Last Updated: October 30, 2025

U6, Inc. ("U6," "we," "our," or "us") operates the website u6.ai and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal information, and describes your rights and choices. By using the Service, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Service.

Scope. This Policy applies to personal information we process as a business/controller via the Service, including websites, apps, dashboards, and APIs. Separate contracts may govern enterprise customers’ data (e.g., a Data Processing Addendum ("DPA")). If a contract or DPA conflicts with this Policy, the contract/DPA controls for contracted services.

1) Who We Are (Controller), Contact, and Representations

• Controller: U6, Inc., a Delaware corporation.

• Contact: contact@u6.ai

• EU/UK Representative: Ryan Jang (Article 27 Representative) — Email: ryan@u6.ai. We will update this Policy if contact details change.

• Data Protection Officer (DPO): Ryan Jang — Email: ryan@u6.ai.

2) Notice at Collection (California & Similar US State Laws)

We collect the categories of personal information listed below for the purposes stated, retain them for the periods indicated (or criteria used to determine such periods), and do not sell your personal information. We also do not share personal information for cross-context behavioral advertising unless stated otherwise below. We do not use or disclose Sensitive Personal Information to infer characteristics.

Category (examples) Sources Purposes Retention Sold/Shared? Identifiers (name, email, IP, device IDs) You; your org; devices; SSO/IdPs (e.g., Clerk); payment processors Account creation; authentication; security; service delivery; support; marketing with consent While account active + up to 3 years after last activity (or per contract/legal needs) No Commercial info (plans, billing history) You; payment processors (e.g., Stripe, Lemon Squeezy) Payments; fraud prevention; accounting; support Financial records kept per law (typically 7 years) No Internet/Network activity (pages viewed, clicks, logs) Devices; analytics and logging tools Diagnose issues; improve performance; analytics; security monitoring 12–24 months (aggregated/anonymized longer) No Geolocation (coarse) (e.g., country, time zone) IP-derived Localization; fraud/security 12–24 months No User content / AI interaction data (prompts, URLs, uploaded files, test flows) You; your org Provide Service; generate outputs; debugging (with safeguards); improving quality (where permitted) Up to 24 months by default; enterprise options available No Inferences (e.g., persona performance metrics) Derived from usage Improve features; quality; personalization (where permitted) 12–24 months No

Opt-Out: If we ever begin “sharing” for targeted advertising, we will provide a “Do Not Sell/Share My Personal Information” link and update this Policy before doing so.

3) Information We Collect

• Account Information. Name, email, company/role, workspace, and authentication data (from us or SSO/IdP such as Clerk).

• Usage & Device Data. Pages visited, features used, timestamps, referring URLs, browser and OS, IP address, locale/time zone, crash/diagnostic logs, and similar telemetry.

• AI Interaction Data ("Content"). Prompts, instructions, files, URLs, test flows, and outputs you (or your org) submit to or generate via the Service. Do not submit personal data you do not have rights to process.

• Payment Data. Managed by processors (e.g., Stripe, Lemon Squeezy). We receive limited metadata (e.g., last4, brand, card type) and do not store full card numbers.

• Cookies & Similar Technologies. Session cookies; preference cookies; analytics and performance cookies; security cookies. See Section 11 (Cookies).

• Support & Comms. Messages, tickets, call notes, feedback, and marketing preferences.

• Job Applicants. If you apply for roles, we collect applicant data per our recruiting notices.

We may aggregate or de-identify data so it can no longer reasonably identify you. We may use and disclose such data for any lawful purpose.

4) How We Use Personal Information (Purposes & Legal Bases)

Purposes (all users):

1. Provide, operate, maintain, and secure the Service (including authentication and fraud prevention).

2. Process and deliver AI interactions and outputs; logging for reliability and abuse detection.

3. Analyze usage to improve performance, safety, and user experience; develop new features.

4. Communicate transactional messages (e.g., security, billing, service updates) and—with appropriate consent—marketing.

5. Comply with law; enforce terms; protect our rights, users, and the public; detect, prevent, and address security incidents, spam, abuse, or illegal activity.

GDPR Legal Bases (EEA/UK/Switzerland): performance of contract; legitimate interests (e.g., security, product improvement); consent (where required, e.g., certain cookies/marketing); legal obligations.

We do not use Sensitive Personal Information to infer characteristics.

5) AI & Model Providers

• We may route prompts and inputs to third‑party model providers and infrastructure partners (e.g., OpenAI, Anthropic, Google, AWS/GCP/Azure, Supabase, Clerk, Cloudflare, Browser Use) to deliver functionality. These providers process data under their own terms and privacy policies.

• Model Training: We do not allow third‑party model providers to train on your Content unless (a) you explicitly opt in, or (b) provider terms in effect at the time require it and you consent via their interface. We will provide controls or instructions to opt out of any training uses where available and will default to opt‑out where feasible.

• Human Review: Limited human review may occur for abuse detection, debugging critical issues, safety research, or where you request support. Access is restricted and logged.

Enterprise customers may request a DPA and additional controls (data residency, retention windows, logging scope, SSO/SAML, audit trails).

6) Disclosures of Personal Information

We disclose personal information to:

• Service Providers / Processors. Vendors that help deliver the Service (hosting/CDN; compute; storage; analytics; logging; authentication; email; payments; customer support). They may access personal information only to perform services on our behalf and must protect it.

• Affiliates & Corporate Transactions. We may share with affiliates, and disclose in connection with mergers, acquisitions, financings, or asset transfers, subject to this Policy.

• Legal & Safety. To comply with law, lawful requests, or legal processes; to protect you, us, or others (e.g., investigating abuse, preventing spam/malware, protecting rights, property, or safety).

