Privacy Policy
DRAFT - legal review required before public launch.
Last updated: May 1, 2026
UltraFlips is currently a private beta marketing website. This draft explains the information the website is designed to collect and how it is intended to be used.
Information We Collect
We may collect waitlist email addresses and optional collector profile answers with your consent so we can manage beta access and product research. We collect contact form submissions when you ask us to respond to a message. We process referrer data, basic device metadata, and page events either with your consent for analytics or under our legitimate interest in keeping launch pages reliable. IP addresses are processed for spam prevention, rate limiting, security logging, and abuse investigation; they are not sold and are not used to build app portfolio profiles.
Cookies And Analytics
Essential cookies and local storage are limited to site operation and legal preferences such as analytics consent. Non-essential analytics runs only after a visitor accepts analytics in the cookie banner, and consent can be withdrawn by clearing the `ultraflips_analytics_consent` browser storage key or contacting legal@ultraflips.com.
PostHog may set `ph_<project>_posthog` for visitor/session analytics and `ph_<project>_posthog_opt_in_out` for opt-in status, with a planned retention period of up to 12 months unless configured shorter. Plausible's standard script is cookieless; if that changes, it must stay behind the same opt-in gate. Analytics events are limited to marketing-page views, CTA clicks, UTM/referrer context, and form conversion status. The marketing website does not collect or expose app portfolio holdings, scans, or seller data.
Service Providers
The website is designed to use Supabase for waitlist/contact storage, Resend for transactional email, PostHog and Plausible for opted-in analytics, Sentry for error reporting, and Vercel for hosting. These providers may process data in the United States or other regions. Production setup should rely on the providers' Data Processing Agreements, Standard Contractual Clauses, adequacy decisions where available, and access controls before public launch. Provider notices: Supabase https://supabase.com/privacy, Resend https://resend.com/legal/privacy-policy, PostHog https://posthog.com/privacy, Plausible https://plausible.io/data-policy, Sentry https://sentry.io/privacy, Vercel https://vercel.com/legal/privacy-policy, Stripe https://stripe.com/privacy.
Stripe is not used by this marketing website. Stripe may be used by the separate UltraFlips app when payment features launch, and app payment data should remain isolated from marketing-site waitlist/contact data unless a user explicitly connects those experiences.
Data Retention
Waitlist records are retained until beta access is complete or a user asks us to delete them. Contact submissions are retained for up to 24 months unless longer retention is needed for support, abuse prevention, or legal reasons. Rate-limit records should expire or be deleted after they are no longer needed for abuse prevention. Analytics data should be retained for the shortest practical product-analysis window, planned at 12 months or less.
Security Measures
Production systems should use encrypted transport, managed database access controls, service-role isolation, least-privilege API keys, provider audit logs where available, and separate app/marketing environments. Secrets must not be committed to the repo.
Your Rights
Depending on applicable law, including GDPR and CCPA/CPRA, you may request access, correction, deletion, export, restriction of processing, objection to processing, withdrawal of consent, and information about sharing or sale. You may also have the right to lodge a complaint with a data protection authority. Send requests to legal@ultraflips.com. We may verify your identity before fulfilling a request and aim to respond within 30 days unless the law allows more time.
Automated Decision-Making
The marketing website does not make legal, credit, employment, or similarly significant automated decisions. Future Ultra product recommendations are decision support and should not be treated as guaranteed financial outcomes.
Children's Privacy
UltraFlips is not directed to children under 13, and the marketing website should not knowingly collect personal information from children under 13. If you believe a child provided data, email legal@ultraflips.com for deletion.
Third-Party Links And Services
External marketplaces, social links, payment services, vaults, and future app integrations have their own privacy practices. Review their policies before using those services.
Do Not Track
Browsers may send Do Not Track signals, but there is no consistent industry standard for responding to them. UltraFlips honors its explicit analytics consent control for non-essential tracking.
Policy Changes And Breach Notice
We will update the "Last updated" date when this policy changes and may provide additional notice for material changes. If a data incident affects personal information, we will investigate, mitigate, and notify affected users or regulators when required by law.
Contact
For privacy questions, email legal@ultraflips.com.