Privacy Policy
Last updated: 21 May 2026
This policy explains what personal data Ultreya collects through this website, why we collect it, and the rights you have over it. We keep what we collect to a minimum.
Who we are
Ultreya is an early-stage project still in development, run by a small private team based in Italy. It is not yet an incorporated company; we are testing the idea, and if it goes ahead we intend to form a company and update this policy accordingly.
For now, the Ultreya team is the “data controller” for the personal data described here. For anything concerning your data, write to us at info@ultreyacamino.com.
What this policy covers
Ultreya is currently a pre-launch website (ultreya.app) with one feature: a waitlist you can join with your email address to be notified when we launch. This policy covers the data collected through that site.
There is no user account, login, payment, or journey-tracking feature in operation yet. Before any such feature starts collecting new data, we will update this policy.
What we collect, why, and our legal basis
When you join the waitlist and as you browse the site, we process the following:
- Email address — when you submit the waitlist form. We use it to send you a confirmation (welcome) email and to notify you when Ultreya launches. Legal basis: your consent (Art. 6(1)(a) GDPR), given by submitting the form.
- Language preference — the site language at sign-up (English, Spanish, Italian or Portuguese), so we can write to you in your language. Legal basis: legitimate interest in communicating clearly (Art. 6(1)(f) GDPR).
- IP address — processed automatically when you submit the form, to limit abuse (rate limiting) and run an anti-bot check. We do not store it in our database; it is held only briefly by our security and hosting providers. Legal basis: legitimate interest in protecting the site (Art. 6(1)(f) GDPR).
- Email-delivery logs — a short technical record of whether your welcome email was sent, failed or was rejected, so we don’t email you twice and can fix delivery problems. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
- Usage statistics — we use Vercel Web Analytics, which is privacy-friendly and cookieless: it counts aggregate page visits without profiling you or tracking you across other sites. Legal basis: legitimate interest in understanding our traffic (Art. 6(1)(f) GDPR).
Cookies
We use no advertising or tracking cookies, and we show no cookie banner because the only cookies we set are strictly necessary or functional:
- ultreya_locale — remembers the language you chose.
- Supabase session cookies — set by our backend to manage sessions. No account login is live yet, so for visitors who only browse or join the waitlist these carry no identifying information.
Who we share data with
We do not sell your data and we do not share it for advertising. We rely on a few trusted providers that process data on our behalf under contract (“processors”):
- Supabase — database and backend hosting (EU region). Stores your waitlist email and language preference.
- Upstash — Redis store used for rate limiting (EU region). Briefly holds IP-based counters.
- Vercel — website hosting and cookieless analytics (US company).
- Cloudflare — Turnstile anti-bot protection (US company).
- register.it — email provider used to send your welcome email (Italy, EU).
International data transfers
Your waitlist data and rate-limiting data are stored in the EU. Some providers (Vercel, Cloudflare) are US-based companies. Where personal data is transferred outside the EU/EEA, it is protected by appropriate safeguards required by the GDPR — Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
How long we keep your data
- Waitlist email and language: until we launch and have notified you, or until you ask us to remove you — whichever comes first. If we abandon the project, we delete the waitlist.
- Email-delivery logs: kept only as long as needed to manage delivery, then deleted.
- IP-based security data: held only briefly by our providers (hours to about a day) and then expires automatically.
Your rights
Under the GDPR you have the right to access the personal data we hold about you, to correct it, to have it erased, to restrict or object to its processing, and to receive it in a portable format. Because the waitlist relies on your consent, you can withdraw that consent at any time — simply ask us to remove you.
To exercise any of these rights, email info@ultreyacamino.com; we will respond within one month. You also have the right to lodge a complaint with a data protection authority — in Italy this is the Garante per la protezione dei dati personali (garanteprivacy.it) — or with the authority in your own country.
Children
Ultreya is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us their data, contact us and we will delete it.
How we protect your data
We apply measures appropriate to an early-stage project: encrypted connections (HTTPS), row-level security on our database, signed and verified internal webhooks, rate limiting and anti-bot checks. No system is ever perfectly secure, so we deliberately collect as little as possible to reduce risk.
Changes to this policy
As Ultreya grows — particularly when accounts and journey features launch, or when we form a company — we will update this policy and change the “last updated” date above. We will tell waitlist subscribers by email about significant changes that affect them.
Contact
Questions about this policy or your personal data: info@ultreyacamino.com.