Infinite
privacy-policy.md

Privacy Policy

This Privacy Policy explains how Ultima AI, Inc., a Delaware corporation (United States) ("Ultima," "we," "us"), handles information in connection with Infinite Growth OS ("Infinite," the "Software," the "Service") — a self-hosted, local-first growth-analytics runtime that connects your business data sources and helps you understand what changed and why.

Our guiding principle is simple: you own your growth data, and it stays on your machine. This policy describes the limited cases in which any data reaches our servers, and how we treat data you authorize us to access from third parties such as Google.

This document is a plain-language policy intended to satisfy applicable disclosure requirements (including the Google API Services User Data Policy). It is not legal advice; have counsel review before publishing.

1. Who we are

Ultima AI, Inc., a Delaware corporation (United States).
Contact: support@ultima.inc

2. The local-first model — your data lives on YOUR computer, not ours

Infinite runs entirely on your own machine. When you connect a data source (for example Google Analytics, PostHog, Stripe, Shopify, Meta, or X), the data that is synced is stored in a database on your own device that you controlnot on Ultima's servers. We do not host, receive, store, or have access to that data.

  • Raw records (events, orders, customers, and any personal data they contain) never leave your machine. They live only in your local store.
  • We cannot see your connected accounts, your synced data, or your credentials. They are held locally on your device and encrypted at rest.
  • There is no Ultima-hosted copy of your business data. If your machine is the only place you've run Infinite, then your machine is the only place your data exists.

3. Google user data (Google Analytics)

If you connect Google Analytics, Infinite uses Google OAuth to read your Google Analytics data into the local store on your own machine. Your Google Analytics data is never sent to Ultima's servers — it is read directly from Google to your device.

  • Scopes requested: read access to your Google Analytics data (analytics.readonly) and, where you enable provisioning features, limited account configuration (analytics.edit).
  • How it is used: solely to read your Google Analytics metrics into your local Infinite store so the Software can compute summaries, trends, and insights for you, and (only if you ask) to assist with setup tasks you initiate. We do not use Google user data for advertising, and we do not sell it.

Two ways to connect — both keep your data and tokens on your machine

You choose how the Google sign-in is authorized. In both cases, the resulting access and refresh tokens are exchanged and stored locally on your device (encrypted), and Ultima does not receive your tokens or your Analytics data. The only difference is whose Google app shows on the consent screen:

  1. Use your own Google app (bring-your-own). You create your own OAuth credentials in your own Google Cloud project and paste them into Infinite. The authorization is strictly between you and Google, using your app — Ultima is not involved in the connection at all, and the API usage counts against your own Google quota.
  2. Quick connect with Infinite's Google app. For convenience, you authorize through Infinite's verified Google app. You still sign in to Google in your own browser, and the tokens are still exchanged and stored locally on your device by the software running on your machine — Ultima still does not receive your tokens or your data. What's different: Google's consent screen shows Infinite's app, and API calls count against Infinite's shared quota.
Either way, your Google Analytics data flows Google → your machine, never through Ultima. (If we later offer an optional hosted connection broker, this policy will be updated before that option exists.)
  • Where it is stored: in your local Infinite database; OAuth tokens are stored encrypted on your device. We do not retain your Google data on our servers under either option.
  • Sharing: we do not transfer your Google user data to third parties. We never sell it.
  • Limited Use: Infinite's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Revoking access: you can disconnect Google Analytics at any time inside Infinite, and you can revoke access directly at https://myaccount.google.com/permissions.

4. Other connected sources

PostHog, Stripe, Shopify, Meta, X, and any other source you connect behave the same way: their data is synced into your local store and stays there. Credentials and tokens for these sources are stored encrypted on your device.

5. When data reaches our servers (optional, only if you use hosted features)

The free, local product does not send your business data to us. If you choose to use an optional paid/hosted action (for example, a hosted "growth audit" report):

  • Your device sends us a numbers-only aggregated summary (e.g., revenue change, traffic change, top campaigns by name) — not raw records or personal data. This summary is used to generate the requested result and is not retained beyond the request.
  • The result (the report) may be stored for your workspace so you can re-open it across your devices. You can delete it at any time, and it is purged when you delete your workspace or account.
  • Account information you provide for a hosted plan (identity, billing, API key) is stored on our servers to operate the Service.

6. AI sub-processors

When you run a hosted AI action, the aggregated summary may be processed by large-language-model providers acting as our sub-processors — currently Anthropic and/or OpenAI — under their business/API terms with no-training / no-retention settings enabled. When you bring your own model or key, your data goes to the endpoint you configure, under that provider's terms.

7. Data retention and deletion

  • Local data: controlled entirely by you; delete it by removing the local store or disconnecting sources.
  • Hosted data (if any): action results and account/brand context are retained until you delete them or close your account; deleting a workspace/account purges its stored results.
  • Requests: to exercise access, correction, or deletion rights, contact support@ultima.inc.

8. Security

We use industry-standard measures, including encryption of credentials and tokens at rest. No method of storage or transmission is 100% secure, but because the local-first model keeps your raw data on your own device, the data exposed to us is minimized by design.

9. Children's privacy

Infinite is a business tool not directed to children under 16, and we do not knowingly collect their personal data.

10. International users

If you use the Service outside the United States, you understand that any data sent to our hosted features may be processed in the United States, where Ultima AI, Inc. is incorporated (Delaware).

11. Changes to this policy

We may update this policy; we will post the updated version and, for material changes, provide reasonable notice.

12. Contact

Questions or requests: support@ultima.inc (Ultima AI, Inc.).