Privacy Policy
Last Updated: April 27, 2026
Effective Date: April 27, 2026
1. Who We Are
GoUltra Systems LLC ("GoUltra," "we," "our," or "us") operates the GoUltra application and the website at goultra.ai (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our Service.
Data Controller information:
- Legal name: GoUltra Systems LLC
- Registered address: 312 W 2nd St 2692, Casper, WY 82601, USA
- Contact email: info@goultra.ai
- Privacy contact: privacy@goultra.ai
- Website: https://goultra.ai
GoUltra is built on Meta's official WhatsApp Cloud API.
2. Scope of This Policy
This Privacy Policy applies to:
- Visitors to our website (goultra.ai)
- Account holders using our Service ("Customers")
- End-users whose phone numbers and message content are processed through Customer accounts ("End-users")
For End-users: GoUltra processes your data on behalf of our Customer (the business that contacted you on WhatsApp). The Customer is the controller of that data; GoUltra acts as a processor under their instructions. To exercise your rights regarding that data, please contact the business that messaged you. If you cannot reach them, contact us at privacy@goultra.ai and we will assist.
3. Personal Data We Collect
3.1 Information you provide directly
- Account information: name, email address, business name, phone number, country
- Billing information: processed through Stripe; we do not store full payment card details
- Account preferences: language, time zone, notification settings
- Support communications: content of emails or messages you send to support
3.2 Information we collect automatically
- Technical data: IP address, browser type, device type, operating system, timestamp
- Usage data: pages viewed, features used, login times, session duration
- Cookies and similar technologies: see Section 11
3.3 Information from connected services
When you authorize integrations:
- Meta (WhatsApp Business Platform): access tokens to send and receive WhatsApp messages on your behalf, business profile information, message templates
- Google Calendar: event details, start and end times, descriptions, calendar permissions (read and write to calendar.events scope only). We do not access your Gmail, Drive, contacts, or other Google services.
- Stripe: transaction confirmations, subscription status
3.4 Customer data and End-user data
When you use the Service to communicate with your customers, we process:
- Phone numbers you upload or import
- Message content you send and receive (templates, customer replies)
- Conversation history and metadata (timestamps, delivery status, read receipts)
- Tags, notes, and contact properties you add
- Calendar appointments and reminder configurations
4. Lawful Basis for Processing (GDPR Article 6)
We process personal data only when we have a lawful basis under GDPR Article 6:
| Processing activity | Lawful basis |
|---|---|
| Operating the Service for paying Customers | Contract performance (Article 6(1)(b)) |
| Sending product updates and operational emails | Contract performance / Legitimate interest |
| Marketing emails to leads | Consent (Article 6(1)(a)) |
| Fraud prevention and security | Legitimate interest (Article 6(1)(f)) |
| Compliance with tax, accounting, and WhatsApp Business Platform obligations | Legal obligation (Article 6(1)(c)) |
| Analytics and Service improvement | Legitimate interest, balanced against your privacy |
| End-user data processing on Customer's behalf | Customer's lawful basis as controller |
You may withdraw consent at any time by contacting privacy@goultra.ai. Withdrawal does not affect processing carried out before withdrawal.
5. How We Use Personal Data
We use personal data to:
- Authenticate your identity and provide the Service
- Connect to the WhatsApp Business API and Google Calendar on your behalf
- Send and deliver WhatsApp messages as you instruct
- Process payments and manage subscriptions
- Provide customer support
- Detect, prevent, and respond to fraud, abuse, or security incidents
- Comply with legal, tax, and regulatory obligations
- Improve the Service through aggregated analytics
- Send service-related notifications (billing, security alerts, policy changes)
We do not use your data to train generalized AI or machine learning models. We do not sell your personal data.
6. Data Sharing and Sub-processors
We share personal data only with:
6.1 Sub-processors (service providers)
| Sub-processor | Purpose | Location |
|---|---|---|
| Meta Platforms, Inc. | WhatsApp message delivery | USA |
| Google LLC | Calendar synchronization (only if you connect) | USA |
| Stripe, Inc. | Payment processing | USA |
| Cloudflare, Inc. | Hosting, CDN, security | USA / Global |
| Amazon Web Services (AWS) | Database hosting | USA / EU regions |
A current list of sub-processors is available at goultra.ai/sub-processors. We require each sub-processor to provide adequate data protection through written agreements.
6.2 Legal disclosures
We may disclose personal data if required by law, court order, or to protect our legal rights. We will notify you of any such request unless legally prohibited.
6.3 Business transfers
If GoUltra is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will notify you before any change in ownership or use of your personal data.
6.4 With your consent
We share data with other third parties only with your explicit consent.
7. International Data Transfers
GoUltra is headquartered in the United States. Your personal data may be transferred to, stored in, and processed in the USA and other countries where our sub-processors operate.
For transfers from the European Economic Area (EEA), United Kingdom, Switzerland, or Israel:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and corresponding mechanisms approved by the Israeli Privacy Protection Authority
- For Customers in Saudi Arabia, transfers comply with the SDAIA Regulation on Personal Data Transfer Outside the Kingdom
- Where applicable, we apply supplementary technical measures including encryption in transit (TLS 1.2/1.3) and at rest (AES-256)
You have the right to obtain a copy of the safeguards we use for international transfers by contacting privacy@goultra.ai.
