Legal

Privacy Policy

Last updated: March 1, 2026

ULTRA AGENT LIMITED ("we", "us", "our"), registered in Thailand (Tax ID: 0105569026818), operates UltraPilot — an AI Social Commerce OS that helps SME businesses manage customer conversations, orders, CRM, shipping, and payments across multiple social channels (Facebook, LINE, Instagram) in a single platform. This Privacy Policy explains how we collect, use, store, and safeguard your personal data when you use UltraPilot.

1. Information We Collect

We collect information you provide directly when registering and using UltraPilot: name, email address, business name, and company details. Through Facebook APIs (with your explicit permission), we collect: Facebook Page ID, Page name, and Page access tokens for Pages you choose to connect; Page-Scoped User IDs (PSIDs), display names, and profile pictures of customers who message your Pages; and message content sent to your connected Pages. We also collect data from other channels you connect (LINE, Instagram). Additionally, we collect technical data including IP address, browser type, device information, and usage analytics to improve our service.

2. How We Use Your Data

Your data is used to: provide AI auto-reply services for your connected social channels; display customer conversations in a unified inbox; manage orders, customers, and shipping in one platform; improve AI response accuracy based on your business knowledge base; generate analytics and performance reports; send service-related notifications; and process subscription payments. We never sell your personal data to third parties or use it for advertising purposes unrelated to our service.

3. Data Storage & Security

All data is stored in our private datacenter located in Bangkok, Thailand. We implement AES-256 encryption at rest and TLS 1.3 for all data in transit. Database access requires multi-factor authentication and is restricted to authorized personnel only. We conduct regular security audits and vulnerability assessments to protect your data.

4. Data Retention

We retain your account data for as long as your account is active. Conversation and message data is retained for 24 months from the date of last interaction, after which it is automatically purged. Deletion timeframes depend on how the deletion is initiated: (a) when you delete your account through UltraPilot Settings or email [email protected], associated personal data is deleted within 30 days; (b) when you disconnect a channel from within UltraPilot, the channel tokens are revoked immediately and associated tokens are purged within 30 days; (c) when you remove UltraPilot from your Facebook Apps and Meta triggers our automated data deletion callback, deletion is processed within 48 hours (see Section 5 and Section 10). Transaction records are retained for 5 years as required by Thai tax law (Revenue Code B.E. 2481).

5. Facebook / Meta Platform Data

Our use of data received from Facebook APIs strictly complies with the Meta Platform Terms and Developer Policies. We request only the permissions necessary to provide our services, and each permission is used solely for the stated purpose. The following permissions are part of our current App Review submission and the only Facebook permissions requested at this time: (1) public_profile — to identify the user during Facebook sign-in by their display name and profile picture; (2) email — to associate the UltraPilot account with the user's Facebook email for account recovery and service notifications; (3) pages_show_list — to display the list of Facebook Pages a user manages so they can choose which Page(s) to connect to UltraPilot; (4) pages_manage_metadata — to subscribe the connected Page to Messenger webhook events so new customer messages reach the unified inbox in real time; and (5) pages_messaging — to receive and send Messenger messages on behalf of the connected Page through our unified inbox, including post-purchase updates sent with approved MESSAGE_TAG values (for example, POST_PURCHASE_UPDATE for shipping notifications) as required by Meta's Messenger Platform policy on messaging outside the standard 24-hour window. We may request additional permissions in future App Review submissions to extend the unified inbox to Instagram Direct Messages (instagram_basic, instagram_manage_messages) and WhatsApp Business (whatsapp_business_messaging); we will update this Privacy Policy and notify users before enabling those channels. Data received from Facebook APIs is used solely to provide AI auto-reply, unified inbox, and commerce management functionality. We do not transfer Facebook user data to third parties except as strictly necessary to provide our service (for example, AI inference within our private infrastructure operated by ULTRA AGENT LIMITED). 
We do not use Facebook data for advertising, data brokering, training AI models outside the user's tenant, or any purpose not explicitly approved by Meta. We provide a data deletion callback endpoint that automatically processes deletion requests within 48 hours when users remove our app from Facebook (see Section 10).

6. PDPA Compliance (Thailand)

We comply with Thailand's Personal Data Protection Act B.E. 2562 (PDPA). You have the right to: access your personal data held by us; request correction of inaccurate data; request deletion of your data; restrict or object to processing; and request data portability in machine-readable format. To exercise these rights, contact our Data Protection Officer at [email protected]. We will respond within 30 days.

7. GDPR Compliance (EEA Users)

For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR). Our legal bases for processing include: contract performance (providing our service to you), legitimate interest (improving service quality and security), and consent (optional analytics). You have the right to erasure, data portability, and to restrict processing. Contact our DPO at [email protected] to exercise your rights.

8. Cookies

We use essential cookies only: session cookies for authentication, a theme preference cookie (ultrapilot_theme), and a language preference cookie (up_lang). We do not use advertising cookies, third-party tracking cookies, or any cookies for remarketing purposes. You can manage cookie preferences in your browser settings; however, disabling essential cookies will prevent you from logging in.

9. Third-Party Services

UltraPilot integrates with the following third-party services to provide our features: Facebook/Meta APIs (to receive and send messages, access customer profile data via PSIDs, and manage Page webhook subscriptions); LINE Messaging API (for LINE channel integration); Cloudflare (CDN, DDoS protection, and Tunnel for secure connectivity); and payment processors for subscription billing. Data shared with these services is limited to what is necessary for their specific function. Each service operates under its own privacy policy.

10. Data Deletion

You may request deletion of your personal data at any time by: (a) using the account deletion feature in UltraPilot Settings — your data is deleted within 30 days; (b) visiting https://ultrapilot.app/api/facebook/data-deletion for Facebook-related data; or (c) emailing [email protected] with your deletion request — handled within 30 days. We also support Facebook's automated data deletion callback — when you remove UltraPilot from your Facebook Apps, Meta sends our endpoint a signed request and we process the deletion within 48 hours, in line with Meta Platform Terms. You can verify the status of any deletion request at https://ultrapilot.app/data-deletion-status using the confirmation code returned by the endpoint.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email and by posting the updated policy with a new effective date. Continued use of UltraPilot after changes take effect constitutes acceptance of the updated policy.

12. Contact & Data Protection Officer

For privacy-related questions, data access requests, or to exercise your rights, contact our Data Protection Officer: Email: [email protected] | Phone: +66 91-599-3559 | Postal: ULTRA AGENT LIMITED, 316/97 Soi Wongsawang 11, Wongsawang, Bang Sue, Bangkok 10800, Thailand | Tax ID: 0105569026818
