PRIVACY POLICY

Last updated February 12, 2026

This Privacy Notice for Satoshi Toyama (doing business as Ultrahope) ("we," "us," or "our") explains how we collect, use, store, and share personal information when you use our services ("Services"), including when you:

• Visit https://ultrahope.dev
• Use Ultrahope (CLI and web API)
• Interact with us for support or account operations

If you do not agree with this Privacy Notice, do not use the Services. If you have questions, contact support@ultrahope.dev.

SUMMARY OF KEY POINTS

• We collect account data (name, email, auth data), usage data (command inputs/outputs), and service metadata.
• We do not use your content to train AI models.
• We share data only with service providers needed to run the product (for example Vercel AI Gateway, Turso, Polar, GitHub OAuth, Resend, Vercel hosting).
• We do not use third-party analytics or ad tracking tools.
• You can delete your account from Settings.
• Self-service data export is not available yet; request export via support@ultrahope.dev.

Use the table of contents below for full details.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?

2. HOW DO WE PROCESS YOUR INFORMATION?

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

8. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

9. HOW LONG DO WE KEEP YOUR INFORMATION?

10. HOW DO WE KEEP YOUR INFORMATION SAFE?

11. DO WE COLLECT INFORMATION FROM MINORS?

12. WHAT ARE YOUR PRIVACY RIGHTS?

13. CONTROLS FOR DO-NOT-TRACK FEATURES

14. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

15. USER-SUBMITTED CONTENT AND AI PROCESSING

16. DO WE MAKE UPDATES TO THIS NOTICE?

17. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

18. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information you provide directly.

We collect personal information when you create an account, use the Services, and contact support.

Personal information includes:

• Name
• Email address
• Username
• Authentication data

Sensitive Information. We do not process sensitive personal information.

Payment Data. Polar processes all payment data. See https://polar.sh/legal/privacy.

Social Media Login Data. If you sign in with GitHub, we receive profile data from GitHub as described in Section 7.

Information automatically collected

In Short: We automatically collect technical information needed to run and protect the Services.

We collect technical information such as IP address, browser/device characteristics, operating system, and usage timestamps. We use this data for service operation, security, abuse prevention, and internal reporting.

We use cookies only for session management and authentication.

The information we collect includes:

• Log and Usage Data (for example IP address, device/browser info, request timing, and service actions)

Information collected during service use

In Short: When you use our CLI or API, we collect your submitted input, generated output, and usage metadata.

When you generate commit messages, PR titles, PR bodies, or related text, we collect:

• Session Data. We record a unique CLI session identifier for each CLI/API command execution. For authentication sessions, we record IP address and User-Agent for security and session management.
• Request Payload. The content you submit, including diffs and command arguments.
• Generated Output. AI-generated text returned by AI providers.
• Usage Metadata. Model/provider, cost, latency, timestamps, and Vercel AI Gateway metadata.
• User Feedback. Optional generation rating (1-5).

We retain this data for the life of your account so you can review history and reprocess submissions. We use this data only to provide the Services. We do not use it to train AI models.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process personal information to run the product, operate accounts, secure the service, and meet legal obligations.

We process your information to:

• Create and manage accounts and authentication
• Deliver requested features and API responses
• Provide customer support
• Send account and policy-related notices
• Process orders, billing, and subscription events
• Protect the Services and prevent abuse
• Analyze product usage for improvement
• Comply with law and protect vital interests when required

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We process personal information under valid legal bases such as consent, contract, legitimate interests, and legal obligations.

If you are in the EU/UK, we rely on one or more of these legal bases:

• Consent
• Performance of a contract
• Legitimate interests (for example security and product improvement)
• Legal obligations
• Vital interests

If you are in Canada, we process based on express or implied consent where applicable, and on legal exceptions permitted by law.

You can withdraw consent at any time by contacting us. Withdrawal does not invalidate prior lawful processing.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We share personal information with service providers that operate key product functions and in limited legal/business scenarios.

We share personal information with these categories of third parties:

• AI Platforms (Vercel AI Gateway — https://vercel.com/legal/privacy-policy)
• Data Storage Service Providers (Turso — https://turso.tech/privacy)
• Payment Processors (Polar — https://polar.sh/legal/privacy)
• Social Networks (GitHub — https://docs.github.com/privacy) for optional OAuth login
• User Account Registration & Authentication Services
• Email Service Providers
• Website Hosting Service Providers (Vercel — https://vercel.com/legal/privacy-policy)

Polar data sharing details:

• We use Polar only for paid billing flows
• If you start a paid plan, we create or reference a Polar customer record for checkout, invoicing, and billing portal access
• For paid metered billing, we send customer ID, generation cost (microdollars), model, provider, and generation ID

We also share information when required for business transfers (for example merger, acquisition, financing, or asset sale).

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We use essential session cookies only.

We use Better-Auth session cookies to keep you signed in and protect account access. These cookies are required for core site functionality.

We do not use third-party analytics trackers, advertising trackers, or targeted advertising cookies.

6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

In Short: Yes. We provide AI-powered developer text generation features.