• With Your Direction. At your request or with your consent (e.g., integrations you enable).

We do not sell personal information and do not share it for cross‑context behavioral advertising.

7) Data Retention

We retain personal information only as long as necessary for the purposes described or as required by law. Default guidelines:

• Account & Auth: while account is active + up to 3 years after last activity.

• AI Interaction Logs: up to 24 months (configurable for enterprise); anonymized/aggregated data may be retained longer.

• Billing/Tax Records: typically 7 years or as required by applicable law.

• Security Logs: 12–24 months (longer for investigations).
  We may delete earlier upon verified request (subject to legal exemptions) or per contract.

8) Security

We implement administrative, technical, and physical safeguards designed to protect personal information (e.g., encryption in transit; restricted access; role‑based controls; monitoring). No system is perfectly secure; we cannot guarantee absolute security. If we discover a security incident affecting your personal information, we will notify you and regulators as required by law.

9) International Data Transfers

We are based in the United States and may process data in the U.S. and other countries where we or our vendors operate. Where required, we use appropriate safeguards for cross‑border transfers (e.g., EU Standard Contractual Clauses and the UK Addendum). By using the Service, you understand your data may be transferred to jurisdictions with different data protection laws.

10) Your Privacy Rights & Choices

Global rights (where available): access; correction; deletion; portability; restriction/objection to certain processing; withdraw consent; appeal a denied request.

• How to submit: Email contact@u6.ai with subject “Privacy Request” and indicate your request type and the email associated with your account. We may verify your identity and/or authority (for authorized agents).

• Appeal: If we deny your request, you may appeal by replying to our decision email with “Appeal” in the subject. If your appeal is denied, you may contact your regulator/AG.

• Marketing Opt‑Out: You may unsubscribe from marketing emails via the link in the email or by contacting us. We may still send non‑marketing (transactional) emails.

• Cookies: See Section 11 for controls.

• Training & Human Review: See Section 5 for opt‑out options and enterprise controls.

California (CPRA): You have rights to know/access, delete, correct, portability, and to opt out of sale/share and limit use of Sensitive Personal Information (we do not sell/share and do not use SPI to infer characteristics). You also have the right to be free from discrimination for exercising your rights.

Virginia/Colorado/Connecticut/Utah and other US State Laws: Similar rights apply; we honor applicable state law requirements.

EEA/UK/Switzerland: You have rights under GDPR as noted above. You may lodge a complaint with your local supervisory authority.

11) Cookies & Similar Technologies

We use:

• Strictly Necessary Cookies (e.g., session, security, load balancing).

• Functional Cookies (preferences, localization).

• Analytics/Performance Cookies (traffic patterns, diagnostics). We may use tools such as Google Analytics or privacy‑centric analytics.

Controls: You can manage cookies via your browser settings and (where required) our cookie banner. Blocking some cookies may affect functionality. If we use analytics that enable data sharing for ads, we will seek consent where required and provide opt‑outs.

12) Children’s Privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided personal information, contact us to request deletion.

13) Third‑Party Services & Links

The Service may link to or integrate with third‑party sites and services (e.g., model APIs, SSO, payments). We do not control third parties and are not responsible for their privacy practices. Review their privacy policies.

14) Enterprise & Developer Features

• Integrations & APIs: If you enable integrations or use our APIs, you direct us to exchange data with those services. You are responsible for your configurations and for ensuring you have a lawful basis to process any personal data you submit.

• Logs & Monitoring: For reliability and abuse prevention (e.g., automated scraping, exploit attempts), we may scan traffic and content; see also our Terms for acceptable use.

• Data Residency/Retention Options: Available to enterprise customers by agreement (e.g., shorter log windows; single‑tenant or VPC options when available).

15) Changes to this Policy

We may update this Policy to reflect changes to our practices, technologies, or legal requirements. We will post updates here with a new “Last Updated” date and, where required, provide additional notice (e.g., email or in‑product). Material changes will take effect no sooner than the date of posting unless otherwise required by law.

16) How to Contact Us

• Email: contact@u6.ai

17) Supplemental Disclosures

Nevada: We do not sell covered information as defined by Nevada law.

Financial Incentives: We do not offer data‑related financial incentives. If this changes, we will provide required notices and opt‑in consent.

Security Research: We support responsible disclosure. Do not access other users’ data. Contact us before testing. We may maintain logs for abuse detection.

18) Key Definitions

• “Personal information / personal data” means information that identifies or is reasonably capable of being associated with you.

• “Content / AI Interaction Data” means prompts, instructions, files, URLs, test flows, logs, outputs, and related metadata you submit or generate.

• “Sell” means disclosure for monetary or other valuable consideration; “Share” means cross‑context behavioral advertising (CPRA definitions).

• “Sensitive Personal Information” means data like precise geolocation, government IDs, financial account details, health data, etc. We do not seek this and request you refrain from submitting it unless contractually required and protections are in place.

Short‑Form Summary (Non‑Binding)

• We collect account, usage, and AI interaction data to deliver and improve the Service.

• We don’t sell or share your personal information for behavioral advertising.

• Logs exist for reliability, safety, and support; enterprise can request tighter controls.

• You have rights to access, delete, correct, and opt out of certain processing; email contact@u6.ai.

• We use reputable processors (e.g., hosting, model APIs, payments) under contracts and safeguards.

• Data may be processed in the U.S. and other countries with appropriate transfer mechanisms.

• We secure your data but cannot guarantee absolute security.

Governing Law: This Privacy Policy is governed by the laws of the State of Delaware, USA, without regard to conflict‑of‑law principles. Contractual disputes are governed by your agreement with us (e.g., Terms of Use or MSA).