GDPR | Ultimo Bots

Controller / Processor Commitments

How we handle data processing and privacy responsibilities.

We operate as a processor under Art. 28 GDPR. Customers remain controllers of their data, and our Data Processing Agreement reflects that.

Ultimo ingests only the content you upload or connect. Telemetry is pseudonymized, and retention policies default to the bare minimum.

Every new feature undergoes GDPR impact review, ensuring roles, retention, and transparency are baked in from day one.

All EU customers can pin workloads to EU data centers. When transfers occur, we use SCCs plus supplementary measures.

Workflows that support individual privacy rights under GDPR.

Admins can export bot content, leads, and chat history per workspace. JSON/CSV outputs include metadata for regulators.

Knowledge base entries, behaviors, and leads can be updated or deleted instantly, changes propagate across all bots.

Ultimo deletes user content within 30 days of a request (often faster). Backups honor the same purge schedule.

We provide controls to pause processing, disable analytics, or scrub conversations via retention policies.

How we demonstrate compliance and maintain transparency.

Comprehensive audit logs show who accessed what, when, and from where-exportable for DPIAs.
A dedicated Trust Portal shares DPA copies, SCCs, subprocessor list, and penetration-test summaries.
Data breach notification SLA guarantees a maximum 24-hour initial update with remediation steps.
We only work with subprocessors that uphold ISO 27001/SOC 2 or equivalent certifications.

Email privacy@ultimo-bots.com or use the in-app support widget. We respond with a countersigned DPA/SCC bundle within one business day.