Legal

How we use your data for AI

Ultron is built on large language models. Delivering the service means sending your prompts, conversation history, and tool results to model providers for inference and receiving generated output in return. This page is the complete account of that data flow: what leaves the platform and what does not, which providers receive it and under what terms, how training is prohibited, how long anything is kept on either side, and the responsibilities you hold when the content you submit contains other people's personal data. It is the operational companion to the Privacy Policy and the Data Processing Addendum.

Updated today

Overview

At a glance
Trained on your data
No, not by us and not by any provider
Sold or shared for ads
Never
Primary chat provider
Anthropic (Haiku, Sonnet, Opus tiers)
Default lite model
Kimi K2.6, hosted on Cloudflare Workers AI
Embeddings
OpenAI embedding endpoint, retrieval only
Platform retention
Per the Privacy Policy windows
Provider retention
Not retained for provider purposes after the call
Data protection contact
privacy@51ultron.com

A language model cannot answer a question it has not been shown. Running the chat loop, executing a skill, or advancing a background job therefore requires sending the relevant context to a model provider and receiving a generated response. That request and response is the entire reason any of your data reaches a model provider. We do not copy your content to a provider for any other purpose, we do not retain it with a provider beyond the call, and we do not use it to build a product that benefits anyone but you.

This page describes the default behaviour of the platform for all plans. Where an enterprise agreement adds stricter terms, such as a zero-retention inference path or a named-region routing constraint, those terms control for that customer. The Subprocessors page carries the current, dated list of every provider in the path.

Definitions

Terms used on this page have the following meanings. Capitalised terms not defined here carry the meaning given in the Data Processing Addendum or the GDPR.

TermMeaning
InferenceA single call to a model in which input is sent and a generated output is returned. The unit of AI processing on the platform
PromptThe text and structured context sent into a single inference call, including your message and any assembled history or tool results
Completion or outputThe text or structured result the model returns from an inference call
Foundation modelA general-purpose model trained by a provider, which the platform calls rather than trains
Training or fine-tuningAny process that updates a model's weights or behaviour using data, including pre-training, fine-tuning, reinforcement, and distillation
EmbeddingA numeric vector derived from text, used to measure similarity for retrieval. Not human-readable and not a model that generates content
Context windowThe bounded amount of prior content assembled and sent with a prompt so the model has continuity

The inference lifecycle

A single request moves through a fixed sequence. Understanding it tells you exactly when data leaves the platform and when it does not.

  • You submit a message, trigger a skill, or a scheduled job fires.
  • The platform assembles the context: your input, the relevant slice of conversation history within the context window, retrieved memory, and any tool results already gathered. Assembly happens inside your workspace.
  • The assembled prompt is sent over an encrypted channel to the model provider for the selected tier.
  • The provider runs inference and returns a completion. The completion is not retained by the provider for its own purposes.
  • The platform stores the exchange in your workspace so you can return to the thread, applies any rendering, and, where the step has external effect, routes it through the human approval gate before acting.
Note
Steps 1, 2, and 5 happen inside your workspace and involve no provider. Only step 3 transmits data to a provider, and only step 4 is processing by a provider. Everything else is local to the platform.

What leaves the platform

The table below states, for each class of data, whether it is sent for inference and whether it is stored in your workspace. Telemetry and billing data are never sent to a model provider.

DataSent for inferenceStored in workspace
Your prompt and messagesYes, to generate the responseYes, until you delete the thread
Conversation history in the context windowYes, for continuityYes, until you delete the thread
Tool results the agent gatheredYes, when the model needs them to continueYes, with the thread
Uploaded files referenced in a turnThe extracted text or, for vision models, the imageYes, until you delete the file
Model outputReturned by the provider, not re-sentYes, with the thread
Memory entries retrieved for a turnYes, the retrieved slice onlyYes, in your memory store
Account, billing, payment dataNoYes, per the Privacy Policy
Telemetry and request logsNoYes, ninety days at full fidelity

Model providers

The providers that perform inference or embedding, what each receives, and the operating region.

ProviderWhat it receivesRegionRole
AnthropicPrompts, conversation history, tool resultsUnited StatesPrimary chat provider across the Haiku, Sonnet, and Opus tiers
Cloudflare Workers AIDefault lite-tier chat prompts, planner inputs, image-scoring inputs, classifier and docs-support inputsUnited States, edgeRuns Kimi K2.6 (default lite model, authored by Moonshot AI), Gemma for planning, LLaVA for image scoring, on Cloudflare infrastructure
OpenAIText passed to the embedding endpoint onlyUnited StatesGenerates retrieval vectors. Not used for chat generation

Model authors versus hosts

Some models are authored by one organisation and run by another. Kimi K2.6 is authored by Moonshot AI but runs on Cloudflare Workers AI infrastructure. Your content is sent to Cloudflare for inference and is not transmitted to the model author directly. In that path Cloudflare is the subprocessor, and the no-training commitment is held with Cloudflare. The Subprocessors page records this relationship for every model in use.

