENT LIMITED
316/97 Sirinpark Project 3, Soi Wongsawang 11, Wongsawang Road, Bang Sue Sub-district, Bang Sue District, Bangkok 10800, Thailand