GDPR Compliance Statement
Last Updated: April 27, 2026
This page describes how GoUltra Systems LLC ("GoUltra") complies with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, and equivalent provisions in the UK GDPR.
1. Our Position Under GDPR
When GoUltra is a Controller
For the personal data of GoUltra Customers (account holders, billing contacts, administrators), GoUltra is the Controller. We determine the purposes and means of processing this data under our Privacy Policy.
When GoUltra is a Processor
For the personal data of End-users (the people that Customers communicate with via WhatsApp), GoUltra is the Processor. The Customer is the Controller. Our processing operations are governed by our Data Processing Agreement (DPA).
2. Lawful Basis for Processing
We process personal data only on lawful bases under GDPR Article 6:
- Contract performance (Article 6(1)(b)) for delivering the Service to Customers
- Consent (Article 6(1)(a)) for marketing communications
- Legal obligation (Article 6(1)(c)) for tax, accounting, and platform compliance
- Legitimate interest (Article 6(1)(f)) for fraud prevention, security, and Service improvement, balanced against your privacy rights
For special categories of data, processing requires explicit consent or another lawful basis under Article 9(2). GoUltra is not designed to process special categories at scale; Customers using the Service for sensitive contexts (e.g., medical clinics) bear responsibility for the lawful basis.
3. Your Rights Under GDPR
You have the following rights:
| Right | Article | Description |
|---|---|---|
| Right of Access | 15 | Obtain a copy of your data |
| Right to Rectification | 16 | Correct inaccurate or incomplete data |
| Right to Erasure | 17 | Request deletion ("right to be forgotten") |
| Right to Restrict Processing | 18 | Limit how we use your data |
| Right to Data Portability | 20 | Receive your data in a machine-readable format |
| Right to Object | 21 | Object to processing, including direct marketing |
| Right Against Automated Decision-Making | 22 | Not be subject to automated decisions with legal effect |
| Right to Lodge a Complaint | 77 | Complain to a supervisory authority |
How to exercise your rights
Email privacy@goultra.ai with sufficient information to verify your identity. We respond within 30 days (extendable by up to 60 days for complex requests, with notification).
We do not charge fees for these requests, except for manifestly unfounded or excessive requests where we may charge a reasonable administrative fee.
4. Data Protection Measures
We implement technical and organizational measures appropriate to the risk:
Technical
- TLS 1.2/1.3 encryption in transit
- AES-256 encryption at rest
- Tokenized authentication
- Regular vulnerability scanning and penetration testing
- Sandboxed staging environments
Organizational
- Role-based access control (RBAC)
- Principle of least privilege
- Confidentiality obligations for personnel
- Privacy training for staff
- Documented incident response procedures
- Vendor due diligence for sub-processors
5. International Data Transfers
GoUltra is headquartered in the United States. Personal data may be transferred from the EEA, UK, or Switzerland to:
- The USA (GoUltra and most sub-processors)
- Other countries where sub-processors operate
For these transfers, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914)
- UK Addendum to the EU SCCs for transfers from the UK
- Supplementary technical measures including encryption and access controls
- Documented assessments of the recipient country's legal regime
You may obtain a copy of the safeguards we use by emailing privacy@goultra.ai.
6. Data Breach Notification
In the event of a personal data breach affecting Customer data:
- We notify the affected Customer within 72 hours of becoming aware
- We assist Customer in notifying supervisory authorities (typically within 72 hours of awareness, per GDPR Article 33)
- We assist Customer in notifying affected Data Subjects where required (Article 34)
- We document all breaches internally per Article 33(5)
7. Sub-processors
We maintain a current list of sub-processors at /sub-processors. We require each sub-processor to provide adequate data protection through written agreements with terms substantially equivalent to our DPA.
We notify Customers at least 30 days before adding or replacing a sub-processor. Customers may object on reasonable grounds.
8. Records of Processing Activities (Article 30)
We maintain records of processing activities for personal data we process, including:
- Categories of personal data
- Purposes of processing
- Recipients of personal data
- International transfer details
- Retention periods
- Security measures
These records are available to supervisory authorities upon request.
9. Data Protection Impact Assessments (DPIAs)
We support Customers in conducting DPIAs where required (Article 35), particularly for processing involving:
- Large-scale processing of special categories
- Systematic monitoring of public areas
- Automated decision-making with legal effects
Customers using the AI Agent feature for sensitive industries (healthcare, legal, financial) should consult their compliance team about DPIA requirements.
10. Data Protection Officer
GoUltra is not currently required to appoint a formal Data Protection Officer (DPO) under GDPR Article 37. However, we maintain a dedicated Privacy team accountable for GDPR compliance. The Privacy team can be reached at privacy@goultra.ai.
11. EU Representative
For Customers in the EEA, we are evaluating the appointment of an EU representative under GDPR Article 27. In the interim, you may contact our Privacy team directly at privacy@goultra.ai for any GDPR-related matter.
12. Children's Data
GoUltra is not directed at children under 16. We do not knowingly collect personal data from children under 16 (under GDPR Article 8). If a Customer's use case involves End-users under 16 (e.g., pediatric clinics), the Customer is responsible for obtaining parental consent.
13. Cookies and Online Tracking
For details on cookies, see Section 11 of our Privacy Policy. We use a cookie consent banner for non-essential cookies in line with the ePrivacy Directive and GDPR.
14. Supervisory Authorities
If you believe your GDPR rights have been violated, you may lodge a complaint with:
- Your local Data Protection Authority in the EU/EEA
- The UK Information Commissioner's Office (ICO) at https://ico.org.uk
- The Israeli Privacy Protection Authority (where Israeli residents are concerned)
A list of EU/EEA Data Protection Authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en
15. Updates to This Statement
We update this GDPR Compliance Statement as our practices evolve and as regulations change. Material changes are communicated to active Customers via email.
16. Contact
For GDPR-related inquiries:
- Privacy team: privacy@goultra.ai
- General: info@goultra.ai
- Postal mail: GoUltra Systems LLC, Privacy Department, 312 W 2nd St 2692, Casper, WY 82601, USA
This GDPR Compliance Statement is provided in English, Hebrew, and Arabic. In the event of any inconsistency, the English version controls for legal interpretation, except where local law requires otherwise.