Legal

Privacy policy.

Your privacy is not an ad product. We use data to run your workspace, protect it clearly, and keep control in your team's hands.

Effective 2026-07-15

Utter's black cat mascot sitting beside a privacy shield and lock

TL;DR. We store the data you put in Utter on servers we operate. We do not sell it. We send transactional email and store uploaded files using third-party services, process payments through Stripe, and use AI model providers to power AI features; none of them may use your content to train models or for advertising. You can export or delete your data at any time. GDPR, UK GDPR, UAE PDPL, and CCPA/CPRA apply depending on where you live; we honour the rights they grant.

1. Who we are

Data controller: UTTER L.L.C-FZ (Dubai, UAE). Contact: [email protected].

2. What we collect

  • Account. Email address. Display name and optional profile fields if you set them. IP and user-agent at the moment of sign-in, and again when you accept our terms, for security auditing and to keep a record of the acceptance.
  • Workspace. Workspace + project names, slugs, member roles, invite emails, audit logs.
  • Content. Issue titles, descriptions, comments, attachments. Whatever you put into the Service.
  • Billing. For paid plans, our payment provider Stripe collects and stores your payment details. Card numbers never touch our servers. We keep the subscription state, plan, invoice metadata, and billing email.
  • Usage analytics. Only if you opt in through the cookie banner: product usage events via Google Analytics. We never put emails, names, or tokens in analytics events.
  • Technical. Server logs (request method, path, status, duration). Kept for 14 days unless we need them longer for a security investigation.

3. Lawful bases

We process the data above on the basis of (a) contract performance with you and your workspace, (b) our legitimate interest in operating and securing the Service, and (c) your consent, for analytics and wherever else we ask for it. You can withdraw consent at any time.

4. Purposes

  • Provide and operate the Service.
  • Send transactional email (magic links, invites, notifications).
  • Process payments for paid plans and prevent fraud.
  • Generate responses when you use AI features.
  • Detect, prevent, and investigate abuse.
  • Improve reliability via aggregated, non-identifying logs.

5. AI features

When you use an AI feature (for example asking the assistant a question or requesting a summary of an issue), the content needed to answer is sent to our AI model providers, Anthropic and OpenAI, to generate the response. Under our agreements with these providers, your content is not used to train their models. External AI agents that your workspace connects access workspace data through our API with the roles and permissions your workspace administrators configure, and their actions are recorded in the workspace audit trail.

6. Sub-processors

  • Resend. Transactional email delivery.
  • Cloudflare. DNS, CDN, and object storage.
  • Stripe. Payment processing for paid plans.
  • Anthropic and OpenAI. AI model providers for the AI features described above.
  • Google. Analytics, only after you consent through the cookie banner.
  • Database infrastructure operated by us in the EU (Finland).

7. Retention

  • Account and workspace data: while the account exists.
  • Soft-deleted workspaces: 30 days from deletion, then purged.
  • Server logs: 14 days.
  • Backups: 30 days, encrypted at rest.
  • Terms-acceptance records: for as long as the account exists, and afterwards for as long as needed to demonstrate acceptance.

8. Your rights

Under GDPR (EU), UK GDPR, UAE PDPL, and California CCPA/CPRA you have the right to access, correct, delete, port, and restrict the processing of your personal data, and to object to certain processing. You can also withdraw consent where we rely on it. Exercise these rights by emailing [email protected]; we will respond within thirty (30) days.

9. Data transfers

We are based in the UAE. Data may be transferred to and stored in the EU (Finland) and processed via Cloudflare's global network, and, for payments and AI features, by the sub-processors listed above in the US or EU. We rely on Standard Contractual Clauses with our sub-processors where applicable.

10. Children

The Service is not directed to children under 16. We do not knowingly collect data from children.

11. Cookies

We use a strictly-necessary session cookie (up_sess) and preference cookies for language, theme, and layout. Analytics cookies are set only after you opt in through the consent banner; if you decline, they are never set. We do not use advertising cookies and we do not sell personal data.

12. Security

Everything is sent over an encrypted connection. The sign-in links we email you can only be used once and expire after 15 minutes. Backups are encrypted, and only a short list of named people can reach the live data.

13. Changes

Material changes to this policy will be emailed to workspace owners at least fourteen (14) days before they take effect, and we will ask you to review and accept the updated policy inside the app.

14. Contact

Privacy questions: [email protected]. Operator: UTTER L.L.C-FZ, Dubai, UAE.

This document is provided for transparency. It does not constitute legal advice. Consult your own counsel.

Privacy policy · Terms of service