Privacy Policy
Notice version: 2026-07-01
Digital Personal Data Protection Act, 2023 (India) · GDPR · CCPA
1. Introduction
UltraLooper is operated by Fundaking Media OPC Pvt Ltd (“we”, “us”). This Privacy Notice explains what personal data we collect, why, how long we keep it, who we share it with, and your rights.
We process personal data based on your consent, performance of a contract (providing the Service you signed up for), and legitimate uses permitted under the Digital Personal Data Protection Act, 2023 (DPDP Act). Creating an account requires affirmative consent to this notice and our Terms — we do not rely on passive browsing as consent for core processing.
2. Information we collect
- Account data: Name, email, password (hashed), company, role, billing contact.
- Workplace content: Documents, tasks, calendar, meetings, drive files, chat.
- CRM & lead data: Contacts and leads you or your organisation upload or generate.
- AI inputs/outputs: Prompts, brand settings, knowledge uploads, agent results.
- Mail data: Encrypted mailbox credentials, message metadata, campaign content.
- Technical data: IP address, browser, device, session IDs, security and consent logs.
3. How we use information
- Provide and secure the platform, workplace apps, CRM, mail, and AI agents.
- Manage accounts, workspaces, subscriptions, and credit wallet.
- Run automations you configure (workflows, agents, campaigns).
- Send service messages (security, billing, product-critical).
- Send marketing emails only if you opt in separately.
- Improve reliability using aggregated or anonymised telemetry.
4. Your rights under the DPDP Act (India)
As a data principal in India, you may:
- Access a summary of personal data we process about you.
- Correction of inaccurate or incomplete data.
- Erasure when consent is withdrawn or processing is no longer necessary (subject to legal retention).
- Grievance redressal — contact our Grievance Officer (§12).
- Nominate another individual to exercise your rights in the event of death or incapacity (as permitted by law).
Exercise rights via Privacy Request form, Settings → Privacy & data in your dashboard, or email the Grievance Officer.
5. Consent and withdrawal
We record consent events (purpose, notice version, timestamp, IP) in our audit log. Withdrawing marketing consent is as easy as giving it — toggle off in Settings or use the unsubscribe link in any marketing email. Withdrawing consent for essential service processing may require closing your account.
See our Cookie Policy for analytics cookies.
6. AI processing
We use Google Gemini and OpenAI APIs to power assistant and agent features. We do not use your private workspace content to train public foundation models. Prompts may be sent to sub-processors outside India — see §8.
7. Data retention
- Account: While active; deletion requested accounts purged after a 7-day grace period unless law requires longer retention.
- Workplace & CRM: Until you delete or close the workspace.
- Chat (Autopilot): Purged after approximately 90 days.
- Billing: Up to 7 years for tax and legal compliance.
- Consent logs: Retained as proof of compliance.
8. Sub-processors and cross-border transfers
We share data only as needed with:
- AI: Google (Gemini), OpenAI, LiteLLM proxy
- Payments: PayU (India)
- Email: Postmark
- Lead enrichment: Apify, DataForSEO
- Meetings: LiveKit
- Monitoring: Sentry (scrubbed errors)
- Integrations you connect: Google, Meta, LinkedIn, WordPress, etc.
Google integrations (OAuth)
If you choose to connect Google services, we access only the scopes shown on Google's consent screen at connect time:
- Sign-in: Basic profile (name, email) to create or authenticate your account.
- Google Drive / Search Console: Only when you connect those features for export or SEO tools.
- Google Calendar (optional): If you click Connect Google Calendar in UltraCalendar Settings, we request read-only access
(
calendar.readonly) to display your Google Calendar events alongside UltraCalendar meetings. We do not create, edit, or delete Google Calendar events. Tokens are encrypted at rest; you can disconnect at any time in Settings, which deletes our stored Google Calendar token.
Google user data from OAuth is used only to provide the connected feature. We do not sell it or use it for advertising.
Some processors may store or process data outside India. We use contractual safeguards and disclose transfers in our Data Processing Agreement for B2B customers.
9. Security
TLS encryption in transit, AES-256 for sensitive tokens at rest, role-based access, session protections, and audit logging. No method is 100% secure; report concerns to support@ultralooper.com.
10. GDPR (EEA) and CCPA (California)
EEA residents: access, rectification, erasure, restriction, portability — contact us as above. California residents: we do not sell personal information; you may request disclosure and deletion.
11. Children
The Service is intended for users 18 years and older. We do not knowingly collect data from minors. If you believe a minor has registered, contact the Grievance Officer for deletion.
12. Grievance Officer (DPDP)
For privacy complaints under the DPDP Act:
- Name: Privacy Grievance Officer
- Email: support@ultralooper.com
- Phone: +91 9325535047
- Response SLA: We acknowledge grievances within 72 hours and aim to resolve within 30 days.
General support: support@ultralooper.com
13. Changes to this notice
Material changes will be posted here with an updated notice version. Continued use after notice of changes may require renewed consent where the law requires it.