Privacy Policy
How UBava handles data — and more importantly, how we don't.
Who We Are
UBava OÜ is an Estonian AI infrastructure company. We operate a privacy relay that allows European businesses to access American large language models (Claude, GPT, Gemini, Grok) without exposing personal data.
Contact: info@ubava.ee
Data Protection Officer: dpo@ubava.ee
What Data We Collect
We collect the minimum data required to provide and bill for our service:
- Account email address
- Company name
- Payment information (processed securely via Stripe — we do not store card numbers)
- Usage metrics (token counts, request volume — no content)
Legal Bases for Processing
Under Art. 6 GDPR, we rely on the following legal bases for each processing activity:
- Account creation — Art. 6(1)(b) performance of a contract
- Billing and payments — Art. 6(1)(b) performance of a contract
- Usage logging — Art. 6(1)(f) legitimate interest (service improvement and billing accuracy)
- Cookie consent — Art. 6(1)(a) consent
- Security monitoring — Art. 6(1)(f) legitimate interest (fraud prevention and platform integrity)
What We Do NOT Collect
UBava does not collect, store, or process:
- PII from relay prompts
- Employee data from your organization
- Prompt content sent through the relay
- Response content received from LLM providers
Our relay strips PII locally before transmission. We never see it, and we never store it.
Sub-processors and Recipients
We share data with the following categories of recipients (Art. 13(1)(e)):
- Anthropic (Claude) — San Francisco, CA, USA — AI processing
- OpenAI (GPT) — San Francisco, CA, USA — AI processing
- Google (Gemini) — Mountain View, CA, USA — AI processing
- xAI (Grok) — San Francisco, CA, USA — AI processing (DPA pending)
- Stripe — San Francisco, CA, USA — payment processing
- Hetzner Online GmbH — Nuremberg, Germany — infrastructure hosting
Important: LLM providers listed above receive only synthetic (tokenized) data via the VHH Privacy Air-Lock protocol. They never receive real personal data.
Cross-border Transfers
Certain data is transferred outside the EEA under the following safeguards (Art. 13(1)(f)):
- LLM providers (Anthropic, OpenAI, Google, xAI) — receive synthetic data only. Synthetic data does not constitute personal data under CJEU Case C-413/23 P, so Chapter V GDPR transfer restrictions do not apply.
- Stripe (US) — billing data transferred under Standard Contractual Clauses (SCCs).
Transfer mechanism: Standard Contractual Clauses supplemented by architectural measures (VHH cascade tokenization ensures no personal data leaves the EEA in relay traffic).
GDPR Article 4(2) — Data Processing
Under GDPR Article 4(2), UBava is not a data processor. We relay tokenized, anonymized data — we do not process personal data on behalf of our clients. PII is stripped by the VHH Privacy Air-Lock protocol on the client side before it reaches our infrastructure.
Data Retention
- Account data (email, company name) — duration of active account + 30 days after closure
- Billing records — 7 years (required by the Estonian Accounting Act)
- Usage logs (token counts, request volume) — 90 days, then permanently deleted
- Relay logs (timestamp, model, token count, status code) — 90 days, then permanently deleted
- No prompt or response content is ever stored
Cookies
We use only essential cookies, for session management. No tracking cookies, no analytics cookies, no third-party cookies.
Your Rights Under GDPR
As a data subject, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data
- Portability — receive your data in a structured, machine-readable format
- Restriction — request restriction of processing under Art. 18 GDPR
- Objection — object to processing based on legitimate interest under Art. 21 GDPR. Where we process data on the basis of legitimate interest, you may object at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Complaint — lodge a complaint with the supervisory authority
To exercise any of these rights, contact dpo@ubava.ee.
Automated Decision-Making
UBava does not make automated decisions that produce legal or similarly significant effects on data subjects (Art. 22 GDPR). All AI outputs generated through our relay are informational only and require human review before any action is taken.
Obligation to Provide Data
Provision of certain personal data is a contractual requirement necessary for service delivery (Art. 13(2)(e)):
- Account email and company name — required to create and manage your account
- Payment information — required for billing via Stripe
If you do not provide this data, we cannot provide you with access to the UBava service.
Supervisory Authority
Our supervisory authority is the Andmekaitse Inspektsioon (Estonian Data Protection Authority).
Website: www.aki.ee