Privacy Policy
- Privacy philosophy
- Data controller
- Data Protection Officer
- What data we process
- What data we do NOT process
- Purposes and legal bases
- Retention periods
- Recipients and processors
- International transfers
- Data subject rights
- Minors
- Security measures
- Security breaches
- Cooperation with authorities
- Regional provisions
- Changes to the Policy
- Contact and complaints
Informational translation. The legally binding version is the Spanish original, available at /legal/privacidad.html. In case of discrepancy, the Spanish version shall prevail.
1. Privacy philosophy
ULOX is designed with privacy by design and by default. The server operated by ITRION is technically blind to the content of communications and to the content stored by the user: it does not hold the cryptographic keys necessary to decrypt that data, it cannot read messages, files, notes, stored passwords or any other user information.
This feature is not rhetoric: it is structural. It is realised through end-to-end encryption in messaging, cryptographic derivation of pseudonyms that break the association between base account and universes, and server storage exclusively as opaque blobs encrypted on the client.
2. Data controller
| Controller | ITRION SOFTWARE, S.L. |
|---|---|
| Tax ID | B19913797 |
| Address | Calle Francisco Silvela, 110, floor 2, 28028 Madrid, Spain |
| General email | privacy@ulox.org |
| Web | ulox.org · ulox.app |
3. Data Protection Officer (DPO)
Where the appointment of a DPO is mandatory under Article 37 GDPR, or where ITRION decides to designate one voluntarily, their contact details will be as follows:
| DPO contact | dpo@ulox.org |
|---|---|
4. What data we process
The set of personal data that ITRION may process in connection with the Service is deliberately minimal:
4.1. Account data
- ULOX ID: alphanumeric identifier chosen by the user. It is not required to be identifying. It is not linked to email or phone number.
- Master key (hash): ITRION stores only the cryptographic hash (Argon2id) of the key, not the key itself.
- Cryptographic public keys generated on the client.
- Derived pseudonyms: opaque identifiers in each LOX, cryptographically generated. They do not reveal to the server which base account they belong to.
4.2. Technical and usage data
- IP addresses received in connections, present in technical logs for brief periods for security and diagnostic purposes.
- Timestamps of last activity and presence (last seen, online_until) associated with the account or pseudonym. This data is the minimum necessary for presence functionality.
- User agent information (browser, operating system) in connection logs, with exclusively technical purpose.
- Push notification subscriptions, if the user enables them, in the form of an opaque endpoint provided by the browser/system.
4.3. Encrypted data
- Encrypted messages and files in transit and at rest, stored as opaque bytes.
- Encrypted metadata (meta_blob) of the private universe elements.
- Encrypted binaries stored in object storage.
ITRION acknowledges that this encrypted data may contain personal user information, but does not have the keys to decrypt it. Therefore, it does not process its content beyond storage, transmission and delivery to the legitimate recipient in accordance with the Service protocol.
5. What data we do NOT process
By design, ITRION does not collect or store the following data in plaintext:
- Real name, surnames, date of birth, gender, nationality or any civil identifier.
- Email address or phone number of the user.
- Device contact book.
- Precise geolocation.
- Content of messages, files, photos, videos, audio, notes or passwords stored by the user.
- LOX strings in plaintext, neither on the server nor on the device. Keys are derived dynamically from the LOX on the client.
- Association between base account and the pseudonyms the user adopts within each LOX.
6. Purposes and legal bases of processing
| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Service provision (registration, authentication, encrypted message delivery, synchronisation) | ULOX ID, key hash, public keys, pseudonyms, encrypted blobs | Performance of the contract (Art. 6.1.b) |
| Technical security of the Service, abuse prevention, attack detection | IPs, timestamps, user agent, connection counters | Legitimate interest (Art. 6.1.f) — protection of the Service and users |
| Compliance with legal obligations (judicial requests, accounting retention, DSA reports) | The minimum necessary to respond to the request | Legal obligation (Art. 6.1.c) |
| Push notifications (if the user enables them) | Browser/system subscription endpoint | Consent (Art. 6.1.a) — revocable at any time |
| Handling enquiries and support | The data the user provides in the enquiry | Legitimate interest / contract performance |
7. Retention periods
- Account data: while the account is active. After deletion, removed within a maximum of 30 calendar days, unless a legal retention obligation applies.
- Encrypted messages: until delivery to the recipient and, where applicable, during the retention period the user configures in their client. The server's technical policy provides for automatic deletion after reasonable periods following delivery.
- Security and connection logs (IP, timestamp, user agent): up to ninety (90) calendar days. This period allows cooperation with legitimate legal requests from authorities within the usual times of the process (judicial order, police request), and is considered proportional to the purpose pursued. After that period, logs are automatically deleted, except where there is a duly formalised open investigation, in which case only the data directly related to the investigation will be retained.
- Data subject to legal obligation: the corresponding legal period (e.g., accounting data up to 6 years for paying customers, data relating to judicial reports until closure of the procedure).
8. Recipients and processors
ITRION does not share or transfer personal data to third parties for advertising or commercial purposes. ITRION does not profile users, does not segment for advertisers and does not participate in advertising networks.
The only third parties that may have technical access to Service data are processors providing essential infrastructure, bound by a processing agreement in accordance with Article 28 GDPR:
- Hosting providers: the servers where the Service runs. Accessible data: opaque encrypted blobs, account identifiers, technical logs. No access to plaintext content.
- DNS and content delivery network (CDN) providers: for name resolution and delivery of the web application. Accessible data: connection metadata.
