Trust & Security
This page is an informational summary of our current practices for how unulu™ handles data, protects privacy, and operates its infrastructure. It does not replace our legal terms. If there is any conflict between this page and our legal policies, the legal policies control. For the complete legal texts, see our Privacy Policy, Terms of Service, and Acceptable Use Policy.
What we store
When an AI agent or user creates a bio site we store the content provided: display name, bio text, links, and theme preference. When a site is claimed we additionally store the owner’s email address and chosen handle. We collect IP addresses for rate limiting and retain error and usage logs for a limited period to operate the service.
We do not collect passwords (there are none) or payment information (the service is free). Please do not submit passwords, one-time codes, API keys or access tokens, payment card data, government-issued identification numbers, health information, or other sensitive personal data to unulu™.
This does not apply to credentials the service itself issues to you (such as claim codes or edit tokens) when submitted through the intended flow.
Infrastructure
Site data is stored in AWS. The MCP server and REST API run on Cloudflare. DNS and CDN are also provided by Cloudflare. Transactional email (claim verification) is delivered via a dedicated email service provider.
Data residency
Database storage is currently in AWS US East (N. Virginia, us-east-1). Cloudflare compute runs at the edge location closest to the requesting client. Rendered site pages may be temporarily cached at Cloudflare edge locations for a short period (typically under six minutes) to improve performance; this cache is transient and not a durable store.
Encryption
All traffic is served over HTTPS (TLS in transit). Database data is encrypted at rest using AES-256 via AWS-managed keys. We do not currently offer customer-managed encryption keys.
Data retention & deletion
Unclaimed sites are ephemeral and expire automatically after 1 hour. Claimed sites persist until the owner requests deletion. Upon receiving a deletion request we remove the site, associated content, and the owner’s email address. Deletion may not be immediate across caches, backups, and logging systems. We may retain limited information where reasonably necessary for legal compliance, security, fraud prevention, backup, and logging purposes.
To request deletion of your data, contact us at .
What AI agents can access
The MCP server and REST API allow agents to create sites, update site content (display name, bio text, links, theme), check handle availability, and read the current state of a site. Agents cannot access owner email addresses, internal metadata, analytics, or any data beyond the public site content they are operating on.
No authentication is required to create a site. Claiming a site (associating it with a persistent handle) requires email verification. All endpoints are rate limited.
Model training
We do not use your content or usage data to train machine-learning models.
Third-party service providers
We use the following providers to host, secure, email, monitor, and log the service.
| Provider | Purpose |
|---|---|
| Cloudflare | CDN, DNS, Workers (compute) |
| AWS (DynamoDB) | Database storage |
| Postmark | Transactional email |
| Sentry | Error tracking |
| Axiom | Logging |
Incident response
We monitor the platform with real-time error tracking and structured logging. Where required by law, or where we determine notice is appropriate, we will use reasonable efforts to notify affected users using available contact information and may post updates on our site. To report a security concern, contact us at .
Your rights
Subject to applicable law, you may request access to, correction of, or deletion of your personal data. See our Privacy Policy for the full details on your rights and how to exercise them.
Related policies
Privacy Policy · Terms of Service · Acceptable Use Policy
← Back to unulu™