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy:
| Data category | Retention period |
|---|---|
| Active account data | For the duration of your subscription |
| Account data after deletion request | Removed within 30 days from active systems |
| Backup copies | Removed within 90 days post-deletion |
| Billing and tax records | 7 years (US tax law) |
| Audit logs of security incidents | Until matter is resolved |
| Aggregated, anonymized statistics | Indefinitely (cannot be linked to individuals) |
| Records required by Meta WhatsApp Business Platform | As required by Meta's terms |
9. Your Rights
Depending on your jurisdiction, you have the following rights:
9.1 Rights under GDPR (EU/EEA, UK)
- Right of access (Article 15): obtain a copy of your personal data
- Right to rectification (Article 16): correct inaccurate data
- Right to erasure (Article 17): request deletion ("right to be forgotten")
- Right to restrict processing (Article 18)
- Right to data portability (Article 20): receive your data in a machine-readable format
- Right to object (Article 21): including objection to direct marketing
- Rights related to automated decision-making (Article 22)
- Right to lodge a complaint with a supervisory authority
9.2 Rights under Israeli Privacy Protection Law (תשמ"א-1981, Amendment 13)
- Right to inspect your data held in our database
- Right to correct inaccurate data
- Right to delete your data
- Right to know which third parties receive your data and where it is transferred outside Israel
- Right to file a complaint with the Israeli Privacy Protection Authority
9.3 Rights under Saudi PDPL and UAE Federal Decree-Law No. 45
- Right to be informed about how data is processed
- Right to access personal data
- Right to request correction
- Right to request destruction of data when no longer needed
- Right to withdraw consent at any time
9.4 How to exercise your rights
Send a request to privacy@goultra.ai with sufficient information to verify your identity. We will respond within:
- 30 days for GDPR and Israeli law requests
- 30 days for PDPL and UAE law requests
- Extensions of up to 60 additional days may apply for complex requests; we will notify you
We do not charge for these requests, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable administrative fee.
10. Data Security
We implement industry-standard organizational and technical measures:
- Encryption in transit: TLS 1.2/1.3 protocols
- Encryption at rest: AES-256 for stored data and authentication tokens
- Access controls: Role-based access control (RBAC); access is limited to authorized personnel
- Vulnerability management: Regular security scanning and patching
- Logging and monitoring: Audit logs for security-relevant events
- Sub-processor due diligence: Security assessments of all sub-processors
- Incident response: Documented procedures for breach detection and notification
While we apply robust security measures, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining strong data protection practices.
In the event of a personal data breach, we will notify affected users and supervisory authorities as required by applicable law.
11. Cookies and Tracking Technologies
Our website uses:
- Strictly necessary cookies: required for the Service to function (authentication, session management)
- Analytics cookies: Google Analytics 4 (with anonymized IP) to understand site usage
- Functional cookies: remember your language and preferences
You can control non-essential cookies through our cookie consent banner or your browser settings. Rejecting non-essential cookies will not affect core Service functionality.
12. Children's Data
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we discover such collection, we will delete the data promptly. If you believe a child has provided us with personal data, contact privacy@goultra.ai.
For Customer-facing communications, our Customers are responsible for ensuring End-users have legal capacity (or parental consent where required) to consent to receiving WhatsApp messages.
13. Google User Data and Limited Use
When you connect your Google Calendar, GoUltra accesses only the data necessary for our core scheduling functionality:
- Scope: calendar.events only
- Read access: event titles, descriptions, start/end times for sending reminders
- Write access: creating, updating, and canceling events at end-user request via WhatsApp flows
- Not accessed: Gmail, Drive, contacts, or any other Google service
GoUltra's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We do not use Google user data to train AI or ML models. We do not sell, trade, or rent Google user data to third parties.
14. Direct Marketing and Communications
We may send you:
- Service emails: billing, account, security, policy updates (cannot be opted out as they are operationally required)
- Marketing emails: product news, offers (only with your consent; opt-out available in every email)
For Customer outbound WhatsApp messages to End-users: Customers must obtain End-user consent before messaging them through GoUltra. We enforce opt-in tracking and templated messaging in line with Meta's WhatsApp Business Solution Terms.
15. Automated Decision-Making
We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects. AI features in the Service (such as the AI Agent for customer replies) operate under your control and configuration; final decisions affecting your customers remain in your hands.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by:
- Email notification to active Customers (at least 30 days before the change)
- Prominent notice on goultra.ai
- Updated "Last Updated" date at the top of this Policy
Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
17. Supervisory Authorities
You have the right to lodge a complaint with a supervisory authority:
- Israel: Privacy Protection Authority (https://www.gov.il/en/departments/the_privacy_protection_authority)
- EU/EEA: Your local Data Protection Authority (list at https://edpb.europa.eu/about-edpb/about-edpb/members_en)
- UK: Information Commissioner's Office (https://ico.org.uk)
- Saudi Arabia: Saudi Data and Artificial Intelligence Authority (SDAIA) (https://sdaia.gov.sa)
- UAE: UAE Data Office (https://u.ae/en/about-the-uae/digital-uae/data/data-office)
18. Contact Us
For privacy questions, requests, or concerns:
- Email: privacy@goultra.ai
- General contact: info@goultra.ai
- Postal mail: GoUltra Systems LLC, Privacy Department, 312 W 2nd St 2692, Casper, WY 82601, USA
We aim to respond to all privacy inquiries within 5 business days for initial acknowledgment, with full response within the timelines specified in Section 9.4.
This Privacy Policy is provided in English, Hebrew, and Arabic. In the event of any inconsistency, the English version controls for legal interpretation, except where local law requires otherwise.