- Push notification providers: services from operating system or browser manufacturers (Apple, Google, Mozilla, Microsoft) that deliver notifications to the device. Accessible data: endpoint and opaque encrypted payload or payload without sensitive content.
- Email providers for the *@ulox.org channels: currently a mail server (Mailcow) operated by ITRION itself, located in the European Union.
The complete and updated list of processors is available to any interested party at privacy@ulox.org.
9. International data transfers
The Service's main infrastructure is located in the European Union. ITRION strives to keep all processing within the European Economic Area.
Where international transfers of personal data to countries outside the EEA occur (for example, to Apple or Google push notification providers), ITRION will ensure that such transfers are made under one of the safeguards provided for in the GDPR (Articles 44 et seq.): adequacy decisions, standard contractual clauses (SCC) or binding corporate rules (BCR), as appropriate.
10. Data subject rights
As the holder of personal data, the user has the following rights, exercisable at any time:
- Access: to know what personal data of theirs ITRION processes.
- Rectification: to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): to obtain the deletion of their data, unless a legal retention obligation applies.
- Objection: to object to processing based on legitimate interest.
- Restriction: to request the suspension of processing while a dispute is verified.
- Portability: to receive the data in a structured, commonly used and machine-readable format, where technically possible.
- Withdrawal of consent: to revoke previously granted consents (e.g., push notifications).
- Not to be subject to individual automated decisions: ITRION does not make automated decisions with significant legal effects on the user.
These rights are exercised by sending a request to privacy@ulox.org, accompanied, where appropriate, by the minimum data necessary to identify the holder and the request. ITRION will respond within a maximum of one (1) month, extendable by up to two (2) additional months in complex cases.
11. Minors
The Service is not directed at minors below the minimum age set out in the Minors Policy. ITRION does not knowingly collect personal data from minors below that age. Should such collection be detected, the data will be immediately deleted and the account closed.
12. Security measures
ITRION applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR), among which the following stand out:
- End-to-end encryption of user communications (XSalsa20-Poly1305, X25519).
- Client-side encryption of contents stored in private universes.
- Cryptographic key derivation from passwords with Argon2id (MODERATE parameters: 256 MiB, 3 iterations).
- HTTPS/TLS communications exclusively.
- Service isolation in containers and segmented networks.
- Encrypted backups with key not held in the same location as the data.
- Administrative access logging and role-based access control.
- Periodic audits and internal review processes.
13. Security breaches
In the event of a security breach that may pose a risk to the rights and freedoms of the user, ITRION will comply with the notification obligations to the supervisory authority within a maximum of 72 hours (Art. 33 GDPR) and, where appropriate, will communicate the breach to affected users (Art. 34 GDPR) through the available channels.
14. Cooperation with authorities
ITRION cooperates with legally competent judicial and administrative authorities and law enforcement bodies within the framework of applicable legislation and international cooperation treaties.
Faced with a binding legal request, ITRION delivers the data it actually holds, within the periods and with the diligence required, and provides authorities with the technical assistance that is reasonably possible. ITRION lacks technical capability to decrypt the user's encrypted content, given that the cryptographic keys are not in its possession; this limitation derives from the service's privacy-by-design model and is recorded in good faith in each response to requests, without ever implying a refusal to cooperate.
The channel for cooperation with authorities is law-enforcement@ulox.org.
15. Specific provisions by region
15.1. European Union and EEA
Users resident in the EU/EEA may file a complaint with the competent supervisory authority. In Spain, the authority is the Spanish Data Protection Agency (AEPD), accessible at www.aepd.es.
15.2. United Kingdom
Users resident in the United Kingdom may file a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. UK GDPR and Data Protection Act 2018 apply.
15.3. United States — California (CCPA/CPRA)
California residents have analogous rights: right to know, delete, correct and oppose the sale or sharing of personal data. ITRION does not sell or share personal data within the definitions of CCPA/CPRA. Requests should be sent to privacy@ulox.org.
15.4. United States — Other states
Residents in other states with applicable privacy regulations (Virginia, Colorado, Connecticut, Utah, Texas, etc.) may exercise the rights provided in their legislation by directing the request to privacy@ulox.org.
15.5. Brazil (LGPD)
Brazilian residents may exercise the rights provided in the Lei Geral de Proteção de Dados Pessoais (Law 13.709/2018), including confirmation, access, correction, anonymisation, portability, deletion and withdrawal of consent. The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD).
15.6. Canada (PIPEDA/Provincial)
Canadian residents may exercise the rights provided in PIPEDA and applicable provincial regulations. The federal authority is the Office of the Privacy Commissioner of Canada (OPC).
15.7. Rest of the world
ITRION will apply the principles and rights of the GDPR as a minimum standard to all users. Any complaint may be addressed to privacy@ulox.org.
16. Changes to this Policy
ITRION may update this Privacy Policy to reflect legal, technical or service changes. Updates will be published on this same page indicating the revision date. When changes are substantial, the user will be informed through the Service with reasonable advance notice.
17. Contact and complaints
For any query or exercise of rights:
- General privacy: privacy@ulox.org
- Data Protection Officer: dpo@ulox.org
- Postal: ITRION SOFTWARE, S.L. — "Privacy Department", Calle Francisco Silvela, 110, floor 2, 28028 Madrid, Spain.
Without prejudice to the above, the user has the right to file a complaint with the competent supervisory authority in their jurisdiction when they consider that the processing of their personal data infringes the applicable regulations.
