Privacy Policy
Effective Date: 2025-08-17
This policy explains how uLog.ai (“uLog”, “we”, “us”) handles your data. We built uLog as a private AI‑assisted journal: minimal collection, no resale, no advertising trackers, no use of your content to train foundation models.
1. Controller
uLog.ai (Delaware, United States). Contact: privacy@ulog.ai.
2. Data We Collect
- Account Data: Email, auth identifiers (Supabase Auth).
- Journal Content: Topics, messages, AI summaries you create (stored in Supabase Postgres in us-east-1).
- Service Metadata: Timestamps, internal IDs for operation.
- Automatic Technical Data: Minimal request / connection data (e.g. IP) generated and transiently stored by Supabase infrastructure; we do not separately store or profile IPs.
- Payment Data: Processed by Stripe (we do not store full card data).
- Captcha Data: Google reCAPTCHA v2 challenge tokens to mitigate abuse.
No Google Analytics or marketing pixels. No third‑party behavioral ads.
3. How We Use Data
- Authenticate and maintain your session (Supabase Auth + local storage tokens).
- Store and display your journal entries and generated summaries.
- Send only the user input you submit (no full conversation history) to OpenAI to produce a single response.
- Process payments (Stripe) if you purchase a plan.
- Prevent abuse and spam (reCAPTCHA, basic rate limiting).
- Provide support and investigate abuse (limited manual review when necessary).
- Comply with legal obligations and maintain service security.
4. AI / Model Use
We do not opt in to OpenAI training programs. Only the text you just submitted (not your full journal history) is sent to the OpenAI API to return an answer for you. Your content is not used to train foundation models.
5. Legal Basis (EEA / UK users)
Performance of contract (core service), legitimate interests (security/abuse prevention - minimal and balanced), and consent where explicitly requested (e.g. optional communications). Governing law: Delaware, USA.
6. Sub‑processors
- Supabase: Hosting, Postgres, auth, storage (us-east-1).
- OpenAI: Text generation (ephemeral processing of provided prompt).
- Stripe: Payments.
- Google reCAPTCHA v2: Bot mitigation.
No other analytics or advertising platforms.
7. Retention & Deletion
- Journal Content: Kept until you delete entries or delete your account.
- Account Deletion: Removes active data immediately; residual data may persist only in Supabase default backups until overwritten (we do not currently implement a separate hard‑purge cycle).
- Logs: We do not retain separate application logs; infrastructure providers may hold transient operational logs.
8. Security
- TLS in transit; Supabase managed encryption at rest.
- Least‑privilege admin access (MFA not yet implemented for admins - roadmap).
- No application‑level (client‑side) encryption of entries beyond transport/at rest defaults (planned evaluation).
- Manual content access only for support or abuse investigation.
9. International Transfers
Primary storage: us-east-1. OpenAI may process in its operational regions. Appropriate contractual safeguards (e.g. SCCs) are relied upon when required.
10. Your Rights
Subject to law, you may request access, rectification, deletion, restriction, or export (JSON), or object to certain processing. Email privacy@ulog.ai. We target responses within 90 days (usually faster).
11. Children
Not directed to children under 13. If we learn an under‑13 user provided data, we will delete the account.
12. Manual Review
Only for user‑initiated support requests or suspected abuse/violation, and limited to necessary scope.
13. Automated Decisions
No automated decision making producing legal or similarly significant effects.
14. reCAPTCHA
reCAPTCHA v2 is essential security; no opt‑out pathway (service use implies acceptance of Google’s Privacy Policy & Terms).
15. Changes
We may update this policy; material changes will appear here with a new effective date.
16. Contact
Privacy: privacy@ulog.ai | Support: support@ulog.ai | Security: security@ulog.ai