Privacy Policy

1. Passive Conduit Status

Ultimalayer LLC operates strictly as a "Passive Conduit". In accordance with the GDPR "Mere Conduit" principle (Art. 2(4)), DSA Recital, and the CCPA definition of "Service Provider", we do not determine the purposes or means of processing traffic data, nor do we use any transmitted data for our own purposes. We are neither a "Controller" nor a traditional "Processor" of traffic content; we merely provide the infrastructure for transmission.

2. The Strict No-Logs Pledge

We do not collect, record, or store any traffic content, original IP addresses, DNS queries, or browsing history transmitted through our services. This "No-Logs" architecture ensures that such data technically does not exist on our systems, providing a robust privacy safeguard against unauthorized access or legal demands.

3. Legal Basis

We process limited Account Data based on the legal necessity to perform our contract (Service provision) and our legitimate interest in preventing fraud and abuse.

4. Account Data (Necessary)

We collect only the minimum data required to maintain your account: a valid email address, hashed account credentials (we never see your password), and essential billing records.

5. Payment Data

We do not store full credit card numbers. All payment transactions are processed securely by third-party payment processors (e.g., Stripe, PayPal, or Crypto providers). We only retain transaction IDs for accounting purposes.

6. No Sensitive Data

We explicitly do not collect "Sensitive Personal Information" as defined by CPRA or GDPR, including racial or ethnic origin, religious beliefs, biometric data, or precise or approximate geolocation data derived from your traffic.

7. Service Provisioning

We use Account Data solely to provision compute instances, route traffic, and manage your subscription.

8. Communication

We use your email address to send invoices, critical service updates, and security notifications. We do not use your data for marketing unless you have explicitly opted in.

9. No Automated Decision-Making

We do not use algorithms or Automated Decision-Making (ADMT) processes that produce legal effects or similarly significant effects on you.

10. NO SALE of Data

Pursuant to the CCPA/CPRA, we declare that we have never and will never sell (Sell) or share (Share) your personal information for cross-context behavioral advertising.

11. Strict Limitation

We do not disclose your data to third parties except where strictly necessary for service delivery or required by law.

12. Trusted Third Parties

We share limited data with trusted sub-processors (e.g., data centers, payment gateways) solely to operate our services. All sub-processors are bound by strict Data Processing Agreements (DPAs).

13. Upstream Infrastructure

Our service relies on global upstream providers. While encrypted traffic flows through their hardware, they cannot identify individual users or access the content of encrypted communications.

14. Global Infrastructure

You acknowledge that your data may be transferred and processed globally to provide low-latency services.

15. Transfer Mechanisms

For cross-border data transfers, we primarily rely on the European Commission's Standard Contractual Clauses (SCCs). Where applicable, we also reference the EU-U.S. Data Privacy Framework (DPF) as a supplementary legal basis.

16. Data Localization Disclaimer

Users are responsible for ensuring their use of the Service complies with any data localization laws applicable in their jurisdiction.

17. CCPA/CPRA Rights (California)

California residents have the right to know what personal information is collected, request deletion, correct inaccuracies, and opt-out of the sharing of personal information.

18. Multi-State Opt-Out

We respect universal opt-out mechanisms and rights granted by applicable U.S. state comprehensive privacy laws, including but not limited to those in Colorado (CPA), Virginia (CDPA), and laws effective in 2026 (e.g., Indiana, Kentucky).

19. GDPR Rights (EU/UK)

EEA/UK users have the right to access, rectify, erase ("Right to be Forgotten"), restrict processing, and object to processing of their personal data.

20. Security Measures

We employ AES-256 encryption, TLS 1.2/1.3 for data in transit, and strict access controls based on the principle of least privilege.

21. Data Retention Policy

• Traffic Data: Real-time discard (0-second retention). Traffic data is processed in RAM and is never written to disk.
• Account Data: Retained only as long as necessary for service provision or to comply with legal/tax obligations, after which it is irreversibly deleted.

22. Breach Notification

In the event of a confirmed data breach affecting your personal information, we will notify you and relevant authorities in accordance with applicable laws.

23. Transparency Report

We commit to publishing regular Transparency Reports detailing the number of legal requests received. To date, we have disclosed zero bytes of user traffic data to any third party.

24. Response to Legal Process

We only respond to valid, binding legal orders issued by a competent U.S. court with proper jurisdiction. We do not respond to foreign requests unless they are domesticated via a Mutual Legal Assistance Treaty (MLAT).

25. "Cannot Give What We Don't Have"

Due to our strict No-Logs policy, we cannot provide traffic logs, browsing history, or DNS records in response to any legal request, as this data simply does not exist on our systems.

26. COPPA Compliance

Our Services are not intended for children under 13. We do not knowingly collect personal information from children.

27. Cookie Policy

We use only essential session cookies required for authentication and site functionality. We do not use third-party tracking cookies.

28. Do Not Track (DNT) / GPC

Our systems recognize and respect Global Privacy Control (GPC) signals sent by your browser.