Privacy Policy

This Privacy Policy explains what data Ultraria collects, how we use it, who we share it with, and how you can access or delete it.

1. What we collect on the server

• Account information — your email address, optional company name, and time zone, provided when you sign up.
• Subscription preferences — the NAICS codes, set-aside designations, keywords, geography, and notification settings you configure for your alerts.
• Billing information — handled entirely by Stripe, our payment processor. We never receive or store your full credit card number; we only see the last four digits and an opaque customer ID.
• Usage data — basic logs of which pages and emails you opened, retained for security and product improvement.
• Support messages — anything you email us at support@ultraria.com.

We do not collect or process any data about your bids, your proposals, your contracts, your awards, or your customers on our servers unless you voluntarily share it with us by email.

1a. What stays in your browser (local-only data)

Several Ultraria features store information only in your browser’s localStorage. This data never reaches our servers and is not synced across devices. It is wiped when you clear your browser data or use the “Delete all my local data” button on your Account page. Local-only data includes:

• Bid pipeline — opportunities you’ve tracked, their stage, your notes, bid checklist progress, and the won/lost/skipped outcomes you record.
• Past-performance database — every project you log, including agency, contract number, KO/COR names + emails, project narrative, and CPARS rating.
• Capability statement(s) — every variant you build, including company name, UEI, CAGE, address, contact info, competencies, differentiators, set-aside expirations, layout choice, accent color, optional logo image (as a data URL), and version-history snapshots.
• Bid scorecards / Pwin estimates — your scoring of each opportunity, decision (go / no-go / undecided), notes, and estimated proposal cost.
• Renewals tracker — labels, due dates, and notes you enter for SAM, set-asides, insurance, bonds, and other renewals.
• Cover-letter drafts, saved searches, notification channel credentials (e.g., webhook URLs you pasted), and your onboarding completion flag.

We chose local-only storage for these features specifically because they may include sensitive operational data (KO contacts, your own capability claims, win/loss records). Keeping this data in your browser means we never touch it, store it, or carry liability for it. The trade-off is no cross-device sync — clearing your browser wipes everything.

1b. Data about federal employees (KO/COR contacts)

The past-performance database lets you record names, emails, and phone numbers of Contracting Officers (KOs) and Contracting Officer Representatives (CORs). These are federal employees acting in their official capacity, and their work contact information is generally public. Ultraria does not transmit, sell, share, or process this data on our servers — it stays in your browser. You are responsible for maintaining the accuracy and lawful use of any contact information you enter. Do not record personal (non-work) contact details, and do not use stored contacts for any purpose other than legitimate federal-contracting business communication.

2. How we use it

• To run the Service: scan SAM.gov, match against your filters, and email you the digest.
• To bill you, manage your subscription, and prevent fraud.
• To support you when you contact us.
• To send service-essential announcements (price changes, security notices, major feature changes).
• To improve the Service in aggregate (e.g., median match counts, most-used set-aside categories) — never tied to identifiable individuals when used this way.

We do not sell your personal information. We do not share your email or filter preferences with advertisers. We do not use your data to train a third-party AI model.

2a. SAM.gov UEI lookup proxy

The capability-statement builder offers a “Pull from SAM.gov” button that fetches your registered entity record from the public SAM.gov Entity API. The lookup is server-side proxied through Ultraria so that our shared SAM.gov API key (if any) is not exposed to the browser. We do not log the UEI you submit, do not store the response, and do not associate the lookup with your account. The response is cached for up to 24 hours at the edge for performance. SAM.gov is the U.S. government’s System for Award Management; the data returned is public-domain federal contracting information about your registered entity.

3. Who we share with (subprocessors)

The third-party services we rely on to run Ultraria:

• Stripe — payment processing.
• Resend — email delivery.
• Cloudflare — web hosting, DNS, edge security.
• Railway — backend hosting and database (Postgres).
• SAM.gov — source of public federal contracting data we read; we do not transmit your personal data to SAM.gov.

We may add or change subprocessors over time and will update this list. We require all subprocessors to provide at least the same level of protection that we promise here.

4. Cookies & tracking

We use a minimal number of first-party cookies essential to keeping you signed in and remembering your dashboard preferences. We do not use third-party advertising cookies or cross-site behavioral trackers.

5. Email — and how to stop receiving it

Every digest email contains a one-click unsubscribe link. Clicking it stops the digest immediately; you remain logged in to the dashboard and can re-enable digests anytime. We may still send a small number of service-essential messages (account changes, billing receipts, security notices) that cannot be unsubscribed from for as long as you have an active account.

6. Data retention & deletion

While your account is active, we retain your account information, subscription preferences, and digest history. If you delete your account or request deletion under Section 7, we permanently remove your account information and preferences within 30 days, except for records we are required to keep for tax, accounting, or legal-defense purposes (typically 7 years for billing records). Anonymized aggregate statistics may persist indefinitely.

7. Your rights

Regardless of where you live, you can:

• Access the personal data we hold about you;
• Correct inaccurate data;
• Delete your account and the personal data tied to it;
• Export a copy of your data in a portable format;
• Opt out of non-essential email at any time.

California residents (CCPA/CPRA): in addition to the rights above, you have the right to know the categories of personal information we have collected about you and to request that we do not sell or share it. We do not sell or share personal information as those terms are defined under California law.

EU/UK/EEA residents (GDPR/UK GDPR): our legal basis for processing is contractual necessity (running the Service you signed up for) and legitimate interest (security, improvement). You have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@ultraria.com from the address on your account. We respond within 30 days.

8. Security

Data is encrypted in transit (TLS) and at rest. Database access is scoped to the minimum personnel required. We follow industry-standard practices but cannot guarantee absolute security; no system is impenetrable. Notify us immediately if you suspect unauthorized access to your account.

9. Children

The Service is for business use and is not directed to children under 16. We do not knowingly collect data from anyone under 16.

10. International transfers

Ultraria is operated from the United States, and our subprocessors may store data in the United States or other jurisdictions. By using the Service, you consent to your data being processed in the U.S.

11. Changes

We’ll notify you by email of material changes at least 30 days before they take effect. The current effective date is at the top of this page.

12. Contact

Privacy questions: privacy@ultraria.com.