The no-training commitment

What it covers

Ultron does not use Customer Personal Data, prompts, conversation history, tool results, or outputs to train, fine-tune, distil, evaluate for model improvement, or otherwise develop any model, ours or a third party's. We hold a contractual commitment from each model provider in the path above that they will not use data we send for inference on your behalf to train or improve their foundation models, and that they will not retain that data for their own purposes once the inference call completes.

Why training is the line that matters

Training is the process that would let your content influence a model's future behaviour for other people. Prohibiting it is what guarantees that your prompts cannot resurface in someone else's session, that your proprietary content cannot become part of a shared model, and that a competitor cannot benefit from what you put into the platform. Inference, by contrast, is transient: the model reads the prompt to answer it and does not learn from it.

Tip
The current providers and the terms attached to each are recorded on the Subprocessors page with a timestamp. If a provider changes or a term changes, that page is updated and material additions are notified in advance, as described under Changes below.

Retention

Platform side

Conversation content lives in your workspace so you can return to it, and is re-sent for inference each time you continue a thread. It follows the retention windows in the Privacy Policy: content persists until you delete it, then rolls out of backups within thirty days. Telemetry about a request, which never includes the prompt payload sent to a provider, is kept ninety days at full fidelity and then aggregated and pseudonymised.

Provider side

Under the no-training commitment, a provider does not retain the content of an inference call for its own purposes after the call completes. Where a provider applies transient processing to operate its service, it is bounded by the contract and is not used to train or improve a model. Enterprise customers who require a contractually guaranteed zero-retention path can request one; see Zero-retention and enterprise paths.

Deletion

When you delete a message, a conversation, a project, or your account, the associated content is removed from the platform on the schedule in the Privacy Policy, and the derived embeddings are removed with it. Backups roll off on the cycle documented on the Security page. Deletion of content already processed in a completed inference call does not require provider action, because the provider did not retain it.

Embeddings and memory

To make past context findable, selected text is converted into numeric vectors through OpenAI's embedding endpoint and stored in your workspace. The embedding endpoint receives only the text being indexed, returns the vector, generates no chat content, and does not train on the input. Retrieval then runs locally against your own stored vectors using the hybrid approach documented in the Memory section of the product docs. Embeddings are bound to your workspace, are not shared across customers, and are deleted when the underlying content is deleted. An embedding is not reversible into the original text in any practical sense, but we treat it as personal data where it derives from personal data and protect it accordingly.

Sensitive and special-category data

The platform is not designed to process special category personal data as defined in Article 9 of the GDPR, such as data revealing health, biometric identifiers, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation. You should not submit special category data through the platform unless you have a lawful basis under Article 9 and have notified us in writing in advance. You are responsible for not pasting into a prompt anything you are not entitled to send to a third-party processor.

Warning
Prompts are sent to model providers. Treat a prompt the way you would treat any disclosure to a processor: do not include secrets, credentials, special category data, or third-party personal data you have no basis to share.

Security of the AI pipeline

Data sent for inference travels over TLS to the provider. Provider credentials are scoped, stored in a managed secret store, and never exposed to the client. Request telemetry records the metadata of a call, the timestamp, the endpoint, the latency, and the status, but not the prompt payload as a logged artifact beyond what is needed to deliver and debug the response. The full set of technical and organisational measures, including encryption, access control, and logging, is on the Security page and is incorporated into the Data Processing Addendum.

Zero-retention and enterprise paths

Enterprise customers who need stricter guarantees than the default can request them in writing. Depending on plan and region, available options include a zero-retention inference path with a specific provider, constraints on which providers may be used, and a signed counterpart of the relevant terms. We will confirm what is available for your plan and region and document it in your agreement.

Tip
To scope a zero-retention or provider-restricted path, write to privacy@51ultron.com with your requirements and region. We respond with what we can commit to contractually.

Your controls

  • Choose the model tier per conversation. The lite tier and the higher tiers are selectable in the product.
  • Delete a message, a conversation, a project, or your entire account at any time. Deletion propagates to embeddings and stored context.
  • Export your data before deleting it, for the duration of the retention window, in a portable format.
  • Keep consequential actions behind a human approval gate. See Automated decisions and human oversight.
  • Exercise your GDPR rights, including access, erasure, and objection, through privacy@51ultron.com or the account settings.

Your responsibilities

When the content you submit contains the personal data of other people, you act as the controller for that data and Ultron acts as your processor under the Data Processing Addendum. You are responsible for having a lawful basis to submit and process that data, for providing any notice the law requires to the people concerned, and for not submitting special category data without an Article 9 basis. The platform gives you the means to process; the lawfulness of a given input and use is your decision.

Changes

The provider list and the terms attached to each can change as the platform evolves. The Subprocessors page is the canonical, dated record. A material addition or replacement of a provider that touches Customer Personal Data is notified at least thirty days in advance, with a banner in the product and an email to customers who subscribed to subprocessor notifications, and you may object on reasonable data protection grounds as described in the Data Processing Addendum.

Contact

Questions about how your data is used for AI, requests for a zero-retention path, and data subject requests go to privacy@51ultron.com. For the full processing record, read the Subprocessors page, the Data Processing Addendum, and the Privacy Policy.