Our AI features generate commit messages, PR titles, and PR descriptions.

We route AI requests through third-party AI providers using Vercel AI Gateway. See current models/providers at https://ultrahope.dev/models.

How we process AI-related data:

• We send submitted content (for example code diffs and command inputs) to AI providers for generation.
• We store submitted input and generated output in your account for history and reprocessing.
• We retain this data while your account is active.
• We do not use your submitted content or generated output to train AI models.

You must use AI features in compliance with provider terms and policies.

7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you use GitHub login, we receive profile information from GitHub.

If you choose GitHub OAuth login, we receive profile data such as your name, email, and profile image. We use this information only to provide authentication and account features in the Services.

GitHub also processes your data under GitHub's own policies. Review their notice at https://docs.github.com/privacy.

8. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

In Short: Yes. We process data in the United States and other countries where our providers operate.

Our infrastructure is primarily in the United States. Your information can be transferred to and processed in countries where our providers operate (for example the United States and France).

For EEA/UK/Switzerland users, we apply appropriate safeguards, including contractual protections such as Standard Contractual Clauses where applicable.

9. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep data while your account is active, then delete from active systems on account deletion (subject to legal exceptions).

We retain the following while your account is active:

• Account information
• Service usage data
• Session data and authentication tokens
• Billing and payment records

We do not run automatic age-based or inactivity-based deletion for active accounts.

When you delete your account (Section 18):

• We delete account data from active databases
• We do not currently operate backup archives for user data
• If backup operations are introduced in the future, we will publish the retention period in this notice
• We may retain billing records longer where required by tax/accounting law

10. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We use technical and organizational controls to protect personal information.

Our controls include:

• Better-Auth based account/session management
• Authenticated session and bearer-token based API protection
• Device authorization flow for CLI sign-in
• Anonymous daily request quota controls to reduce abuse
• Single-use password reset token flow via email
• Managed hosting and data infrastructure (Vercel and Turso)
• Secret handling through environment variables (no client-side hardcoded secrets)

No system is 100% secure. We cannot guarantee that unauthorized parties will never defeat safeguards. Use the Services in a secure environment.

11. DO WE COLLECT INFORMATION FROM MINORS?

In Short: No. We do not knowingly collect data from minors under 18 (or the equivalent local age).

If we learn that we collected personal information from minors in violation of this policy, we will deactivate the account and delete relevant data. Contact support@ultrahope.dev if you believe this occurred.

12. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your location, you can access, correct, delete, and control how we process your personal information.

Depending on applicable law (including EEA/UK/Switzerland/Canada and certain U.S. states), you may have rights to:

• Access personal information
• Correct inaccurate information
• Delete personal information
• Restrict or object to processing in specific cases
• Request portability (where applicable)
• Withdraw consent where consent is the legal basis

To exercise rights, use account settings for account deletion and contact support@ultrahope.dev for other requests.

If you are in the EEA/UK/Switzerland, you can also complain to your local data protection authority.

Account Information

You can request account termination at any time. On valid request, we deactivate or delete account data from active systems, subject to legal retention exceptions.

If you disable cookies, you will not be able to stay signed in to the Services.

13. CONTROLS FOR DO-NOT-TRACK FEATURES

Most browsers support Do-Not-Track (DNT) settings. Because there is no uniform DNT standard, we do not currently respond to DNT signals.

If a binding DNT standard is adopted in the future and applies to us, we will update this notice.

14. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: Yes. Residents of certain U.S. states have specific statutory privacy rights.

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have rights such as:

• Right to know whether we process your personal data
• Right to access personal data
• Right to correct inaccuracies
• Right to delete personal data
• Right to obtain a copy of personal data you provided
• Right to non-discrimination for exercising rights
• Right to opt out of targeted advertising/sale/profiling where applicable

Personal information categories we process are described in Section 1. We disclose identifiers and related account/service data to providers listed in Section 4 for service operations.

We do not sell personal information for advertising purposes.

How to exercise U.S. state rights:

• Account deletion: use account settings
• Access/correction/export/appeal: email support@ultrahope.dev
• Authorized agents may submit requests where permitted by law

We may verify identity before fulfilling requests.

California "Shine The Light": California residents may request annual disclosures as permitted by California Civil Code Section 1798.83 via our contact methods in Section 17.

15. USER-SUBMITTED CONTENT AND AI PROCESSING

Section 6 explains how we process AI-related submissions, outputs, retention, and deletion. Avoid submitting sensitive or proprietary content unless you accept those risks.

16. DO WE MAKE UPDATES TO THIS NOTICE?

We update this notice when legal, product, or operational changes require it. For material changes, we update the "Last updated" date and may provide additional notice in-product or by email.

17. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

Contact:

Satoshi Toyama

Email: support@ultrahope.dev

Our physical mailing address is available upon request via email.

18. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Depending on applicable law, you can request access, correction, deletion, and related rights.

• Account deletion: use the account settings page in the Services.
• Self-service data export: not currently available.
• Access/correction/export and other privacy requests: email support@ultrahope.dev.

Where required by law, we provide requested personal data in a commonly used electronic format.