Data & GDPR
This page explains how Ulbry handles personal data under the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws. It supplements our Privacy Policy.
1. Our role: controller and processor
For our website, marketing, and our direct relationship with you, Ulbry is a data controller. When you use Ulbry to message your own customers, you are the controller of those conversations and Ulbry is a processor acting on your documented instructions under a Data Processing Agreement (DPA).
2. Lawful bases for processing
- Contract — to provide the Service you have signed up for.
- Legitimate interests — to operate, secure, and improve the Service and our website (balanced against your rights).
- Consent — for certain marketing and non-essential cookies; you can withdraw consent at any time.
- Legal obligation — to comply with applicable laws.
3. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”).
- Restrict or object to processing.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your supervisory authority.
To exercise any of these, email hello@ulbry.com. We will respond within the timeframes required by law. If you are an end-customer of a business that uses Ulbry, please contact that business (the controller) first.
4. What we process and why
| Data | Purpose | Basis |
|---|---|---|
| Account & contact details | Provide and support the Service | Contract |
| Conversation & contact data (your customers) | Operate the Service on your behalf | Processor — per DPA |
| Usage & technical data | Security and improvement | Legitimate interests |
| Marketing data | Communications you opted into | Consent |
| Website analytics & advertising | Measure traffic, campaigns, and ad performance (Google, Meta) | Consent |
5. Subprocessors & third parties
We use vetted subprocessors and third parties bound by data-protection terms, including hosting and infrastructure, AI model providers, and analytics and advertising partners such as PostHog, Google (Analytics and Ads) and Meta (Facebook Pixel). These partners may receive website usage and event data and process it under their own terms. A current list is available on request at hello@ulbry.com.
6. International transfers
Where personal data is transferred outside the EEA or UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum), together with supplementary measures where needed.
7. Data retention
We retain personal data only as long as necessary for the purposes described, or as required by law, after which it is deleted or anonymised. Conversation data follows your account settings and our agreement with you.
8. Data Processing Agreement (DPA)
Business customers can enter into our DPA, which sets out the subject matter, duration, nature, and purpose of processing, the types of data and data subjects, and our obligations as processor. Request a copy at hello@ulbry.com.
9. Data-protection contact
For all data-protection matters, including any request relating to your personal data, contact us at hello@ulbry.com. We have not appointed a separate Article 27 representative.
10. Contact
For any data-protection question or request, email hello@ulbry.com.