Privacy Policy
This Privacy Policy explains what personal data Uboros collects when you use our platform, why we collect it, how we use it, and the choices and rights available to you. It is aligned with the EU General Data Protection Regulation ("GDPR") and the Portuguese Lei n.º 58/2019.
Uboros (the "Service") is operated by the Uboros team, currently in pre-incorporation phase. The operating entity will be a Portuguese Sociedade Unipessoal por Quotas registered in Lisbon; the entity name and registration number will be added here upon completion of incorporation.
1. Who controls your data
Uboros is the data controller for personal data we collect about you as a user of the Service (e.g. your email address, your account preferences, your billing history). For personal data that you process through the Service (e.g. data you ingest from your ad accounts or upload as creative inputs), Uboros acts as a data processor on your behalf — see our Data Processing Agreement.
2. What data we collect
2.1 Data you provide directly
- Account information — email address, display name (optional), password (stored as a salted hash; never in plain text).
- Workspace and project metadata — brand names, competitor lists, briefs, asset titles and tags.
- Connection credentials — API tokens and OAuth grants you authorise for connected platforms (Meta, TikTok, AdsPower, OpenAI, Anthropic, etc.). Tokens are stored encrypted at rest.
- Uploaded content — images, videos, brand documents, or other files you upload for use in creative briefs and renders.
- Billing details — name, billing address, VAT number, payment method. Payment-card details are processed and stored by Stripe; we never see or store full card numbers.
- Support communications — emails or chat messages you send us.
2.2 Data we generate as you use the Service
- Usage logs — request paths, timestamps, response codes, error traces (retained for operational debugging).
- Audit logs — who approved which brief, who deployed which asset, who changed which setting.
- Per-render cost records — token counts, model used, EUR cost, mark-up applied. Retained for billing and dispute resolution.
- Performance signals — ad-spend and result metrics ingested via your connected ad-platform accounts.
2.3 Data we receive from third parties
- From Stripe — billing status, subscription tier, payment outcomes.
- From ad platforms — ad-performance metrics returned by the ad-platform APIs you have authorised.
- From Apify — publicly available competitor-ad-library data, as a service operated on your behalf.
We do not use third-party advertising trackers (Google Analytics, Facebook Pixel, etc.) on our marketing site or in the Service.
3. How we use your data
- Provide the Service — operate the account, workspace, briefs, asset rendering, deployment, and performance reporting features you have signed up for.
- Bill correctly — calculate and collect subscription, generation-cost, and ad-spend fees.
- Communicate — send transactional emails (account confirmations, password resets, billing receipts, service notifications). We do not use your address for unrelated marketing.
- Improve the product — analyse aggregate, de-identified usage to find rough edges and decide what to build next. Individual content is never used to train shared models.
- Protect the Service — detect abuse, prevent fraud, comply with platform partner policies (Meta, TikTok, Google).
- Meet legal obligations — respond to lawful requests from authorities; keep records required by tax and accounting law.
4. Legal bases for processing
Under GDPR Article 6, we process personal data on the following bases:
| Processing | Legal basis |
|---|---|
| Operating the Service for paying customers | Contract (Art. 6(1)(b)) |
| Operating the Service for trial users | Pre-contractual measures (Art. 6(1)(b)) |
| Billing and tax records | Legal obligation (Art. 6(1)(c)) |
| Security, fraud and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Aggregate product analytics | Legitimate interests (Art. 6(1)(f)) |
| Transactional emails | Contract (Art. 6(1)(b)) |
Where we rely on legitimate interests, you have the right to object — see Your rights under GDPR.
5. Who we share data with (sub-processors)
To run the Service we share data with carefully selected sub-processors. Each is bound by data-processing terms equivalent to or stricter than this policy.
| Sub-processor | Purpose | Region |
|---|---|---|
| Stripe | Subscription billing, payment processing, customer portal | Ireland (EU) / USA (SCC) |
| Cloudflare | DNS, CDN, DDoS protection, edge tunnels | Global edge / USA (SCC) |
| Hosting provider | Application servers and database (location confirmed at launch) | EU |
| Anthropic | Claude AI models — competitor tagging, brief generation, AI iteration | USA (SCC) |
| OpenAI | GPT and Whisper models — brief drafting, audio transcription | USA (SCC) |
| | Gemini and Veo models — brief drafting, video generation | EU + USA (SCC) |
| Apify | Public competitor-ad-library data extraction | EU (Czech Republic) |
| fal.ai | Image and video generation models | USA (SCC) |
| Resend | Transactional email delivery | USA (SCC) |
We will update this list when we add or change sub-processors. Material changes will be announced in-product at least thirty (30) days before they take effect.
6. International transfers
Some of our sub-processors are based outside the European Economic Area, primarily in the United States. Where data is transferred to a country without a European Commission adequacy decision, we rely on the EU Standard Contractual Clauses (SCCs) and, where appropriate, supplementary technical measures (encryption in transit and at rest, access controls).
You can request a copy of the SCCs in place with a specific sub-processor by emailing [email protected].
7. How long we keep data
- Account data — for the lifetime of your account, plus thirty (30) days after termination during which you can export.
- Billing records — retained for the period required by Portuguese tax law (currently 10 years for accounting records).
- Operational logs — 30 days for request logs; 90 days for error logs.
- Audit logs — for the lifetime of your account; deleted on account termination.
- Competitor-library data — for the lifetime of your project; deleted when the project is deleted.
- Backups — encrypted off-site backups retained for up to 30 days, then cycled out.
8. Security
We protect your data with industry-standard technical and organisational measures, including:
- encrypted connections (TLS 1.3) for all traffic;
- encryption at rest for the application database and file storage;
- secrets management — API tokens stored encrypted, never logged or returned to the client;
- password storage as salted hashes (PBKDF2-SHA256);
- session cookies marked Secure, HttpOnly, and SameSite=Lax;
- CSRF protection for cookie-authenticated state-changing requests;
- role-based access inside each workspace, with project-level isolation;
- regular dependency updates and security review.
If you discover a security issue, please email [email protected].
9. Your rights under GDPR
You have the following rights regarding personal data we hold about you. You can exercise them by emailing [email protected] from the address on your account; we will respond within thirty (30) days.
- Access (Art. 15) — receive a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your data, subject to legal retention requirements.
- Restriction (Art. 18) — limit how we process your data while a question is being resolved.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Complain to a supervisory authority — in Portugal, the CNPD (www.cnpd.pt); or to the authority in your country of residence.
10. Children
Uboros is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified at least thirty (30) days before they take effect, by email to the address on your account and by an in-product notice. Minor clarifications may be made with the updated date noted above.
12. Contact and complaints
Privacy questions, rights requests, or complaints can be sent to [email protected]. If you are unsatisfied with our response, you have the right to lodge a complaint with the CNPD or your local data-protection supervisory authority.